RE: [ActiveDir] Adfind + Admod help

[WATSON, BEN]

Yeah, I agree.  I see the logic in how to get to the solution, but I just don’t 
have the programmatic tool knowledge yet.  I may not have the time to hold off 
this project until I can figure it out myself programmatically, but I am going 
to set aside my evenings at home until I learn how to do this sort of thing 
myself.

 

Hmm, I’m almost a little scared to ask what the answer is to the bonus 
question.  Does it make a difference that he is our sole software dev employed 
by our IT department to do IT related work?  J  In any case, let’s hear the 
answer.

 

~Ben

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

I believe you know how, but may not have the programmatic tool knowledge yet.  
I think this is a great oppty to learn though, if you can make the time.  

Since the HR department did this manually, it almost screams that you could 
manually do this in same fashion. That's a lot of work most likely. 

Using csv or ldif is still fairly within the realm of non-code solutions. ADMOD 
would also be in that realm, but as was mentioned elsewhere in the thread, it's 
not a question of the code, but the logic. Which you know already. 


Bonus question: Do you know what you call somebody who gets a dev to do this 
kind of coding work?  :)

-ajm



On 1/23/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I'll go about this, it looks like I'll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don't know how to yet apparently.

 

~Ben

 

 

 

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM


To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

>apsgDepartment: 24

>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  J 

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
On Behalf Of Al Mulnick
Sent: Monday, Januar

RE: [ActiveDir] Adfind + Admod help

[WATSON, BEN]

Thanks for the response Hunter.  Yeah, that's pretty much the logic that
I had come down to.  By the way, what is the real difference between
Powershell and VBScript anyway?  I've been hearing more and more about
Powershell lately, and since I'm going to take the time to learn a
scripting language, I will want to make sure I learn the one that will
have the most value to me from an administration perspective.

 

Let me go talk to my local software dev here in our department.  I'm
sure we'll be able to come to a solution no problem.  It just bugs me
that I don't know how to do scripting like this yet.

 

And I'll certainly holler if I run out of options.

 

Thanks again,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, January 23, 2007 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

 

I agree with Al in that I don't see an obvious way to do this from a
single command line. The key, as he mentioned, is going to be getting a
list of unique department numbers and section numbers. I'd probably
separate those out into two distinct lists, one for departments and one
for sections. Once you have those lists, you could pipe them to admod or
any other tool of your choice to create the groups. However, since
you're probably going to need some script to generate the lists, you
might as well keep the group creation within the script as well.

 

The problem with trying to use adfind is that you are not going to be
able to construct an LDAP query that returns only unique instances of
apsgDepartment and apsgSection. No knock on adfind, you'll run into the
same thing with ldp or dsquery. You can query for and return any object
that has those attributes populated, but the returned set of those
attributes will have duplicates. That's where your script will throw the
attributes into a hash (or scripting dictionary) to eliminate the
duplicates.

 

The outline of your script would look something like this:

-query AD for all user objects that have apsgDepartment and/or
apsgSection populated

-loop through the returned set to build unique lists of Department
numbers and Section numbers

-loop through the Department number list and create a group for each one

-loop through the Section number list and create a group for each one,
and nest it in the corresponding Department group

 

None of that is heinously difficult to script. I'd probably lean towards
powershell or perl, since they handle hashes better than VBScript. But
it's certainly feasible in VBScript as well. Holler if you want some
help going down this road.

 

Hunter

 

 

 

____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 23, 2007 8:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adfind + Admod help

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??",
then I would have to lean more towards ?? in my case.  Not to say you
didn't give some excellent options, but unfortunately it all boils down
to me simply not being any sort of a programmer and so I currently
wouldn't know how to do any of the options you suggest.  (I'm studying
the ways of VBScripting right now).  To answer an earlier question, "Do
you already have the department names in a list? Or is that something
that you have to gather first?", the department and section information
is already contained within Active Directory through Schema Extensions.
The actual names of the departments/sections are not important at this
level, all I need to be concerned with is the department and section
numbers.

 

As an example...

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

>apsgDepartment: 24

>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should
be a member of the (not created yet) Sec242 security group, and then the
Sec242 security group would be a member of the (not created yet) Dep24
security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind +
Admod could meet this challenge.  I'm certainly hoping so.  J

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something
that you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user
object and determine the department value. Then, you'll create a group
for every single unique instance of department value. After those are
created, you'd then create the section sg's and make them members of the
relevant department sg.  

 

Is there a clean way? 

RE: [ActiveDir] Adfind + Admod help

[WATSON, BEN]

We have a software developer in our group who has developed a Corporate 
Directory application that acts as our internal employee directory on our 
intranet.  It also includes an administrative side which  gives certain 
individuals (mostly HR) the ability to create and disable user accounts when 
people are hired or let go.  The need for Active Directory to house information 
such as department, section, as well as other information unique to our company 
was mostly done to accommodate this application.

 

It was this administrative portion of our Corporate Directory application that 
allowed Human Resources to literally go in and do some data entry and make the 
proper entries for each employee as to their correct department and section.  
So that answers the question of how the data got in there in the first place.

 

As for how I’ll go about this, it looks like I’ll unfortunately have to go back 
and bug our software dev for help on this.  I hate doing it, because when it 
comes to things like this I feel like I should be able to do it but 
unfortunately I just don’t know how to yet apparently.

 

~Ben

 

 

 

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, January 23, 2007 9:05 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

What are you comfortable with for administration?  
How'd the attributes get populated in the first place? 

joe's tool wouldn't be the tool of choice for this problem. To clarify that, I 
mean to say that it wouldn't be the only tool because there's logic that has to 
occur that is specific to your situation. 

The manual method (non-automated) would be to export the information into 
spreadsheets and use ldif or csv (comfort level again) to create and populate 
the group structures as needed. 

Al

On 1/23/07, WATSON, BEN <[EMAIL PROTECTED]> wrote:

Thank you for the response Al.

 

To answer your ultimate question, which was "Does that help, or ??", then I 
would have to lean more towards ?? in my case.  Not to say you didn't give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn't know how to do any of the 
options you suggest.  (I'm studying the ways of VBScripting right now).  To 
answer an earlier question, "Do you already have the department names in a 
list? Or is that something that you have to gather first?", the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

>apsgDepartment: 24

>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I'm certainly hoping so.  J 

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> ] 
On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of course, .NET is an option as well.  Same logic depending on language though. 
And you will want to do this in passes most likely so you can ensure that the 
department group is created when it comes time to add an object to it.  It's 
helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/2

RE: [ActiveDir] Adfind + Admod help

[WATSON, BEN]

Thank you for the response Al.

 

To answer your ultimate question, which was “Does that help, or ??”, then I 
would have to lean more towards ?? in my case.  Not to say you didn’t give some 
excellent options, but unfortunately it all boils down to me simply not being 
any sort of a programmer and so I currently wouldn’t know how to do any of the 
options you suggest.  (I’m studying the ways of VBScripting right now).  To 
answer an earlier question, “Do you already have the department names in a 
list? Or is that something that you have to gather first?”, the department and 
section information is already contained within Active Directory through Schema 
Extensions.  The actual names of the departments/sections are not important at 
this level, all I need to be concerned with is the department and section 
numbers.

 

As an example…

 

dn:CN=Ben Watson,OU=UserAccounts,DC=appsig,DC=com

>apsgDepartment: 24

>apsgSection: 242

 

I am a part of Department 24, section 242.  Thus, my user account should be a 
member of the (not created yet) Sec242 security group, and then the Sec242 
security group would be a member of the (not created yet) Dep24 security group.

 

I too was hoping I could lure Joe out to respond and see if Adfind + Admod 
could meet this challenge.  I’m certainly hoping so.  J

 

Thanks,

~Ben

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, January 22, 2007 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adfind + Admod help

 

Do you already have the department names in a list? Or is that something that 
you have to gather first? 

 

If you have to gather, then I assume you'll have to iterate each user object 
and determine the department value. Then, you'll create a group for every 
single unique instance of department value. After those are created, you'd then 
create the section sg's and make them members of the relevant department sg.  

 

Is there a clean way?  I don't think it's something that you can do on a single 
command line, although I throw that out there mostly as a challenge to joe. He 
likes that kind of challenge I suspect ;)

 

Couple of options come to mind: 

 

You could build a table and based on that table you can create/populate.  ADMOD 
and ADFIND could be useful to you there. 

You could build a script that uses dictionary objects and creates the unique 
instances for you and correlates that information to the sections and then 
creates/populates.  It's slightly complex, but...

 

Building the tables, you could then execute manually.  Depends on the scope of 
course. 

 

Of course, .NET is an option as well.  Same logic depending on language though. 
And you will want to do this in passes most likely so you can ensure that the 
department group is created when it comes time to add an object to it.  It's 
helpful to do it that way... 

 

Does that help, or ??

Al



 

On 1/22/07, WATSON, BEN <[EMAIL PROTECTED]> wrote: 

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need a 
little help.

 

I need to create a security group for each department in our company, and then 
a security group for each section.  At our company sections fall underneath 
departments.  So we may have a department #24, and then sections #241, #242, 
#243, etc… 

 

Right now, we have made some schema extensions to allow Active Directory to 
contain relevant user data, such as what Department and Section the user is a 
part of.  So the data is already in our Active Directory.  I imagine there 
should be a relatively easy way to take each unique value of Department and 
Section and turn that into the security groups I need. 

 

So if it were to find Departments 24 and 25.  It would turn that into two 
security groups named Dept24 and Dept25.  Furthermore, if it found sections 
241, 242, 251, 252, it would create four security groups named Sec241, Sec242, 
Sec251, and Sec252. 

 

It would also be "nice" if I could create the Department security groups first, 
and then not only create the proper Section security groups, but make them a 
member of the appropriate Department security groups as well. 

 

Any ideas on how best to accomplish this in a relatively pain-free fashion?  Or 
if there is an alternative way to do this rather than Admod, then please 
suggest it.  I just figured that Admod would probably be my best choice. 

 

Thanks,

~Ben

 

[ActiveDir] Adfind + Admod help

[WATSON, BEN]

Hey guys,

 

I'm trying to wrap my brain around how best to accomplish this and need
a little help.

 

I need to create a security group for each department in our company,
and then a security group for each section.  At our company sections
fall underneath departments.  So we may have a department #24, and then
sections #241, #242, #243, etc...

 

Right now, we have made some schema extensions to allow Active Directory
to contain relevant user data, such as what Department and Section the
user is a part of.  So the data is already in our Active Directory.  I
imagine there should be a relatively easy way to take each unique value
of Department and Section and turn that into the security groups I need.

 

So if it were to find Departments 24 and 25.  It would turn that into
two security groups named Dept24 and Dept25.  Furthermore, if it found
sections 241, 242, 251, 252, it would create four security groups named
Sec241, Sec242, Sec251, and Sec252.

 

It would also be "nice" if I could create the Department security groups
first, and then not only create the proper Section security groups, but
make them a member of the appropriate Department security groups as
well.

 

Any ideas on how best to accomplish this in a relatively pain-free
fashion?  Or if there is an alternative way to do this rather than
Admod, then please suggest it.  I just figured that Admod would probably
be my best choice.

 

Thanks,

~Ben

RE: [ActiveDir] Remote DC's on Virtual Server

[WATSON, BEN]

Noah,
 
I initially thought that as well in regards to the video emulation performance. 
 Now correct me if I'm wrong, but I'll bet that you were using virtualized 
Windows Server 2003 operating systems.  The default setting in Windows Server 
2003 is that your display hardware acceleration is turned off.  If you set your 
hardware acceleration to full, then your video emulation performance issues 
will go away.
 
Personally, I have used both Microsoft and VMWare products, and have found the 
video performance to be pretty much the same.
 
~Ben



From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Thu 1/18/2007 4:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server



I realize this is now getting a bit OT, but...

 

Deji, I think the fruit distinction is based on the fact that one runs on bare 
metal and other runs under a host OS. (Or at least that is how I have always 
thought of them.) Beyond that, I agree there are simply feature comparisons.

 

That said, (and with the caveat that I have not worked with ESX) I find the MS 
product to be much simpler than VM Server (nee GSX). I started halfway down the 
path of migrating my MS VMs to VM Server and found it overly complex and the 
video emulation performance using the VM Ware client was so bad as to be 
unacceptable. 

 

And as to the OP, I have DCs running on MS VS2k5 R2 and have not had any 
problems. In the situation you describe, Justin, it seems like performance and 
cost would be the deciding factor.

 

--- nme

 



From: Akomolafe, Deji [mailto:[EMAIL PROTECTED] 
Sent: Thursday, January 18, 2007 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

 

:)

 

Interesting points, again. Did I remember to say that I am biased? I think so. 
I expect that I'm going to catch some flaks for what I'm about to write, but 
.

 

These do not make VS and ESX "apples and oranges". VMotion, Host clustering. 
Different nomenclature, different capabilities, same purpose, Resource 
allocation guarantee, CPU Resource allocation weight.

 

Superior Networking capabilities. Sure. Does VS have networking capabilities? 
Of course. Does ESX integrate with AD as well as VS? Does it run on Windows? 
Support software iSCSI? Live backup and Shadow Copy? (OK, if you count VCB and 
its proxy).

