RE: [ActiveDir] Overlapping AD Subnet Boundaries
An AD client will try to associate itself with the site whose subnet is most specific for its IP.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline
Sent: Friday, January 26, 2007 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Overlapping AD Subnet Boundaries

Say I create an AD subnet of 10.10.0.0/16 and assign it to our primary site, and another subnet as 10.10.41.0/24 and assign it to a secondary site. Will AD treat a client address of, say, 10.10.41.104 as a client on the secondary site, or will it default to the more general primary subnet? The reason I ask is we now have a need for a second AD site (I can see all the enterprise folks grinning now) and we have quite a number of other subnets that I'd have to manually enter if this is not the case. I don't mind doing it, but I was curious either way.

Brian Cline, Applications Developer
Department of Information Technology
GP Trucking Company, Inc.
803.936.8595 Direct Line
800.922.1147 Toll-Free (x8595)
803.739.1176 Fax
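As an added example (not part of the original thread), the most-specific-subnet rule described above, written out in Python so it can be checked against a subnet table before the extra subnet objects are created. The subnet-to-site table and the client addresses below are constructed to mirror the question; site names and the extra subnets are invented.

```python
import ipaddress

# Constructed AD subnet table (subnet object -> siteObject it is assigned to).
# It mirrors the question: a /16 on the primary site and a /24 carved out of it
# for the secondary site. Site names and the extra entries are invented.
SUBNETS = {
    "10.10.0.0/16": "Primary-Site",
    "10.10.41.0/24": "Secondary-Site",
    "10.10.42.0/24": "Secondary-Site",
    "192.168.0.0/24": "Branch-Site",
}


def resolve_site(client_ip, subnets=SUBNETS):
    """Return (site, subnet) for the most specific AD subnet containing client_ip.

    Site affinity uses the subnet object with the longest prefix that contains
    the address, so an overlapping /24 wins over the /16 it sits inside.
    Returns (None, None) when no subnet object covers the address.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None  # (site, network) with the longest prefix seen so far
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[1].prefixlen:
            best = (site, net)
    if best is None:
        return None, None
    return best[0], str(best[1])


def uncovered_addresses(client_ips, subnets=SUBNETS):
    """Client addresses that fall in no subnet object at all.

    These are the clients that still need a subnet entry: with no match they
    get no site assignment and pick a DC without any site preference.
    """
    return [ip for ip in client_ips if resolve_site(ip, subnets)[0] is None]


if __name__ == "__main__":
    for ip in ("10.10.41.104", "10.10.7.9", "172.16.0.1"):
        print(ip, "->", resolve_site(ip))
```

The same check can be run over a dump of the subnet objects under CN=Subnets,CN=Sites in the configuration partition (cn and siteObject) and the DHCP scope ranges, which is a quicker way to find the subnets that still need an entry than reading them off by hand.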
[ActiveDir] OT: maintaining creation date when copying directories?
What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated! Mike Thommes
RE: [ActiveDir] OT: maintaining creation date when copying directories?
Hi Ulf,

Thanks for the response! I tried Robocopy (version XP010) with the /E /B /COPYALL switches. It does not seem to have the desired effect (i.e., both the modified date and the creation date are still the current date). Any other thoughts?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Robocopy with the /B switch should work.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying directories?

What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated!

Mike Thommes
RE: [ActiveDir] Kerberos Question
I think you are seeing your Kerberos tickets start to reach their expiration time. The kerbtray icon will go from green to red. I think in the last 5 or 15 minutes the default configuration will also issue an audible (and very distinctive) sound. The tickets will renew automatically (and the icon will go from red back to green). This will happen until you reach the default "renew tickets until..." date. At that time you will need to manually renew your ticket unless you do something like log off and then log on to automatically get new tickets.

Hth,
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, January 25, 2007 1:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Question

Just curious - I have the resource kit tool Kerbtray running on my taskbar. When I double click it, it lists my tickets, etc... Twice during the day yesterday it turned red and said there were no tickets available. It's already done this once today. When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes. Does this mean my ticket is getting renewed, or that I could have a time problem, a problem connecting to the PDC emulator, etc.?

Thanks in advance for any insight on this.

Mike
RE: [ActiveDir] OT: maintaining creation date when copying directories?
Hi Ulf,

I don't have any problems with the creation date on files. It's the creation date on the directory folders that is not right. Could you try robocopy again, this time trying to copy some tree structure that has branches (subdirectories) and see what creation date is on the subdirectory folders? Thanks much!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 3:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Thommes,

I've just tried this here, and both commands

Robocopy /B .\ ..\ wins.dll
Robocopy /B .\ c:\ wins.dll

(first one on the same drive, second one on another drive) maintain the Create and Modified date. My Robocopy version is the same (XP010, 5.1.1.1010). Weird.

Gruesse - Sincerely,
Ulf B. Simon-Weidner

Profile Publications: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 14:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Hi Ulf,

Thanks for the response! I tried Robocopy (version XP010) with the /E /B /COPYALL switches. It does not seem to have the desired effect (i.e., both the modified date and the creation date are still the current date). Any other thoughts?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, January 25, 2007 6:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: maintaining creation date when copying directories?

Robocopy with the /B switch should work.

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 25 January 2007 13:10
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: maintaining creation date when copying directories?

What move/copy tools can be used to copy directories/files to another location and still retain the creation date value? Robocopy seems to keep creation date on files but directories are given the current date. Am I missing a switch in Robocopy to do this? A backup/restore operation (with ntbackup.exe) retains the creation date as one would expect. I am just looking for other possible tools. I should mention that with all of the tools I've tried, the modified date is always the current date for directories. Any help is appreciated!

Mike Thommes
RE: [ActiveDir] PHP Module for Windows
Is this what you are looking for? http://www.php.net/downloads.php I have not used it, however, and can't speak to how well it works, but it seems to come from the right place. ;)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of EIS Lists
Sent: Wednesday, January 24, 2007 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PHP Module for Windows

Hi - I reviewed PlexSSO (http://www.ioplex.com/), but it appears to only run on Linux. Does anyone know of an off the shelf module that will run under Windows? Thanks.

-- nme
Noah Eiger
[ActiveDir] moving server local groups to AD?
(I sure hope this doesn't sound like too dumb a question!) We have a server where local security groups were created for local file access. The files on this server are going to be moved to a file server cluster. Can ADMT v3 migrate these security groups up to the AD structure with the hopes of retaining SIDHistory and therefore access to the moved files? If ADMT wouldn't work, does anyone have suggestions for this operation? As always, any help is appreciated! Mike Thommes
[ActiveDir] OT: Apache LDAP authentication oddity
We have an application that is using an Apache server to do LDAP authentications against our active directory. (Yeah, I know; if only I were king! LOL!) The application developer tells me that if he tries doing an auth against our root base (dc=yyy,dc=zzz), the auth fails. If he uses a search base of ou=xxx,dc=yyy,dc=zzz, the auth works. The user account that is being tested is some OU levels below this. He is coding a subtree scope and he is filtering on (objectclass=user and objectcategory=person). It's like Apache needs to start at an OU structure. I couldn't find much on Google about this other than someone else was having the same issue last Fall and just gave up in frustration. The Apache documentation I could find seemed to indicate that a search of dc=yyy,dc=zzz SHOULD work. Any thoughts/pointers are appreciated! Thanks! Mike Thommes
RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)
You might want to test the network connection. We have a public tester at http://miranda.ctd.anl.gov:7123/ that might detect duplex mismatches or faulty cables.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, January 19, 2007 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Given the fact that it's intermittent, that it's just this one server, that you've already replaced the NIC and that the error is "an unexpected network error occurred", there's not much else to do I think, other than get MS involved. Either it's something in the OS or the network switch you're using is flaky.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Donavon Yelton
Sent: Friday, January 19, 2007 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

I spoke too soon in regards to it being fixed. Apparently it is now intermittent and I can't make the 1054 error come up consistently. The logging has been set to 0x00030002 for some time but I haven't been able to catch anything beyond the 59 error. I did a gpupdate about 5 minutes ago and it showed the 1054 error but then when I waited a couple of minutes (not changing anything at all) it did not show up after doing a gpupdate and the userenv log showed nothing out of whack (no 59 errors). Any ideas as to what could be the cause of intermittent issues? After over a week with this issue I'm losing my hair, and I don't have much more to lose. 8-(

Donavon Yelton

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, January 19, 2007 1:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

http://support.microsoft.com/kb/221833/en-us

Up the debugging. Set to 0x00030002. What's the log say?

Donavon Yelton wrote:

Well, I did as you and others suggested, install an Intel NIC card in the system. I purchased an NC360T Intel chipset card. So after a $300 NIC card was installed in the system I boot it up, run gpupdate and bam, I get a 1054 userenv error (same one I was getting with the Broadcoms). Any further suggestions before I call Microsoft?

Donavon Yelton

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

And if you like I'll ping you up with Les, Nick and others who ..yes ...brand spanking new server... brand spanking new machines and they would not/could not do what they were supposed to do. Put in Intels and all was well. If you'd like to get a similar dent in your head feel free. All I can say is, these days the minute we start having weird issues and there's a Broadcom on the box, we're not wasting the time on them anymore.

Donavon Yelton wrote:

I'm not about to give up on the Broadcom NICs as this is a brand new server that cost as much as a Honda Accord. I'm not sure I can believe that HP would put a defective card in such a machine. You'd think others would have the same issues in mass quantity if that were the case. I'm also using Broadcoms in other HP servers here (including the two DCs) and they have not had any issues. It is all too easy to chalk up a problem like this to network cards, but I don't think it explains why the GPO is applied successfully without issues within the first 15 minutes or so after a reboot. There are no other problems cropping up from these Broadcoms either.

Now for a question: how do I disable slow link detection for all terminal service users on this problem server, since that seems to have fixed the issue? I need to make the change in the registry on the problem server apparently, as making the switch in the GPO itself seems to not have any effect.

Donavon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, January 15, 2007 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] 1054 Error (Windows cannot contact DC - Group Policy)

Dump the Broadcoms and get Intel. http://msmvps.com/blogs/bradley/archive/2007/01/04/the-following-network-cards-are-evil.aspx We've had no end of weirdness with those suckers. Even the latest drivers don't work.

Donavon Yelton wrote:

Yes, these are Broadcom NICs. I want to go back to the last question that was asked (if my network card drivers were up to date) and change
[ActiveDir] release date for W2K3/SP2?
Has anyone heard of a release date for Windows Server 2003/SP2? Thanks. Mike Thommes
RE: [ActiveDir] Shares with Computer Account Permissions
Hi Laura,

That's what I thought of first, but that would stop all traffic to the server, not just a particular share.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, January 09, 2007 4:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

Sure. IPsec.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny access to shares not just based on user accounts, but also upon computer accounts. My immediate response was that I didn't think so. So I tested it by simply creating a folder up on our file server, and added the computer account for my workstation and denying it access completely. This made no difference to my permissions when trying to access it from this workstation.

So my question is this: is there any way to design access permissions in such a way so you could not only allow access to a share to a certain security group, but also to this security group only when they are accessing it on hosts that we have explicitly defined?

~Ben
RE: [ActiveDir] Disabled user + when
If nothing else has been done to the account, I wonder if you could use the whenChanged attribute.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Wednesday, January 03, 2007 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Thanks for the quick response. I don't have logs for more than 2 days on the DCs. They get overwritten due to size. Is there any other way? In future I will have monitoring to detect the event and send me an email for future reference. But right now I need information from the last quarter.

Thanks
-Parag

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ziots, Edward
Sent: Wednesday, January 03, 2007 4:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Disabled user + when

Auditing. You are looking for the following event ID: Event Type = Account Management, Event ID 629 (User account disabled).

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP+I,M.E,CCA,Network+, Security +
email:[EMAIL PROTECTED]
cell:401-639-3505

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Parag Nagwekar
Sent: Tuesday, January 02, 2007 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Disabled user + when

Team,

Is there a way to find when a user account was disabled in AD? Our SOX auditor would like to see the list of users whose accounts were disabled in the last quarter plus the date when they were disabled. They will match this information with the HR database. We can't rely on the whenmodified attribute because the helpdesk team takes a day or two to complete the rest of the termination process on that account after the account is disabled.

-Parag
[ActiveDir] how to get ALL users in Domain Users
I am trying to get a list of all of the users in the builtin group Domain Users. I am using the following commands, but get incomplete results. Can someone tell me why? Thanks! And Happy New Year to everyone!

dsquery group -name "domain users" | dsget group -members > c:\temp\domain_users.txt

Mike Thommes
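Added example, not from the original post: why a member-only query comes back short for Domain Users, and how to assemble the complete list. Primary-group membership is not stored in the group's member attribute; it is recorded in each user's primaryGroupID (513 is the RID of Domain Users), and dsget group -members reads only member. The directory objects below are constructed; the domain SID, names and DNs are invented.

```python
# Constructed sample objects. Domain Users (RID 513) is the default primary
# group, and a user's primary group does not appear in that group's member
# attribute; it is recorded in the user's primaryGroupID instead. The domain
# SID, account names and DNs here are invented for the example.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"

GROUPS = {
    "Domain Users": {
        "objectSid": DOMAIN_SID + "-513",
        # Only accounts whose primary group is something else show up here.
        "member": ["CN=svc_backup,OU=Service,DC=example,DC=local"],
    },
    "Domain Computers": {"objectSid": DOMAIN_SID + "-515", "member": []},
}

USERS = [
    {"dn": "CN=alice,OU=Staff,DC=example,DC=local", "primaryGroupID": 513},
    {"dn": "CN=bob,OU=Staff,DC=example,DC=local", "primaryGroupID": 513},
    {"dn": "CN=svc_backup,OU=Service,DC=example,DC=local", "primaryGroupID": 513},
    {"dn": "CN=build01,OU=Workstations,DC=example,DC=local", "primaryGroupID": 515},
]


def rid_of(sid):
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def all_members(group_name, groups=GROUPS, users=USERS):
    """Union of the group's explicit member entries and primaryGroupID matches."""
    group = groups[group_name]
    rid = rid_of(group["objectSid"])
    explicit = set(group["member"])
    primary = {u["dn"] for u in users if u["primaryGroupID"] == rid}
    return sorted(explicit | primary)


def missing_from_member_attribute(group_name, groups=GROUPS, users=USERS):
    """DNs a member-only query (dsget group -members) would not show."""
    group = groups[group_name]
    complete = set(all_members(group_name, groups, users))
    return sorted(complete - set(group["member"]))


if __name__ == "__main__":
    for dn in all_members("Domain Users"):
        print(dn)
    print("not in member attribute:", missing_from_member_attribute("Domain Users"))
```

Against a real domain the second set is what an LDAP query such as (&(objectCategory=person)(objectClass=user)(primaryGroupID=513)) returns, for example through adfind or dsquery * -filter; the full list is that result unioned with the group's member attribute.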
[ActiveDir] OT: help with running a scheduled job
We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars:

- 2003 R2 standard server
- Domain account, non privileged, doesn't belong to domain users
- Added to local backup operators group
- Trying to run a system state backup job through a scheduled batch (.bat) file
- File permissions appear to be ok in file system where batch file is located.

Results, when run from a remote scheduled tasks/run (without the user logged into the server):

- a scheduled job with the user's credentials specifying an ipconfig command works.
- a scheduled job with the user's credentials specifying notepad.exe works.
- a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt):

test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application.

All the jobs run successfully from a remote scheduled tasks/run environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote scheduled tasks/run environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an "Access is denied" previously.

We checked through the local security policy thinking it could be related to User Rights assignments or Security Options but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated.

Mike Thommes
RE: [ActiveDir] OT: help with running a scheduled job
Mike,

Thanks! That worked. I owe you a beer if we ever cross paths! Thanks again!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael A. Barker
Sent: Friday, December 15, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: help with running a scheduled job

I think the default permissions of the CMD.exe file are getting you; read the KB enclosed. As I recall the permissions allow RX for the Interactive special group, which is why it worked if you're signed in at the console. On our servers where we have ordinary users executing batch jobs I've set up a local group to grant read and execute.

http://support.microsoft.com/kb/867466

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, December 15, 2006 4:31 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: help with running a scheduled job

We are trying to get a particular account to run a scheduled backup job on a server. Our results are puzzling. Here are the particulars:

- 2003 R2 standard server
- Domain account, non privileged, doesn't belong to domain users
- Added to local backup operators group
- Trying to run a system state backup job through a scheduled batch (.bat) file
- File permissions appear to be ok in file system where batch file is located.

Results, when run from a remote scheduled tasks/run (without the user logged into the server):

- a scheduled job with the user's credentials specifying an ipconfig command works.
- a scheduled job with the user's credentials specifying notepad.exe works.
- a scheduled job with the user's credentials calling a batch file (.bat) which runs ntbackup.exe FAILS with (from SchedLgU.txt):

test.job (simple.bat) 12/13/2006 5:50:08 PM ** ERROR ** Unable to start task. The specific error is: 0x80070005: Access is denied. Try using the Task page Browse button to locate the application.

All the jobs run successfully from a remote scheduled tasks/run environment if the user is in the local administrators group. When the user is only in the local Backup Operators group, all the jobs run successfully from a remote scheduled tasks/run environment when this account is logged into the server/console! They can also be run successfully locally by the user. Note this same user got an "Access is denied" previously.

We checked through the local security policy thinking it could be related to User Rights assignments or Security Options but did not see anything there. I think we're missing something really simple here, but it's eluding us. Any thoughts are appreciated.

Mike Thommes
RE: [ActiveDir] dynamic variables within an event log entry?
Hi Laura,

(Brian's answer came in after I sent my email out.) The problem with using adfind (in my experience) is that the creator (Caller User Name) is not part of the AD object's attributes, only the owner, which will be Domain Admins for accounts created by members of Domain Admins (as you pointed out). I would like my daily report to contain the actual name (samaccountname) that created the account. Maybe the only way I can create the report I am looking for (account name, DN, when created, and creator name) is to collect eventid 624 records and filter them on creation date. However, I am still looking for suggestions. Thanks.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 11:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

Okay, the below totally cracked me up. :-) Brian gave you the ADFind answer, but I guess I would also ask in what format you need to retrieve this information and whether or not you're plugging it into something. I'm not sure that last sentence even made sense, sorry. I'm sleep deprived.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

Tony and Laura,

Thanks for the replies! Actually, I am already trapping eventid 624 and I see the "Caller User Name:" entry with the right value. Where I got confused was when I built a daily job using adfind (with the -owner switch) to produce a list of users created during the previous 24 hours. Laura's #2 answer explains why I see what I do for accounts created by members of the Domain Admins. Her #1 answer is going to make me rethink how we do some of the account creations. Her #3 answer begs the question of how would I construct a query to produce new accounts created over a 24 hour period? Adfind was the first (and maybe only) tool that popped into my head to do this. Other suggestions? Thanks!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] dynamic variables within an event log entry?

1. This is one of the eight gazillion reasons to discourage the use of accounts that are Domain Admins for routine purposes that can be achieved without that level of rights.

2. By default, when a member of the Domain Admins group creates an object in the directory, the Domain Admins group becomes the owner of the object. That is by design.

3. When I create an object with an account that is a member of Domain Admins, the creator of the object shows as that account, not as Domain Admins. Why aren't you just looking at that value in the event logs, rather than looking at the ownership of the object? That's why auditing allows tracking of who creates/modifies/deletes directory objects.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, November 30, 2006 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dynamic variables within an event log entry?

I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins, not XYZ\adminacct1. If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators. This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency?

Any help is appreciated. Thanks!

Mike Thommes
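Added example serving both this thread and the "Disabled user + when" thread above; it is not code from any of the posters. It builds the daily report described here from Security log records: event 624 (user account created) and event 629 (user account disabled), taking the operator from the "Caller User Name" field, which names the account that performed the operation regardless of who ends up as the object owner, and filtering on the event timestamp rather than on an attribute of the object. The records below are constructed approximations of the Server 2003 event text; the account names, domain and times are invented.

```python
import re
from datetime import datetime, timedelta

# Constructed records approximating Windows Server 2003 Security log entries
# as (timestamp, event ID, description). Names, domain and times are invented.
SAMPLE_EVENTS = [
    ("2006-11-30 08:15:02", 624,
     "User Account Created:\n\tNew Account Name:\tjdoe\n\tNew Domain:\tXYZ\n"
     "\tNew Account ID:\tXYZ\\jdoe\n\tCaller User Name:\tadminacct1\n"
     "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x3E7)\n"),
    ("2006-11-30 14:40:11", 624,
     "User Account Created:\n\tNew Account Name:\tasmith\n\tNew Domain:\tXYZ\n"
     "\tNew Account ID:\tXYZ\\asmith\n\tCaller User Name:\toperacct1\n"
     "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x4F21A)\n"),
    ("2006-11-29 09:00:00", 624,  # outside a window ending 2006-12-01 00:00
     "User Account Created:\n\tNew Account Name:\toldacct\n\tNew Domain:\tXYZ\n"
     "\tNew Account ID:\tXYZ\\oldacct\n\tCaller User Name:\tadminacct1\n"
     "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x3E7)\n"),
    ("2006-11-30 16:05:45", 629,
     "User Account Disabled:\n\tTarget Account Name:\tbjones\n\tTarget Domain:\tXYZ\n"
     "\tTarget Account ID:\tXYZ\\bjones\n\tCaller User Name:\toperacct1\n"
     "\tCaller Domain:\tXYZ\n\tCaller Logon ID:\t(0x0,0x4F21A)\n"),
    ("2006-11-30 16:06:00", 4,  # unrelated event, must be ignored
     "The kerberos client received a KRB_AP_ERR_MODIFIED error\n"),
]

# One "Name:<tab>Value" line of the 2003-era event text.
FIELD_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?):\t(?P<value>.*?)\s*$", re.MULTILINE)

# Which field names the affected account in each event, and what happened.
ACCOUNT_FIELD = {624: "New Account Name", 629: "Target Account Name"}
ACTION = {624: "created", 629: "disabled"}


def parse_fields(description):
    """Turn the tab-separated field lines of an event description into a dict."""
    return {m.group("name"): m.group("value") for m in FIELD_RE.finditer(description)}


def account_management_report(events, since, until):
    """Rows (when, action, account, caller) for 624/629 events with since <= when < until.

    The caller is taken from 'Caller User Name' and 'Caller Domain', which
    identify the account that performed the operation, not the object owner.
    """
    rows = []
    for stamp, event_id, description in events:
        if event_id not in ACTION:
            continue
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if not (since <= when < until):
            continue
        fields = parse_fields(description)
        rows.append({
            "when": when,
            "action": ACTION[event_id],
            "account": fields.get(ACCOUNT_FIELD[event_id], "?"),
            "caller": fields.get("Caller Domain", "?") + "\\" + fields.get("Caller User Name", "?"),
        })
    rows.sort(key=lambda r: r["when"])
    return rows


def last_24h_report(events, now):
    """Daily report: everything in the 24 hours ending at now (datetime or 'YYYY-MM-DD HH:MM:SS')."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    return account_management_report(events, now - timedelta(hours=24), now)


if __name__ == "__main__":
    for row in last_24h_report(SAMPLE_EVENTS, "2006-12-01 00:00:00"):
        print(row["when"], row["action"], row["account"], "by", row["caller"])
```

Feed it (timestamp, event ID, description) rows exported from each DC's Security log; account management events are logged on the DC that processed the change, so the export has to cover all of them. Since the "Disabled user + when" thread's problem is that these logs roll over in a couple of days, the report is only as good as the archive of events it runs over, which argues for forwarding or dumping the Security log on a schedule rather than querying it after the fact.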
RE: [ActiveDir] Split pagefile
How about a remote shutdown like:

shutdown /m \\computername /r /f

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Friday, December 01, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

If you can get to Computer Management, you could start the Telnet service. At that point, telnet to the server and do a shutdown /r. And I mean a standard telnet connection, not telnet to some fancy port. I suspect you are having the dreaded "rdp doesn't work for some reason" problem, which somehow clears itself up after a reboot most of the time. I know this has been discussed on this board several times, but no one has really come up with a solution from what I've seen, other than reboot and see if it works.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Friday, December 01, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Laura,

Thanks ever so much for all your help. I will be trying some of these things soon, but for now, I'm one of the over 400,000 people in St. Louis without power. My workplace is closed, too, so I might end up waiting it out. One question, if you don't mind and have a minute: How do I reboot the server if I can't log on?

Many thanks again.

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, November 30, 2006 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Inline...

> Thanks for replying, Laura!

Sure thing.

> You wrote: Are you able to connect to the server via Computer Management?
> Yes.

Then you can use that to reconfigure the pagefile, making very, very sure you click Set. :-) After you've connected to it in CM, right click the computer, choose Properties, go to the Advanced tab, yada yada yada.

> If so, can you see the service statuses and event logs on the server?
> Yes. I looked all through the event logs, and didn't see anything relating to terminal services failures. And the terminal services service is started.

How about the security log? Are you seeing logon failures?

> Can you telnet to the RDP port?
> If you mean, can I telnet to the server by name or by its IP address, no. But yes, I can telnet to port 3389 on the server, and the cursor sits there and blinks at me, but as soon as I hit any key, I get back to my command prompt.

Okay, port's open.

> Can you map a drive to a share on the server?
> Yes. And, in fact, I have the same 2Gb pagefile on C: that I had before, and no pagefile on E: So, I'm thinking that A. I forgot to hit the set button, or B. The server got confused. The snow might have made it sluggish. (That's a joke, folks.)

See above for remedy (hopefully).

> When you say you can't log on, do you get the logon dialog box and a failure to let you log on, or do you get no remote desktop UI at all?
> No remote desktop UI at all. I immediately get the disconnected from server message.

Okay. Try logging on with a different account that has TS connection permissions. Check the security logs. If you're not auditing logon events, you'll need to do that. Check the terminal services permissions, etc. Maybe do a preemptive reboot (or just do it as part of that pagefile adjustment) and see if anything changes. If none of that works, there's still more stuff to check, but I'm tired of typing right now and hopefully one of the above things will determine the issue.

Laura (probably a bit overcaffeinated now; can you tell?)

> No problem. I'm snowed in, but the server is running. I guess what I'd like to do is see if I can reset the pagefile and reboot the server, all remotely, and still manage to terminal service to it and log in. Thanks for your help, Laura. You deserve many pats on the back, attagirls, and stuff.

No problem, and no pats necessary.

Laura

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
[ActiveDir] dynamic variables within an event log entry?
I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins , not XYZ\adminacct1 . If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators . This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency? Any help is appreciated. Thanks! Mike Thommes
RE: [ActiveDir] dynamic variables within an event log entry?
Tony and Laura, Thanks for the replies! Actually, I am already trapping eventid 624 and I see the Caller User Name: entry with the right value. Where I got confused was when I built a daily job using adfind (with the -owner switch) to produce a list of users created during the previous 24 hours. Laura's #2 answer explains why I see what I do for accounts created by members of the Domain Admins. Her #1 answer is going to make me rethink how we do some of the account creations. Her #3 answer begs the question of how would I construct a query to produce new accounts created over a 24 hour period? Adfind was the first (and maybe only) tool that popped into my head to do this. Other suggestions? Thanks! Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Thursday, November 30, 2006 8:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] dynamic variables within an event log entry? 1. This is one of the eight gazillion reasons to discourage the use of accounts that are Domain Admins for routine purposes that can be achieved without that level of rights. 2. By default, when a member of the Domain Admins group creates an object in the directory, the Domain Admins group becomes the owner of the object. That is by design. 3. When I create an object with an account that is a member of Domain Admins, the creator of the object shows as that account, not as Domain Admins. Why aren't you just looking at that value in the event logs, rather than looking at the ownership of the object? That's why auditing allows tracking of who creates/modifies/deletes directory objects. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, November 30, 2006 7:33 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] dynamic variables within an event log entry? 
I wonder if someone could explain to me (or point me at some reference) about what mechanism is used to populate the information in a Windows event log entry. The reason why I ask is that I see in the Security log when a new user account is created by an account which is a member of the Domain Admins group, the _OBJECT_OWNER=XYZ\Domain Admins, not XYZ\adminacct1. If it is created by an account that is a member of the Account Operators group, then _OBJECT_OWNER=XYZ\operacct1, not XYZ\Account Operators. This makes auditing somewhat less worthwhile. Is this design on purpose or a deficiency? Any help is appreciated. Thanks! Mike Thommes
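Mike's follow-up question is how to list accounts created in the last 24 hours, and Laura's point is that the creator is recorded in the audit event (624 on Windows 2003), while the object owner only tells you the group that took ownership. The following is an added example, not code from the thread: it builds the whenCreated filter an adfind or LDAP query would use, parses the "Caller User Name" out of event 624 text, and joins the two so that owner and creator can be compared side by side. The event text is a constructed sample in the Windows 2003 event 624 layout, not a real log export, and the directory rows are likewise made up.

```python
"""Attribute new user accounts to their creator via event 624, not via owner.

Added example, not code from the ActiveDir thread. Assumptions: the LDAP
filter is fed to adfind (or any LDAP client); SAMPLE_EVENTS is a constructed
event 624 message dump in the Windows Server 2003 text layout.
"""
import re
from datetime import datetime, timedelta, timezone


def generalized_time(dt: datetime) -> str:
    """Format a datetime as AD GeneralizedTime, e.g. 20061130080000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def new_user_filter(now: datetime, hours: int = 24) -> str:
    """LDAP filter for user objects whose whenCreated falls inside the window.

    whenCreated is a GeneralizedTime attribute, so an ordinary >= comparison
    works in the filter; no extensible matching rule is needed.
    """
    since = now - timedelta(hours=hours)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(whenCreated>={generalized_time(since)}))")


# Constructed sample: two "User Account Created" (event 624) messages.
SAMPLE_EVENTS = """\
Event ID: 624
User Account Created:
    New Account Name:   jdoe
    New Domain:         XYZ
    New Account ID:     XYZ\\jdoe
    Caller User Name:   adminacct1
    Caller Domain:      XYZ
    Caller Logon ID:    (0x0,0x3E7)

Event ID: 624
User Account Created:
    New Account Name:   svc-backup
    New Domain:         XYZ
    New Account ID:     XYZ\\svc-backup
    Caller User Name:   operacct1
    Caller Domain:      XYZ
    Caller Logon ID:    (0x0,0x1A2B3)
"""

_FIELD = re.compile(
    r"^\s*(New Account Name|Caller User Name|Caller Domain):\s*(\S+)", re.M)


def creators_from_events(text: str) -> dict:
    """Map each new sAMAccountName to DOMAIN\\caller taken from event 624 text."""
    result = {}
    for block in re.split(r"(?m)^Event ID: 624\s*$", text):
        fields = dict(_FIELD.findall(block))
        if "New Account Name" in fields and "Caller User Name" in fields:
            caller = f"{fields.get('Caller Domain', '?')}\\{fields['Caller User Name']}"
            result[fields["New Account Name"]] = caller
    return result


def reconcile(directory_rows: list, creators: dict) -> list:
    """Join (sAMAccountName, owner) rows from the directory with audit creators.

    'creator' is None when no 624 event exists for the account; that gap is
    itself worth alerting on (auditing not enabled on the DC that took the
    write, log rolled over, or the account was created out of band).
    """
    return [{"account": sam, "owner": owner, "creator": creators.get(sam)}
            for sam, owner in directory_rows]


if __name__ == "__main__":
    print(new_user_filter(datetime.now(timezone.utc)))
    # Constructed directory rows as adfind -owner might report them.
    rows = [("jdoe", "XYZ\\Domain Admins"), ("svc-backup", "XYZ\\operacct1")]
    for row in reconcile(rows, creators_from_events(SAMPLE_EVENTS)):
        print(row)
```

Note that the first row shows exactly the discrepancy Mike saw: the owner is XYZ\Domain Admins, but the creator recovered from the audit event is the individual admin account.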
RE: [ActiveDir] AD Security Group Information
adfind -default -f "(&(objectclass=group)(groupType=-2147483646))" -tdc whenChanged hth, Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale Sent: Tuesday, October 31, 2006 2:51 AM To: activedir@mail.activedir.org Subject: [ActiveDir] AD Security Group Information I'm having a clear up of my domain and there are approx 8000 security groups. Some of these are no longer required, how is the best way to determine whether the groups are still in use? Is there any way to query the groups to identify when they were last modified? thanks Frank Single Domain, Windows 2003 FFL We have the perfect Group for you. Check out the handy changes to Yahoo! Groups.
RE: [ActiveDir] List Groups I'm In?
Hi Deji, My version of whoami shows the usage as: whoami /groups. Thanks for pointing me at this; I always just used whoami. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Wednesday, October 25, 2006 11:58 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] List Groups I'm In? whoami -group Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: Michael B Allen Sent: Wed 10/25/2006 9:46 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] List Groups I'm In? What is the easiest way for a user (say on a stock XP client) to list what groups they're in? Specifically I'd like the user to be able to just type a command like 'net user list groups' or some such and get a list of NT Account names for tokenGroups. Or if there is a dialog somewhere that's good too. Ideas? Mike -- Michael B Allen PHP Active Directory SSO http://www.ioplex.com/
RE: [ActiveDir] The remote computer has ended the connection.
In W2K days, I would *always* log off an admin TS session and then do a remote shutdown/reboot. Executing a shutdown from within the interactive session was problematic, to say the least. I think part of it was breaking down TS-generated printer connections. I don't see this problem with W2K3. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, October 18, 2006 2:13 AM To: ActiveDir.org Subject: Re: [ActiveDir] The remote computer has ended the connection. Does logging off before the shutdown happens still cancel the shutdown? It used to be a top-tip in NT, but I can never reproduce this in 2Kx. Regards, Mark Parris Base IT Ltd Active Directory Consultancy Tel +44(0)7801 690596 -Original Message- From: Brian Desmond [EMAIL PROTECTED] Date: Tue, 17 Oct 2006 17:21:07 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. My experience has been that it never actually reboots and I have to issue a shutdown -r -f -t 3 -m \\screwedupserver remotely. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael A. Barker Sent: Tuesday, October 17, 2006 5:48 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. Are you really sure the system rebooted the first time? I've seen this twice in the last two months and all the machines I got to before someone rebooted them never actually shut down the first time. Connect and look at the logs or use the uptime command to check when the last reboot was. I think you'll find it never really went down. You do however get the very familiar disconnect message which leads you to believe the machine is going down. For VIP systems I like to "ping -t IPAddress" and see that it goes down and comes back up.
With that said I've never had a problem with patching from RDP (using WSUS) and then signing off to later send a reboot command over the wire. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Tuesday, October 17, 2006 12:01 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. Yes, it doesn't happen with any other servers, but I have rebooted it more than twice, with no good luck. What do you guys suggest in this case? Did only rebooting a second time resolve the issue for you? It worked for me when I disjoined it from my domain, but I am sure this has nothing to do with any GPO. Also, the same thing happened for me when I joined this to any other domain other than the previous one. Thanks!!! Ravi From: [EMAIL PROTECTED] on behalf of Thommes, Michael M. Sent: Tue 10/17/2006 8:33 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. I have also seen where a second reboot is necessary for RDP to work. I have not determined the cause of this yet. It does not happen on all servers. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona Sent: Tuesday, October 17, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP. It cleared after rebooting a second time. Root cause? Unknown at this time. -vC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Tuesday, October 17, 2006 8:28 AM To: activedir@mail.activedir.org Subject: [ActiveDir] The remote computer has ended the connection. Importance: High Hi, I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server.
error "The remote computer has ended the connection." However if I am using mstsc /v:IP Address /console it lets me connect to it. Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode. This all happened when I rebooted my server. Please suggest what can be done to normalize the things. Thanks!!! Ravi
RE: [ActiveDir] The remote computer has ended the connection.
I have also seen where a second reboot is necessary for RDP to work. I have not determined the cause of this yet. It does not happen on all servers. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona Sent: Tuesday, October 17, 2006 10:29 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] The remote computer has ended the connection. I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP. It cleared after rebooting a second time. Root cause? Unknown at this time. -vC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Tuesday, October 17, 2006 8:28 AM To: activedir@mail.activedir.org Subject: [ActiveDir] The remote computer has ended the connection. Importance: High Hi, I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server. error "The remote computer has ended the connection." However if I am using mstsc /v:IP Address /console it lets me connect to it. Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode. This all happened when I rebooted my server. Please suggest what can be done to normalize the things. Thanks!!! Ravi
RE: [ActiveDir] The remote computer has ended the connection.
Hi Susan, I didn't mean to imply that this was just with the last set of patches. I think your note says that you have been seeing this for a while. We have too. One of the guys in my group uses Update Expert to patch and he sees it more often than I do. Of course, he patches a lot more servers than I do. Another part of the group uses WSUS and they have not mentioned any issues; but then again, they don't TS into computers much. And yes, I will bring it up with my TAM (again?). I think I had mentioned it to him previously but never started anything formal on it. Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Tuesday, October 17, 2006 10:54 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] The remote computer has ended the connection. Can you PLEASE call into Microsoft PSS or your tam or pam or whatever and report this? Along with anyone else seeing this issue? I know that calling into PSS can be a pain, but please report this issue. We are seeing this more and more and I need to have bodies called in. We seriously need to get to the bottom of this because in the SBS space we do a lot of remote management and if the RDP dies we have to fall back to ILOs and this isn't acceptable in my book for patching to do this. Do you rely on WSUS? Vinnie Cardona wrote: I have noticed that after updating to the latest security patches and rebooting that some (not all) of my servers had issues with RDP. It cleared after rebooting a second time. Root cause? Unknown at this time. -vC From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Technical Support Sent: Tuesday, October 17, 2006 8:28 AM To: activedir@mail.activedir.org Subject: [ActiveDir] The remote computer has ended the connection. Importance: High Hi, I am trying to access one of my servers using Remote Connection. I am using mstsc but it's not connecting me to the server.
error "The remote computer has ended the connection." However if I am using mstsc /v:IP Address /console it lets me connect to it. Problem is in this mode I can use only an admin id when connected like this. I want my engineers (who don't have administrator privileges) to access this. It's not possible in this mode. This all happened when I rebooted my server. Please suggest what can be done to normalize the things. Thanks!!! Ravi -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs
RE: [ActiveDir] Determine disabled computer accounts
Check out oldcmp at http://www.joeware.net/win/free/tools/oldcmp.htm Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP Sent: Monday, October 16, 2006 12:50 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Determine disabled computer accounts Hello all I'm trying to determine the number of computer accounts as well as which are disabled for our three domains. I've tried Quest Reporter, ADUC and Hyena but I'm not able to get the disabled computers from any of those tools. I'm assuming at this point it will take a script but I'm not sure of the attribute to use. From what I've gathered from web searches it looks like I should use the userAccountControl attribute. But that doesn't seem to give me the necessary answer either. Any help is appreciated. Thanks Jerry
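Jerry is right that userAccountControl is the attribute; the catch is that it is a bit field, so you test a flag rather than compare the whole value. The same applies to groupType, which is why the value -2147483646 in the "AD Security Group Information" reply earlier on this page looks odd: it is 0x80000002, the SECURITY_ENABLED bit plus the GLOBAL bit, stored as a signed 32-bit integer. The following is an added example, not code from either thread: it decodes both attributes and builds LDAP filters that use the bitwise AND matching rule (OID 1.2.840.113556.1.4.803), which any LDAP client, adfind included, can send to a DC. The computer rows are constructed samples.

```python
"""Decode AD bit-flag attributes and query them with the LDAP bitwise AND rule.

Added example, not code from the ActiveDir threads. Serves both the group
clean-up question (groupType) and the disabled-computer question
(userAccountControl). SAMPLE_COMPUTERS is a constructed sample.
"""

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# groupType flags (MS-ADTS 2.2.12)
GROUP_TYPE_FLAGS = {
    0x00000001: "BUILTIN_LOCAL",
    0x00000002: "GLOBAL",
    0x00000004: "DOMAIN_LOCAL",
    0x00000008: "UNIVERSAL",
    0x80000000: "SECURITY_ENABLED",   # clear => distribution group
}

# The userAccountControl flags most often needed for account hygiene
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
}


def to_unsigned32(value: int) -> int:
    """AD returns these as signed 32-bit ints; adfind prints e.g. -2147483646."""
    return value & 0xFFFFFFFF


def decode_flags(value: int, table: dict) -> list:
    """Names of the flags set in value, in ascending bit order."""
    v = to_unsigned32(value)
    return [name for bit, name in sorted(table.items()) if v & bit]


def bit_and_filter(attribute: str, flag: int) -> str:
    """(attr:1.2.840.113556.1.4.803:=flag) matches objects with that bit set."""
    return f"({attribute}:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def security_groups_filter() -> str:
    """All security-enabled groups regardless of scope."""
    return "(&(objectClass=group)" + bit_and_filter("groupType", 0x80000000) + ")"


def global_security_groups_filter() -> str:
    """Equivalent of groupType=-2147483646, written as two bit tests so it
    does not depend on the signed representation."""
    return ("(&(objectClass=group)"
            + bit_and_filter("groupType", 0x00000002)
            + bit_and_filter("groupType", 0x80000000) + ")")


def disabled_computers_filter() -> str:
    """Computer objects with ACCOUNTDISABLE set."""
    return ("(&(objectCategory=computer)"
            + bit_and_filter("userAccountControl", 0x00000002) + ")")


def is_disabled(uac: int) -> bool:
    return bool(to_unsigned32(uac) & 0x00000002)


# Constructed rows as a (sAMAccountName, userAccountControl) export might look.
SAMPLE_COMPUTERS = [
    ("WS001$", 0x1000),              # enabled workstation
    ("WS002$", 0x1000 | 0x0002),     # disabled workstation
    ("DC01$", 0x2000 | 0x80000),     # DC, trusted for delegation
]


def disabled_computers(rows: list) -> list:
    return [name for name, uac in rows if is_disabled(uac)]


if __name__ == "__main__":
    print(decode_flags(-2147483646, GROUP_TYPE_FLAGS))
    print(global_security_groups_filter())
    print(disabled_computers_filter())
    for name, uac in SAMPLE_COMPUTERS:
        print(name, decode_flags(uac, UAC_FLAGS))
```

Feed the filter strings to adfind with `-f`; the point of the matching-rule form is that it keeps working when other bits (for example PASSWD_NOTREQD on a computer object) are also set, which an equality test on the whole value would miss.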
RE: [ActiveDir] Discovering LDAPS availability
In this context, would it make sense to write/use a servicePrincipalName value? (maybe even using admod/adfind 8-) ) Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, October 11, 2006 9:42 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Discovering LDAPS availability The alternate solution I previously mentioned to David and his cohorts in crime was a distasteful but functional solution of writing their own service or script to register the records based on that script/service querying the DCs and getting their LDAPS capability at any given point and then being aware that there will be some level of latency there. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Wednesday, October 11, 2006 3:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Discovering LDAPS availability The project that I'm working on makes heavy use of LDAPS. However, at the moment, we favour the latter statement - the built DCs don't leave staging until the certs are pulled. They must be signed off, and that's one of the last items on the deployment check list. We'll probably automate this check soon, but we're too busy with automating the builds at the moment. Personally, I like the idea of _ldaps SRV RRs. Although I can appreciate there's a bit more to it from MSFT's point of view than simply getting NETLOGON to register them in DNS. --Paul - Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, October 10, 2006 10:45 PM Subject: RE: [ActiveDir] Discovering LDAPS availability Hmm doesn't look like anyone else has figured this out or just doesn't deploy LDAPS or alternately makes sure every DC is capable of LDAPS.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Loder Sent: Friday, October 06, 2006 8:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Discovering LDAPS availability joe's absolutely right. What's trying to be accomplished is to publish new LDAPS SRV records for a 300+ DC environment. But I don't want to just blindly assume each DC properly enrolled with the CA (we had problems like that at the beginning), and I'd really like to avoid the overhead of touching each DC. Unfortunately, that's about the only viable method I see. We have a DCR in with MS to change the behavior so that the DCs automatically publish LDAPS if it's available. But what we're hearing right now is that it's probably not in the pipeline until LH SP1. --- joe [EMAIL PROTECTED] wrote: LDAPS records aren't published by DCs, only LDAP records. I can assure you if it were that easy, David wouldn't have had an issue. From what I have seen, if a secure LDAP connection is required, the internal routines from MSFT simply locate a DC and go to the port. If LDAPS isn't hot, the connection is dropped with server down error. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, October 05, 2006 6:28 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Discovering LDAPS availability Couldn't you just query the DNS for the SRV record advertising it... 
Matt Duguid Systems Engineer for Identity Services Department of Internal Affairs Phone: +64 4 4748028 (Wellington) Mobile: +64 21 1713290 Fax: +64 4 4748894 Address: Level 4, 47 Boulcott Street, Wellington CBD E-mail: [EMAIL PROTECTED] Web: http://www.dia.govt.nz/ From: David Loder [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Sent: 06/10/2006 08:56 a.m. To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Discovering LDAPS availability
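The thread settles on the point that DCs register _ldap SRV records but nothing for LDAPS, so the only way to know a DC can serve port 636 is to try it, and joe's fallback is a script that does exactly that and publishes its own records. The following is an added example of that script's core, not code from joe, David or the thread: it completes a TLS handshake against each DC on 636 with certificate verification, and emits the _ldaps._tcp SRV records for the ones that pass. The domain name, host list and CA bundle path are placeholders. A DC that has no usable server-authentication certificate accepts the TCP connect and then drops the ClientHello, which is the "server down" behaviour joe describes, and that shows up here as a failed handshake rather than as success.

```python
"""Probe DCs for LDAPS and plan the _ldaps._tcp SRV records to publish.

Added example, not code from the ActiveDir thread. Assumptions: hosts are
resolvable DC FQDNs, cafile points at the enterprise CA chain (None uses
the OS trust store), and records are published by whatever DNS update
mechanism the site already uses.
"""
import socket
import ssl

LDAPS_PORT = 636


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Return (ok, detail). ok is True only if the TLS handshake completes,
    the certificate chains to a trusted CA and its name matches host.
    A missing or wrong server cert on the DC surfaces as ssl.SSLError or a
    connection reset, both of which are reported as not capable."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, f"{tls.version()} subject={cert.get('subject')}"
    except (OSError, ssl.SSLError) as exc:   # SSLError is an OSError; listed for clarity
        return False, f"{type(exc).__name__}: {exc}"


def plan_ldaps_srv(domain, dc_hosts, probe=probe_ldaps):
    """Emit one RFC 2782 SRV tuple (name, priority, weight, port, target) per
    DC that passes the probe, using the same priority/weight Netlogon uses
    for _ldap._tcp. `probe` is injectable so the planning step can be
    exercised without a network."""
    records, skipped = [], []
    for host in dc_hosts:
        ok, detail = probe(host)
        if ok:
            records.append((f"_ldaps._tcp.{domain}", 0, 100, LDAPS_PORT, host))
        else:
            skipped.append((host, detail))
    return records, skipped


if __name__ == "__main__":
    import sys
    # usage: python ldaps_probe.py domain.example dc1.domain.example dc2...
    domain, hosts = sys.argv[1], sys.argv[2:]
    recs, skipped = plan_ldaps_srv(domain, hosts)
    for name, prio, weight, port, target in recs:
        print(f"{name} SRV {prio} {weight} {port} {target}")
    for host, why in skipped:
        print(f"skip {host}: {why}", file=sys.stderr)
```

Run it from a machine that trusts the enterprise CA; a DC that connects on 636 but fails verification is precisely the case David wanted to catch before a record is published. Re-run on a schedule, since a certificate that expires or is revoked after publication leaves a stale record until the next pass, which is the latency joe mentions.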
[ActiveDir] problem changing employeeID attribute value
For an AD user account, we normally populate the attribute employeeID with a value. Circumstances surrounding some accounts require me to unpopulate this value. In ADSIEdit, however, when I go to this Unicode String valued attribute with the Edit function, I can delete the value but when I go to save it, I get "The parameter is incorrect." An unpopulated normal value shows "<not set>" (without the quotes). Is it possible I should type in "not set" instead of just trying to delete the value? It just doesn't seem right. What am I doing wrong? Any help is appreciated! TIA! Mike Thommes
RE: [ActiveDir] problem changing employeeID attribute value
Hi Andrew, I am embarrassed the answer was so simple. (I thought I tried that; obviously not!) Thanks! -mike From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Cace Sent: Tuesday, October 10, 2006 11:46 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] problem changing employeeID attribute value Try clicking the 'Clear' button instead of deleting the value. -Andrew From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, October 10, 2006 11:29 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] problem changing employeeID attribute value For an AD user account, we normally populate the attribute employeeID with a value. Circumstances surrounding some accounts require me to unpopulate this value. In ADSIEdit, however, when I go to this Unicode String valued attribute with the Edit function, I can delete the value but when I go to save it, I get "The parameter is incorrect." An unpopulated normal value shows "<not set>" (without the quotes). Is it possible I should type in "not set" instead of just trying to delete the value? It just doesn't seem right. What am I doing wrong? Any help is appreciated! TIA! Mike Thommes
RE: [ActiveDir] Who keeps creating this folder files?!
Try FileNotify freeware at http://www.xtware.com/ Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Falde Sent: Thursday, October 05, 2006 1:19 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Who keeps creating this folder files?! Drop filemon on the box with a filter for mp3 and just let it stay running in a disconnected ts window would probably be one method. Kurt Falde From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J B Sent: Thursday, October 05, 2006 12:57 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Who keeps creating this folder files?! Argh! On one of our file servers, there is a public directory that allows any authenticated user to do anything within it (minus changing permissions). MP3 files and folders appear there every so often and are removed soon thereafter. Is there some way for me to tell who has created these folders and MP3 files? Every time I check, no one is currently accessing the files - which would be an easy way for me to know...
RE: [ActiveDir] 200 users network. Adding 2 classes to the GC
Hi Rezuma, I suspect you might run into the same issue I had when I did the R2 forestprep with SFU 3.5 (although you have the earlier SFU 3.0). If so, see the fixup from Steve Linehan posted to this newsgroup on 8/7/06 (and my comment from 8/12/06). Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, October 03, 2006 11:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC You get the R2 CD and do the forestprep, it will install the entire R2 schema which includes all of those Unix interop classes and attributes. You do not really want to do this manually or it could be troublesome later. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Tuesday, October 03, 2006 11:53 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC We are using windows 2003 servers. But what I need is, to add those 2 classes that already exist in the AD schema to the global catalog so they replicate through the GCs in the forest. How do I add 2 whole classes with their attributes? Changing the "replicate this attribute in the global catalog" option attribute by attribute? Thanks Rezuma From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, October 03, 2006 11:25 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC Modifying the schema except for indexing or adding PAS attributes in a forest with Windows 2000 domain controllers is really a non-event when done properly with proper OIDs and names. Indexing can work your DCs a little as the new indexes have to be created but it depends on the attribs being indexed and what type of index is being created on how much that will hit your DC. Usually I would say it is minimal impact.
With Windows 2000 GCs, you get to enjoy a full PAS refresh which generates a considerable amount of replication. Simply, if you are running Windows 2000 DCs, why in the world are you doing so, upgrade already, 2003 has been around for 3 years already and has a ton of AD enhancements. In a small network like yours, I wouldn't expect even a small burp even in the worst case unless you have few users and a ton (tens or hundreds of thousands) of other types of objects. You would mention that though I expect. joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Tuesday, October 03, 2006 8:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC Thanks for the info, how do I go about adding them to the GC? And, being a small network, do you see any dramatic effect to doing that? In terms of replication I mean. Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, October 02, 2006 11:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 200 users network. Adding 2 classes to the GC SFU30 is pretty old. What you really should do is apply the Windows Server 2003 R2 Schema which has the aux classes: posixAccount posixGroup joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Monday, October 02, 2006 3:06 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 200 users network. Adding 2 classes to the GC Hi, I have a Unix application that uses LDAP queries. The developer is telling me that 2 classes should be available in the GC (they need to query the whole forest for some information). The classes are msSFU30PosixAccount and msSFU30PosixGroup. How do I add a whole class to the GC? I know how to add an attribute, do I have to go attribute by attribute?
We only have 200 users and not many AD objects, is there a reason why I should not add those 2 classes, in terms of replication I mean and for a small network like this. Thanks Rezuma
RE: [ActiveDir] different version of R2 available?
Thanks for all of the replies! I actually was able to get a hold of the Standard and Enterprise versions of R2 (aka Disk 2) to do a compare (windiff.exe) and there are differences. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, September 20, 2006 5:58 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] different version of R2 available? My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA! Mike Thommes
[ActiveDir] different version of R2 available?
My officemate and I were discussing whether there are different versions of the R2 CD depending on whether you're running Server 2003 Standard or Server 2003 Enterprise. Or is there only one version of R2? TIA! Mike Thommes
RE: [ActiveDir] OT: Protecting against Spyware/Adware
Touche 8-) Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, September 14, 2006 5:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware I run as local admin and have zero issues with spyware? Coincidence? ;o) -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott Sent: Thursday, September 14, 2006 11:33 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Protecting against Spyware/Adware Nobody runs as a local administrator. We have zero issues with spyware. Coincidence? From: [EMAIL PROTECTED] on behalf of Chris Pohlschneider Sent: Thu 9/14/2006 9:44 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Protecting against Spyware/Adware Just curious what other people are using for protecting against adware/spyware? We are using Webroot Spysweeper right now, but I see some performance hits on computers running this software and it does work, but it causes headaches while installing some apps that we approve. Any suggestions are appreciated. Chris Pohlschneider Holloway Sportswear IT 937-494-2559 937-497-7300 (Fax) [EMAIL PROTECTED]
[ActiveDir] OT: uptime.exe in a 2003/sp1 world - problem
Hi, I have moved a job that employs uptime.exe (in a loop using the FOR command) from a Windows 2000/SP4 server to a Windows 2003/SP1 server. Now part way through the job, I get: Event Type: Information Event Source: Application Popup Event Category: None Event ID: 26 Date: 9/7/2006 Time: 9:29:36 AM User: N/A Computer: ODDJOB221 Description: Application popup: UPTIME.EXE - Application Error : The instruction at 0x7c837cf5 referenced memory at 0xfffd. The memory could not be read. Click on OK to terminate the program Click on CANCEL to debug the program For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Any thoughts? TIA! Mike Thommes
RE: [ActiveDir] Separate Administrator password policy
We are still testing PassFiltPro software (http://www.altusnet.com/products/) which supposedly has the ability with one of its versions (MPE) to enforce different password policies based on global groups. This is mentioned only for information, not endorsement, at this time. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF NASIC/SCNA Sent: Thursday, August 31, 2006 7:15 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Separate Administrator password policy Just wanted to field this to see if it makes any sense to any of you guys. We are going to implement a mandatory 15 character password policy for all of our administrator accounts. The only way that makes sense is a subdomain with a separate password policy, since there is only one per domain. I also know that I have to edit the minPwdLength attribute and the uASCompat attribute to make this work on the subdomain. Can anyone think of another method of doing this? Thanks, Nate Bahta
[ActiveDir] www.activedir.org MIA?; storing pictures in AD?
Can anyone else get to the archives? Specifically, I was looking for a thread from, I think, a couple of years ago where there was discussion about storing (not storing?) employee pictures in AD. I am concerned about how that attribute will grow our DIT. I seem to recall that maybe just a pointer could be stored that would point to maybe an oracle or access database. Any thoughts/recalls? Thanks! Mike Thommes
RE: [ActiveDir] nslookup. AD beginner question
I am guessing, based on the port number, you have a DNS A record for this computer in gc._msdcs.domain.com. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan Sent: Tuesday, August 29, 2006 10:06 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginner question I did the nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com and I got _ldap._tcp.dc._msdcs.domain.com SRV service location: priority = 0 weight = 100 port = 389 svr hostname = sami.domain.com I can't find that machine anywhere, not in the AD or DNS server!!! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Tuesday, August 29, 2006 10:15 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] nslookup. AD beginner question I think the key to this question is a very simple troubleshooting step. Go into DNS and look at the (same as parent folder) records. Delete the ones that aren't currently DNS servers. If you are using AD integrated DNS, then this should be any domain controllers that you want clients to get DNS from. Give it a day or two and see if the bad ones come back. If they don't then you can assume this was an obsolete entry. If they do then you can start looking for why. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams Sent: Tuesday, August 29, 2006 4:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] nslookup. AD beginner question If you do NSLOOKUP DOMAIN-NAME.COM then you will get a list of all the DNS servers for that domain. For example, if you are using AD-Integrated DNS, you will get a list of any DCs that are also DNS servers. Basically, that command returns the (Same as parent) records for the domain. If you want to pull all DCs in the domain, you need to run something like this: nslookup -type=srv _ldap._tcp.dc._msdcs.domain-name.com If you run the above command and get computer accounts back, see kb825675 as referenced by Steve.
I wasn't aware that that bug also registered A records for the domain name, but it might... If you're new to NSLOOKUP, consider what information you want. There's a bunch of different types of DNS record that might be of interest (A, CNAME, PTR, SRV, MX). When troubleshooting AD, the main ones to look for are A and SRV (there's also an instance where you need to check the CNAME record too). Remember that simply pinging a DC doesn't mean that the necessary SRV records are in place. I personally always advise people to use a combination of NSLOOKUP and NLTEST to troubleshoot DNS and the locator process. Use NSLOOKUP to see if the records that you expect are there, and NLTEST to make the DsGetDC and DsGetSite calls. --Paul - Original Message - From: Ramon Linan To: ActiveDir@mail.activedir.org Sent: Monday, August 28, 2006 7:14 PM Subject: [ActiveDir] nslookup. AD beginer question Hi Everyone, When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the dns server in my domain? A list of the DC? The fact is that I am doing nslookup and I am getting, domain controllers but also a users computer Thanks
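Paul's advice is to use NSLOOKUP to see whether the SRV records you expect are there and NLTEST to exercise the locator. The script below is an added example, not code from the thread, that does the NSLOOKUP half offline: it parses the `nslookup -type=srv` listing in the format Ramon pasted, orders the targets the way a locator client prefers them (lowest priority first, then weight, per RFC 2782), and flags any SRV target that is not one of your known domain controllers or has no A record in the listing. That is how a stray entry like `sami.domain.com` shows up. The sample output, the host names, the addresses and the DC list are all constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com`
# prints on Windows. Host names and addresses are made up for this example;
# "sami.domain.com" plays the role of the stray entry from the thread.
SAMPLE_NSLOOKUP = """\
Server:  dc1.domain.com
Address:  10.10.0.5

_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc2.domain.com
_ldap._tcp.dc._msdcs.domain.com SRV service location:
          priority       = 10
          weight         = 0
          port           = 389
          svr hostname   = sami.domain.com
dc1.domain.com  internet address = 10.10.0.5
dc2.domain.com  internet address = 10.10.0.6
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


_HEADER = re.compile(r"^(\S+)\s+SRV service location:\s*$")
_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")
_ADDR = re.compile(r"^(\S+)\s+internet address\s*=\s*(\S+)\s*$")


def _record(name: str, f: dict) -> SrvRecord:
    return SrvRecord(name, int(f["priority"]), int(f["weight"]),
                     int(f["port"]), f["svr hostname"].rstrip(".").lower())


def parse_nslookup_srv(text: str) -> list[SrvRecord]:
    """Turn the nslookup SRV listing into records; each header line starts a new one."""
    records, name, fields = [], None, {}
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            if name and len(fields) == 4:
                records.append(_record(name, fields))
            name, fields = m.group(1), {}
            continue
        m = _FIELD.match(line)
        if m and name is not None:
            fields[m.group(1)] = m.group(2)
    if name and len(fields) == 4:
        records.append(_record(name, fields))
    return records


def parse_addresses(text: str) -> dict[str, str]:
    """The glue A records nslookup prints after the SRV records."""
    return {m.group(1).rstrip(".").lower(): m.group(2)
            for m in map(_ADDR.match, text.splitlines()) if m}


def locator_order(records: list[SrvRecord]) -> list[str]:
    """Targets in the order a client prefers them: lowest priority first, then
    highest weight (RFC 2782 picks randomly by weight; this is deterministic)."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight, r.target))]


def stale_targets(records: list[SrvRecord], known_dcs: list[str]) -> list[str]:
    """SRV targets that are not domain controllers you actually have."""
    known = {h.rstrip(".").lower() for h in known_dcs}
    return sorted({r.target for r in records if r.target not in known})


def unresolved_targets(records: list[SrvRecord], addresses: dict[str, str]) -> list[str]:
    """SRV targets with no A record in the listing: a record that points at nothing."""
    return sorted({r.target for r in records if r.target not in addresses})


if __name__ == "__main__":
    recs = parse_nslookup_srv(SAMPLE_NSLOOKUP)
    print("locator order:", locator_order(recs))
    print("not a known DC:", stale_targets(recs, ["dc1.domain.com", "dc2.domain.com"]))
    print("no A record:", unresolved_targets(recs, parse_addresses(SAMPLE_NSLOOKUP)))
```

Feed it the real listing by redirecting `nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com > srv.txt` and passing the file contents in place of the sample; the known-DC list is whatever you trust more than DNS (the Domain Controllers OU, for instance). Anything reported as stale is a record to remove, or, if it comes back, a machine that is still registering.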
RE: [ActiveDir] nslookup. AD beginner question
You should get back your domain controllers' IP addresses. Is it possible that your user's computer has gotten the IP of an old DC?

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Monday, August 28, 2006 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

Thanks, but after reading all that I still was not able to find out what kind of information you get when you do lookup domain.com, being domain.com your AD domain, and why I am getting a user's computer.

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji
Sent: Monday, August 28, 2006 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] nslookup. AD beginner question

http://www.cni.org/pub/inetroom/nslookup.html
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup.mspx?mfr=true
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/nslookup__subcommands.mspx?mfr=true

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Ramon Linan
Sent: Mon 8/28/2006 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] nslookup. AD beginner question

Hi Everyone,

When I do a nslookup domain.com, being domain.com my AD domain, what should I see? A list of the DNS servers in my domain? A list of the DCs? The fact is that I am doing nslookup and I am getting domain controllers but also a user's computer.

Thanks
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
Thanks to all who responded! The problem was solved by installing our local root CA cert on the outside computer since we are rolling our own and not using one of the well known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
Hi joe,

The CRL location is *not* available from the outside. And since neither adfind, ldp or Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!)

Mike Thommes

From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 8/23/2006 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS, it doesn't seem to be needed but my testing has been far from perfect in that regard.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 23, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Thanks to all who responded! The problem was solved by installing our local root CA cert on the outside computer since we are rolling our own and not using one of the well known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
[ActiveDir] Secure LDAP queries from the outside
Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
RE: [ActiveDir] Secure LDAP queries from the outside
Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] User AutoEnrollment
Maybe the CRL (Certificate Revocation List) location is not available?

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Wednesday, August 16, 2006 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User AutoEnrollment

Event Source: AutoEnrollment
EventID: 15

Does anyone have a better definition of what this is? Half of my machines cannot find the domain this morning. Lots of eventid 15 showed up. I went into GPO and disabled autoenrollment in both computer and user settings. BAM! Everyone can log on again.

-Z.V.
RE: [ActiveDir] Adding the first Win2003 R2 DC
I fixed this issue with ldp and Steve Linehan's instructions to the list about two weeks ago. Microsoft supposedly has an unofficial patch to fix this issue. Talk to your TAM.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 15, 2006 6:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

All of the issues I have heard of around R2 ForestPrep have been around the mangling of the SFU attributes that has been discussed here. I am not sure why MSFT is acting surprised about it. Aric Bernard (from the list here) encountered it and told them about it in the beta groups a long long time ago.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Patton
Sent: Monday, August 14, 2006 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Did you run into any issues performing this upgrade?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, July 27, 2006 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding the first Win2003 R2 DC

Thanks to all for the responses.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, July 27, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding the first Win2003 R2 DC

You need to run forestprep from the R2 CD on your schema master. Paul has a nice summary here: http://www.msresource.net/content/view/60/47/ and more from Microsoft: http://technet2.microsoft.com/WindowsServer/en/library/5022eea0-54bc-422f-b98b-ddb836c8ee851033.mspx?mfr=true

Thanks
Mike

On 7/27/06, Lucas, Bryan [EMAIL PROTECTED] wrote:

I have 4 DC's that are Win2003 SP1 and 1 DC that is still Win2000 SP4. I'd like to add a new DC that is Win2003 R2. Is there anything special I need to do (i.e. forestprep/domainprep) or can I join it just like another Win2003 SP1 DC?

Thanks,
Bryan Lucas
Server Administrator
Texas Christian University
RE: [ActiveDir] joe - please say it isn't so!
So here I went to take a look at Dean's article, and I find this: http://blog.joeware.net/cat/recipes/ , expecting to find more of joe's great adfind codes. At first, I thought it got misfiled and should have been filed under "humor" but I suspect this is hardly funny. Joe, are you pulling our collective legs? Please tell me this blog is a poor Michigander's joke! If not, please take me with you to New Zealand. I need to see first hand that the Brown Trout there are bigger than they are in Michigan! ;-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-) However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@

On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:

Why thank you but who said otherwise? ;0)

--
Dean Wells
MSE technology * Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808

I don't care what anyone says. That's a damn fine article. I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:

Alter ego! my thanks are due, worked out a treat - so the GC's are not so ***'d as i thought. any info on the concept of the phantoms though ??

GT

Hey Robert,

In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:

HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is:

HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the article...next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,

This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information: http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause. Have a great day!

Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all,

am experiencing issues that i think attributable to the concept of Active Directory phantoms. the symptom is that when we open certain global groups the membership list comes out with grey icons. this is not all groups - affected ones being - Domain Users / Domain Computers. must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup ?? i can for sure confirm that the GC port 3268 is open on the GC's. not sure why, as the group / user members are in the same domain ? after the understanding of what is going on here is, of course, 'HOW DO WE FIX' ??

technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running the 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve the directory issue. would seem not in this case ? as a point to note, neither netdiag nor dcdiag are coming up with anything conclusive in this respect.

help as always gladly received

GT
RE: [ActiveDir] [OT] joe - please say it isn't so!
<look stupid>
And here the newsgroup was telling me about "check the date". April Fools Day did not even dawn on me! (can't see the forest through the trees.) Boy, joe, you must write convincingly, or maybe I was too focused on New Zealand and those Brown Trout!
</look stupid>

:-o

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] joe - please say it isn't so!

It ain't so. :) Happy April Fool's day...

Though I have to say, it felt good writing that. Building a fountain in the middle of New Zealand so you can appreciate it from a hammock sounds like a good gig.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, August 14, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] joe - please say it isn't so!

So here I went to take a look at Dean's article, and I find this: http://blog.joeware.net/cat/recipes/ , expecting to find more of joe's great adfind codes. At first, I thought it got misfiled and should have been filed under "humor" but I suspect this is hardly funny. Joe, are you pulling our collective legs? Please tell me this blog is a poor Michigander's joke! If not, please take me with you to New Zealand. I need to see first hand that the Brown Trout there are bigger than they are in Michigan! ;-)

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

joe said "pretty decent" http://blog.joeware.net/2006/06/08/400/

I think that's an understatement ;-) However, my profuse thanks to joe too. I wasn't aware of the article until he blogged it.

M@

On 8/14/06, Dean Wells [EMAIL PROTECTED] wrote:

Why thank you but who said otherwise? ;0)

--
Dean Wells
MSE technology * Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, August 14, 2006 2:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]

http://searchwinit.techtarget.com/originalContent/0,289142,sid1_gci1192821,00.html?track=NL-463ad=554811USCAad=554808

I don't care what anyone says. That's a damn fine article. I couldn't possibly thank Dean enough for that info.

M@

On 8/14/06, Graham Turner [EMAIL PROTECTED] wrote:

Alter ego! my thanks are due, worked out a treat - so the GC's are not so ***'d as i thought. any info on the concept of the phantoms though ??

GT

Hey Robert,

In the article you posted, the registry key is incorrect in the KB content. It lists the registry key as:

HKCU\Software\Policies\Microsoft\Windows\Directory

However, the correct registry key is:

HKCU\Software\Policies\Microsoft\Windows\Directory UI

I've sent a comment to my former employer to ask for them to fix the article...next time, test it *before* you post!

Your Alter Ego,
Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Williams, Robert
Sent: Monday, August 14, 2006 9:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]

Hey Graham,

This may not be what you're experiencing, but it could be worth it to check to see how many members you have in the group(s) in question. By default, if the group has over 500 members in it, the user icons inside the group will turn grey. Check out this article for more information: http://support.microsoft.com/kb/q281923/

Let us know if that turned out to be the cause. Have a great day!

Robert Williams

-Original Message-
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Monday, August 14, 2006 9:01 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir]

Dear all,

am experiencing issues that i think attributable to the concept of Active Directory phantoms. the symptom is that when we open certain global groups the membership list comes out with grey icons. this is not all groups - affected ones being - Domain Users / Domain Computers. must confess to not a full understanding of the issue here - but it seems this relates in some way to GC lookup ?? i can for sure confirm that the GC port 3268 is open on the GC's. not sure why, as the group / user members are in the same domain ? after the understanding of what is going on here is, of course, 'HOW DO WE FIX' ??

technet seems to reference a concept of 'phantom clean up task' - a process that runs on the server running the 'INFRASTRUCTURE MASTER' fsmo role on a scheduled basis to resolve
RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question
Hi Freddy,

Thanks for the feedback. But I get the same result from the W2K lsview.exe. And this is running these tools right on the license server/domain controller! I am thinking that I need to manually populate the AD group Terminal Server Licensing Servers. Conversely, I hate making changes when there are no known problems.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Sunday, August 06, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi Mike

I had the same problems, on which I actually logged a PSS call; try using the Windows 2000 resource kit version of lsview.exe and it works fine. Basically, if I remember this correctly, using the Win2003 lsview.exe it will only detect it if your machine is in the same site as the TSLS server; if you are running the lsview on a machine that is outside the site, it wouldn't detect it. No solution, fed up with the answers I was getting - closed the ticket (as I thought this only occurs in my ex company, apparently now I'm getting the same result as well).

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, August 05, 2006 5:04 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Enterprise Terminal Server Licensing Server question

Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates but the spotlight icon shows green (ie, everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,
Mike Thommes
[ActiveDir] OT: Enterprise Terminal Server Licensing Server question
Hi,

This is not causing any issues that I am aware of, but something does not seem right. We set up two Enterprise Terminal Server Licensing Servers, both DCs. They are both identified in CN=TS-Enterprise-License-Server,CN=site-name,CN=Sites,CN=Configuration,DC=something,DC=com under the attribute siteServer. When I run the GUI LSVIEW.EXE from the W2K3 ResKit, nothing populates but the spotlight icon shows green (ie, everything is hunky-dory). Some more research shows that the AD group Terminal Server License Servers has *no* members! Would it make sense to populate this group with the appropriate servers? Any idea why it wouldn't have been populated in the first place?

TIA,
Mike Thommes
RE: [ActiveDir] root admin account able to be locked out?
Jorge (and joe),

Thanks for your reply on this issue!

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, July 18, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] root admin account able to be locked out?

My experience with this is the default ADMINISTRATOR can be locked out (wait before shouting!). What I mean is that if you have a lockout threshold of, let's say, 5, the lockoutTime attribute will show the lockout date and time the account was locked. In ADUC (using another custom admin account for example) you will see the default ADMINISTRATOR is locked. You will even see an event ID 644 mentioning the account lockout. HOWEVER, here it comes... while the default ADMINISTRATOR is locked, it will be unlocked automatically by the SYSTEM (DC) AS SOON AS the correct password is used (even before it is unlocked after the unlock period).

jorge

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 2006-07-18 20:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] root admin account able to be locked out?

Hi AD Gurus!

We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.)

I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was, or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!).

Thanks much!
Mike Thommes
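The debate above turns on two attributes of the account that was reported locked: its objectSid (the RID 500 account is the built-in Administrator of whichever domain or machine issued the SID) and its lockoutTime (a Windows FILETIME that AD resets to 0 on unlock). The script below is an added example, not from the thread, that decodes both and reports whether a lockout is still in force for a given lockout duration; it also models a lockout duration of 0 (locked until an administrator unlocks). The domain SID and the lockout timestamp in the sample are constructed; nothing here reproduces the unlock-on-correct-password behaviour Jorge describes, which only the DC can show you.

```python
import struct
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime (and pwdLastSet, lastLogon, ...) as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC. 0 means "not locked / never set".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int):
    if ticks in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic on purpose: the tick count exceeds float precision.
    delta = dt - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def sid_to_string(blob: bytes) -> str:
    """Decode the binary objectSid: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here only to build the constructed sample."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid(sid: str) -> int:
    """The relative identifier: the last sub-authority."""
    return int(sid.rsplit("-", 1)[1])


def is_builtin_administrator(sid_blob: bytes) -> bool:
    """RID 500 is the built-in Administrator of the domain (or machine) that issued the SID."""
    return rid(sid_to_string(sid_blob)) == 500


def lockout_state(lockout_time_ticks: int, lockout_duration, now: datetime):
    """Return (locked_now, locked_at, unlocks_at). lockout_duration=None models a
    policy of 0 (stays locked until an administrator unlocks). A non-zero
    lockoutTime older than the duration is a past lockout, not an active one."""
    locked_at = filetime_to_datetime(lockout_time_ticks)
    if locked_at is None:
        return False, None, None
    if lockout_duration is None:
        return True, locked_at, None
    unlocks_at = locked_at + lockout_duration
    return now < unlocks_at, locked_at, unlocks_at


if __name__ == "__main__":
    # Constructed values: a made-up domain SID and a lockout at the time of the post.
    admin = string_to_sid("S-1-5-21-1234567890-987654321-1122334455-500")
    locked_at = datetime(2006, 7, 18, 18, 0, tzinfo=timezone.utc)
    ticks = datetime_to_filetime(locked_at)
    print(sid_to_string(admin), "built-in admin:", is_builtin_administrator(admin))
    print(lockout_state(ticks, timedelta(minutes=30), locked_at + timedelta(minutes=2)))
```

To use it against the directory, read objectSid and lockoutTime for the account named in the 644 event with whatever LDAP client you have (adfind prints lockoutTime as the raw integer; the -decodeb option in adfind prints objectSid as a string already). If the RID is 500 and the domain part of the SID is your domain's, the event was about the domain Administrator, not a local account.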
[ActiveDir] OT: Microsoft Acquires Winternals Software
You may find this of interest (from today's WServerNews):

Mike Thommes

=

Microsoft Acquires Winternals Software

Mark Russinovich and Bryce Cogswell have been snagged up by Redmond. And they deserve to be, as they have been making significant and very useful contributions to the Windows Market. Congrats from all of us at Sunbelt Software. Current Winternals products will be withdrawn from the market as they're integrated into existing or new Microsoft product offerings. The Sysinternals community site and tools will likely continue to be available, but that is not completely sure, so grab those tools while you can. Mark will become one of only 14 Microsoft Technical Fellows, taking his place alongside legends like Windows NT guru Dave Cutler and Jim Gray. Mark and Bryce are looking forward to making Windows an even better platform for all of us, and I'm sure they will.

Official Press Release at: http://www.wservernews.com/30R633/060724-Winternals
[ActiveDir] root admin account able to be locked out?
Title: root admin account able to be locked out?

Hi AD Gurus! We have penetration testing going on and I saw a security event log entry that showed our root admin account getting locked out. I was surprised because I thought this account could never get locked out. In addition, we had a scheduled job that runs under the credentials of this root account that ran successfully a couple of minutes *after* the supposed account was locked. (We have the standard 30 minute lockout time.) I think the reason that this happened was that the penetration testing really didn't lock out the root account but did lock out the local SID 500 account that exists on all servers (including domain controllers). This is my belief. My officemate says there is no such account on a DC and that the root account could have been locked out for a short period of time but then made active again when AD saw what the account was or that the security log entry is just bogus. Can someone offer a little insight into this (nope, no dinners or cash riding on this debate!). Thanks much! Mike Thommes
RE: [ActiveDir] Account Password Expiration Tool
joe's tools again ( 8-) ):

adfind -b ou=Employees,dc=xyz,dc=com -bit -f "(&(objectcategory=person)(useraccountcontrol:AND:=65536))" samaccountname > c:\temp\pw_never_expires.txt

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Alborzfard
Sent: Tuesday, July 11, 2006 1:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account Password Expiration Tool

Do you know of any tools out there that would check for and list AD accounts whose Password Never Expires is checked and/or how old is a user's password; e.g. it would generate a report listing all accounts with password older than 90 days? The closest thing I can find is JoeWare's (bowing my head!) FindExpAcc tool with -pwd switch, but it only lists accounts with expired passwords. TIA Alex Alborzfard Systems Administrator

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
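The adfind filter above answers half of Alex's question server-side (useraccountcontrol:AND:=65536 is the DONT_EXPIRE_PASSWD bit); the password-age half needs pwdLastSet. The following is an added example, not code from the original posts or from adfind: it applies both checks to already-fetched attribute values, decoding the userAccountControl bit field and the pwdLastSet FILETIME (0 means "must change at next logon"). The account records are constructed sample data.

```python
"""Password-hygiene report from userAccountControl and pwdLastSet (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# pwdLastSet is a FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# userAccountControl bits (ADS_USER_FLAG values) relevant to this report.
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536, the value in the adfind filter above


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; used here only to build the sample records."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def password_age_days(pwd_last_set: int, now: datetime) -> int | None:
    """Whole days since the password was set; None when pwdLastSet is 0."""
    if pwd_last_set == 0:
        return None
    return (now - filetime_to_datetime(pwd_last_set)).days


def classify(user: dict, now: datetime, max_age_days: int = 90) -> list[str]:
    """Findings for one account; an empty list means it passes."""
    uac = user["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return []  # disabled accounts are out of scope for this report
    findings = []
    if uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("password-never-expires")
    if uac & UF_PASSWD_NOTREQD:
        findings.append("password-not-required")
    age = password_age_days(user["pwdLastSet"], now)
    if age is None:
        findings.append("must-change-at-next-logon")
    elif age > max_age_days:
        findings.append(f"password-older-than-{max_age_days}d ({age}d)")
    return findings


def report(users: list[dict], now: datetime, max_age_days: int = 90) -> dict[str, list[str]]:
    """sAMAccountName -> findings, for accounts with at least one finding."""
    out = {}
    for u in users:
        findings = classify(u, now, max_age_days)
        if findings:
            out[u["sAMAccountName"]] = findings
    return out


def _ft(y: int, m: int, d: int) -> int:
    return datetime_to_filetime(datetime(y, m, d, tzinfo=timezone.utc))


# Constructed sample records (not real directory output).
SAMPLE_USERS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": _ft(2004, 1, 15)},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _ft(2006, 6, 1)},
    {"sAMAccountName": "asmith", "userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "old_disabled",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_ACCOUNTDISABLE,
     "pwdLastSet": _ft(2001, 3, 3)},
    {"sAMAccountName": "tmp_user", "userAccountControl": UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD,
     "pwdLastSet": _ft(2006, 3, 1)},
]


def sample_report(now_iso: str = "2006-07-11T00:00:00+00:00", max_age_days: int = 90) -> dict[str, list[str]]:
    """Run the report over the sample records as of the given ISO-8601 timestamp."""
    return report(SAMPLE_USERS, datetime.fromisoformat(now_iso), max_age_days)


if __name__ == "__main__":
    for name, findings in sample_report().items():
        print(f"{name}: {', '.join(findings)}")
```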
[ActiveDir] importance of gc._msdcs.mycompany.com A records?
Title: importance of gc._msdcs.mycompany.com A records?

What is the importance of the gc._msdcs.mycompany.com A records? Environment:
1) Split DNS Unix Bind and AD integrated DNS
2) DCs use: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters] RegisterDnsARecords=dword: to avoid registering the A domain record on our Unix DNS server, which will not accept them. This record is put in manually. This registry entry also prevents these failures to register from being written into the system event log.
3) Today my DNS admin noticed that the gc._msdcs.mycompany.com zone was not populated correctly, with hardly any of the current GCs listed. Some of the IPs that were listed haven't been used for years. The GC A record for our current GCs obviously is not written because of #2.
4) If I check for enterprise GCs using a tool like replmon, all of the GCs show up.
5) There are no AD issues that we are aware of.
So the question is what are these A records used for, if anything. It would appear in our scenario this zone is unused. Any thoughts/comments are appreciated! TIA! Mike Thommes
RE: [ActiveDir] Ammunition, please!
Hi Larry, You might want to check this reference which was posted to this group a few days ago: http://iase.disa.mil/stigs/checklist/AD_Checklist_V1R11_20060607.pdf It discusses physical security and not running other services on DCs, among other things. Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Wednesday, June 28, 2006 10:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ammunition, please!

On a lesser note, is there any problem with having a DC also be their file server and print server? Again, we're only talking 20 people here. Assuming I can at least get the server rack locked, and I put the file shares on a separate partition (i.e., not on the C drive, of course). This is all good. I think I have enough ammunition to, at least, cover myself if management decides to go ahead and put a DC in that location. The reason is, of course, this group of 20 folks have no money, so we'll have to buy them a server out of our own budget, because they are one of our supported clients and we have no choice. In my opinion, however, we *do* have a choice as to whether we allow a DC to be in a physically non-secure location. -- Larry Wahlers Concordia Technologies The Lutheran Church - Missouri Synod mailto:[EMAIL PROTECTED] direct office line: (314) 996-1876

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] [OT] DC Configuration
I know, I know...how about the AD Party? We're ethical, right? joe's probably the most ethical guy around. And he gives stuff away for free. When was the last time you saw a politician do that? I nominate him for President! ;-) Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 22, 2006 8:12 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] [OT] DC Configuration A party? Where? They got beer? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura E. Hunter Sent: Thursday, June 22, 2006 8:31 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DC Configuration ...whichever party that may be. On 6/22/06, Gil Kirkpatrick [EMAIL PROTECTED] wrote: Ethics? Thats the stuff the guys in the other party don't have. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 22, 2006 3:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 22, 2006 3:52 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration Exactly... Congress: Ethics? What's that? -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, June 22, 2006 6:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration Yea, it seemed an awful basic question for you joe. And, of course I fell for it. Agreed though that software RAID is like Congress creating its own ethics rules--just a bad idea all around. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 22, 2006 3:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration ROFL! 
That was more of a case of purposely refusing to acknowledge software RAID versus truly understanding what it is. I have had far more than my share of times trying to rebuild software raid configs. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, June 22, 2006 6:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration Software RAID is where the OS (in this case) handles the striping of the data rather than the hardware (usually the controller). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, June 22, 2006 3:05 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC Configuration o Software RAID? What's that? o Yeah I am not a fan of mirrors. I like lots of spindles. But then I tend to work with big busy directories with Exchange beating on it. Being 64 bit you don't have to worry _as much_ assuming you have enough RAM to cache your entire DIT but you still have to load that baby in the first place so I would still recommend RAID 0+1, 10, or 5 or if you don't care about fault tolerance the fastest is RAID-0. o I would say if you are going 64 bit, make sure you make it a priority to get enough RAM to hold your entire DIT. That is the cool thing about getting 64 bit. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, June 22, 2006 5:12 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DC Configuration There would be a little more to gain than that but often that's the reason. joe might point out that a two mirror configuration is not his optimal configuration. I'm pretty sure he'd also point out that compared with software raid, that he'd take that option. :) I can honestly say I'd agree with him on this one. 
Software mirroring for this type of application is never a good idea. The slower spindle speeds likely won't be enough of an issue to matter in your configuration. Unless you have a very large DIT queue jokes here or applications that pound the snot out of the individual servers spindle speed won't be nearly as important. Since it's 64 bit you're after, spend some money on the memory and take advantage of the cache as much as you can. Al On 6/22/06, Noah Eiger [EMAIL PROTECTED] wrote: What would the partitions on the first configuration gain you (over just a single C:)? I thought the idea behind placing NTDS, etc on something _besides_ C: was to get the performance benefits of extra spindles
[ActiveDir] can I exclude a particular user account from authenticated users?
Title: can I exclude a particular user account from authenticated users? This may sound like an off the wall question, but I would like to exclude a particular user account from the built-in security principal Authenticated Users. Is there any way to do this? TIA! Mike Thommes
RE: [ActiveDir] OT: srvinfo output incomplete -- solution!
The solution to this problem is that the Local Service account must have read access to the following registry key: HKLM\System\Currentcontrolset\control\securepipeservers\winreg

There are snippets here and there on Google implicating this issue can happen when an upgrade is done to a W2K/SP4 computer to XP or Server 2003. It supposedly does not happen to a pre-SP4 W2K upgrade to XP or Server 2003. If this fix doesn't work, check MS KB313222 on how to reset security settings back to the default. HTH, Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, June 01, 2006 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: srvinfo output incomplete

It's been a while but last time I checked srvinfo was predominately registry calls so I'd look at Remote Registry Service, policy settings like Network Access: Remotely accessible Registry paths, stuff like that. \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg might be enlightening... Regmon on the remote machine should be helpful...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, June 01, 2006 8:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: srvinfo output incomplete

Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer also returns Domain: Error 5 and PDC: Error 5. This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same. Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA! Mike Thommes

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1
This is the same issue I posted to this group on 5/25/06. We never did figure out the cause. The local admins were rebuilding the workstation in question yesterday since that seemed to be the most expedient thing to do. I will be interested in future postings to this thread. Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 02, 2006 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

Hopefully the attachment comes through. The interesting part, and where most of the time delay is seen is here:

USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] PCs hang at Applying computer settings after upgrading DCs to 2K3 SP1

I think a different thread mentioned that DNS was about 90% of the cause of this type of behavior. It's not the only one however. What keeps rebooting? The DC? Or the workstations?
If the workstations, not only ethereal but Darren's suggestion of logging is a good idea. On 6/2/06, Za Vue [EMAIL PROTECTED] wrote: Finally..someone is also experiencing this problem. My DCs are Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first thought was DNS DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no error. Nothing is reported in logs. It is not firewall. I have play with NetBIOS, changing Provider Order in Network Neighborhood-Advanced Settings..nada. This week has been quiet. If someone calls again I have ethereal setup and ready to capture. The thing about my environment is I do not manage the switches or router. I don't know if someone is messing with something. -Z.V. , Justin (ITS) wrote: Hello, Last night we upgraded our 3 Win2K3 domain controllers to SP1. This morning, we're getting tons and tons of calls from users who report that their computer sits at Applying computer settings for a good 10 minutes, then another 10 or so minutes at Applying your personalized settings After the upgrade we did start seeing DCOM errors in the System event log, which I've found many people online have experienced. I fixed it (or at least the DCOM errors went away) by granting Network Service the following rights: Local Launch Remote Launch Local Activation Remote Activation In the Launch and Activation Permissions dialog on the Security tab of the netman component. However, even after the DCOM errors have gone away, we continue to see the same results on the clients. Any ideas? I'm considering calling Premier Support, but I figured you guys would be better help than them. Thanks, Justin Clay ITS Enterprise Services Metropolitan Government of Nashville and Davidson County Howard School Building Phone: (615) 880-2573 ITS ENTERPRISE SERVICES EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.
[ActiveDir] OT: srvinfo output incomplete
Title: OT: srvinfo output incomplete Situation: running srvinfo \\computer_name with domain admin credentials from a remote computer. One w2k3/sp1 server target returns the full complement of information, including CPU, BIOS info, hotfixes, network card info, uptime. Another w2k3sp1 server target returns only partial information, missing CPU, BIOS info, hotfixes, network card info, and uptime. Also, this second computer also returns Domain: Error 5 and PDC: Error 5. This same domain admin can log into the second computer target directly and run srvinfo and get a full complement of information! Both target computers are in AD and have the same policies applied to them. Security options appear to be the same. Does anyone have any thoughts as to what might be preventing a complete information disclosure when running srvinfo from across the network? TIA! Mike Thommes
RE: [ActiveDir] MSC pointing at untrusted domain?
How about:

Runas /netonly /user:target_computer\username "eventvwr.exe /auxsource=target_computer"

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSC pointing at untrusted domain?

Dear collective, I was wondering if there was a way to have a .MSC file (eg to show the event log) of a computer in another domain, which has no trust set up with the one I'm using. Unfortunately, setting up a trust is not an option - as the other domain is sitting on an SBS box. I had hoped I could create a .msc pointing at the SBS domain/server and get prompted for credentials, but it just goes straight to an access denied error. Any ideas? TIA, -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] MSC pointing at untrusted domain?
Sorry for the last incorrect answer. Try this:

runas /netonly /user:domain_or_target_computer\username "mmc.exe eventvwr.msc /computer=target_computer"

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AdamT
Sent: Wednesday, May 31, 2006 11:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MSC pointing at untrusted domain?

Dear collective, I was wondering if there was a way to have a .MSC file (eg to show the event log) of a computer in another domain, which has no trust set up with the one I'm using. Unfortunately, setting up a trust is not an option - as the other domain is sitting on an SBS box. I had hoped I could create a .msc pointing at the SBS domain/server and get prompted for credentials, but it just goes straight to an access denied error. Any ideas? TIA, -- AdamT A casual stroll through the lunatic asylum shows that faith does not prove anything. - Nietzsche

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] OT: stuck processing policy
Title: OT: stuck processing policy

Hi Shariff (and Darren too!), Yeah, I saw some entries in WINS that I didn't like. I believe it is some issue where the computer is not fully into the domain. Although others can use this particular computer with no issues whatsoever, next week I am going to work with the local admins to take it out of the domain and then put it back in, maybe even with a brand new IP. Thanks for the responses! Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Navroz Shariff
Sent: Friday, May 26, 2006 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Mike, Make sure you flush the local DNS cached entries as well if you think it's a client-side DNS issue. I had encountered a similar issue awhile back and I re-joined the box back to the domain after noting authentication errors in the event log. Darren gives many possible solutions and I would agree with him that it's probably that the client has lost its trust relationship with the domain. To be sure, see the eventlog, more specifically, the entries that deal with authentication. -Shariff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Ok. The purpose of MyGetUserName (and GetUserNameEx) is so that GP can impersonate the user for the purposes of applying user policy. GetUserNameEx returns the user name of the current thread. MyGetUserName basically calls GetUserNameEx and asks for the Fully Qualified DN of the current user. So, the fact that that is failing with an internal error (1359) could mean almost anything. It could mean that the user's FQDN is not available (not sure if it's actually querying AD at that point or just querying the token) or it could mean that, if it is querying AD, that there isn't a good line to AD.
Maybe the machine account has lost its secure channel to the domain, or maybe the user logged in using cached creds or something? I'm sorry I'm not more help here. I've seen this error a lot but have never been able to track it down to a specific thing. I would make sure DNS is configured correctly on the client, check the system event log on the client to ensure there are no errors related to authentication, etc. Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, May 25, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Darren! Here you go. Thanks! Mike Thommes

==
USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, May 25, 2006 4:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: stuck processing policy

Hi Mike. Can you post the lines of userenv right around that GetUserNameEx error?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent
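Both USERENV excerpts in this archive (Mike's 1359 log above and Justin's 1753 log in the SP1 thread) show the same shape: GetUserNameEx fails, userenv announces a 1/2-second retry, and then nothing is logged for minutes until the next failure. The following is an added example, not code from the original posts: a parser for the USERENV(pid.tid) HH:MM:SS:ms lines that measures the total stall, counts retries and names the Win32 error codes; SAMPLE_LOG is Mike's excerpt as quoted above, and the code names are the winerror.h names for 1359 and 1753.

```python
"""Triage a userenv.log excerpt for the GetUserNameEx stall (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s?(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"GetUserNameEx failed with (?P<code>\d+)\.")

# Win32 system error codes seen in these threads (names per winerror.h).
WIN32_ERRORS = {
    1359: "ERROR_INTERNAL_ERROR",
    1753: "EPT_S_NOT_REGISTERED (no more endpoints available from the endpoint mapper)",
}


@dataclass
class Entry:
    pid: str
    tid: str
    ms_of_day: int  # timestamp as milliseconds since midnight
    func: str
    msg: str


def parse_userenv(text: str) -> list[Entry]:
    """Parse USERENV lines; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
        entries.append(Entry(m["pid"], m["tid"], ms, m["func"], m["msg"]))
    return entries


def summarize_stall(entries: list[Entry]) -> dict:
    """Measure the policy-processing stall and collect the failing error codes.

    The gap between consecutive failures is the per-call timeout being hit
    (about 3 minutes in Mike's log, about 1 minute in Justin's)."""
    failures = [e for e in entries if FAILED_RE.search(e.msg)]
    codes = sorted({int(FAILED_RE.search(e.msg)["code"]) for e in failures})
    gaps = [b.ms_of_day - a.ms_of_day for a, b in zip(failures, failures[1:])]
    end = next((e for e in entries
                if e.func == "ProcessGPOs" and e.msg.startswith("Processing failed")), None)
    stall_ms = (end.ms_of_day - entries[0].ms_of_day) if (entries and end) else 0
    return {
        "failures": len(failures),
        "retries": sum(1 for e in entries if "Retrying call" in e.msg),
        "error_codes": codes,
        "error_names": [WIN32_ERRORS.get(c, "unknown") for c in codes],
        "mean_retry_gap_s": sum(gaps) / len(gaps) / 1000 if gaps else 0.0,
        "stall_seconds": stall_ms / 1000,
    }


# Mike's excerpt as quoted in the thread above.
SAMPLE_LOG = """\
USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes
"""

if __name__ == "__main__":
    print(summarize_stall(parse_userenv(SAMPLE_LOG)))
```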
RE: [ActiveDir] OT: stuck processing policy
Hi Al, Yeah, I'm with you on this. I checked this workstation's settings yesterday and its network performance and so far everything checks out. One curious point: I can't get to the computer remotely, like to view the event logs. The computer name had been changed a few times, but I think at this point, everything is in synch (computer name, domain suffix, DNS, etc). The big problem that I see with this whole current track is that the workstation works fine for other users. All of the network parameters etc apply to ALL users. This particular user/computer had this issue several months ago. The local admins gave up trying to solve the issue and just rebuilt the OS. And the problem went away. Now it's popped up again. It may have to do with software that was installed...still to be determined. Thanks. Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, May 26, 2006 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: stuck processing policy

You might also want to check the network connection parameters. Make sure it's connected and configured properly, without errors. Everything described to this point could easily be related to network issues (especially at the NIC/Router) as well. Al

On 5/26/06, Thommes, Michael M. [EMAIL PROTECTED] wrote: Hi Shariff (and Darren too!), Yeah, I saw some entries in WINS that I didn't like. I believe it is some issue where the computer is not fully into the domain. Although others can use this particular computer with no issues whatsoever, next week I am going to work with the local admins to take it out of the domain and then put it back in, maybe even with a brand new IP. Thanks for the responses!
Mike Thommes
RE: [ActiveDir] AD DNS along with Bind
(From my DNS admin) If I did that, then I would have to open DNS conduits through our firewalls for the DC, as anyone who was requesting information from any AD zone would be querying the DNS Server on the DC. We try to limit contact to the DC from the Internet. -- Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone:+1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 222, Room D209 Internet: [EMAIL PROTECTED] Argonne, IL 60439-4828 IBMMAIL: I1004994 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Wednesday, May 24, 2006 4:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DNS along with Bind Why configure the BIND servers as secondary to the zones delegated to the Windows DNS servers? Why not just let the Windows DNS servers handle those queries? By doing so you would remove the issue surrounding the zone serial numbers while also provide redundancy for Windows based zones and the dynamic updates they require. Could just be a personal preference I suppose... Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Wednesday, May 24, 2006 12:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DNS along with Bind Hi Freddy, (From my DNS Admin) When any client (or server) machine wants to locate an SRV record, it asks the BIND slave servers, as the Windows 2003 DNS Server is not in any TCP/IP configuration as a DNS server to be queried. In fact, we recently moved the DNS Service from one DC to another when we upgraded the original DC to new hardware. The only machines we had to change were the BIND slave servers, which had the IP address of the old master in the BIND configuration file. The BIND servers are slaves for all of the AD zones, so those BIND servers give answers to the queries. 
We have three DCs for the forest, and if the one on which the DNS Service is running is down, then the only problems are 1) the rare DDNS update from a DC, updating an SRV or CNAME record 2) the more frequent DDNS updates for one forward subdomain zone and its five reverse zones, all under the control of a Windows DHCP server. I do not know if the DHCP code retries its DDNS. The DC on which DNS runs is not down that often, and we have not received complaints when it was down. Interesting article mentioned below, does it apply to 2003 as well? I assume you are referencing 282826 (previously known as Q282826). It does apply to 2003. When I first read it, I could not understand it. I made a flowchart from the text, and after a MS employee explained it, I understood it. Assume that there is an AD-integrated zone, xxx.example.com, and there are two DCs running the DNS Service. Assume that all of the behind-the-scenes AD synchronization has taken place, and both DCs have exactly the same zone information; the zone serial number is, say, 100. Some machine, pc1.xxx.example.com, sends a DDNS update to DC1. After the update is complete, the zone serial number on DC1 is now 101. At the same time, another machine, pc2.xxx.example.com, sends a DDNS update to DC2. After that update is complete, the zone serial number on DC2 is 101. We now have two copies of the zone, each with serial number 101, and each has an update that the other does not have. Which DC has the correct zone information? Neither. I have no idea how long it takes the behind-the-scenes AD synchronization to occur. When it has occurred, the resulting zone has both updates. But what is the serial number? It can't be 101, as serial number 101 was associated with a copy of the zone that did not have both of the updates. Can it be 102? No, as there could have been another DDNS update to DC1 before the synchronization occurred. In this case, DC1 would have serial number 102, and DC2 serial number 101.
I contend that there is no value that can be used as the serial number for the combined-update zone. What 282826 is saying is that the zone serial number is meaningless unless that DNS Server is a master server feeding a BIND (or other vendor) slave server. -- Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone:+1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 222, Room D209 Internet: [EMAIL PROTECTED] Argonne, IL 60439-4828 IBMMAIL: I1004994 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Tuesday, May 23, 2006 8:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DNS along with Bind Hi Mike, If you
[ActiveDir] OT: stuck processing policy
I have a user on a computer that takes forever to log in. She can go to any other computer and log in quickly. Anyone else can go to the computer in question and log in quickly. It is only THIS user on THIS computer. We have renamed her local profile to no avail. Looking at the userenv.log debugging file, I see a big time gap marked by a "GetUserNameEx failed with 1359". Googling didn't produce much. Does anyone (Darren?) have any thoughts on how I can track this down? Thanks! Mike Thommes
RE: [ActiveDir] OT: stuck processing policy
Hi Darren! Here you go. Thanks! Mike Thommes ==
USERENV(2bc.774) 11:20:27:665 ProcessGPOs:
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Entering with timeout 60 and flags 0x0
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: User critical section has been claimed. Handle = 0x618
USERENV(2bc.774) 11:20:27:665 EnterCriticalPolicySectionEx: Leaving successfully.
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 LeaveCriticalPolicySection: Critical section 0x618 has been released.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: User Group Policy has been applied.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
USERENV(2bc.774) 11:32:32:286 ApplyGroupPolicy: Leaving successfully.
USERENV(2bc.548) 11:32:32:286 GPOThread: Next refresh will happen in 104 minutes
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, May 25, 2006 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: stuck processing policy Hi Mike. Can you post the lines of userenv right around that GetUserNameEx error? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, May 25, 2006 1:44 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: stuck processing policy I have a user on a computer that takes forever to log in. She can go to any other computer and log in quickly. Anyone else can go to the computer in question and log in quickly. It is only THIS user on THIS computer. We have renamed her local profile to no avail. Looking at the userenv.log debugging file, I see a big time gap marked by a "GetUserNameEx failed with 1359". Googling didn't produce much. Does anyone (Darren?) have any thoughts on how I can track this down? Thanks! Mike Thommes
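As an added example, not part of the thread: a small Python parser that walks USERENV log entries like the excerpt above, flags gaps between consecutive entries longer than a threshold, and pulls out the first failing call and its Win32 error code, so a slow logon can be pinned on one call (here GetUserNameEx returning 1359 after four three-minute stalls). The embedded excerpt is taken from the posted log lines; the threshold and the report layout are assumptions.

```python
"""Flag long stalls in a Windows userenv.log Group Policy trace.

Parses USERENV debug lines of the form

    USERENV(<pid>.<tid>) HH:MM:SS:mmm Function: message

and reports every gap between consecutive entries that exceeds a
threshold, plus the first call that logged 'failed with <code>'.
"""
import re
from datetime import timedelta

LINE_RE = re.compile(
    r"USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3}) "
    r"(?P<func>\w+): (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"failed with (?P<code>\d+)")

# Excerpt of the userenv.log lines posted in the thread, one entry per line.
SAMPLE_LOG = """\
USERENV(2bc.774) 11:20:27:665 ProcessGPOs: Machine role is 2.
USERENV(2bc.774) 11:20:27:681 PingComputer: Adapter speed 1 bps
USERENV(2bc.774) 11:20:27:681 PingComputer: First time: 0
USERENV(2bc.774) 11:20:27:681 PingComputer: Fast link. Exiting.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:23:28:482 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:26:29:749 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:29:31:015 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(2bc.774) 11:32:32:271 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(2bc.774) 11:32:32:271 ProcessGPOs: MyGetUserName failed with 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Processing failed with error 1359.
USERENV(2bc.774) 11:32:32:286 ProcessGPOs: Leaving with 0.
"""


def parse_entries(text):
    """Return (timestamp, func, msg) for every USERENV line in `text`.

    Timestamps are time-of-day offsets; the log is assumed not to cross
    midnight within one policy cycle."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # mail headers, separators, non-USERENV lines
        ts = timedelta(hours=int(m["h"]), minutes=int(m["m"]),
                       seconds=int(m["s"]), milliseconds=int(m["ms"]))
        entries.append((ts, m["func"], m["msg"]))
    return entries


def find_stalls(entries, threshold=timedelta(seconds=60)):
    """Gaps longer than `threshold` as (gap_seconds, func_before, entry_after)."""
    stalls = []
    for prev, cur in zip(entries, entries[1:]):
        gap = cur[0] - prev[0]
        if gap > threshold:
            stalls.append((round(gap.total_seconds(), 3), prev[1],
                           f"{cur[1]}: {cur[2]}"))
    return stalls


def first_failure(entries):
    """(func, win32_error_code) of the first 'failed with N' entry, or None."""
    for _, func, msg in entries:
        m = FAIL_RE.search(msg)
        if m:
            return func, int(m["code"])
    return None


def summarize(text, threshold=timedelta(seconds=60)):
    """Run the whole analysis over one log excerpt."""
    entries = parse_entries(text)
    span = (entries[-1][0] - entries[0][0]).total_seconds() if entries else 0.0
    return {
        "entries": len(entries),
        "span_seconds": round(span, 3),
        "stalls": find_stalls(entries, threshold),
        "first_failure": first_failure(entries),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['entries']} entries spanning {report['span_seconds']} s")
    for gap, before, after in report["stalls"]:
        print(f"  stall of {gap:.1f} s after {before}; next entry: {after}")
    print("first failure:", report["first_failure"])
```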
RE: [ActiveDir] view only rights on ADI DNS Zone
The Microsoft link at the bottom of an event log entry has gotten much better. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA) [E] Sent: Wednesday, May 24, 2006 10:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] view only rights on ADI DNS Zone I was able to get a nice list of sources from EventcombMT. So that will get me started, but if anyone has a good source with event IDs that would be cool. Todd From: Al Mulnick [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 24, 2006 9:27 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] view only rights on ADI DNS Zone You'll need a description of the rights needed to open the tool in this case, as everyone has read access by default. IIRC, the Windows 2000 DNS white paper describes how to delegate rights etc. using tools such as ADSIEDIT or DSACLS. Curious though: why bother? Read access to a DNS zone? Has the user ever used NSLOOKUP or DIG? You can read the zone records using these tools quite easily and it'll tell you just about everything you want to know about the RR. Is there a different requirement in this? Al On 5/24/06, Kamlesh Parmar [EMAIL PROTECTED] wrote: Is it possible to give a normal domain account rights to view an ADI DNS zone in the console? I tried to give a normal account rights to READ thru the ACL on the zone, but it didn't help. The only other way I know is to create a secondary for that zone on that user's machine, but that's overkill :) -- Kamlesh ~ Be the change you want to see in the World ~
RE: [ActiveDir] AD DNS along with Bind
Hi Freddy, (From my DNS Admin) When any client (or server) machine wants to locate an SRV record, it asks the BIND slave servers, as the Windows 2003 DNS Server is not in any TCP/IP configuration as a DNS server to be queried. In fact, we recently moved the DNS Service from one DC to another when we upgraded the original DC to new hardware. The only machines we had to change were the BIND slave servers, which had the IP address of the old master in the BIND configuration file. The BIND servers are slaves for all of the AD zones, so those BIND servers give answers to the queries. We have three DCs for the forest, and if the one on which the DNS Service is running is down, then the only problems are 1) the rare DDNS update from a DC, updating an SRV or CNAME record 2) the more frequent DDNS updates for one forward subdomain zone and its five reverse zones, all under the control of a Windows DHCP server. I do not know if the DHCP code retries its DDNS. The DC on which DNS runs is not down that often, and we have not received complaints when it was down. Interesting article mentioned below, does it apply to 2003 as well? I assume you are referencing 282826 (previously known as Q282826). It does apply to 2003. When I first read it, I could not understand it. I made a flowchart from the text, and after a MS employee explained it, I understood it. Assume that there is an AD-integrated zone, xxx.example.com, and there are two DCs running the DNS Service. Assume that all of the behind-the-scenes AD synchronization has taken place, and both DCs have exactly the same zone information; the zone serial number is, say, 100. Some machine, pc1.xxx.example.com, sends a DDNS update to DC1. After the update is complete, the zone serial number on DC1 is now 101. At the same time, another machine, pc2.xxx.example.com, sends a DDNS update to DC2. After that update is complete, the zone serial number on DC2 is 101.
We now have two copies of the zone, each with serial number 101, and each has an update that the other does not have. Which DC has the correct zone information? Neither. I have no idea how long it takes the behind-the-scenes AD synchronization to occur. When it has occurred, the resulting zone has both updates. But what is the serial number? It can't be 101, as serial number 101 was associated with a copy of the zone that did not have both of the updates. Can it be 102? No, as there could have been another DDNS update to DC1 before the synchronization occurred. In this case, DC1 would have serial number 102, and DC2 serial number 101. I contend that there is no value that can be used as the serial number for the combined-update zone. What 282826 is saying is that the zone serial number is meaningless unless that DNS Server is a master server feeding a BIND (or other vendor) slave server. -- Barry S. Finkel Computing and Information Systems Division Argonne National Laboratory Phone:+1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 222, Room D209 Internet: [EMAIL PROTECTED] Argonne, IL 60439-4828 IBMMAIL: I1004994 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO Sent: Tuesday, May 23, 2006 8:50 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DNS along with Bind Hi Mike, If you are delegating those 6 zones to only 1 DNS server, if that DNS server is going through a quick reboot or downtime, then none of your clients can find the NS delegation and hence causing a "no domain controller found" scenario, isn't it? Interesting article mentioned below, does it apply to 2003 as well? Thank you and have a splendid day! Kind Regards, Freddy Hartono Group Support Engineer InternationalSOS Pte Ltd mail: [EMAIL PROTECTED] phone: (+65) 6330-9785 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, May 24, 2006 4:38 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] AD DNS along with Bind Adeel, Here is a response from our DNS guy. I hope it helps you. Mike Thommes = Here are the steps I took for delegating the AD zones for example.com:
1) In the example.com zone on the BIND server I added these NS records to delegate the zone to the Windows 2003 DNS Server:
_msdcs IN NS windnsserver.example.com.
_sites IN NS windnsserver.example.com.
_tcp IN NS windnsserver.example.com.
_udp IN NS windnsserver.example.com.
ForestDNSZones IN NS windnsserver.example.com.
DomainDNSZones IN NS windnsserver.example.com.
2) Define these six zones on the Windows 2003 DNS Server
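An added example, not from the thread, that models the serial-number argument quoted twice above (both DCs accept one dynamic update and both go from serial 100 to 101) together with the mitigation the DNS admin chose (a single hidden Windows master feeding BIND). The secondary decides whether to transfer purely from RFC 1982 serial comparison; zone content, host names and the merge rule (keep the higher serial) are assumptions of the model, not a description of how Windows DNS actually assigns serials after AD replication.

```python
"""Model: why a zone serial is unreliable across multi-master DNS.

Two DC-hosted copies of an AD-integrated zone each accept one DDNS update
and each bump their serial 100 -> 101. A BIND-style secondary that polls
the SOA serial sees 101 on both and never pulls the second change.
"""

SERIAL_MOD = 1 << 32
HALF = 1 << 31


def serial_newer(candidate, current):
    """RFC 1982 serial comparison: True if `candidate` is after `current`.

    Arithmetic is modulo 2**32, so a wrapped serial still compares newer."""
    if candidate == current:
        return False
    return ((candidate - current) % SERIAL_MOD) < HALF


class DnsMaster:
    """One DC's copy of an AD-integrated zone: owner -> rdata plus SOA serial."""

    def __init__(self, name, records, serial):
        self.name = name
        self.records = dict(records)
        self.serial = serial

    def dynamic_update(self, owner, rdata):
        """Accept a DDNS update and bump the local serial by one."""
        self.records[owner] = rdata
        self.serial = (self.serial + 1) % SERIAL_MOD

    def merge_from(self, other):
        """AD replication converges the record set. No serial is consistent
        with both histories (the thread's point), so the model keeps the
        higher of the two local values."""
        self.records.update(other.records)
        self.serial = max(self.serial, other.serial)


class BindSlave:
    """Secondary that transfers only when the master's SOA serial is newer."""

    def __init__(self, master):
        self.records = dict(master.records)
        self.serial = master.serial
        self.transfers = 0

    def refresh(self, master):
        """SOA check against `master`; transfer iff RFC 1982 says it is newer."""
        if serial_newer(master.serial, self.serial):
            self.records = dict(master.records)
            self.serial = master.serial
            self.transfers += 1
            return True
        return False

    def missing_records(self, master):
        """Owner names whose rdata on `master` differs from the slave's copy."""
        return sorted(owner for owner, rdata in master.records.items()
                      if self.records.get(owner) != rdata)


def multi_master_scenario():
    """Two Windows DNS masters, as in the KB 282826 discussion above."""
    base = {"pc0.xxx.example.com.": "10.0.0.10"}          # constructed zone
    dc1 = DnsMaster("DC1", base, 100)
    dc2 = DnsMaster("DC2", base, 100)
    slave = BindSlave(dc1)                                 # in sync at 100

    dc1.dynamic_update("pc1.xxx.example.com.", "10.0.0.11")  # DC1: 101
    dc2.dynamic_update("pc2.xxx.example.com.", "10.0.0.12")  # DC2: 101

    pulled_dc1 = slave.refresh(dc1)      # 101 > 100: transfer, gets pc1
    pulled_dc2 = slave.refresh(dc2)      # 101 == 101: no transfer
    dc1.merge_from(dc2)                  # replication converges content
    pulled_merged = slave.refresh(dc1)   # still 101: pc2 never arrives
    return {
        "transfers": [pulled_dc1, pulled_dc2, pulled_merged],
        "slave_serial": slave.serial,
        "merged_serial": dc1.serial,
        "stale": slave.missing_records(dc1),
    }


def single_hidden_master_scenario():
    """The thread's mitigation: ONE Windows DNS master feeding the BIND slaves."""
    dc1 = DnsMaster("DC1", {"pc0.xxx.example.com.": "10.0.0.10"}, 100)
    slave = BindSlave(dc1)
    dc1.dynamic_update("pc1.xxx.example.com.", "10.0.0.11")  # 101
    dc1.dynamic_update("pc2.xxx.example.com.", "10.0.0.12")  # 102
    slave.refresh(dc1)                                        # 102 > 100
    return {"slave_serial": slave.serial, "stale": slave.missing_records(dc1)}


if __name__ == "__main__":
    print("multi-master :", multi_master_scenario())
    print("hidden master:", single_hidden_master_scenario())
```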
RE: [ActiveDir] Naming conventions (quasi-OT)
Following this thread, I want to comment that we name workstations with their local serial numbers. In addition, we have a process to look through the local security log to see who is the most common user of the workstation and put their name in the description field. That makes computers easy to find. Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, May 24, 2006 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Naming conventions (quasi-OT) If you don't have the resources or time to change a computer name every time it changes departments, you could go with something static like a serial number or service tag number. It may not help you physically locate the PC, but you would be able to track machine history to determine if there was a trend of problems leading up to a hardware/software failure. By documenting the computer name on each Help Desk ticket, it gives an effective log of issues with a particular computer. One down side to this is that it's difficult to guess the machine name if you need to remote in and work on it. Bonnie From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Cline Sent: Wednesday, May 24, 2006 1:35 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Naming conventions (quasi-OT) I'm curious to see how some of you (especially at the larger corporations) name your domain-joined computers. At my company we've got about 110 computers in roughly , and for the longest time they've been named after the logon name of the user who primarily operates the PC. (Not a fan of that method myself.) However, when naming or renaming a PC there are cases (such as preparing a replacement PC for a user) where there's already one with the desired name.
Our network admin has a horrible habit of putting random numbers at the end when he runs into this problem, rather than using ADUC to remove a ghost computer object (or renaming the existing one when a new one is being prepared for said user). Of course this constantly frustrates me as I can never correctly guess a user's PC name when trying to remote control it during a support call. I've had several ideas in the past, the most favorable being naming them by location then department, then numbering them (for example, CHS-DISP-01 would represent the first dispatcher PC at our Charleston terminal), and automagically renaming the My Computer icon on the user's desktop at startup time to reflect the computer name. This way we'd never have to worry about renaming a computer when an employee is terminated, and when I've got a user on the phone I can simply ask them to read the computer name to me. But I was curious to see how you guys go about naming your PCs and how you deal with problems similar to this. -- Brian A. Cline Internet Applications Developer GP Trucking Company, Inc. Direct: 803.936.8595 Toll Free: 800.922.1147 x8595
RE: [ActiveDir] AD DNS along with Bind
Adeel, Here is a response from our DNS guy. I hope it helps you. Mike Thommes = Here are the steps I took for delegating the AD zones for example.com:
1) In the example.com zone on the BIND server I added these NS records to delegate the zone to the Windows 2003 DNS Server:
_msdcs IN NS windnsserver.example.com.
_sites IN NS windnsserver.example.com.
_tcp IN NS windnsserver.example.com.
_udp IN NS windnsserver.example.com.
ForestDNSZones IN NS windnsserver.example.com.
DomainDNSZones IN NS windnsserver.example.com.
2) Define these six zones on the Windows 2003 DNS Server. I use ONLY ONE Windows DNS Server due to serial number problems that can/will occur with the MS multi-master setup. See Q282826. Insure that the zones are AD-integrated with secure DDNS only. Change the zone properties: In the SOA insure that the Responsible person field has the correct e-mail address (with the @ replaced with .). In the Name Servers tab add the BIND slaves (that are the registered nameservers for the example.com domain). Allow zone transfers to the servers in the Name Servers tab. Notify servers in the Name Servers tab. These changes will have to be done for each zone, as MS has not implemented global zone properties.
3) Define these six zones on the BIND slave DNS servers that are registered for the example.com zone. The master server is obviously the Windows 2003 DNS Server.
4) In my case, the parent example.com zone is still on a BIND server, so I have manually entered the domain A records on that master server. Note that there are three types of DDNS from a Windows machine:
a) A machine (desktop, server, or DC) self-registering
b) A DC (netlogon) registering its SRV and CNAME records
c) A DC (netlogon) registering the domain A record.
There are different registry keys controlling each of these, and since they have been implemented at different times and since some of them have been reused (from former, still current usage), the interaction among these registry keys is complicated. I count 162 different cases, and I have not had time to test all of them. If you do not care about DDNS requests being sent to the BIND master for the example.com zone, where (I would hope) the DDNS would be refused, then you do not have to worry about some of these registry keys. With this setup, the MS Windows DNS Server is a hidden master. It is known only via the MNAME (master server name) field in the SOA (Start of Authority) record in each zone. If your clients (be they Unix, Windows, or Mac desktops) have the BIND servers in their TCP/IP configurations, then these clients will continue to use the BIND servers for DNS resolution. This will work for the AD zones, as all of the AD zones are slaved on the BIND servers. Any machine that needs to update the zone (DCs updating CNAME and SRV records), or Windows clients (self-registration via DHCP) will use secure DDNS, and these machines will locate the master via a standard SOA query. There is NO NEED for ANY machine to have the Windows DNS Server in its TCP/IP configuration as a DNS server. The nice thing about this is that you do not have to go and change any client TCP/IP configuration. On my one MS W2003 DNS Server I have the six AD zones for anl.gov and fifteen sets of AD zones for subdomains of anl.gov. There is documentation in the DNS Bible - DNS and BIND 4th edition (with a fifth edition due out any minute, I am told). There is also documentation in DNS on Windows Server 2003. Both are O'Reilly books. -- Barry S.
Finkel Computing and Information Systems Division Argonne National Laboratory Phone:+1 (630) 252-7277 9700 South Cass Avenue Facsimile:+1 (630) 252-4601 Building 222, Room D209 Internet: [EMAIL PROTECTED] Argonne, IL 60439-4828 IBMMAIL: I1004994 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adeel Ansari Sent: Tuesday, May 23, 2006 2:14 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] AD DNS along with Bind Team, Is it possible to have AD DCs manage all the dynamic zones, i.e. _tcp, _udp, _msdcs etc., and have the rest of the non-AD zones managed by Bind? Has anyone done something like this? There is a MS article (ID:255913) that talks about it; however, it doesn't say what DNS the client should point to. Regards, Adeel List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] how to find DNS servers in a forest?
Hi Deji, I was thinking about the following but the results are wrong (and I don't understand why!): For /F %a IN ('dsquery server -o rdn -forest') do srvinfo \\%a | find /i "DNS Server" Can anyone tell me what I am doing wrong? Thanks! Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, May 17, 2006 2:19 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] how to find DNS servers in a forest? For /F %a IN ('dsquery server -o rdn') do portqry -n %a -e 53 -i | find /i "listening" This will check if the server is listening on 53, but it won't tell you whether it's MS-DNS or not. Sincerely, Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de Sent: Tue 5/16/2006 11:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] how to find DNS servers in a forest? first thing that comes to mind is using WMI and checking for the DNS server service and that it is also started Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server - Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of Manjeet Singh Sent: Wed 2006-05-17 07:24 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] how to find DNS servers in a forest? If I have a list of DCs in a Windows 2003 forest, I just want to verify if they have Microsoft DNS installed on them. Where is this information stored in AD? Or I want to find how many DCs have DNS installed.
Thanks, Manjeet
RE: [ActiveDir] Test Windows 23K Firewall
telnet or portqry?
telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
-a Attempt automatic logon. Same as -l option except uses the currently logged on user's name.
-e Escape character to enter telnet client prompt.
-f File name for client side logging
-l Specifies the user name to log in with on the remote system. Requires that the remote system support the TELNET ENVIRON option.
-t Specifies terminal type. Supported term types are vt100, vt52, ansi and vtnt only.
host Specifies the hostname or IP address of the remote computer to connect to.
port Specifies a port number or service name.
Portqry: http://support.microsoft.com/default.aspx?kbid=832919 Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue Sent: Tuesday, May 09, 2006 5:50 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Test Windows 23K Firewall What is the best and fastest way to test Windows firewall? I want to see if a specific port is blocked when it is supposed to be open. -Z.V.
RE: [ActiveDir] Schema extension
DefaultHidingValue? defaultHidingValue A Boolean value that specifies the default setting of the showInAdvancedViewOnly property of new instances of this class. Many directory objects are not interesting to end users. To keep these objects from cluttering the UI, every object has a Boolean attribute called showInAdvancedViewOnly. If defaultHidingValue is set to TRUE, new object instances are hidden in the Administrative snap-ins and the Windows shell. A menu item for the object class will not appear in the New context menu of the Administrative snap-ins even if the appropriate creation wizard properties are set on the object class's displaySpecifier object. If defaultHidingValue is set to FALSE, new instances of the object are displayed in the Administrative snap-ins and the Windows shell. Set this property to FALSE to see instances of the class in the administrative snap-ins and the shell and enable a creation wizard and its menu item in the New menu of the administrative snap-ins. If the defaultHidingValue value is not set, the default is TRUE. From: http://msdn.microsoft.com/library/default.asp?url= Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, May 09, 2006 9:38 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Schema extension We received our OID from Microsoft this week, so I went ahead and added an attribute so I could flag service accounts so we won't accidentally 'clean them up' during our account cleanup processes. I then went to the User class and added my new attribute to it. When I view a user's AD schema properties, however, I'm not seeing the new property assigned to it. Is there any other step that I'm missing? Thanks ~~ This e-mail is confidential, may contain proprietary information of Cameron and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee.
If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] which GC answers?
Hi Jorge, I don't mean to hijack this thread but I have also been having an issue with lingering objects. I ran your repadmin command shown below on one of the lingering objects I have. For the lingering object I specified, the output lists a GUID (Originating DC) that doesn't exist any more. An Originating DC is also the owner of the object, right? The member DC/GCs of the domain that once hosted this Originating DC produce a different output from the repadmin /showobjmeta command than the other GCs, namely "Directory Object not found". If a DC is demoted, the object would be owned by one of the remaining DCs. But, if the owner is no longer around, the object is garbage. Right? My question is this: why are lingering objects such a bear to clean out? It seems to me an admin should be able to use a repadmin /removelingeringobjects GC: <DN of lingering object> type of syntax to take care of all of the GCs at the same time. My TAM has indicated the existence of a replfix tool, but I'm not sure how it works. Thoughts/comments? Mike Thommes PS. For any MS folks out there, it would really be helpful to include examples within the repadmin help considering how powerful this command can be. PPS. I think lingering objects are synonymous with headache. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Wednesday, May 03, 2006 9:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] which GC answers? a way to check this is: REPADMIN /SHOWOBJMETA GC: <DN of lingering object> > OUTPUT.TXT GC: targets ALL GCs in the forest For each GC: * you get the metadata of the object if it exists on the GC OR * you get "Directory object not found" if the object does not exist in addition to this you can wrap a script around this that takes away some manual stuff you must do. Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V.
(BU RTINC Eindhoven) ( Tel : +31-(0)40-29.57.777 ( Mobile : +31-(0)6-26.26.62.80 * E-mail : see sender address From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Wed 2006-05-03 14:44 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] which GC answers? When I use ldp and I find a user (lingering), how can I know which GC of the many of them has that copy of the object? I use ADSIEDIT, but I have many GCs. Is there an easier way to discover in which of them it is? Thanks Adrião F Ramos
[ActiveDir] how to get rid of an obsolete DC?
In a child domain I have what I believe is the remnants of an old NT4 DC. Using ADUC, it shows up in the child domain's Domain Controllers OU. When I try to delete it, I get "The DSA object cannot be deleted". When I use ADSIEdit and go to the domain, it only shows me the two functioning DCs and not the one I'm looking for. What other tools are available for this type of house cleaning? Thanks! Mike Thommes
RE: [ActiveDir] how to get rid of an obsolete DC?
Sorry, I meant to say ntdsutil, not adsiedit. Ntdsutil only shows me the two active DCs in that child domain. (It must be either a long day or from the sweat I worked up getting through ntdsutil! LOL!) Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike Sent: Tuesday, May 02, 2006 3:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] how to get rid of an obsolete DC? ntdsutil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, May 02, 2006 12:37 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] how to get rid of an obsolete DC? In a child domain I have what I believe is the remnants of an old NT4 DC. Using ADUC, it shows up in the child domain's Domain Controllers OU. When I try to delete it, I get "The DSA object cannot be deleted". When I use ADSIEdit and go to the domain, it only shows me the two functioning DCs and not the one I'm looking for. What other tools are available for this type of house cleaning? Thanks! Mike Thommes
RE: [ActiveDir] how to get rid of an obsolete DC?
Hmm... so *is* ADSIEdit a valid tool to use? I can see the object I want to delete in ADSIEdit. (Would I be talking to myself if I reply to my own post?) Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, May 02, 2006 3:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] how to get rid of an obsolete DC? Sorry, I meant to say ntdsutil, not adsiedit. Ntdsutil only shows me the two active DCs in that child domain. (It must be either a long day or from the sweat I worked up getting through ntdsutil! LOL!) Mike Thommes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hutchins, Mike Sent: Tuesday, May 02, 2006 3:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] how to get rid of an obsolete DC? ntdsutil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Tuesday, May 02, 2006 12:37 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] how to get rid of an obsolete DC? In a child domain I have what I believe is the remnants of an old NT4 DC. Using ADUC, it shows up in the child domain's Domain Controllers OU. When I try to delete it, I get "The DSA object cannot be deleted". When I use ADSIEdit and go to the domain, it only shows me the two functioning DCs and not the one I'm looking for. What other tools are available for this type of house cleaning? Thanks! Mike Thommes
[ActiveDir] dealing with authentication errors after password change?
How do other admins deal with the copious authentication errors a user will generate after the user resets his password with a CNTL+ALT+DEL and stays logged into the session with his old credentials?
Mike Thommes
[ActiveDir] 2003/SP1 TS Licensing Server registry key confusion
Hi,
In trying to determine why my TS Licensing Server (located on a W2K3/SP1 DC) is only handing out temporary licenses, although we have successfully entered the license data, I find the registry key for the type of license is spelled differently (an extra space) than what I find in KB834651.

Ours: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]
KB834651: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\LicensingCore]

Our registry key was generated automatically; we did not enter it. Can anyone tell me what they have in their registry on their TS Licensing Server for this key?
Thanks!
Mike Thommes
[ActiveDir] anyone using IPV6?
Has anyone tried IPV6 yet? Production? Or just testbed? Any gotchas? What kind of infrastructure (eg, switches) is needed to support it? How does AD play in this sandbox? I am probably out of my league pretty quickly with this subject. I've done a little googling but it seems like a pretty big subject to get my arms around.
Thanks for any info or pointers!
Mike Thommes
[ActiveDir] any experiences with PassFilt Pro software? (again)
(I didn't get any response to my first query. I thought I would try it again.) This software (http://www.altusnet.com/products/pfp/) supposedly enhances the default passflt.dll, allowing an admin to enforce/control password complexity and, at the same time, does a dictionary check. The price appears to be very reasonable.

==

Anybody out there have any experience with the PassFilt Pro software by Altus Networks Solutions, Inc.?
TIA,
Mike Thommes
RE: [ActiveDir] Lsasrv error
Maybe this will help. From eventid.net:

Matthew C. Miller (Last update 11/24/2005): The error in our server (domain controller) System Event Log was: "The Security System detected an authentication error for the server server. The failure code from authentication protocol Kerberos was {Operation Failed} The requested operation was unsuccessful. (0xc001)." This issue occurs if the Network Service security account does not have sufficient privileges to access the following registry subkeys when you upgrade to Windows Server 2003:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
To resolve this issue, assign the Network Service account full control access to the mentioned registry subkeys.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, April 24, 2006 10:01 AM
To: activedirectory
Subject: [ActiveDir] Lsasrv error

I keep getting this error logged in the system log of my PDC FSMO. The source server causing the issue is another DC in the same domain (Win2k3 FFL):

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 10/28/2005
Time: 11:04:18 PM
User: N/A
Computer: PDCFSMO
Description:
The Security System detected an authentication error for the server cifs/myDC.mydomain.com. The failure code from authentication protocol Kerberos was {Operation Failed} The requested operation was unsuccessful. (0xc001). For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 01 00 00 c0 ...À

This is the error logged on the offending DC:

Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40960
Date: 4/11/2006
Time: 11:04:19 PM
User: N/A
Computer: MYdc
Description:
The Security System detected an authentication error for the server cifs/PDCFSMO.mydomain.com. The failure code from authentication protocol Kerberos was The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d). For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data: 6d 00 00 c0 m..À

I checked Eventid but nothing really applies. Does anyone know what the issue could be?
Thanks
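An added example, not code from the thread: a small Python parser for LSASRV 40960 records like the two above that decodes the little-endian Data bytes into the NTSTATUS value and pairs up DCs that each report the other's SPN. The sample records are abridged transcriptions of the events quoted above, and the status names come from ntstatus.h.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values behind the two descriptions quoted in the thread (ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000001: "STATUS_UNSUCCESSFUL",   # "The requested operation was unsuccessful."
    0xC000006D: "STATUS_LOGON_FAILURE",  # "The attempted logon is invalid..."
}

SOURCE_RE = re.compile(r"Event Source:\s*LSASRV")
EVENT_ID_RE = re.compile(r"Event ID:\s*(\d+)")
COMPUTER_RE = re.compile(r"Computer:\s*(\S+)")
# SPN the reporting DC failed to authenticate to, e.g. cifs/myDC.mydomain.com
TARGET_RE = re.compile(r"authentication error for the server (\S+?)\.\s")
# First four hex bytes after "Data:", with or without an offset label like "0000:"
DATA_RE = re.compile(r"Data:\s*(?:\S*:)?\s*((?:[0-9a-fA-F]{2}\s+){3}[0-9a-fA-F]{2})")


@dataclass
class LsasrvEvent:
    computer: str      # DC that logged the event
    event_id: int
    target: str        # SPN it was talking to
    status: int        # NTSTATUS decoded from the Data field
    status_name: str


def decode_data_bytes(hexdump: str) -> int:
    """The Data field carries the 32-bit NTSTATUS little-endian: the bytes
    '01 00 00 c0' in the thread are 0xC0000001, not 0x010000C0."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 4:
        raise ValueError("expected at least four data bytes")
    return int.from_bytes(raw[:4], "little")


def parse_lsasrv_event(text: str) -> Optional[LsasrvEvent]:
    """Decode one exported event record; None unless it is an LSASRV record
    carrying every field we need."""
    if not SOURCE_RE.search(text):
        return None
    found = [rx.search(text) for rx in (EVENT_ID_RE, COMPUTER_RE, TARGET_RE, DATA_RE)]
    if not all(found):
        return None
    m_id, m_pc, m_target, m_data = found
    status = decode_data_bytes(m_data.group(1))
    return LsasrvEvent(computer=m_pc.group(1), event_id=int(m_id.group(1)),
                       target=m_target.group(1), status=status,
                       status_name=NTSTATUS_NAMES.get(status, "unknown NTSTATUS"))


def host_of(spn: str) -> str:
    """'cifs/myDC.mydomain.com' -> 'mydc' (short host name, case-folded)."""
    return spn.split("/", 1)[-1].split(".", 1)[0].lower()


def mutual_failures(events: List[LsasrvEvent]) -> List[Tuple[LsasrvEvent, LsasrvEvent]]:
    """Pairs of 40960 events in which two DCs each report the other's SPN, the
    pattern in Tom's two logs. Each unordered pair is returned once."""
    by_pair = {(e.computer.lower(), host_of(e.target)): e
               for e in events if e.event_id == 40960}
    pairs = []
    for (src, dst), e in by_pair.items():
        other = by_pair.get((dst, src))
        if other is not None and src < dst:
            pairs.append((e, other))
    return pairs


def describe(e: LsasrvEvent) -> str:
    return f"{e.computer} -> {e.target}: 0x{e.status:08X} {e.status_name}"


# Constructed records, transcribed (abridged) from the two events quoted in the thread.
SAMPLE_PDC = """Event Source: LSASRV
Event ID: 40960
Computer: PDCFSMO
Description:
The Security System detected an authentication error for the server cifs/myDC.mydomain.com. The failure code from authentication protocol Kerberos was {Operation Failed} The requested operation was unsuccessful. (0xc001).
Data: 01 00 00 c0 ...
"""
SAMPLE_MYDC = """Event Source: LSASRV
Event ID: 40960
Computer: MYdc
Description:
The Security System detected an authentication error for the server cifs/PDCFSMO.mydomain.com. The failure code from authentication protocol Kerberos was The attempted logon is invalid. This is either due to a bad username or authentication information. (0xc06d).
Data: 6d 00 00 c0 m..
"""

if __name__ == "__main__":
    events = [e for e in map(parse_lsasrv_event, (SAMPLE_PDC, SAMPLE_MYDC)) if e]
    for e in events:
        print(describe(e))
    for a, b in mutual_failures(events):
        print(f"mutual Kerberos failure between {a.computer} and {b.computer}")
```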
[ActiveDir] any experiences with PassFilt Pro software?
Anybody out there have any experience with the PassFilt Pro software by Altus Networks Solutions, Inc.?
TIA,
Mike Thommes
[ActiveDir] how to report on scheduled jobs?
Is there a script to output scheduled job information? Maybe something I could call in a for loop driven by a list of servers. Ideally, I would like to see the job and whose credentials it is running under, with maybe the schedule.
Mike Thommes
RE: [ActiveDir] how to report on scheduled jobs?
Excellent! Just what I was looking for! Thanks, Jef!
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Monday, April 17, 2006 3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to report on scheduled jobs?

Does the SCHTASKS.EXE do what you want? Perhaps with the /V switch:

SCHTASKS /Query [/S system [/U username [/P password]]] [/FO format] [/NH] [/V] [/?]

Description:
    Enables an administrator to display the scheduled tasks on the local or remote system.

Parameter List:
    /S    system    Specifies the remote system to connect to.
    /U    username  Specifies the user context under which the command should execute.
    /P    password  Specifies the password for the given user context.
    /FO   format    Specifies the output format to be displayed. Valid values: TABLE, LIST, CSV.
    /NH             Specifies that the column header should not be displayed in the output. Valid only for TABLE and CSV formats.
    /V              Specifies additional output to be displayed.
    /?              Displays this help/usage.

Examples:
    SCHTASKS /Query
    SCHTASKS /Query /?
    SCHTASKS /Query /S system /U user /P password
    SCHTASKS /Query /FO LIST /V /S system /U user /P password
    SCHTASKS /Query /FO TABLE /NH /V

Subject: [ActiveDir] how to report on scheduled jobs?
Date: Mon, 17 Apr 2006 14:31:25 -0500
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org

Is there a script to output scheduled job information? Maybe something I could call in a for loop driven by a list of servers. Ideally, I would like to see the job and whose credentials it is running under, with maybe the schedule.
Mike Thommes
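An added example, not Jef's or Mike's code: Python that wraps the SCHTASKS /Query /FO CSV /V call above for a list of servers, parses the verbose CSV and lists which tasks run under a named account (and so have a password saved on that server). The sample CSV is constructed, and the column names (HostName, TaskName, Run As User, Schedule Type, Task To Run) are assumed to match the real verbose output.

```python
import csv
import io
from dataclasses import dataclass
from typing import Callable, List

# Built-in identities: a task running as one of these stores no user password on the box.
BUILTIN_ACCOUNTS = {
    "SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCAL SERVICE", "NT AUTHORITY\\LOCAL SERVICE",
    "NETWORK SERVICE", "NT AUTHORITY\\NETWORK SERVICE",
}


@dataclass
class TaskRow:
    host: str
    task: str
    run_as: str
    schedule: str
    command: str


def schtasks_query_args(server: str) -> List[str]:
    """argv for the query Jef suggested, run against one server of the list."""
    return ["schtasks", "/Query", "/S", server, "/FO", "CSV", "/V"]


def parse_schtasks_csv(text: str) -> List[TaskRow]:
    """Parse 'schtasks /Query /FO CSV /V' output. The column names used here are
    assumed to be those of the real verbose output; other columns are ignored so
    the parser tolerates differences between Windows versions."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec.get("TaskName") == "TaskName":
            continue  # defensive: skip a repeated header line if the tool emits one
        rows.append(TaskRow(
            host=rec.get("HostName", ""),
            task=rec.get("TaskName", ""),
            run_as=rec.get("Run As User", ""),
            schedule=rec.get("Schedule Type", ""),
            command=rec.get("Task To Run", ""),
        ))
    return rows


def tasks_with_user_credentials(rows: List[TaskRow]) -> List[TaskRow]:
    """Tasks that run under a named account rather than a built-in identity:
    each one has a saved password on that server and belongs in the inventory."""
    builtin = {a.upper() for a in BUILTIN_ACCOUNTS}
    return [r for r in rows if r.run_as and r.run_as.upper() not in builtin]


def collect(servers: List[str], run_query: Callable[[List[str]], str]) -> List[TaskRow]:
    """The 'for loop driven by a list of servers'. run_query executes argv and
    returns stdout; it is injected so the example runs without schtasks present
    (for real use pass lambda argv: subprocess.run(argv, capture_output=True, text=True).stdout)."""
    rows = []
    for server in servers:
        rows.extend(parse_schtasks_csv(run_query(schtasks_query_args(server))))
    return rows


def report_lines(rows: List[TaskRow]) -> List[str]:
    return [f"{r.host}\t{r.task}\t{r.run_as}\t{r.schedule}\t{r.command}" for r in rows]


# Constructed sample in the shape of schtasks /V CSV output (subset of columns),
# including a repeated header line to exercise the skip above.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Run As User","Schedule Type"
"FS01","DailySync","04:00:00, 04/18/2006","","EXAMPLE\mthommes","C:\scripts\sync.cmd","EXAMPLE\svc-sync","Daily"
"FS01","Backup","23:00:00, 04/17/2006","","Administrator","ntbackup.exe backup @daily.bks","NT AUTHORITY\SYSTEM","Daily"
"HostName","TaskName","Next Run Time","Status","Author","Task To Run","Run As User","Schedule Type"
"FS01","Cleanup","","","EXAMPLE\jdoe","cscript cleanup.vbs","EXAMPLE\jdoe","Weekly"
'''

if __name__ == "__main__":
    rows = collect(["FS01"], lambda argv: SAMPLE_CSV)
    for line in report_lines(tasks_with_user_credentials(rows)):
        print(line)
```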
RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
Hi Brian,
It appears that a schema attribute rename is what's needed. We haven't had a chance to try this yet in our testbed where the problem occurred. Here's the info we got back (we did not have an official case opened with MS but I am guessing someone else did) as a workaround until an official patch is released.
HTH,
Mike Thommes

Case Problem: Adprep for R2 runs into problems. Attributes in conflict:
CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=gecos,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=loginShell,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowLastChange,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowMin,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowMax,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowWarning,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowInactive,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowExpire,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=shadowFlag,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=memberUid,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=memberNisNetgroup,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipServicePort,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipServiceProtocol,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipProtocolNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=oncRpcNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipHostNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipNetworkNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=ipNetmaskNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=macAddress,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=bootParameter,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=bootFile,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMapName,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMapEntry,CN=Schema,CN=Configuration,DC=anl,DC=gov
CN=nisMap,CN=Schema,CN=Configuration,DC=anl,DC=gov

Resolution: First of all, we followed the guidelines in http://support.microsoft.com/?kbid=285172
Step 1 - Connect to the Schema Master using LDP, Login with Enterprise Admin Credentials or Schema Admin Privileges.
Step 2 - What we have to change is the conflicting Schema Attributes to a bogus or a dummy name. Like for Example: Change uidnumber to Old-uidNumber.
Step 3 - Choose Modify, and type in the name of the attribute and value you want.
Step 4 - We have to change the below attributes of the conflicting one:
a. adminDisplayName
b. LDAPDisplayName
c. DN (This will have to be done after the two upper ones.) There is a modify DN option just for it.
We have to do this with all the conflicting attributes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, April 13, 2006 12:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike-
Did you ever get any resolution on this or more info?
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, February 20, 2006 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Ask him/her what the article number is if this is a known issue. If he/she says there isn't one then say it sure isn't known very well then.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, February 17, 2006 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Our MS TAM has indicated this is a known bug! I will keep the group posted as I learn more details.
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, February 17, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

As an update to this thread, we transferred the Schema Master role back to the other DC that has the SFU tools installed, originally thinking this might get the R2 schema update to work. Wrong! It fails with the same error. I can only imagine we do not have that unique an environment in our testbed and expect others to have the same experience. Luckily, we never put SFU 3.5 on our production systems. We are going to open up a trouble ticket with Microsoft regarding this issue. I would like to hear of others' experiences (success or failure) when trying to install R2 in an environment where SFU 3.5 had been installed.
Thanks!
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, February 16, 2006 9:07
[ActiveDir] how to display DC services on a single line?
Brain freeze active... There is a command that shows on a single line what services are running on a DC. The output is something like "DS::GC::Time::LDAP::". Can someone help this poor, tired brain out?
Thanks!
Mike Thommes
[ActiveDir] default values for net time /querysntp on new systems?
Hi,
I've noticed in our Active Directory environment default settings on Windows XP and Server 2003 computers for "net time /querysntp" to be one of two values:

net time /querysntp
The current SNTP value is: time.windows.com,0x1

net time /querysntp
This computer is not currently configured to use a specific SNTP server.

The value does not seem to correspond to new vs. upgraded systems. Our PDC emulator role holder, as recommended, is set to an outside time source. Does the value "time.windows.com,0x1" have some special significance like "obtain your time through normal AD channels, but just in case there is a problem, go to time.windows.com"? There are no time problems in my environment that I am aware of.
Thanks for any enlightenment!
Mike Thommes
[ActiveDir] Server 2003 DNS Admins group permissions
The default DNS Admins group has permission to use the DNS GUI (dnsmgmt.msc) and to make changes in it but does not have permission to view the DNS event log (DnsEvent.Evt). Would this just be an oversight on Microsoft's part?
TIA,
Mike Thommes
RE: [ActiveDir] 2003 DFS/open files
Maybe I need to describe my environment a little more...we have 3 file servers that have a common file structure with one server holding a master directory structure that is copied to both itself (with xcopy) and to the other two servers with robocopy. To ensure that a file actually does get copied, via a daily scheduled job we need to stop the server service and kick off each of the current user connections (net session \\computer_name_here /delete) to make sure no one has a file open before the xcopy/robocopy process starts. Note each of these users will only have a particular file(s) open for read access. With the latest DFS process using dynamic file replication (yes, I know we can schedule the replication times), I wonder what would happen when a file is updated and a user still has it open. Hope this explanation makes things a little clearer.
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ion Gott
Sent: Wednesday, April 05, 2006 2:01 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 DFS/open files

The client will continue to have the file open but depends on what action they take next...if they close the file..nothing. If they save the file, the last write is going to win and possibly replace the changes that were made on the file saved previously that the user may not be aware of. The work around for this issue really depends on the structure of your DFS environment, I tend to use DFS-R to just replicate data and disable referrals to that backup server so that doesn't happen. Depends on exactly how you're using it I guess...
Ion V. Gott

From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Wed 4/5/2006 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 DFS/open files

Can someone tell me what happens with DFS/replication when a file is updated on one DFS server and a client has that same file open on another DFS server?
TIA!
Mike Thommes
RE: [ActiveDir] Server 2003 DNS Admins group permissions
Thanks, Ulf and Sergio! I also came across this one: http://www.mcse.ms/archive45-2004-10-1149114.html
-mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivarez, Sergio J Mr CTNOSC/GD-NS
Sent: Thursday, April 06, 2006 2:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 DNS Admins group permissions

Here is a link of what Ulf is talking about: http://support.microsoft.com/default.aspx?scid=kb;en-us;323076
Thanks,
Sergio

-----Original Message-----
From: Ulf B. Simon-Weidner [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 06, 2006 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server 2003 DNS Admins group permissions

Might be - you know that you can delegate any eventlog by adjusting the CustomSD Registrykey underneath the specific eventlog in the registry?

Greetings - Sincerely,
Ulf B. Simon-Weidner
MVP-Book Windows XP - Die Expertentipps: http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D

|-----Original Message-----
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of
|Thommes, Michael M.
|Sent: Thursday, April 06, 2006 5:54 PM
|To: ActiveDir@mail.activedir.org
|Subject: [ActiveDir] Server 2003 DNS Admins group permissions
|
|The default DNS Admins group has permission to use the DNS GUI
|(dnsmgmt.msc) and to make changes in it but does not have
|permission to view the DNS event log (DnsEvent.Evt). Would
|this just be an oversight on Microsoft's part?
|
|TIA,
|Mike Thommes
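An added example illustrating Ulf's CustomSD suggestion, not code from the thread: Python that parses the SDDL string held in an event log's CustomSD value and adds a read-only ACE for a group such as DNS Admins, so the group can view the log without being able to clear it. The baseline string is a constructed stand-in for the default, and the DnsAdmins SID is a placeholder.

```python
import re
from typing import List, Tuple

# Event log ACE access bits as used in CustomSD strings: 0x1 read, 0x2 write, 0x4 clear.
EVENTLOG_READ = 0x1
EVENTLOG_WRITE = 0x2
EVENTLOG_CLEAR = 0x4

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((?P<type>[AD]);(?P<flags>[^;]*);(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]+)\)")


def parse_aces(customsd: str) -> List[Tuple[str, int, str]]:
    """Return (ace_type, rights_mask, sid) for each DACL ACE of an SDDL CustomSD.
    Hex rights are decoded; a symbolic rights string (GR, GW, ...) is treated
    conservatively as granting nothing, since CustomSD values use the hex form."""
    if "D:" not in customsd:
        return []
    dacl = customsd.split("D:", 1)[1]
    aces = []
    for m in ACE_RE.finditer(dacl):
        rights = m.group("rights").strip()
        mask = int(rights, 16) if rights.lower().startswith("0x") else 0
        aces.append((m.group("type"), mask, m.group("sid")))
    return aces


def can_read(customsd: str, sid: str) -> bool:
    """True if the DACL grants `sid` the read bit and no deny ACE for that same
    trustee withholds it. Group membership is not expanded: the check is on the
    trustee exactly as written, which is all the registry string can tell us."""
    allowed = denied = False
    for ace_type, mask, trustee in parse_aces(customsd):
        if trustee != sid or not mask & EVENTLOG_READ:
            continue
        if ace_type == "D":
            denied = True
        else:
            allowed = True
    return allowed and not denied


def grant_read(customsd: str, sid: str) -> str:
    """Append an allow-read ACE for sid (idempotent). Only the read bit is added,
    so the delegated group can view the log but not write to or clear it."""
    if can_read(customsd, sid):
        return customsd
    return customsd + f"(A;;0x{EVENTLOG_READ:x};;;{sid})"


# Constructed baseline modelled on a default CustomSD: deny anonymous and guests,
# full access for SYSTEM, read/write/clear for Administrators, read/write for
# Interactive users.
BASELINE = "O:BAG:SYD:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0x7;;;BA)(A;;0x3;;;IU)"
# Placeholder SID standing in for the domain's DnsAdmins group (constructed value).
DNSADMINS_SID = "S-1-5-21-1111111111-2222222222-3333333333-1101"

if __name__ == "__main__":
    print(can_read(BASELINE, DNSADMINS_SID))   # False
    print(grant_read(BASELINE, DNSADMINS_SID))
```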
[ActiveDir] 2003 DFS/open files
Can someone tell me what happens with DFS/replication when a file is updated on one DFS server and a client has that same file open on another DFS server?
TIA!
Mike Thommes
RE: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain
How about:
dsquery computer -samid computer_name_here | dsget computer -sid
Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

No it works fine as computer$. He wanted MS tools only remember? ;-)
M@

On 04/04/06, Freddy HARTONO [EMAIL PROTECTED] wrote:
if getsid doesn't work (if I remember correctly this is only for user accounts not comp) - try psgetsid or newsid.exe
Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9785

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of matheesha weerasinghe
Sent: Tuesday, April 04, 2006 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Use getsid.exe of the support tools. How come you are using regmon. I thought sysinternals was a no no :0)
M@

On 02/04/06, Rodrigo Blanco [EMAIL PROTECTED] wrote:
Freddy, is there any standard way (tools included in the W2K3 OS) to verify the SID of a machine? I am not allowed to install or use any external software, such as sysinternals, for instance.
Joe, I believe that the application is using the WINSOCK API too. TCP/IP is working fine and the settings are just as they should be... :-/ So I will do a regmon on a good machine and extract the differences with mine.
Thank you very much,
Best regards,
Rodrigo.

On 02/04/06, joe [EMAIL PROTECTED] wrote:
I believe that tool is using the gethostname WINSOCK API call, I expect you are hitting an error and it isn't handling it gracefully. Is TCP/IP working properly on that machine? Are all of the TCP/IP settings correct? If everything looks ok, I would recommend running regmon on a known good machine and then do the same on the troublesome machine and see what the differences are in the requests, you might get a hint there.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rodrigo Blanco
Sent: Tuesday, March 28, 2006 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Empty hostname for a Win 2003 server belonging to an AD domain

Hello list,
I am currently having a problem with a Windows 2003 server inside a Windows 2003 server-based Active Directory domain. The problem is that when I run the hostname command, it is empty:

C:\>hostname

C:\>

I suspect this happened after doing a clone of the VM machine and, by error, starting it and changing its name in the same network of the original one (this should have happened in an off-line network). I have tried to take it out from the domain and register it again in it, but this will not help. There is no conflict between the DNS and the local hosts file on the server. The server is registered in both the direct and inverse DNS lookup zones. If I look in System Properties > Computer Name, everything looks fine: hostname and domain are correctly configured.
Any help will be more than welcome.
Thanks in advance and best regards,
Rodrigo.
RE: [ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name
These may be of interest to you:
http://support.microsoft.com/kb/277717/en-us
http://support.microsoft.com/?kbid=300427
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Wednesday, March 01, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Mass AD Full Name Display Name Changes - Last name, first name

My goal is to automate a process to change Full Name and Display Name from "John Doe" to "Doe, John". I am not yet familiar with VB et al scripting, so assistance would be greatly appreciated if you propose a scripting solution.
Thank you!
...D
RE: [ActiveDir] repadmin info oddity
Adfind (http://www.joeware.net/win/free/tools/adfind.htm) to the rescue! I recently had to do this and got it accomplished with the following syntax (with a little help from joe :) ):

adfind -default -binenc -f objectGUID={{GUID:0B3F5BC4-5713-4611-8F6A-752A3B0DE664}} dn

(adfind /??? for lots of good info!)
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SCOTT KLASSEN
Sent: Monday, February 20, 2006 8:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] repadmin info oddity

I try to keep up on new or updated MS KB articles and often check to see how they correlate with my environment. I noticed that 875495, dealing with USN rollbacks, was updated earlier this month. As I've experienced two AD issues, both of which needed PSS involvement (one dealing with sysvol inconsistency and the other which wound up being the RID master going on temporary strike) I figured that I'd do a quick check as described in the article. On the good side, the USN's are consistent between controllers. On the disconcerting side, I got a little more information than I was expecting. Besides my DC's, I also got USN listings for several GUIDs. I assume these are leftovers from DC demotions and only remain in the form of historical data. Do I need to worry about these (especially the DC1 (retired) listing) and is there a way I can resolve the GUIDs to names, find where this info is hiding, and clear them out?
Thanks,
Scott Klassen

repadmin /showutdvec dc1 dc=domain,dc=com
Caching GUIDs.
..
Default-First-Site-Name\DC2 @ USN 455091 @ Time 2006-02-20 20:08:20
2c92760e-e8fc-4418-947e-3b1016ab8514 @ USN 1012381 @ Time 2005-08-04 00:02:34
6e129965-56c3-469e-b70a-f1fdfb8bb2cc @ USN 969931 @ Time 2004-07-24 11:53:16
Default-First-Site-Name\DC1 @ USN 1717571 @ Time 2006-02-20 20:10:50
Default-First-Site-Name\DC1 (retired) @ USN 1298674 @ Time 2005-08-05 06:36:16
e2199f22-f1dd-4d1c-90a6-0e8bb874f355 @ USN 744173 @ Time 2004-12-28 20:52:04
ff0d7d50-214f-4bc1-96b6-55ac6ef317f0 @ USN 852323 @ Time 2005-06-08 14:29:20
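An added example, not part of Scott's or Mike's posts: a Python parser for the /showutdvec lines above that separates live DC entries from retired and unresolved invocation IDs and flags those that have not advanced in longer than the tombstone lifetime. The sample input is Scott's output as quoted in the thread.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<name>.+?)\s+@\s+USN\s*(?P<usn>\d+)\s+@\s+Time\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


@dataclass
class UtdEntry:
    name: str
    usn: int
    last_seen: datetime
    kind: str  # "live", "retired", or "guid"


def classify(name: str) -> str:
    """repadmin prints a site\\DC name when it can map the invocation ID to a live
    NTDS Settings object, marks an ID that a restored DC has since replaced as
    '(retired)', and leaves the bare GUID when nothing in the directory owns it."""
    if GUID_RE.match(name):
        return "guid"
    if "(retired)" in name:
        return "retired"
    return "live"


def parse_utdvec(text: str) -> List[UtdEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # command echo, "Caching GUIDs.", separators
        entries.append(UtdEntry(
            name=m["name"],
            usn=int(m["usn"]),
            last_seen=datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
            kind=classify(m["name"]),
        ))
    return entries


def summary(entries: List[UtdEntry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


def stale_entries(entries: List[UtdEntry], now: datetime, max_age_days: int = 60) -> List[UtdEntry]:
    """Entries whose last update is older than max_age_days. The default of 60 is the
    tombstone lifetime of a Windows 2000/2003 forest (180 for forests created with
    Windows Server 2003 SP1 or later); an invocation ID silent for longer than that
    belongs to a DC that is no longer replicating."""
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in entries if e.last_seen < cutoff]


# Scott's output as quoted in the thread (the "USN455091" spacing is kept as posted).
SAMPLE = """repadmin /showutdvec dc1 dc=domain,dc=com
Caching GUIDs.
..
Default-First-Site-Name\\DC2 @ USN455091 @ Time 2006-02-20 20:08:20
2c92760e-e8fc-4418-947e-3b1016ab8514 @ USN 1012381 @ Time 2005-08-04 00:02:34
6e129965-56c3-469e-b70a-f1fdfb8bb2cc @ USN969931 @ Time 2004-07-24 11:53:16
Default-First-Site-Name\\DC1 @ USN 1717571 @ Time 2006-02-20 20:10:50
Default-First-Site-Name\\DC1 (retired) @ USN 1298674 @ Time 2005-08-05 06:36:16
e2199f22-f1dd-4d1c-90a6-0e8bb874f355 @ USN744173 @ Time 2004-12-28 20:52:04
ff0d7d50-214f-4bc1-96b6-55ac6ef317f0 @ USN852323 @ Time 2005-06-08 14:29:20
"""

if __name__ == "__main__":
    entries = parse_utdvec(SAMPLE)
    print(summary(entries))
    # Use the newest timestamp in the output as "now" (the time the command was run).
    newest = max(e.last_seen for e in entries)
    for e in stale_entries(entries, now=newest):
        print(f"{e.kind:8} {e.name}  last USN {e.usn} at {e.last_seen:%Y-%m-%d}")
```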
RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
As an update to this thread, we transferred the Schema Master role back to the other DC that has the SFU tools installed, originally thinking this might get the R2 schema update to work. Wrong! It fails with the same error. I can only imagine we do not have that unique an environment in our testbed and expect others to have the same experience. Luckily, we never put SFU 3.5 on our production systems. We are going to open up a trouble ticket with Microsoft regarding this issue. I would like to hear of others' experiences (success or failure) when trying to install R2 in an environment where SFU 3.5 had been installed.
Thanks!
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, February 16, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Guido,
Thanks for the response! This server is Windows 2003/SP1 with all but the current month's patches. It is the current FSMO role holder. I did some checking this morning and find the SFU 3.5 tools on another DC that could have been the FSMO role holder at the time the SFU schema changes were made. I don't see why that would make any difference, do you?
-mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 16, 2006 3:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike - I see you're upgrading from Win2000 AD. Are you sure that you've previously installed SFU 3.5 or was it maybe SFU 2.0? The reason I'm asking is that there's a known schema incompatibility with SFU 2.0: check out http://support.microsoft.com/?id=293783 "Cannot Upgrade Windows 2000 Server to Windows Server 2003 with Windows Services for UNIX 2.0 Installed"
CAUSE: The upgrade may not work because the attributeSchema 'uid' that is used by Windows 2000 Server for the NIS schema is not compatible with the one that is used by Windows Server 2003.
As such your error is likely independent from the changes in the R2 schema - it's actually an incompatibility in the Win2003 base schema (not that this really matters for you; I just want to clarify that the error should be unrelated to R2). As such it's different from Aric's case, who was performing an upgrade from a Win2003 schema to Win2003 R2...
/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 16 February 2006 02:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Aric,
No, there were a lot more errors - all seem to be related to SFU attributes. I only copied a small portion to my posting to save bandwidth. Painful = time = headaches 8-( I was expecting this upgrade to be a walk in the park.
Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 15, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Are these the only two errors you received? I encountered similar errors during beta testing when I implemented R2 in an existing forest - but a lot more than just 2. :) I created a secondary forest and validated that it did not recur. Note that I also had SFU installed in the original forest and the new secondary forest. I was able to clean up the schema in the existing forest exhibiting the errors but it was a fairly painful process of what seemed to be a goose chase. The tasks included disabling object attributes in the schema and renaming them amongst other things. Fortunately I have not heard of this happening in production...yet.
So can these errors be ignored? If I remember correctly ADPrep is actually failing and therefore NO you cannot ignore these errors since ADPREP will not occur until they are resolved.
Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, February 15, 2006 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi,
We did an adprep /forestprep from the W2K3/SP1 R2 Disk 2 CD today on our testbed FSMO DC. It gave the following errors (only a portion shown below) because, I am guessing, we had already installed SFU 3.5 on this forest some time ago. Should I assume these errors can be ignored? Has anybody else experienced this?
Thanks as always!
Mike Thommes

attributeId attribute value for objects defined in Windows 2000 schema and extended schema do not match.
A previous schema extension has defined the attribute value as 1.2.840.113556.1.4.7000.187.70 for object CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
RE: [ActiveDir] issue with R2 upgrade; SFU confusion?
Our MS TAM has indicated this is a known bug! I will keep the group posted as I learn more details.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, February 17, 2006 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

As an update to this thread, we transferred the Schema Master role back to the other DC that has the SFU tools installed, originally thinking this might get the R2 schema update to work. Wrong! It fails with the same error. I can only imagine we do not have that unique an environment in our testbed and expect others to have the same experience. Luckily, we never put SFU 3.5 on our production systems. We are going to open up a trouble ticket with Microsoft regarding this issue. I would like to hear of others' experiences (success or failure) when trying to install R2 in an environment where SFU 3.5 had been installed. Thanks!

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, February 16, 2006 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Guido, Thanks for the response! This server is Windows 2003/SP1 with all but the current month's patches. It is the current FSMO role holder. I did some checking this morning and found the SFU 3.5 tools on another DC that could have been the FSMO role holder at the time the SFU schema changes were made. I don't see why that would make any difference, do you?

-mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, February 16, 2006 3:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Mike - I see you're upgrading from Win2000 AD. Are you sure that you've previously installed SFU 3.5, or was it maybe SFU 2.0? The reason I'm asking is that there's a known schema incompatibility with SFU 2.0: check out http://support.microsoft.com/?id=293783

Cannot Upgrade Windows 2000 Server to Windows Server 2003 with Windows Services for UNIX 2.0 Installed
CAUSE
The upgrade may not work because the attributeSchema 'uid' that is used by Windows 2000 Server for the NIS schema is not compatible with the one that is used by Windows Server 2003.

As such your error is likely independent from the changes in the R2 schema - it's actually an incompatibility in the Win2003 base schema (not that this really matters for you; I just want to clarify that the error should be unrelated to R2). As such it's different from Aric's case, who was performing an upgrade from a Win2003 schema to Win2003 R2...

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Thursday, 16 February 2006 02:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi Aric, No, there were a lot more errors - all seem to be related to SFU attributes. I only copied a small portion to my posting to save bandwidth. Painful = time = headaches 8-( I was expecting this upgrade to be a walk in the park.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Wednesday, February 15, 2006 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] issue with R2 upgrade; SFU confusion?

Are these the only two errors you received? I encountered similar errors during beta testing when I implemented R2 in an existing forest - but a lot more than just 2. :) I created a secondary forest and validated that it did not recur. Note that I also had SFU installed in the original forest and the new secondary forest. I was able to clean up the schema in the existing forest exhibiting the errors but it was a fairly painful process of what seemed to be a goose chase. The tasks included disabling object attributes in the schema and renaming them amongst other things. Fortunately I have not heard of this happening in production...yet.

So can these errors be ignored? If I remember correctly ADPrep is actually failing and therefore NO you cannot ignore these errors since ADPREP will not occur until they are resolved.

Regards, Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, February 15, 2006 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] issue with R2 upgrade; SFU confusion?

Hi, We did an adprep /forestprep from the W2K3/SP1 R2 Disk 2 CD today on our testbed FSMO DC. It gave the following errors (only a portion shown below) because, I am guessing, we had already installed SFU 3.5 on this forest some time ago. Should I assume these errors can be ignored? Has anybody else experienced this? Thanks
[ActiveDir] ability to create container objects not in ADUC
Is there a technical reason why the ability to create a new container is not available in the Active Directory Users and Computers (ADUC) MMC? (Sorry if this is a dumb question.)

Mike Thommes

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] issue with R2 upgrade; SFU confusion?
Hi, We did an adprep /forestprep from the W2K3/SP1 R2 Disk 2 CD today on our testbed FSMO DC. It gave the following errors (only a portion shown below) because, I am guessing, we had already installed SFU 3.5 on this forest some time ago. Should I assume these errors can be ignored? Has anybody else experienced this? Thanks as always!

Mike Thommes

attributeId attribute value for objects defined in Windows 2000 schema and extended schema do not match.
A previous schema extension has defined the attribute value as 1.2.840.113556.1.4.7000.187.70 for object CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov differently than the schema extension needed for Windows 2003 server.
[Status/Consequence] Adprep cannot extend your existing schema
[User Action] Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.
=
attributeId attribute value for objects defined in Windows 2000 schema and extended schema do not match.
A previous schema extension has defined the attribute value as 1.2.840.113556.1.4.7000.187.71 for object CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov differently than the schema extension needed for Windows 2003 server.
[Status/Consequence] Adprep cannot extend your existing schema
[User Action] Contact the vendor of the application that previously extended the schema to resolve the inconsistency. Then run adprep again.
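The adprep errors above are, in effect, a schema consistency check that ran too late. As an added example (not from the thread, Microsoft or SFU), this Python script reads an ldifde export of the uidNumber and gidNumber attributeSchema objects and flags any attributeID that does not match what the R2 schema expects, so the conflict can be found before adprep /forestprep is attempted; the expected OIDs are assumed here to be the RFC 2307 ones and should be verified against the R2 schema LDF files, and the SFU OIDs are the two adprep reported in the thread.

```python
# OIDs the Windows Server 2003 R2 schema is assumed here to use for the RFC 2307
# attributes (assumption; verify against the R2 schema LDF files before relying on it).
EXPECTED_OIDS = {"uidNumber": "1.3.6.1.1.1.1.0", "gidNumber": "1.3.6.1.1.1.1.1"}
# OIDs that adprep reported in the thread as left behind by the SFU 3.5 extension.
SFU_OIDS = {"1.2.840.113556.1.4.7000.187.70": "uidNumber (SFU 3.5)",
            "1.2.840.113556.1.4.7000.187.71": "gidNumber (SFU 3.5)"}

def parse_ldif(text):
    """Return {dn: {attribute: value}} from an ldifde export (folds continuation lines)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]           # LDIF wraps long values with a leading space
        else:
            unfolded.append(raw)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None                    # blank line terminates the entry
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.lstrip(": ")   # '::' base64 values stay undecoded
        if key.lower() == "dn":
            current = value
            entries[current] = {}
        elif current is not None:
            entries[current][key] = value
    return entries

def check_schema(text):
    """Return (attribute, found_oid, expected_oid, origin) for each conflicting attributeID."""
    conflicts = []
    for dn, attrs in parse_ldif(text).items():
        name = attrs.get("lDAPDisplayName") or dn.split(",")[0].split("=", 1)[1]
        found, expected = attrs.get("attributeID"), EXPECTED_OIDS.get(name)
        if expected and found and found != expected:
            conflicts.append((name, found, expected, SFU_OIDS.get(found, "unknown origin")))
    return conflicts

# Constructed sample export modelled on the thread's DNs (not real data):
# uidNumber still carries the SFU OID, gidNumber already matches the expected value.
SAMPLE_LDIF = """dn: CN=uidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
attributeID: 1.2.840.113556.1.4.7000.187.70
lDAPDisplayName: uidNumber

dn: CN=gidNumber,CN=Schema,CN=Configuration,DC=anl,DC=gov
attributeID: 1.3.6.1.1.1.1.1
lDAPDisplayName: gidNumber
"""
```

Export the two objects from the schema FSMO with something like `ldifde -f schema.ldf -d "CN=Schema,CN=Configuration,DC=anl,DC=gov" -r "(|(cn=uidNumber)(cn=gidNumber))" -l attributeID,lDAPDisplayName` (the DN is the thread's; adjust to your forest) and pass the file's text to check_schema(); any tuple it returns is an attribute adprep will refuse to extend.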