 

Administration - show of hands, quick - ESX or VS, which is easier and less 
complex to deploy and administer? Which has easier and faster client deployment 
option?

 

I swear, I have NOT drunk any kool-aid, but I think people's perceptions of the 
superiority of ESX over VS is largely driven by a combination of historical 
trends, myths, marketing and the unavoidable "Winblows Sux" mentality. Since we 
are on a Windows-centric list here, I do not mind admitting that I do not 
subscribe to the notion that if it's not Windows, it must be better than 
Windows. Mind you, Hunter, I am NOT implying that this is where you are coming 
from, but the reason I asked you to enunciate the reasoning behind your 
thinking was because I was hoping to hear something I haven't heard before on 
this issue.

 

VS certainly wasn't as feature-rich as ESX a couple of revs back. The gap is 
considerably narrowed with what's currently going into VS and what ESX 3.0.1 
has today. Will VS catch and surpass ESX in a few months, no. Will it ever 
catch up, maybe. But, today, if we factor in the cost overlay (in licensing, 
hardware and administrative values), and discount our preconceived (or 
received) notions of ESX superiority, and give VS (as of SP1 Beta 2) a fair 
shake, one would be pleasantly surprised at how narrow the gap really is.

 

To me, these 2 products are all bananas - one is a "just banana" and the other 
is "organic banana". They are certainly not more "apple and orange" than your 
convertible and my jalopy are "apple and orange". They are both virtualization 
tools, and they each serve the same purpose. One is cheap (like, FREE cheap, 
while giving you liberal Windows licensing terms and flexibility to boot), the 
other is not.

 

Now, I'm off to find my Teflon :)

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
-anon

 



From: Coleman, Hunter
Sent: Thu 1/18/2007 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote DC's on Virtual Server

On the Virtual Infrastructure side: Moving running guests across hosts 
(vmotion), the network configuration options, lower host overhead, grouping 
hosts into resource 

RE: [ActiveDir] Client time sync

[WATSON, BEN]

Try the command...

w32tm /resync /rediscover

See if that helps the client figure out where it should look for time.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Wednesday, January 10, 2007 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Client time sync


I have a machine (at least one I know of) that isn't syncing time with
the domain controller its logging into.  I've restarted the win32time
service on it to see if that would sync it and it doesn't.  Any
suggestions on where to start?  The DC and the client are off by about 9
minutes.

~~
This email message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information of Cameron
and its Operating Divisions. Any unauthorized use or disclosure is
prohibited. If you are not the intended recipient, please contact
the sender by reply email and delete and destroy all copies of the
original message inclusive of any attachments.
~~
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx

RE: [ActiveDir] Shares with Computer Account Permissions

[WATSON, BEN]

So you can use IPSec to allow or deny access to a network share based on
originating host?

 

Would you mind elaborating on this a little bit?

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Tuesday, January 09, 2007 2:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Shares with Computer Account Permissions

 

Sure. IPsec.

 

Laura

 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, January 09, 2007 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Shares with Computer Account Permissions

I was asked today whether it was possible to allow or deny
access to shares not just based on user accounts, but also upon computer
accounts.  My immediate response was that I didn't think so.

 

So I tested it by simply creating a folder up on our file
server, and added the computer account for my workstation and denying it
access completely.  This made no difference to my permissions when
trying to access it from this workstation.

 

So my question is this, is there any way to design access
permissions in such a way so you could not only allow access to a share
to a certain security group, but also to this security group only when
they are accessing it on hosts that we have explicitly defined?

 

~Ben

 

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.7/620 - Release Date:
1/8/2007 4:12 PM

 

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.432 / Virus Database: 268.16.7/620 - Release Date: 1/8/2007
4:12 PM

[ActiveDir] Shares with Computer Account Permissions

[WATSON, BEN]

I was asked today whether it was possible to allow or deny access to
shares not just based on user accounts, but also upon computer accounts.
My immediate response was that I didn't think so.

 

So I tested it by simply creating a folder up on our file server, and
added the computer account for my workstation and denying it access
completely.  This made no difference to my permissions when trying to
access it from this workstation.

 

So my question is this, is there any way to design access permissions in
such a way so you could not only allow access to a share to a certain
security group, but also to this security group only when they are
accessing it on hosts that we have explicitly defined?

 

~Ben

RE: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

[WATSON, BEN]

Hi Yann,

 

I was reading this over the weekend, and perhaps this might provide enough 
relevant info for you to find what you are looking for.

 

http://blog.joeware.net/2007/01/06/756/

 

~Ben

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Monday, January 08, 2007 2:42 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Decode the msExchMailboxSecurityDescriptor attribute.

 

Hello,

 

I'd like to dump the msExchMailboxSecurityDescriptor attribute of a user object 
into readable format. It seems that the value is in binary blob format.

 

Is there a way to do this ?

 

Thanks,

 

Yann

 

 __
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible 
contre les messages non sollicités 
http://mail.yahoo.fr Yahoo! Mail 

[ActiveDir] OT: Hello?

[WATSON, BEN]

I haven't seen a single e-mail from the mailing list since yesterday
morning. Is anyone else seeing this e-mail?  Has anyone else received
e-mails since then?

 

Just curious if the list has just been dead for the past day, or if
something might not be working properly.

 

~Ben

[ActiveDir] [OT]MOM mailing list

[WATSON, BEN]

Anyone have a recommendation on a good MOM mailing list?

 

Thanks,

~Ben

RE: [ActiveDir] Delegate Password Resets

[WATSON, BEN]

Ah good to know.  I'll remove that right from the security group I
delegated the rights to since it's unnecessary.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, December 22, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

Why would you want to modify the change password rights on your OUs?
That doesn't make sense to delegate: unlike password reset, it's the
right that only allows you to _change_ the password if you know the old
one...  

 

So this is typically what the rights the users would need to change the
PW on their own account - and by default it's granted to the Everyone
well-known-secprin. This is NOT a security issue since if you know a
user's password, you _are_ the user.

 

/Guido

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Freitag, 22. Dezember 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
nay other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 

RE: [ActiveDir] Delegate Password Resets

[WATSON, BEN]

Ah interesting.  For tasks related specifically to technically
proficient IT personnel, I prefer to keep it simple (from the standpoint
of application layers in between the user and the completed task).  I
delegate granular rights, give them the adminpak, and tell them what
they can and can't do.  If they try to do something they can't do, they
just get an access denied error anyway.  There are no additional layers
of software to make things overly complex (and easier to break).

 

For non-IT personnel, that's where having an alternative front-end is
nice.  In our case, we have an in-house developed web based application
that allows our HR department to directly create and disable user
accounts as well as do other minor configuration such as mailbox
enabling.  This addressed a communications gap in which HR and IT would
not communicate effectively enough and new and terminated employees
would not have accounts created or disabled in a timely manner.  Now
that HR has the ability to do that themselves, the process has been
streamlined and things in general run a lot smoother.

 

This same web based application also acts as our internal corporate
directory.

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, December 22, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

We use a product called rDirectory and the Reset Password function has
suddenly sporatically stopped working throwing what appear to be .net
errors.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
nay other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 

RE: [ActiveDir] Built in Security groups

[WATSON, BEN]

I'm a bit confused on what you mean by "removing" the built-in security
groups?  Could you elaborate a little bit for me?

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

 


Does anyone have a reference (preferably from MS) showing that you
should not remove the Built in Security groups such as Schema Admins,
Enterprise Admins, etc. It has come down from above that we should be
removing these groups and while I know better I need some ammunition to
back me up. 

Thanks, 
Andrew Fidel

RE: [ActiveDir] Delegate Password Resets

[WATSON, BEN]

Personally, I see the Account Operators group as going far beyond the
principle of least privilege.  I simply have not run across a helpdesk
that actually requires the privileges on a scale that the built-in
Account Operators group provides.  Most helpdesk personnel will do the
majority of their account related work through joining computers to the
domain, reset computer accounts, reset user passwords, and unlock user
accounts.  

On top of that, if you've arranged your OU structure so user accounts
and computer accounts are split up in a meaningful manner, then more
than likely the helpdesk personnel only need rights to do their limited
tasks (that I stated above) in only a few OUs.

Account Operator pretty much gives blanket full control to all user and
computer accounts in all OUs and that just seems overboard to me.  Not
to mention (with default settings) members of the Account Operators
group have the ability to log on locally to Domain Controllers which I
would expect is probably something most helpdesk personnel should not be
doing.

Anyway, what I'm trying to say is that I much prefer to work at giving
people the permissions they need to do their job and nothing more (or as
close to nothing as possible).  I've found that user error is the most
likely type of issue to arise and when you limit the rights of users to
only what they need, you end up significantly reducing your own workload
by preventing major issues from occurring in the first place.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group,

Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:
>
> I wanted to find out from all of you what ways you have delegated 
> password reset functions to your helpdesks.  We have a product that 
> does this but it is continually having problems and want to know if 
> there are nay other ways.
>
>  
>
> Justin A. Salandra
>
> MCSE Windows 2000 and 2003
>
> Network and Technology Services Manager
>
> Catholic Health Care System
>
> 646.505.3681
>
> cell 917.455.0110
>
> [EMAIL PROTECTED] 
>
>  
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Delegate Password Resets

[WATSON, BEN]

In our case, I simply modified the security permissions on the OU containing 
our user accounts to provide a granular delegation of rights so the members of 
this security group can go into ADUC and unlock user accounts or reset/change 
passwords only.  I modified various read/write property rights as well as reset 
password and change password rights.
 
Besides modifying ACLs, what other methods of delegating password reset 
functions were you referring to?



From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets



I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it is 
continually having problems and want to know if there are nay other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 

<>

[ActiveDir] ADfind to find locked accounts

[WATSON, BEN]

I'm using a bitwise filter to search for locked accounts using ADFind.

 

I have one particular account, a service account, that is locked out and
also has Password No Expire set.

 

In ADFind it comes up as such...

 

C:\tools>adfind -default -bit -f samaccountname=servaccount -alldc
useraccountcontrol

 

AdFind V01.33.00cpp Joe Richards ([EMAIL PROTECTED]) October 2006

 

Transformed Filter: samaccountname=servaccount

Using server: dc.appsig.com:389

Directory: Windows 2000

Base DN: DC=appsig,DC=com

 

dn:CN=servaccount,OU=APSG SvcAccounts,DC=appsig,DC=com

>userAccountControl: 66048 [NORMAL_USER(512);NO_EXPIRE(65536)]

 

Why does the userAccountControl read as 512+65536 only?  Shouldn't it be
512 (Normal User) + 16 (Locked Out) + 65536 (No Expire) = 66064?

 

In fact, I cannot even find this account when searching for locked
accounts via ADFind.  The only reason I realized it was locked out was
because I also used Joe's Unlock utility to search for all locked
accounts and it returned this account as part of the search.  

 

C:\tools>unlock . * -view

 

Unlock V02.01.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

 

Processed at dc.appsig.com

Default Naming Context: DC=appsig,DC=com

 

1: servaccount12/15/2006-10:52:45 LOCKED   VIEW_ONLY

 

 

I'm probably just missing something here, but was hoping for some
clarification.

 

Thanks,

~Ben

RE: [ActiveDir] AdminSDHolder orphans

[WATSON, BEN]

Paul,

On a side note, this part of your response caught my eye...

"...and then retriggered SDPROP."

Is there a way to manually trigger SDPROP?  There have been times when I
have wanted to do this but didn't know how or if it was possible.

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Tuesday, December 19, 2006 1:29 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AdminSDHolder orphans

The SDPROP thread technically, doesn't do anythign with inheritance.
That 
is a trait of the security descriptor, which SDPROP sets.  So, 
realistically, SDPROP overwrites the nTSecurityDescriptor attribute and 
increments adminCount to 1.  The step of setting inheritance to off is 
unnecessary in the bulleted list (sorry, I know that's pedantic).

Should this be reversed?  Good question.  There could be a cleanup task,
but 
in my mind it shouldn't be part of SDPROP.  SDPROP spikes the PDCe
enough as 
it is.  Perhaps it should be a different process, possibly running less 
frequently, e.g. once every 24 hours.

As it is, this needs to be process driven.  For example, on the current 
design I'm working on, if an administrator in the English sense of the
word 
(as opposed to the techie definition) requires additional administrative

access for a particular change they are elevated via a semi-automated 
workflow process.  This process is done via Active Roles.  We're
currently 
working on the technical side of how to undo the effects of SDPROP when
such 
an action occurs, e.g. elevated to schema admins.

In the past I've occasionally brute forced this and queried for anyone
with 
an adminCount of 1, set that back to 0 and enabled inheritance and then 
retriggered SDPROP.  We've discussed scheduling this periodically but I 
don't like it.  For one, there might be additional ACEs that are not
needed. 
Cleaning those up is more tricky - you need to strip the ACE, inherit
and 
set any default ACEs, as well as any non-inherited bespoke ACEs back.

It's an interesting question.  One no doubt the DS guys have pondered.
The 
mechanics of a rollback seem more tricky, as does some of the security 
implications I'm sure.

On another note, adminCount is also a quick and dirty way of proving to 
someone just how many users they have that have more rights than they
need. 
Especially when they're spewing a load of BS re. how they delegate most 
functions and only have a select few admins.

Just some semi-cohesive thoughts from me for y'all anyway.


--Paul

- Original Message - 
From: "Brian Desmond" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, December 19, 2006 2:38 AM
Subject: RE: [ActiveDir] AdminSDHolder orphans


> Yeah this caused me issues when I was at a large client which had this
> proposensity to put everyone and their brother into a group that
> triggered this behavior. What I would do is dump everyone with
> admincount>0, then set admincount=0 on all of them, wait a bit, and
see
> who was back to >0 and then fix the deltas.
>
> Thanks,
> Brian Desmond
> [EMAIL PROTECTED]
>
> c - 312.731.3132
>
>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:ActiveDir-
>> [EMAIL PROTECTED] On Behalf Of Tony Murray
>> Sent: Monday, December 18, 2006 8:32 PM
>> To: [EMAIL PROTECTED]
>> Subject: [ActiveDir] AdminSDHolder orphans
>>
>>
>> Just wanted to get your opinion on something.
>>
>> When an object becomes a member of one of the groups protected by the
>> AdminSDHolder, the next run of the SDProp thread will:
>>
>> * Replace the object's security descriptor with that of the
>> AdminSDHolder;
>> * Disable permissions inheritance on the object;
>> * Set a new adminCount attribute with a value > 0 on the object.
>>
>> If the object is then removed from the protected group(s), the
changes
>> made by the AdminSDHolder are not reversed.  In other words, the
>> adminCount value remains the same, as does the security descriptor.
>>
>> Is it just me or does anyone think this behaviour a little strange?
>> What I am finding in many environments is a large number of these
>> AdminSDHolder "orphans".  These can arise quite easily, e.g. an
> account
>> is made a temporary member of a privileged group to perform a
specific
>> task or someone changes role within the organisation.  Of course I
>> realise that in a perfect world these scenarios would be minimised by
>> the use of dual accounts for splitting standard vs. admin functions,
>> but the reality is that it is all too common.
>>
>> The AdminSDHolder orphans can cause problems when troubleshooting
>> delegation issues.  For example, I came across this issue recently
> when
>> setting up permissions for GAL Sync using IIFP.  I had to tidy up
>> before the sync would complete without errors.
>>
>> Does anyone run a regular cleanup using the script provided in this
>> article (or similar)?
>>
>> http://support.microsoft.com/kb/817433
>>
>> Do you think the AdminSDHolder behaviour should be cha

RE: [ActiveDir] Strange Lock Out Issue

[WATSON, BEN]

Download the Account Lockout and Management Tools from Microsoft.  More
specifically, from the downloaded EXE, extract the LockoutStatus.EXE
file and use it to query for the user account that is having issues.

 

It will tell you how many bad password attempts have been made, what
time/date the lockout occurred, and on what DC.  Furthermore, you can
directly manage the Domain Controller from the tool and pull up the
event viewer to look for the security entry pointing you to the source
of the bad credentials.

 

It's always worked like a charm for me when dealing with issues like
these.

 

Good luck,

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, December 18, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

 

I have a user, who is not logged in anywhere else, and while surfing the
web or access a program is getting locked out of her account for no
reason.  I have checked the logs on all three domain controllers and
nothing is showing a failed logon attempt or bad password.  It doesn't
even show when the account got locked.  Any ideas on how to rectify
this?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 

RE: [ActiveDir] Strange Lock Out Issue

[WATSON, BEN]

I meant to also include the link.

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4
E63-8629-B999ADDE0B9E&displaylang=en

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, December 18, 2006 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Strange Lock Out Issue

 

I have a user, who is not logged in anywhere else, and while surfing the
web or access a program is getting locked out of her account for no
reason.  I have checked the logs on all three domain controllers and
nothing is showing a failed logon attempt or bad password.  It doesn't
even show when the account got locked.  Any ideas on how to rectify
this?

 

Justin A. Salandra

MCSE Windows 2000 & 2003

Network and Technology Services Manager

Catholic Healthcare System

646.505.3681 - office

917.455.0110 - cell

[EMAIL PROTECTED]  

 

RE: [ActiveDir] Vista GPO

[WATSON, BEN]

Maybe he may be referring to the location of any possible new ADM files
included with Vista.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Thursday, December 14, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Vista GPO 

What do you mean Za? I'm not familiar with any GPO plug-in for Win2K3,
unless you mean the LDIF files that are in sources\adprep on the Vista
CD?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Thursday, December 14, 2006 9:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Vista GPO 

Anyone know what and where the GPO plugin for Win2003 on the Vista DVD 
is called and located?

-Z.V.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Lockdown CD-ROM access for some

[WATSON, BEN]

Yes, that's the same one I had found previously and didn't meet my
requirements since it's on a per-computer basis, not per-user
unfortunately.

 

That information was actually pulled from this KB article.

 

http://support.microsoft.com/kb/555324

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Steele
Sent: Wednesday, December 13, 2006 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

 

A quick google search turned up this reference to a custom .ADM template
that is available.

 

http://joeelway.spaces.live.com/blog/cns!2095EAC3772C41DB!293.entry

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

 

I have been given a task for our secured environments (by secured, I
mean government clearances required) to develop a means to lock down
access to the CDROM drive at a user based level.  They want most users
to be restricted from using the CDROM drives in anyway, but allow a
certain security group the ability to have full use of their CDROM
drives.

 

As far as I can tell, there is not a group policy that allows for this
type of granular lockdown of the devices.  Any suggestions on how to
best tackle this?

 

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The
drive letter of the CD drives may not always be the same, in fact some
machine's drive letters may vary wildly.

 

Thanks,

~Ben

RE: [ActiveDir] Lockdown CD-ROM access for some

[WATSON, BEN]

Hi Darren,

 

Thanks for the response.  Yeah, I saw that KB article and noticed it was
only on a per computer basis and that's when I turned to the group here
for a bit of assistance.

 

I'll check out the 3rd party companies you recommended and go with one
of them if it turns out to be necessary.

 

I appreciate your help.

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, December 13, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lockdown CD-ROM access for some

 

Ben-

You might want to consider one of the 3rd party solutions for this.
There are several on the market that both use and don't use Group Policy
to implement lockdown. Check out Securewave and DesktopStandard, among
others. If you don't have a budget, then there is a policy hack you can
use to just disable the CD device driver altogether. This would be on a
per computer basis though-not per user. See the following KB for
details:

http://support.microsoft.com/kb/555324

 

Darren

 

 

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, December 13, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Lockdown CD-ROM access for some

 

I have been given a task for our secured environments (by secured, I
mean government clearances required) to develop a means to lock down
access to the CDROM drive at a user based level.  They want most users
to be restricted from using the CDROM drives in anyway, but allow a
certain security group the ability to have full use of their CDROM
drives.

 

As far as I can tell, there is not a group policy that allows for this
type of granular lockdown of the devices.  Any suggestions on how to
best tackle this?

 

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The
drive letter of the CD drives may not always be the same, in fact some
machine's drive letters may vary wildly.

 

Thanks,

~Ben

[ActiveDir] Lockdown CD-ROM access for some

[WATSON, BEN]

I have been given a task for our secured environments (by secured, I
mean government clearances required) to develop a means to lock down
access to the CDROM drive at a user based level.  They want most users
to be restricted from using the CDROM drives in anyway, but allow a
certain security group the ability to have full use of their CDROM
drives.

 

As far as I can tell, there is not a group policy that allows for this
type of granular lockdown of the devices.  Any suggestions on how to
best tackle this?

 

Information simply cannot leave these secured environments, and they no
longer want users to have unfettered access to CD/DVD burners.  The
drive letter of the CD drives may not always be the same, in fact some
machine's drive letters may vary wildly.

 

Thanks,

~Ben

RE: [ActiveDir] running scripts via group policy using alternate accounts

[WATSON, BEN]

My memory is a bit fuzzy on this as I read about this awhile ago, but 
essentially when you run a logon script as you are, you are running it under 
the credentials of the user logging in.  So if you are attempting to install 
some software, and the user logging in has only limited privileges, then the 
install will most likely fail.  However, if you configure the script as a 
startup or shutdown script, then the script runs under the Local System account 
and has administrative privileges.
 
So in your case, you'll probably want to run it as a startup or shutdown script.
 
~Ben
 



From: [EMAIL PROTECTED] on behalf of Anuj Attree
Sent: Fri 12/8/2006 11:28 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] running scripts via group policy using alternate accounts


Hi,
 
Is there a way to run user logon scripts via Group Policy using alternate 
credentials (say domain admins)? 
i m putting this question because i want to (for example) install some s/w (yes 
i can use s/w installation feature from GPMC, i know) or want to run a command 
which can be run only by administartor (say ipconfig /registerdns or something 
else) through the script but as the user logging in should have administrator 
priveleges to install the s/w etc and which is not the case generally. 
 
please correct me if i m wrong.

-- 
Regards
Anuj Attree 
<>

RE: [ActiveDir] Delegate join computer to domain

[WATSON, BEN]

Thanks for all the responses everyone.
 
Just as James stated, this is not a situation of risk and threat, but in our 
case an enforcement of policy and procedure as well as more granular control 
over their privileges.  Previously, our desktop support staff could join 
computers and they were supposed to then move the computer account from CN= 
Computers over to the proper OU.  Now they are forced to pre-create the 
computer account in the only OU they have privileges, and THENjoin the computer 
to the domain.
 
@ James - Ah, I didn't realize all of those other privileges were actually 
required simply to perform a join to the domain.  Fortunately, I must have 
delegated all of those privileges when I also delegated the ability for this 
security group to unlock user accounts, and reset passwords because all I added 
was the ability to create and delete computer objects and it definitely works.
 
@ Al - As for how I knew he was getting caught in the check was because he got 
the specific error message stated he had exceeded the number of computers he 
was allowed to join to the domain.  After my own testing though, the only way 
he would've got this message would be if he forgot to pre-create the computer 
account in the proper OU beforehand.
 
In any case, it's working and now the desktop support staff can't forget to put 
the compuer accounts where they need to be.  :)
 
Thanks,
~Ben



From: [EMAIL PROTECTED] on behalf of Wells, James Arthur
Sent: Thu 12/7/2006 6:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate join computer to domain



Not really the risk - more the ability to delegate the right on a very granular 
level.  Semi-independent organizations are given OUs in our domains, with 
limited rights.  One of those rights needed to be the ability to precreate 
computer objects and then join them to the domain (and to be nice, to
allow one SA to create the object and a DIFFERENT SA to join the computer, so 
the extra parameter in ADUC at creation time to specify a security principle 
didn't help).

We also use Quest ActiveRoles for AD security ACLs and auditing, so we needed 
to know the specific ACEs necessaryand, voila!

Now, if there were some way to script the delegation wizard tasks, and build in 
easy auditing and administration like Quest ActiveRoles has, I would have gone 
that route...but not sure such an API exists...

The GPO wasn't the direction we wanted to go, because we also handle patching 
and compliance (different apps for different OUs even), so computers going into 
the "Computers" container isn't a good option, which I think that GPO would 
allow for - correct?


(That's why WE did all of the above.  Not sure what Ben's list of goals is).

--James

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, 
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, December 07, 2006 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate join computer to domain

In the default domain set up ... a domain user can set up 10 computers
as was pointed out

"After I adjusted the security settings, I reduced the default number of
computers an authenticated user can join to the domain down to zero."

Why not just change the group to have that right again?  As you know
there's a specific group policy setting for that.

What's the risk for this group to not have this right?

(Threats and Countermeasures guide discusses the pros/cons)

Wells, James Arthur wrote:
> Ben,
>
> There is a larger list of required ACE entries to JOIN a computer to the 
> domain.
>
> They are:
>
> List Contents
> Read All Properties
> Delete
> Delete Subtree
> Read Perms
> All Extended Rights(gives you Allowed to Authenticate
> Change Pwd
> Receive As
> Reset Pwd
> Send As)
> Validate write to DNS host name
> Validated write to service principal name
>
> (Property permissions)
> Write Account Restrictions
> Read DNS Host Name Attributes
> Read Personal Information
> Read Public Information
>
> Good luck!
>
>
> (I'm assuming you're in W2K3 domain mode, because in mixed, Pre-Win2K 
> Compatible Access grants extra permissions letting users join computers, even 
> when dropping the workstation quota to 0).
>
>
> --James
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: Thursday, December 07, 2006 1:45 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Delegate join computer to domain
>
> Hello everyone,
>
> Our desktop support group are all a part of a security group called IT.  I 
> delegated the Create and Delete Computer ACEs to the security group over the 
> OU that I want them to add computer accounts 

[ActiveDir] Delegate join computer to domain

[WATSON, BEN]

Nevermind guys, I'm out on vacation and I was unable to verify that the desktop 
support staff were pre-creating the computer accounts properly.  I got back to 
my hotel and was able to VPN in and check up on everything and they were not 
creating the accounts properly.  Everything is working as intended.

Thanks,
~Ben

-Original Message-
From: WATSON, BEN 
Sent: Thursday, December 07, 2006 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: Delegate join computer to domain

Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can  join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer 
accounts, but when they attempt to go through the join process, they are caught 
at the check that determines if they have surpassed the number of machines a 
user can join to the domain (which is now zero).  

What must I do so this security group is not subject to that check?

Thanks,
Ben

-Original Message-
From: "Thompson, Elizabeth" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the "dead" server listed under its the NTDS 
Settings in AD Sites and Services. Had this happen once to me. I manually 
deleted the NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and can not find any solution 

I used DCpromo to depromote a computer. It worked ok, the Domain 
controller was depromoted. But when I use repadmin to show other dc´s 
replication, it show replications from the domain controler depromoted. I 
didn´t find anything to explain how to solve that. 
Where can I find it, to remove it from replication. The machine is a 
network computer, but replication fails with message: 


SPO-COSTA\SPO-CENTRO5   <<<--   (THIS IS THE DOMAIN CONTROLER 
THAT IS NOT A DOMAIN CONTROLER ANYMORE) 
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC 
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f 
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br 
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS 
USNs: 13018091/OU, 13018091/PU 
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): 
A operação de agente do sistema de diretórios (DSA) não pode 
prosseg 
uir devido a uma falha de pesquisa de DNS. 
96 consecutive failure(s). 
Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos 
Depto. de Operações e Infra-Estrutura - CII.14 
[EMAIL PROTECTED]   
(11) 3388.8193  


Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você 
não for o destinatário ou a pessoa autorizada a receber esta mensagem, não pode 
usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação 
baseada nessas informações. Se você recebeu esta mensagem por engano, por favor 
avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. 
Agradecemos sua cooperação.

This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose or take any action based on this message or any information 
herein. If you have received this message in error, please advise the sender 
immediately by reply e-mail and delete this message. Thank you for your 
cooperation.

[ActiveDir] Delegate join computer to domain

[WATSON, BEN]

Hello everyone,

Our desktop support group are all a part of a security group called IT.  I 
delegated the Create and Delete Computer ACEs to the security group over the OU 
that I want them to add computer accounts into when a machine is joined to the 
domain.

After I adjusted the security settings, I reduced the default number of 
computers an authenticated user can  join to the domain down to zero.

It seems that the members of the IT security group can pre-create the computer 
accounts, but when they attempt to go through the join process, they are caught 
at the check that determines if they have surpassed the number of machines a 
user can join to the domain (which is now zero).  

What must I do so this security group is not subject to that check?

Thanks,
Ben

-Original Message-
From: "Thompson, Elizabeth" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Cc: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Sent: 12/7/06 11:31 AM
Subject: RE: [ActiveDir] Please help me

Check and see if it still has the "dead" server listed under its the NTDS 
Settings in AD Sites and Services. Had this happen once to me. I manually 
deleted the NTDS reference and it was happy.
 
Elizabeth Thompson 
Service and Support Technician/Exchange Admin 
Information Technology Services 
The Community College of Baltimore County 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, December 07, 2006 10:50 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ActiveDir] Please help me



I have a strange problem and can not find any solution 

I used DCpromo to depromote a computer. It worked ok, the Domain 
controller was depromoted. But when I use repadmin to show other dc´s 
replication, it show replications from the domain controler depromoted. I 
didn´t find anything to explain how to solve that. 
Where can I find it, to remove it from replication. The machine is a 
network computer, but replication fails with message: 


SPO-COSTA\SPO-CENTRO5   <<<--   (THIS IS THE DOMAIN CONTROLER 
THAT IS NOT A DOMAIN CONTROLER ANYMORE) 
DEL:357e1f2d-65bf-4a6d-8399-ce536b6da174 (deleted DSA) via RPC 
DC object GUID: ab0540a5-545d-43d6-be25-94a21ba3893f 
Address: ab0540a5-545d-43d6-be25-94a21ba3893f._msdcs.sabesp.com.br 
DC invocationID: fc87edcb-ab23-4fd6-8d12-14c79aa926d2 
DO_SCHEDULED_SYNCS COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS 
USNs: 13018091/OU, 13018091/PU 
Last attempt @ 2006-12-07 07:56:32 failed, result 8524 (0x214c): 
A operação de agente do sistema de diretórios (DSA) não pode 
prosseg 
uir devido a uma falha de pesquisa de DNS. 
96 consecutive failure(s). 
Last success @ 2006-12-01 07:58:08.

Adrião Ferreira Ramos 
Depto. de Operações e Infra-Estrutura - CII.14 
[EMAIL PROTECTED]   
(11) 3388.8193  


Esta mensagem pode conter informação confidencial e/ou privilegiada. Se você 
não for o destinatário ou a pessoa autorizada a receber esta mensagem, não pode 
usar, copiar ou divulgar as informações nela contidas ou tomar qualquer ação 
baseada nessas informações. Se você recebeu esta mensagem por engano, por favor 
avise imediatamente o remetente, respondendo o e-mail e em seguida apague-o. 
Agradecemos sua cooperação.

This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose or take any action based on this message or any information 
herein. If you have received this message in error, please advise the sender 
immediately by reply e-mail and delete this message. Thank you for your 
cooperation.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Delegate VPN rights

[WATSON, BEN]

Hi Laura,

Thanks so much for the response.  It's kind of odd actually.  I did as
Tony suggested and made the adjustment so I could delegate read and
write privileges for msNPAllowDialin.  Once I did this, this definitely
made the Remote Access Permission portion under the Dial-in tab
"ungrayed" I guess you could say.  However when changes are made, and
you attempt to save those changes by hitting OK/Apply, I get an error
that, "Dial-in profile changes were not saved because: Access is
Denied."

I'll continue looking for an answer in the display specifiers whitepaper
and hope it has an answer for me, although I haven't had any real luck
so far.

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate VPN rights

Thank you! I've been giving myself a headache trying to remember the
name of
the file! I couldn't remember the extension.

That said, Ben, still take a look at the display specifiers whitepaper;
not
all attributes display names match the actual attribute names. I've not
checked the one in question.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Thursday, November 30, 2006 2:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Delegate VPN rights
> 
> You will need to modify dssec.dat to expose the property.
> 
> http://www.activedir.org/article.aspx?aid=24#11
> 
> Tony
> -- Original Message --
> From: "WATSON, BEN" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Thu, 30 Nov 2006 09:34:39 -0800
> 
> I'm attempting to delegate out the permissions to adjust the 
> Remote Access Permissions under the Dial-In tab in Active 
> Directory for user accounts.  When performing an LDAP query, 
> I notice that changes to this setting are recorded in the 
> msNPAllowDialin attribute.  Set to False when Deny Access is 
> set, True when Allow Access is set, and "not set"
> when Control Access through Remote Access Policy is set.
> 
>  
> 
> However when I attempt to delegate out the rights to a 
> security group so they can modify this, it is not listed as a 
> selectable property.  Am I missing something here?  Should I 
> be looking for a different property to delegate out this right?
> 
>  
> 
> Thanks,
> 
> ~Ben Watson
> 
> 
> 
>  
> 
> 
> 
> 
> 
> Sent via the WebMail system at mail.activedir.org
> 
> 
>  
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir@mail.activedir.org/
> 
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.430 / Virus Database: 268.15.2/559 - Release 
> Date: 11/30/2006 5:07 AM
>  
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006
5:07 AM
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Delegate VPN rights

[WATSON, BEN]

Hmm, getting closer but not quite there yet!  Thanks Tony and James for
the excellent responses.

Both of your attempted solutions do grant the ability to modify what I
want to modify in the GUI (ADUC) in the sense that they are no longer
grayed out to members of the delegated security group, however, when a
change is attempted I get a nice error message stating, "Dial-in profile
changes were not saved because: Access is Denied.".

When I try James's method, the entire dial-in tab is not grayed out, but
I get the error message.  When I try Tony's suggestion (grant read/write
to msNPAllowDialin specifically), I am able to do a more granular
delegation in which only the Remote Access Permission portion of the
Dial-in tab is not grayed out (the rest is still grayed out), however
this also results in the same error when a change is attempted.

Any thoughts on what else I may need to grant permissions on so this can
be properly delegated?  The GUI seems to be a hurdle I've jumped over,
but the actual implementation of the change doesn't want to take.

Thanks guys,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, November 30, 2006 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate VPN rights

You will need to modify dssec.dat to expose the property.

http://www.activedir.org/article.aspx?aid=24#11

Tony
-- Original Message ----------
From: "WATSON, BEN" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Thu, 30 Nov 2006 09:34:39 -0800

I'm attempting to delegate out the permissions to adjust the Remote
Access Permissions under the Dial-In tab in Active Directory for user
accounts.  When performing an LDAP query, I notice that changes to this
setting are recorded in the msNPAllowDialin attribute.  Set to False
when Deny Access is set, True when Allow Access is set, and "not set"
when Control Access through Remote Access Policy is set.

 

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property.  Am I
missing something here?  Should I be looking for a different property to
delegate out this right?

 

Thanks,

~Ben Watson



 





Sent via the WebMail system at mail.activedir.org


 
   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] Split pagefile

[WATSON, BEN]

Ah, that's a nice clarification.  I actually wasn't aware of the 16MB
limitation for page file size on the boot partition, especially since I
had done just what you said.  Set the boot partition to "no paging file"
and just set it manually on an alternative disk.

Very good to know, thanks for the info Laura.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Thursday, November 30, 2006 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

That's only if you select the "custom size" radio button and try to set
it
to less than 16MB. If you select the "no paging file" option, it works
fine.

Laura 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, November 30, 2006 12:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> I think 2k3r2 requires at least 16MB on C:.  At least that is 
> the error message I have gotten before when I tried to make 
> it smaller than that.
> In 2000 I could make it 10MB without it complaining.  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
> Sent: Thursday, November 30, 2006 11:09 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Split pagefile
> 
> Sorry for the reply to my own post, but this article:
> 
> http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003
> /AdminTips
> /Miscellaneous/EnhancePerformancebyMovingthePagefile.html
> 
> says I can move the whole thing to a different partition. 
> I'll leave a meg on the C drive just for the dumpfile, which 
> we limit to 64K, in case the system crashes and I can 
> actually figure out how to read the dumpfile.
> 
> But, really, is it OK to leave absolutely NO pagefile on C:/? 
> We normally leave at least 200Mb on the C: partition when we 
> move the rest to a different drive.
> 
> 
> --
> Larry Wahlers
> Concordia Technologies
> The Lutheran Church - Missouri Synod
> mailto:[EMAIL PROTECTED]
> direct office line: (314) 996-1876
> 
> 
> 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] On 
> > > Behalf Of Larry Wahlers
> > > Sent: Thursday, November 30, 2006 9:55 AM
> > > To: Exchange Discussions
> > > Subject: Split pagefile
> > > 
> > > Colleagues,
> > > 
> > > Is there a best practice for splitting the pagefile on 
> Exchange 2003
> > > across multiple drives? My C drive is up to nearly 9GB used 
> > > out of 10GB,
> > > and I'd like to move off most of the 3GB pagefile to maybe 
> > > the database
> > > drive. We have only 500 users on that system, so 
> > performance shouldn't
> > > be too much of an issue.
> > > 
> > > Thanks in advance, folks.
> > > 
> > > -- 
> > > Larry Wahlers
> > > Concordia Technologies
> > > The Lutheran Church - Missouri Synod
> > > mailto:[EMAIL PROTECTED]
> > > direct office line: (314) 996-1876
> > > 
> > > _
> > > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> > > To subscribe: 
> > http://e-newsletters.internet.com/discussionlists.html/
> > > To unsubscribe send a blank email to 
> > > [EMAIL PROTECTED]
> > > Exchange List admin:[EMAIL PROTECTED]
> > > To unsubscribe via postal mail, please contact us at:
> > > Jupitermedia Corp.
> > > Attn: Discussion List Management
> > > 475 Park Avenue South
> > > New York, NY 10016
> > > 
> > > Please include the email address which you have been 
> contacted with.
> > > 
> > > 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir@mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir@mail.activedir.org/
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.430 / Virus Database: 268.15.2/559 - Release 
> Date: 11/30/2006 5:07 AM
>  
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.430 / Virus Database: 268.15.2/559 - Release Date:
11/30/2006
5:07 AM
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

[ActiveDir] Delegate VPN rights

[WATSON, BEN]

I'm attempting to delegate out the permissions to adjust the Remote
Access Permissions under the Dial-In tab in Active Directory for user
accounts.  When performing an LDAP query, I notice that changes to this
setting are recorded in the msNPAllowDialin attribute.  Set to False
when Deny Access is set, True when Allow Access is set, and "not set"
when Control Access through Remote Access Policy is set.

 

However when I attempt to delegate out the rights to a security group so
they can modify this, it is not listed as a selectable property.  Am I
missing something here?  Should I be looking for a different property to
delegate out this right?

 

Thanks,

~Ben Watson

RE: [ActiveDir] Split pagefile

[WATSON, BEN]

It really shouldn't matter whether or not the page file resides on the
boot partition or not.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Thursday, November 30, 2006 9:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Split pagefile

Sorry for the reply to my own post, but this article:

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips
/Miscellaneous/EnhancePerformancebyMovingthePagefile.html

says I can move the whole thing to a different partition. I'll leave a
meg on the C drive just for the dumpfile, which we limit to 64K, in case
the system crashes and I can actually figure out how to read the
dumpfile.

But, really, is it OK to leave absolutely NO pagefile on C:/? We
normally leave at least 200Mb on the C: partition when we move the rest
to a different drive.


-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876



> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On 
> > Behalf Of Larry Wahlers
> > Sent: Thursday, November 30, 2006 9:55 AM
> > To: Exchange Discussions
> > Subject: Split pagefile
> > 
> > Colleagues,
> > 
> > Is there a best practice for splitting the pagefile on Exchange 2003
> > across multiple drives? My C drive is up to nearly 9GB used 
> > out of 10GB,
> > and I'd like to move off most of the 3GB pagefile to maybe 
> > the database
> > drive. We have only 500 users on that system, so 
> performance shouldn't
> > be too much of an issue.
> > 
> > Thanks in advance, folks.
> > 
> > -- 
> > Larry Wahlers
> > Concordia Technologies
> > The Lutheran Church - Missouri Synod
> > mailto:[EMAIL PROTECTED]
> > direct office line: (314) 996-1876
> > 
> > _
> > List posting FAQ:   http://www.swinc.com/resource/exch_faq.htm
> > Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange
> > To subscribe: 
> http://e-newsletters.internet.com/discussionlists.html/
> > To unsubscribe send a blank email to 
> > [EMAIL PROTECTED]
> > Exchange List admin:[EMAIL PROTECTED]
> > To unsubscribe via postal mail, please contact us at:
> > Jupitermedia Corp.
> > Attn: Discussion List Management
> > 475 Park Avenue South
> > New York, NY 10016
> > 
> > Please include the email address which you have been contacted with.
> > 
> > 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] [OT] Vista Admin Tools Pack

[WATSON, BEN]

Ah nice!  I'll find out on Monday when I install Vista on my workstation.  
Thanks for the link Susan.

-Ben

-Original Message-
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 11/18/06 8:01 PM
Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=437266&SiteID=17&PageID=1

Try the RTM .. it appears to work

(98% complete on my Vista download so I can't confirm yet)

WATSON, BEN wrote:
> Yeah, I found that page when beta 2 came out.  While it did allow the tools 
> to install, several critical snap-ins wouldn't function such as ADUC. 
>
> -Original Message-
> From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
> To: "ActiveDir@mail.activedir.org" 
> Sent: 11/18/06 6:25 PM
> Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack
>
> http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx
> Try installing it like that
>
> WATSON, BEN wrote:
>   
>> With the release of Vista to MSDN as well as the Microsoft Licensing site 
>> for download, I would assume that an Administration Tools Pack should be 
>> quickly on the way soon for Vista.  Anyone have any information on when a 
>> Vista compatible Adminpak will be available?
>>
>> I would've run Vista Beta 2 full time on my work desktop to test it out, but 
>> with the inability to install the adminpak that severly limited Vista's 
>> usefulness to me.
>>
>> Thanks,
>>
>> ~Ben
>>
>>   
>> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
>
>   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] [OT] Vista Admin Tools Pack

[WATSON, BEN]

Yeah, I found that page when beta 2 came out.  While it did allow the tools to 
install, several critical snap-ins wouldn't function such as ADUC. 

-Original Message-
From: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 11/18/06 6:25 PM
Subject: Re: [ActiveDir] [OT] Vista Admin Tools Pack

http://windowsconnected.com/blogs/nick/archive/2006/07/11/3235.aspx
Try installing it like that

WATSON, BEN wrote:
> With the release of Vista to MSDN as well as the Microsoft Licensing site for 
> download, I would assume that an Administration Tools Pack should be quickly 
> on the way soon for Vista.  Anyone have any information on when a Vista 
> compatible Adminpak will be available?
>
> I would've run Vista Beta 2 full time on my work desktop to test it out, but 
> with the inability to install the adminpak that severly limited Vista's 
> usefulness to me.
>
> Thanks,
>
> ~Ben
>
>   
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/

RE: [ActiveDir] AD Replication Problem

[WATSON, BEN]

It looks to me like this domain controller has not replicated for a very long 
time and has passed the tombstone lifetime.  You will probably never get this 
DC to function properly in it's current state and you would probably be best 
served by simply demoting and repromoting the domain controller.
 
Is the replication problems only associated with this particular domain 
controller?
 
~Ben



From: [EMAIL PROTECTED] on behalf of Haritwal, Dhiraj
Sent: Sat 11/18/2006 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Replication Problem



Dear All,

 

I am facing some problem in AD Replication. I m sending you the dcdiag logs.

 

Kindly help me to get rid from this problem.

 

 

 

Domain Controller Diagnosis

 

Performing initial setup:

   Done gathering initial info.

 

Doing initial required tests

   

   Testing server: AP-IN-KOL\INSIDADC52

  Starting test: Connectivity

 . INSIDADC52 passed test Connectivity

 

Doing primary tests

   

   Testing server: AP-IN-KOL\INSIDADC52

  Starting test: Replications

 [INSIDADC50] DsBindWithSpnEx() failed with error -2146893022,

 The target principal name is incorrect..

 REPLICATION-RECEIVED LATENCY WARNING

 INSIDADC52:  Current time is 2006-11-18 20:17:07.

CN=Schema,CN=Configuration,DC=sony,DC=com

   Last replication recieved from HKSIHADC03 at 2006-07-14 15:28:03.

   WARNING:  This latency is over the Tombstone Lifetime of 60 days!

 

  . INSIDADC52 passed test Replications

  Starting test: NCSecDesc

 [INSIDADC52] LDAP bind failed with error 8341,

 A directory service error has occurred..

 . INSIDADC52 failed test NCSecDesc

  Starting test: NetLogons

 . INSIDADC52 passed test NetLogons

  Starting test: Advertising

 . INSIDADC52 passed test Advertising

  Starting test: KnowsOfRoleHolders

 [USBMAGDC03] DsBindWithSpnEx() failed with error 5,

 Access is denied..

 Warning: USBMAGDC03 is the Schema Owner, but is not responding to DS 
RPC Bind.

 [USBMAGDC03] LDAP bind failed with error 1323,

 Unable to update the password. The value provided as the current 
password is incorrect..

 Warning: USBMAGDC03 is the Schema Owner, but is not responding to LDAP 
Bind.

 Warning: USBMAGDC03 is the Domain Owner, but is not responding to DS 
RPC Bind.

 Warning: USBMAGDC03 is the Domain Owner, but is not responding to LDAP 
Bind.

 [SGAPADC04] DsBindWithSpnEx() failed with error -2146893022,

 The target principal name is incorrect..

 Warning: SGAPADC04 is the PDC Owner, but is not responding to DS RPC 
Bind.

 [SGAPADC04] LDAP bind failed with error 8341,

 A directory service error has occurred..

 Warning: SGAPADC04 is the PDC Owner, but is not responding to LDAP 
Bind.

 Warning: SGAPADC04 is the Rid Owner, but is not responding to DS RPC 
Bind.

 Warning: SGAPADC04 is the Rid Owner, but is not responding to LDAP 
Bind.

 [SGSINSISSAPIPS3] DsBindWithSpnEx() failed with error -2146893022,

 The target principal name is incorrect..

 Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is 
not responding to DS RPC Bind.

 [SGSINSISSAPIPS3] LDAP bind failed with error 8341,

 A directory service error has occurred..

 Warning: SGSINSISSAPIPS3 is the Infrastructure Update Owner, but is 
not responding to LDAP Bind.

 . INSIDADC52 failed test KnowsOfRoleHolders

  Starting test: RidManager

 . INSIDADC52 failed test RidManager

  Starting test: MachineAccount

 . INSIDADC52 passed test MachineAccount

  Starting test: Services

 . INSIDADC52 passed test Services

  Starting test: ObjectsReplicated

 . INSIDADC52 passed test ObjectsReplicated

  Starting test: frssysvol

 . INSIDADC52 passed test frssysvol

  Starting test: frsevent

 . INSIDADC52 passed test frsevent

  Starting test: kccevent

 An Warning Event occured.  EventID: 0x8785

Time Generated: 11/18/2006   20:03:00

Event String: The attempt to establish a replication link for

 

An Warning Event occured.  EventID: 0x8785

Time Generated: 11/18/2006   20:03:09

Event String: The attempt to establish a replication link for

 

 An Warning Event occured.  EventID: 0x8786

Time Generated: 11/18/2006   20:03:10

Event String: The attempt to establish

[ActiveDir] [OT] Vista Admin Tools Pack

[WATSON, BEN]

With the release of Vista to MSDN as well as the Microsoft Licensing site for 
download, I would assume that an Administration Tools Pack should be quickly on 
the way soon for Vista.  Anyone have any information on when a Vista compatible 
Adminpak will be available?

I would've run Vista Beta 2 full time on my work desktop to test it out, but 
with the inability to install the adminpak that severly limited Vista's 
usefulness to me.

Thanks,

~Ben

<>

RE: [ActiveDir] [Semi-OT] AD Integrated DNS entries

[WATSON, BEN]

Hi Al,

 

Thanks for the response.  

 

Yeah, that was much of what I expected.  I figured what I was
looking for would be somewhere in the realm of extremely difficult to find or
impossible and I guess I was right.

 

I’ll definitely look into the DNSCMD and DSACLS to see if that
can provide any of the information I am looking for.

 

Thanks again,

~Ben

 



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Wednesday, November 08, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [Semi-OT] AD Integrated DNS entries



 

One of the "nice to
have's" that was left out of Microsoft's integrated implementation was the
ability to easily gather this type of information. 

IIRC, DNSCMD coupled with dsacls will give you some of that information.  There
are also some api's that are available to try and roll your own, but nothing
that really gives good information IMHO. 

There's a kb somewhere out there that describes how to set the ownership of
each record using dsacls due to a problem with dhcp registration of records
using a particular service account. I don't recall exactly the kb, but take a
look and see if you can't modify the dsacls command to report the ownership of
the records. 

Al



On 11/7/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:





Hey guys,

 

Simple question I hope.  I
was looking for a way to determine a couple things about DNS (A & PTR
records) entries in an Active Directory Integrated DNS environment…

 

1) 
Is there a way to determine whether the entry has been manually defined (and
thus is never scavenged) or registered through dynamic updates?

2) 
Is there a way to determine the current age of a DNS entry?

3) 
Is there a way to determine who has the rights to make modifications to an
entry through dynamic updates?

 

Thanks as always,

~Ben







 

[ActiveDir] [Semi-OT] AD Integrated DNS entries

[WATSON, BEN]

Hey guys,

 

Simple question I hope.  I was looking for a way to determine
a couple things about DNS (A & PTR records) entries in an Active Directory
Integrated DNS environment…

 

1) 
Is there a way to determine whether the entry has been manually
defined (and thus is never scavenged) or registered through dynamic updates?

2) 
Is there a way to determine the current age of a DNS entry?

3) 
Is there a way to determine who has the rights to make
modifications to an entry through dynamic updates?

 

Thanks as always,

~Ben

RE: [ActiveDir] DC crashed

[WATSON, BEN]

Hi Bruce,

 

First, you’ll probably want to seize the FSMO roles held
by the crashed domain controller.  It’s probably not a good idea to
bring up another domain controller with the same name as the previous one that
used to hold the FSMO roles until you’ve moved those roles to another
DC.  You can do this through the use of the NTDSUTIL utility.

 

Secondly, also through the use of the NTDSUTIL utility, you’ll
want to perform a metadata cleanup to remove all aspects of the previous domain
controller from your directory.  

 

Once you have done both steps, you should have no issues in
promoting this domain controller.  You may find it faster to recover if
you simply use a different name for this new domain controller, although if you
properly remove all references to the previous domain controller through the
metadata cleanup, then using the same name shouldn’t pose any serious
issues.

 

Be sure to check DNS to ensure that all references to the older
Domain Controller are properly removed before attempting to re-promote the new
domain controller in using the same hostname.

 

~Ben

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Clingaman, Bruce
Sent: Friday, November 03, 2006 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC crashed





 



I
apologize for not doing my homework first, but I'm in a pickle and need help
fast.





 





One
of my domain controllers (which held all the fsmo roles) crashed and I had to
reinstall. 





Now
that I've reinstalled, I'm ready to rejoin and promote. But I can't; I get
"User already exists" when trying to join.





I
am using the same computer name as before. I have not deleted or changed
anything in the directory on the other server yet.





What
do I need to do to get my old server back as a domain controller? 





Links
to articles or even words to search by would be of great help.





 





Thanks
for any advice.





 





Bruce.

[ActiveDir] LastlogonTimestamp Missing

[WATSON, BEN]

I have a Windows 2003 R2 single domain/forest.  This domain/forest was built 
upon Windows 2003 R2 so it has never had to go through any upgrades.
 
I wanted to query for the "true" last logon time/date for various users and 
noticed that the LastlogonTimestamp is not an available attribute for the user 
accounts.  The standard non-replicated LastLogon attribute is there, but I 
would obviously be more interested in the replicated LastlogonTimestamp.  The 
LastlogonTimestamp schema attribute has been defined and it is listed as a 
systemmaycontain of the user class.
 
C:\>adfind -sc scontainsl:lastlogontimestamp
user
 
Is there any reason why the LastlogonTimestamp attribute would not be appearing 
for user accounts?  From what I understand, the LastlogonTimestamp attribute 
may not be instantiated on user accounts if the user accounts have not logged 
on since a domain has been upgraded to Windows 2003, however since this 
domain/forest was built upon Windows 2003 R2 this is not the case.
 
Any ideas on how to get this attribute instantiated properly on the user 
accounts?
 
~Ben
<>

RE: [ActiveDir] Need some advices....

[WATSON, BEN]

There shouldn’t be any reason why this would cause any issues.

 

~Ben

 



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Yann
Sent: Wednesday, October 25, 2006 7:23 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Need some advices



 



Hello all ;)





 





Due to network outage that is scheduled for 4
hours on a active directory site, i'd like to leave our DCs
up without shut them down.





 





Question:





Could il leave all my DCs up despite they can not
communicate with each others for 4 hours ? Will that cause
any issues (repl, auth,etc..) ? or Do i have to shut them down and
next reboot them when network will up ?





 





Thanks for advices.





 





Cheers, 





 





Yann



  







Découvrez une nouvelle façon d'obtenir des réponses à toutes
vos questions ! Profitez des connaissances, des opinions et des expériences des
internautes sur Yahoo!
Questions/Réponses.

RE: [ActiveDir] OT: Jabber and AD authentication

[WATSON, BEN]

Jabber supports the use of SRV records and works beautifully
against AD for authentication.  I got a Jabber server up and running for my
company as a test about a year ago, however I was extremely let down by the
quality of the clients.  Each client seemed to have its own quirk, bug, or
issue and I eventually dropped the idea for another attempt at a later date
when the clients have reached a reliable level of quality.  Hopefully they have
reached that point now.

 

~Ben

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Akomolafe, Deji
Sent: Thursday, September 28, 2006 1:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Jabber and AD authentication





 





support.Jabber.com





 












Sincerely, 
  
_   

  (, /  | 
/)  
/) /)   
    /---| (/_  __   ___// _  
//  _ 
 ) /    |_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/
/)  
  
(/   
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon









 







From: Brian Desmond
Sent: Thu 9/28/2006 1:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Jabber and AD authentication



Assuming it can authenticate against an LDAP source it should work fine- never done Jabber but they're all about the same when it comes tothis... Thanks,Brian Desmond[EMAIL PROTECTED] c - 312.731.3132  > -Original Message-> From: [EMAIL PROTECTED] [mailto:ActiveDir-> [EMAIL PROTECTED] On Behalf Of Michael Miller> Sent: Thursday, September 28, 2006 4:42 PM> To: ActiveDir@mail.activedir.org> Subject: [ActiveDir] OT: Jabber and AD authentication> > The powers that be at my site want to implement IM using Jabber and> would like to leverage our AD for authentication.> > We are just starting to think about this.  It's not yet decided if the> Jabber server will be running on Linux or Windows.> > I would imagine several people in this august body would have> experience> with this.> > I would be interested in your comments before we actually start trying> to implement something.> > TIA,> > -mjm> > --> Michael J. Miller> Computing Services> College of Veterinary Medicine> University of Illinois at Urbana-Champaign> > List info   : http://www.activedir.org/List.aspx> List FAQ    : http://www.activedir.org/ListFAQ.aspx> List archive: http://www.activedir.org/ml/threads.aspxList info   : http://www.activedir.org/List.aspxList FAQ    : http://www.activedir.org/ListFAQ.aspxList archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Ah, this may make more sense, but in a different way possibly.  There
were two extensions that were done now that I got done talking to him.
GroupOfURLs as talked about before, and also memberURL.

Apparantly, for what he was trying to do, groupOfURLs was attached to
this object, but did not work out as what he had hoped for.  So to try
and get it to work, he actually attached memberURL as a maycontain of
the group class.

Basically, the extensions were created.  This object was created.
GroupOfURLs was added as a maycontain to this particular object.  It did
not work out as intended.  Then memberURL was added as a maycontain to
Group.

At least this is the information I am getting from the other admin.  Any
thoughts?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, September 25, 2006 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

I am evidently still recovering from jet lag.  Only attributes can be
defined in maycontain.  I am guessing that at one point groupofURLs was
defined as a subclass of group.  Without knowing exactly what was
changed in the schema it is hard to say how you got here.  You could try
changing the subclass assuming you have not instantiated any more
objects using this class.  I am still unclear on how one object has an
additional class listed that is different from the rest.

Thanks,

-Steve

-Original Message-
From: "WATSON, BEN" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 9/25/06 11:12 AM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Well, I just attempted to add group and groupOfNames into the
groupofURLs objectclass as a maycontain and I get an error when
attempting this process that states "Schema update failed: attribute in
may-contain does not exist."

Hmm...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Yes.

Thanks,

-Steve

-Original Message-
From: "WATSON, BEN" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 9/24/06 11:21 PM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
origination from "something" about this now deleted object (
dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Delete
d Objects,DC=appsig,DC=com).  I just don't know what I can do with it at
this point.

C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defin

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Well, I just attempted to add group and groupOfNames into the
groupofURLs objectclass as a maycontain and I get an error when
attempting this process that states "Schema update failed: attribute in
may-contain does not exist."

Hmm...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 9:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Yes.

Thanks,

-Steve

-Original Message-----
From: "WATSON, BEN" <[EMAIL PROTECTED]>
To: "ActiveDir@mail.activedir.org" 
Sent: 9/24/06 11:21 PM
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects


Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
origination from "something" about this now deleted object (
dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Delete
d Objects,DC=appsig,DC=com).  I just don't know what I can do with it at
this point.

C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Hi Steve,

Just to make sure I understand, do you mean I should add back group and
groupOfNames as a maycontain to the groupofURLs objectclass?

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  I believe all of the objects of this class will cause the same problem
because it appears they were created and the schema was changed after
they were instantiated.  One way to correct the problem may be to add
back group and groupOfNames classes to the groupofURLs schema
definition.  I would of course test doing this first and also follow up
with whoever was responsible for the original schema change to determine
exactly what they did which would allow you to reverse the changes.  If
you were on Windows Server 2003 and in Forest Functional Level 2, i.e.
Windows 2003 Forest Functional Level, you could have defunct the schema
change.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Sunday, September 24, 2006 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
origination from "something" about this now deleted object (
dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Delete
d Objects,DC=appsig,DC=com).  I just don't know what I can do with it at
this point.

C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>adminDisplayName: groupOfURLs
>cn: groupOfURLs
>defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>governsID: 2.16.840.1.113730.3.2.33
>instanceType: 4
>lDAPDisplayName: groupOfURLs
>mayContain: memberURL
>distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectClass: top
>objectClass: classSchema
>objectClassCategory: 0
>objectGUID: {2B09EA58-1A00-4170-B419-9ADC0AA0B655}
>possSuperiors: container
>name: groupOfURLs
>rDNAttID: cn
>schemaIDGUID: {8B5ACDC4-EAF2-45D9-A596-C196ABD

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Steve,

So do you see anything obviously wrong that I could make a correction on
to repair replication?  Also, is there anything I can follow up on in
regards to your comments about the objectclass being updated with a
value that is not a subclass?  It's pretty obvious that the blockage is
origination from "something" about this now deleted object (
dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Delete
d Objects,DC=appsig,DC=com).  I just don't know what I can do with it at
this point.

C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

I should be able to get more information for you tomorrow.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Sunday, September 24, 2006 12:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  We really need to find out exactly what was defined in the schema when
to determine how this occurred.  From the information provided it would
appear that the groupofURLs class was defined in the schema and objects
were instantiated and then its definition was changed.  This could
explain why the in-site DCs have the objects and out of site ones do
not, schema partition changes replicate at a higher priority than domain
partition changes so when these got bulked up for out of site
replication the objects no longer met the schema definition, i.e. the
subclass of group is no longer defined for the object.  These objects do
not appear to fit the definition of the groupofURLs class as it is now
defined and are therefore causing replication to be blocked.  This is of
course all a hypothesis as I do not have the details on exactly what
changes were made when to the schema.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 5:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>adminDisplayName: groupOfURLs
>cn: groupOfURLs
>defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>governsID: 2.16.840.1.113730.3.2.33
>instanceType: 4
>lDAPDisplayName: groupOfURLs
>mayContain: memberURL
>distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectClass: top
>objectClass: classSchema
>objectClassCategory: 0
>objectGUID: {2B09EA58-1A00-4170-B419-9ADC0AA0B655}
>possSuperiors: container
>name: groupOfURLs
>rDNAttID: cn
>schemaIDGUID: {8B5ACDC4-EAF2-45D9-A596-C196ABD02405}
>showInAdvancedViewOnly: TRUE
>subClassOf: top
>systemOnly: FALSE
>uSNChanged: 7985664
>uSNCreated: 7985664
>whenChanged: 20060913180400.0Z
>whenCreated: 20060913180359.0Z

There are currently 4 other objects that have the groupofURLs listed as
an objectClass.

dn:CN=InfowebDept12,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

dn:CN=InfowebDept24,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: groupOfNames
>objectClass: group

dn:CN=InfowebDept25,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

dn:CN=InfowebSection581,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

Let me know if you need anything else.

Thanks,
~Ben


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Actually looking at this further you will probably find that the schemas
are in sync, i.e. the groupofURLs object class is defined across all of
the servers.  I say that because

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Yes, it's a completely isolated test network seperate from our production 
network for any to do testing prior to promotion to production.  We increased 
the schema level to Longhorn level to add in any future schema extensions that 
Longhorn will want so that schema extensions we may want to add won't collide 
with anything Microsoft has in mind now or in the future (Longhorn release), 
and also because I plan on promoting in a Longhorn beta DC for testing in that 
network.
 
~Ben



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Sat 9/23/2006 5:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Replication Problems and Tombstoned Objects


Hmm... That's odd.  

When you say "test site" is that an isolated test site as in isolated from the 
rest of the forest? Or ??

You through longhorn schema in there because (?)

This just sounds like there was more tweaking and adding and configuring then 
you've been led to believe.  I get the strong sense that there's more to this 
than you're able to see at the moment.  

It might be a good idea to open a case with MS support asap cause I think that 
more information is going to have to be collected. 

Al


On 9/23/06, WATSON, BEN <[EMAIL PROTECTED]> wrote: 

Sorry, I keep re-reading the e-mail and realize there was information I 
failed to give you.

>From what I understand of how the schema extension was added, it was 
added manually simply through adsiedit and by entering in the requested 
information as adsiedit asked for it during the objectclass creation and the 
information supplied was the information given to us by the developer of the 
application.

Thanks,
~Ben



From: [EMAIL PROTECTED] on behalf of Steve Linehan 
Sent: Sat 9/23/2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects



Actually looking at this further you will probably find that the 
schemas are in sync, i.e. the groupofURLs object class is defined across all of 
the servers.  I say that because the error you would have gotten if it did not 
exist on the target would have been either schema mismatch or 
ERROR_DS_OBJ_CLASS_NOT_DEFINED.  So what I suspect is that groupofURLs is not 
defined properly or is being referenced incorrectly.  Can you dump the schema 
entry for this class from one of your servers snd post it?  Also if you have 
the LDIF file that was used to update the schema that includes the definition 
of this object class that would be great as well.  What I do not understand is 
how you have an object defined this way as I would have expected us to block 
creation of the object if this class is not defined/referenced properly.  Any 
information on how the schema was modified and how these objects were created 
would be helpful.  The fix will likely be to remove the groupofurls objectclass 
from the object but you need to determine how you got to this point so that it 
does not occur again.

Thanks,

-Steve


From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects 

Ben,
  It would appear that the schema was modified on the source servers 
but does not match on the destination servers.  I am not aware of a default 
objectclass called groupofURLs.  Is this something that you modified recently?  
Can you dump the definition of this objectclass from a schema on the source and 
verify that the schema on the target does not match?  Can you also send me a 
repadmin /showreps /v from a source and target.  It would appear that you have 
a schema modification gone bad.  Can you also search and see if you have any 
other objects on the source DC that have that objectclass listed?

Thanks,

-Steve
____
        From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

HereâEUR(tm)s the output you requested from the source server.


dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted 
Objects,DC=appsig,DC=com 
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

I should note though that this object NEVER replicated to other sites.

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Sorry, I keep re-reading the e-mail and realize there was information I failed 
to give you.
 
>From what I understand of how the schema extension was added, it was added 
>manually simply through adsiedit and by entering in the requested information 
>as adsiedit asked for it during the objectclass creation and the information 
>supplied was the information given to us by the developer of the application.
 
Thanks,
~Ben



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Sat 9/23/2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects



Actually looking at this further you will probably find that the schemas are in 
sync, i.e. the groupofURLs object class is defined across all of the servers.  
I say that because the error you would have gotten if it did not exist on the 
target would have been either schema mismatch or 
ERROR_DS_OBJ_CLASS_NOT_DEFINED.  So what I suspect is that groupofURLs is not 
defined properly or is being referenced incorrectly.  Can you dump the schema 
entry for this class from one of your servers snd post it?  Also if you have 
the LDIF file that was used to update the schema that includes the definition 
of this object class that would be great as well.  What I do not understand is 
how you have an object defined this way as I would have expected us to block 
creation of the object if this class is not defined/referenced properly.  Any 
information on how the schema was modified and how these objects were created 
would be helpful.  The fix will likely be to remove the groupofurls objectclass 
from the object but you need to determine how you got to this point so that it 
does not occur again.

Thanks,

-Steve


From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  It would appear that the schema was modified on the source servers but does 
not match on the destination servers.  I am not aware of a default objectclass 
called groupofURLs.  Is this something that you modified recently?  Can you 
dump the definition of this objectclass from a schema on the source and verify 
that the schema on the target does not match?  Can you also send me a repadmin 
/showreps /v from a source and target.  It would appear that you have a schema 
modification gone bad.  Can you also search and see if you have any other 
objects on the source DC that have that objectclass listed?

Thanks,

-Steve

From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

HereâEUR(tm)s the output you requested from the source server.

dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted 
Objects,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

I should note though that this object NEVER replicated to other sites.  So the 
only output I can give you is from the source DC.  At least on the surface, 
this object seems to be the source of the replication issues.

Thanks again,
~Ben

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, September 22, 2006 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Can you dump the objectclass attribute on the deleted object mentioned in the 
error on one of the source servers and a destination server?  The second error 
code in the internal error event log seems to indicate that the objectclass is 
being updated with a value that is not a subclass.


C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS   winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

Thanks,

-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom information...

We are running a single forest, single domain Windows 2000 environment (I know, 
I know, I'm in the process of getting this ugpraded to Win2k3 R2) with 9 domain 
controllers and 8 sites.  Three of the sites are hub sites, and each hub site 
has 2 spoke sites.  Our main hub site has 2 domain c

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Oh, and in reply to this e-mail.  Multiple DC's show proper replication
of the objectclass called groupofURLs.

I have attached the output from repadmin /showreps /v.  From the problem
site it's called AV.TXT.  From a remote DC, it is called LAO.TXT.

Thanks,
~Ben




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 12:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  It would appear that the schema was modified on the source servers but
does not match on the destination servers.  I am not aware of a default
objectclass called groupofURLs.  Is this something that you modified
recently?  Can you dump the definition of this objectclass from a schema
on the source and verify that the schema on the target does not match?
Can you also send me a repadmin /showreps /v from a source and target.
It would appear that you have a schema modification gone bad.  Can you
also search and see if you have any other objects on the source DC that
have that objectclass listed?

Thanks,

-Steve

From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

Here's the output you requested from the source server.

dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Delete
d Objects,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

I should note though that this object NEVER replicated to other sites.
So the only output I can give you is from the source DC.  At least on
the surface, this object seems to be the source of the replication
issues.

Thanks again,
~Ben

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Friday, September 22, 2006 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Can you dump the objectclass attribute on the deleted object mentioned
in the error on one of the source servers and a destination server?  The
second error code in the internal error event log seems to indicate that
the objectclass is being updated with a value that is not a subclass.


C:\tools\err\Err>err 20b4
# for hex 0x20b4 / decimal 8372 :
  ERROR_DS_OBJ_CLASS_NOT_SUBCLASS
winerror.h
# The specified class is not a subclass.
# 1 matches found for "20b4"

Thanks,

-Steve

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Correction, 10 domain controllers in 9 sites.

From: WATSON, BEN
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Basic info and troubleshooting I've done to gather symptom
information...

We are running a single forest, single domain Windows 2000 environment
(I know, I know, I'm in the process of getting this ugpraded to Win2k3
R2) with 9 domain controllers and 8 sites.  Three of the sites are hub
sites, and each hub site has 2 spoke sites.  Our main hub site has 2
domain controllers, and all other remote sites have a single domain
controller.

The replication issues are actually affecting an entire site,
unfortunately our main hub site (the one with 2 domain controllers).
Oddly enough, it's not Domain Controller specific, the problem is
actually site specific, and even more specifically, it's only affecting
replication traffic OUTBOUND from the site.  Inbound replication traffic
works fine as well as replication between the two domain controllers
inside the site.  At first, I thought the domain controller that was
acting as a Bridgehead for our site was having issues, so I forced the
other domain controller in the site to be the preferred bridgehead
server, deleted all the connection objects, and allowed the KCC to
recreate the connection objects.  It did this properly.  I then
attempted to force replication to take place, and the same symptoms
still persisted even though it was a completely different domain
controller attempting to perform the intersite replication.

Here are the results of performing a, "REPADMIN /REPLADMIN /BYSRC
/BYDEST /SORT:DELTA" command.
Appsig-AV and Appsig-AD are the two domain controllers in the problem
site.  Appsig-AD was the original DC that began showing problems in the
site, and Appsig-AV is the domain controller I switched over to test
intersite replication using a different DC.

Replication Summary Start Time: 2006-09-22 21:59:43 Beginning data
collection for replication summary, this may take awhile:
  .

Sour

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Hi Steve,

Yes, there were some schema modifications one of the other admins was
working on to deploy an application that would allow for people to use
their Windows accounts to log into our Intrasite (they were formerly
using their Unix accounts).  He had tested this on our test network,
which is a copy of our production network, upgraded to Windows 2003 R2
and also has the Longhorn schema extensions applied as well.  From what
I understand, it experienced no ill effects, however it is a single site
test network.

Here is the output from the groupOfURLs extension.

AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006

Using server: appsig-av.appsig.com:389
Directory: Windows 2000
Base DN: CN=Schema,CN=Configuration,DC=appsig,DC=com

dn:CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>adminDisplayName: groupOfURLs
>cn: groupOfURLs
>defaultObjectCategory:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>governsID: 2.16.840.1.113730.3.2.33
>instanceType: 4
>lDAPDisplayName: groupOfURLs
>mayContain: memberURL
>distinguishedName:
CN=groupOfURLs,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectCategory:
CN=Class-Schema,CN=Schema,CN=Configuration,DC=appsig,DC=com
>objectClass: top
>objectClass: classSchema
>objectClassCategory: 0
>objectGUID: {2B09EA58-1A00-4170-B419-9ADC0AA0B655}
>possSuperiors: container
>name: groupOfURLs
>rDNAttID: cn
>schemaIDGUID: {8B5ACDC4-EAF2-45D9-A596-C196ABD02405}
>showInAdvancedViewOnly: TRUE
>subClassOf: top
>systemOnly: FALSE
>uSNChanged: 7985664
>uSNCreated: 7985664
>whenChanged: 20060913180400.0Z
>whenCreated: 20060913180359.0Z

There are currently 4 other objects that have the groupofURLs listed as
an objectClass.

dn:CN=InfowebDept12,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

dn:CN=InfowebDept24,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: groupOfNames
>objectClass: group

dn:CN=InfowebDept25,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

dn:CN=InfowebSection581,OU=InfowebGroups,DC=appsig,DC=com
>objectClass: top
>objectClass: groupOfURLs
>objectClass: group

Let me know if you need anything else.

Thanks,
~Ben


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 1:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Actually looking at this further you will probably find that the schemas
are in sync, i.e. the groupofURLs object class is defined across all of
the servers.  I say that because the error you would have gotten if it
did not exist on the target would have been either schema mismatch or
ERROR_DS_OBJ_CLASS_NOT_DEFINED.  So what I suspect is that groupofURLs
is not defined properly or is being referenced incorrectly.  Can you
dump the schema entry for this class from one of your servers snd post
it?  Also if you have the LDIF file that was used to update the schema
that includes the definition of this object class that would be great as
well.  What I do not understand is how you have an object defined this
way as I would have expected us to block creation of the object if this
class is not defined/referenced properly.  Any information on how the
schema was modified and how these objects were created would be helpful.
The fix will likely be to remove the groupofurls objectclass from the
object but you need to determine how you got to this point so that it
does not occur again.

Thanks,

-Steve


From: [EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Saturday, September 23, 2006 2:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Ben,
  It would appear that the schema was modified on the source servers but
does not match on the destination servers.  I am not aware of a default
objectclass called groupofURLs.  Is this something that you modified
recently?  Can you dump the definition of this objectclass from a schema
on the source and verify that the schema on the target does not match?
Can you also send me a repadmin /showreps /v from a source and target.
It would appear that you have a schema modification gone bad.  Can you
also search and see if you have any other objects on the source DC that
have that objectclass listed?

Thanks,

-Steve

From: [EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 2:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

Hi Steve,

First off, thanks for all your help, you are always incredibly helpful.

Here's the output you requested from the source server.

dn:CN=InfowebA

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Title: RE: [ActiveDir] Replication Problems and Tombstoned Objects








Hi Steve,

 

First off, thanks for all your help, you are always incredibly
helpful.

 

Here’s the output you requested from the source server.

 

dn:CN=InfowebAccess\0ADEL:e988-616b-4944-bbe1-c8265cf4cc89,CN=Deleted
Objects,DC=appsig,DC=com

>objectClass: top

>objectClass: groupOfURLs

>objectClass: group

 

I should note though that this object NEVER replicated to other
sites.  So the only output I can give you is from the source DC.  At least on
the surface, this object seems to be the source of the replication issues.

 

Thanks again,

~Ben

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Steve Linehan
Sent: Friday, September 22, 2006 11:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects





 

Can you dump the objectclass attribute on the deleted object
mentioned in the error on one of the source servers and a destination
server?  The second error code in the internal error event log seems to
indicate that the objectclass is being updated with a value that is not a
subclass.

 

 

C:\tools\err\Err>err 20b4

# for hex 0x20b4 / decimal 8372 :

 
ERROR_DS_OBJ_CLASS_NOT_SUBCLASS  
winerror.h

# The specified class is not a subclass.

# 1 matches found for "20b4"

 

Thanks,

 

-Steve

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Saturday, September 23, 2006 1:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects





 

Correction, 10 domain controllers in 9 sites.

 





From: WATSON, BEN 
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects





 





Basic info and troubleshooting I've done to gather symptom
information...





 





We
are running a single forest, single domain Windows 2000 environment (I know, I
know, I'm in the process of getting this ugpraded to Win2k3 R2) with 9 domain
controllers and 8 sites.  Three of the sites are hub sites, and each hub
site has 2 spoke sites.  Our main hub site has 2 domain controllers, and
all other remote sites have a single domain controller.





 





The
replication issues are actually affecting an entire site, unfortunately our
main hub site (the one with 2 domain controllers).  Oddly enough, it's not
Domain Controller specific, the problem is actually site specific, and even
more specifically, it's only affecting replication traffic OUTBOUND from
the site.  Inbound replication traffic works fine as well as
replication between the two domain controllers inside the site.  At first,
I thought the domain controller that was acting as a Bridgehead for our site
was having issues, so I forced the other domain controller in the site to be
the preferred bridgehead server, deleted all the connection objects, and
allowed the KCC to recreate the connection objects.  It did this
properly.  I then attempted to force replication to take place, and the
same symptoms still persisted even though it was a completely different domain
controller attempting to perform the intersite replication.





 





Here
are the results of performing a, "REPADMIN /REPLADMIN /BYSRC /BYDEST
/SORT:DELTA" command.





Appsig-AV
and Appsig-AD are the two domain controllers in the problem site. 
Appsig-AD was the original DC that began showing problems in the site, and
Appsig-AV is the domain controller I switched over to test intersite
replication using a different DC.





 





Replication
Summary Start Time: 2006-09-22 21:59:43





Beginning
data collection for replication summary, this may take awhile:
  .






Source DC   largest
delta  fails/total  %%  error
 APPSIG-MDOPC 
14m:06s    0 /  18    0
 APPSIG-LAOPC 
10m:09s    0 /  12    0
 APPSIG-TXOPC 
09m:52s    0 /   3    0
 APPSIG-OCOPC 
09m:52s    0 /   3    0
 APPSIG-OROPC 
02m:48s    0 /   6    0
 APPSIG-UTOPC 
02m:46s    0 /   6    0
 APPSIG-DCOPC 
02m:08s    0 /   3    0
 APPSIG-VAOPC 
02m:08s    0 /   3    0
 APPSIG-AV  
(unknown)    4 /  15  
26  (8442) The replication system encountered an internal error.
 APPSIG-AD  
(unknown)    4 /  15  
26  (8442) The replication system encountered an internal error.






Destination DC    largest delta   
fails/total  %%  error
 APPSIG-VAOPC 
14m:12s    0 /   3    0
 APPSIG-TXOPC 
10m:12s    0 /   3    0
 APPSIG-DCOPC 
07m:42s    0 /   3    0
 APPSIG-OCOPC 
07m:07s    0 /   3    0
 APPSIG-AD
04m:33s    0 /   3    0
 APPSIG-AV
02m:50s    0 /  15    0
 APPSIG-LAOPC   
(unknown)    2 /  15  
13  (8442) The replication

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Title: RE: [ActiveDir] Replication Problems and Tombstoned Objects








Correction, 10 domain controllers in 9 sites.

 





From: WATSON, BEN 
Sent: Friday, September 22, 2006 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects





 





Basic info and troubleshooting I've done to gather symptom
information...





 





We
are running a single forest, single domain Windows 2000 environment (I know, I
know, I'm in the process of getting this ugpraded to Win2k3 R2) with 9 domain
controllers and 8 sites.  Three of the sites are hub sites, and each hub
site has 2 spoke sites.  Our main hub site has 2 domain controllers, and
all other remote sites have a single domain controller.





 





The
replication issues are actually affecting an entire site, unfortunately our
main hub site (the one with 2 domain controllers).  Oddly enough, it's not
Domain Controller specific, the problem is actually site specific, and even
more specifically, it's only affecting replication traffic OUTBOUND from
the site.  Inbound replication traffic works fine as well as
replication between the two domain controllers inside the site.  At first,
I thought the domain controller that was acting as a Bridgehead for our site
was having issues, so I forced the other domain controller in the site to be the
preferred bridgehead server, deleted all the connection objects, and allowed
the KCC to recreate the connection objects.  It did this properly.  I
then attempted to force replication to take place, and the same symptoms still
persisted even though it was a completely different domain controller
attempting to perform the intersite replication.





 





Here
are the results of performing a, "REPADMIN /REPLADMIN /BYSRC /BYDEST
/SORT:DELTA" command.





Appsig-AV
and Appsig-AD are the two domain controllers in the problem site. 
Appsig-AD was the original DC that began showing problems in the site, and
Appsig-AV is the domain controller I switched over to test intersite
replication using a different DC.





 





Replication
Summary Start Time: 2006-09-22 21:59:43





Beginning
data collection for replication summary, this may take awhile:
  .






Source DC   largest
delta  fails/total  %%  error
 APPSIG-MDOPC 
14m:06s    0 /  18    0
 APPSIG-LAOPC 
10m:09s    0 /  12    0
 APPSIG-TXOPC 
09m:52s    0 /   3    0
 APPSIG-OCOPC 
09m:52s    0 /   3    0
 APPSIG-OROPC 
02m:48s    0 /   6    0
 APPSIG-UTOPC 
02m:46s    0 /   6    0
 APPSIG-DCOPC 
02m:08s    0 /   3    0
 APPSIG-VAOPC 
02m:08s    0 /   3    0
 APPSIG-AV  
(unknown)    4 /  15  
26  (8442) The replication system encountered an internal error.
 APPSIG-AD  
(unknown)    4 /  15  
26  (8442) The replication system encountered an internal error.






Destination DC    largest delta   
fails/total  %%  error
 APPSIG-VAOPC 
14m:12s    0 /   3    0
 APPSIG-TXOPC 
10m:12s    0 /   3    0
 APPSIG-DCOPC 
07m:42s    0 /   3    0
 APPSIG-OCOPC 
07m:07s    0 /   3    0
 APPSIG-AD
04m:33s    0 /   3    0
 APPSIG-AV
02m:50s    0 /  15    0
 APPSIG-LAOPC   
(unknown)    2 /  15  
13  (8442) The replication system encountered an internal error.
 APPSIG-UTOPC   
(unknown)    2 /  
9   22  (8442) The replication system encountered an internal
error.
 APPSIG-MDOPC   
(unknown)    2 / 
21    9  (8442) The replication system encountered an
internal error.
 APPSIG-OROPC   
(unknown)    2 /  
9   22  (8442) The replication system encountered an internal
error.





 





Now
on to event log errors and warnings in the Directory Service event log.





 





Oddly
enough, the domain controlllers in the problem site show no real errors or
warnings to speak of.  However, the domain controllers that have direct
site connections to this site have plenty of errors when trying to replicate
from these sites.  I'm showing 4 errors/warnings when replication is
attempted.  Here are the errors/events after making the registry changes
Steve suggested.





 





Event
ID: 1173 - Category: Interneal Processing - Type: Warning





Internal
event: Exception e0010002 has occurred with parameters 8442 and 20b4 (Internal
ID 3050bdc).






Event
ID: 1084 - Category: Replication - Type: Error





Replication
error: The directory replication agent (DRA) couldn't update object
CN="InfowebAccessDEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted
Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89) on this
system with changes which have been received from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error occurred
during the application of the changes to the directory database on this system.


The
error m

RE: [ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

ntroller. 

If this condition is an internal error, a database error, or an object 
relationship or constraint error, manual intervention will be required to 
correct the database and allow the update to proceed. It is valuable to note 
that the problem is caused by the fact that the change on the remote system 
cannot be applied locally. Manually updating the objects on the local system in 
not recommended. Instead, on the source system (which has the changes already), 
try to reverse or back out the change. Then, on the next replication cycle, 
observe whether the change can now be applied locally. 

The record data is the status code. 

Event ID: 1085 - Category: Replication - Type: Warning

Replication warning: The directory replication agent (DRA) couldn't synchronize 
partition DC=appsig,DC=com with partition on directory server 
b04a1a6f-dae6-4795-bb91-9805f458c9d5._msdcs.appsig.com.

The error was: 

The replication system encountered an internal error.

Please verify that the address can be resolved with DNS, and that it is 
reachable via the transport. If this error persists, the KCC will reconfigure 
the links around this server. 

The record data is the status code. 

Event ID: 1061 - Category: Replication - Type: Warning

Internal error: The directory replication agent (DRA) call returned error 8442. 

That's all of it.  If you need me to get any further information, let me know 
and I'll get it immediately.

Thank you for your help!

~Ben

 



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Fri 9/22/2006 8:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects



You could also turn up additional logging which would give more details as to 
what the internal error is.  I would suggest starting with the following:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

1. Locate the "5 Replication Events" value under the above key.
2. On the Edit menu, click DWORD, type 4, and then click OK.
3. Locate the "9 Internal Processing" value under the same key.
4. On the Edit menu, click DWORD, type 1, and then click OK.

After you do this post the full event text for the error and any additional 
replication or internal processing errors.  I would expect to get back an 
Exception value with parameters and an internal id.  These can be used to 
determine what is causing the problem.  To answer your original question the 
tombstoned object will only be removed once the tombstone lifetime is reached 
and garbage collection has run.  I would not recommend changing the tombstone 
lifetime to correct this as it is forest wide and can lead to more serious 
problems than you currently have.  We should be able to determine the cause of 
the internal error and correct it without taking such risky and drastic 
measures.

Thanks,

-Steve


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vinnie Cardona
Sent: Friday, September 22, 2006 9:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Problems and Tombstoned Objects

What event id are you seeing associate with this error?

Vinnie Cardona
Systems Administrator
Ernest Health, Inc
Information Technology Dept
505.798.6472

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, September 22, 2006 6:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication Problems and Tombstoned Objects

Our forest is currently experiencing some replication issues.  The
common error we have been receiving has revolved around a single object.
To summarize, how do you permanently delete Active Directory objects?
More specifically, how do you remove an object that is already
tombstoned?  Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update
object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID
e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which
have been received from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error
occurred during the application of the changes to the directory database
on this system.

 The error message is:
 The replication system encountered an internal error.

 The directory will try to update the object later on the next
replication cycle. Synchronization of this server with the source is
effectively blocked until the update problem is corrected.
 If this condition appears to be related to a resource shortage, please
stop and restart this Windows Domain Controller.
 If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required
to correct the database and allow the update to proceed.  It is valuable
to note that the problem is caused by the fact that the c

[ActiveDir] Replication Problems and Tombstoned Objects

[WATSON, BEN]

Our forest is currently experiencing some replication issues.  The
common error we have been receiving has revolved around a single object.
To summarize, how do you permanently delete Active Directory objects?
More specifically, how do you remove an object that is already
tombstoned?  Here is why I need to do this, here is the full error...

---
Replication error: The directory replication agent (DRA) couldn't update
object CN=InfowebAccess,OU=InfowebGroups,DC=appsig,DC=com (GUID
e988-616b-4944-bbe1-c8265cf4cc89) on this system with changes which
have been received from source server
e928ad23-039d-4dbd-b214-f88b4ae54819._msdcs.appsig.com. An error
occurred during the application of the changes to the directory database
on this system. 
 
 The error message is: 
 The replication system encountered an internal error.
 
 The directory will try to update the object later on the next
replication cycle. Synchronization of this server with the source is
effectively blocked until the update problem is corrected. 
 If this condition appears to be related to a resource shortage, please
stop and restart this Windows Domain Controller. 
 If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required
to correct the database and allow the update to proceed.  It is valuable
to note that the problem is caused by the fact that the change on the
remote system cannot be applied locally. Manually updating the objects
on the local system in not recommended. Instead, on the source system
(which has the changes already), try to reverse or back out the change.
Then, on the next replication cycle, observe whether the change can now
be applied locally. 
 The record data is the status code.
---

After I deleted this object, I continue to get the same error, except it
now references the deleted (tombstoned) object as a roadblock.

---
Replication error: The directory replication agent (DRA) couldn't update
object CN="InfowebAccess
DEL:e988-616b-4944-bbe1-c8265cf4cc89",CN=Deleted
Objects,DC=appsig,DC=com (GUID e988-616b-4944-bbe1-c8265cf4cc89)
etc...  (same as error above)
---

What would be the proper method to permanently remove a tombstoned
object?  If I'm following the error messages, then removing the object
permanently should (hopefully) resolve the issues.

Thanks,
~Ben
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] Block Inheritance on DC OU

[WATSON, BEN]

The company I am currently working for has “block
inheritance” enabled for the Domain Controller’s OU and apparently whoever
enabled this setting is no longer with the company (or they won’t fess up
to why they did this).

 

Although I am curious, what sort of ramifications does
enabling “block inheritance” on the Domain Controller’s OU
pose?  And what reason would you have to enable this setting on the Domain
Controller’s OU?  With any other OU, it would be fairly obvious, but
being that these are the Domain Controllers it would seem to be a unique
situation.

 

Thanks as always for your input,

~Ben

RE: [ActiveDir] Strange password issue

[WATSON, BEN]

Yep, your e-mail definitely hit the list.



 



I'm confused as to why the 512 UAC flag is making anybody
think that passwd_notreqd is set. A setting of 512 indicates a normal account.
544 would indicate a normal account with passwd_notreqd set.

 



Laura



 

If that is the e-mail you are talking about.

 

~Ben

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Laura A. Robinson
Sent: Thursday, September 07, 2006 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue





 



Since the OP has said that the accounts' UAC flags are 512, not
544, the entire discussion around this is moot.





 





BTW, did anybody notice if my post about the 512/544 value hit the
list yesterday? I don't remember seeing it and am wondering if I actually sent
it. :-)





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, September 07, 2006 7:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue



But you cannot set UAC to 512 if the password is blank, as it
doesn't comply with the password policy.  Try it.  The other half of
my post shows the error.  I also tried it through the GUI (ADSIEDIT gives
errors that are easier on the eyes, although less specific) and it said it wasn't
compliant with the security policy, so it is checking the password when you do
this.





 





p.s. your query, while illustrating the point, isn't really
appropriate.  The following is how you should be looking for people with
this bit set.





 





(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))





 





 





Remember, unless you've made it so, objectClass isn't indexed and
although UAC is, this also applies to non-people objects, e.g. computers.





 





 





--Paul







-
Original Message - 





From: [EMAIL PROTECTED] 





To: ActiveDir@mail.activedir.org 





Sent: Thursday, September 07, 2006 11:35 AM





Subject: RE: [ActiveDir] Strange password
issue





 



UAC bitmask is 32. A normal user then gets UAC = 544. 

Try doing a ldap query for
(&(objectClas=user)(useraccountcontrol=544)) 

You could then modify the attribute to 512 on these users either
with adsiedit or in a nice tool such as ADModify.net.

 

Note: if the option password not required is set. Then you can
either have a blank password or comply with the password policy in defdom GPO.

 

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: den 6 september 2006 21:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange password issue

Pressed send before I finished typing!  : (

 

Following on from the last mail…

 

You can, however, modify the policy so that you can have shorter
passwords, create the user, and then change the password policy back. 
Perhaps someone did this?

 

If you test this, when you set the policy to zero it says no
password required (in the Window).

 

 

--Paul

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: 06 September 2006 19:28
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Strange password issue



 

>From what
I recall, if the password is not required, then there's no need to check the
minimum length.  Since it would be overridden at the user object level,
that does not affect the domain. 

I don't recall the UAC bitmask, and I'm not going to figure it out at the
moment.  I'll take your word that the password not required is true for
this user. 

If you remove that setting (i.e. require the user to have a password) then that
password would, by policy, have to be at least 6 chars in length. 





On 9/6/06, Tom
Kern <[EMAIL PROTECTED]> wrote:





This is a domain account.





 





To rehash-





 





The Default Domain Policy is set to min
password length- 6 charcters.





This was created 2 years ago and never
changed.





User account is a domain account created a
month ago.





It was bought to my attention that the user
can log in with no password.





I confirmed.





The userAccountControl attribute of the
user object was set to 512(not that i'm certain if setting the passwd_notreqd
overrides the DDP).





The domain/forest is at w2k3 FL.





 





Thanks











 





On 9/6/06, Laura
A. Robinson <[EMAIL PROTECTED]
> wrote: 







Impossible/irrelevant. If it's a domain account, the policy
applies regardless, because the account is stored in AD. If it's a local
account, then the policy doesn't apply regardless; domain account policies
don't apply to local accounts. Is this a local account or a domain account? 





 





Laura





 









From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Tom Kern





Sent:
Wednesday, September 06, 2006 11:44 AM
To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Strange password issue

 

RE: [ActiveDir] deleting subdomain

[WATSON, BEN]

Hi Rezuma,

You would want to perform a metadata cleanup through NTDSUTIL to remove
the child domain.

~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramon Linan
Sent: Wednesday, August 30, 2006 1:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] deleting subdomain

Hi,

We had a DC that was taking out of AD without being demote. That DC was
also the only domain controller for that child domain, child.domain.com

I want to remove entirely that domain from the AD, any ideas on the step
I should follow?

I don't have access to that DC, so I cant do a clean removal.

Thanks

Rezuma
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] FYI - You cannot perform a system state backup on a domain controller that is running Windows Server 2003 SP1

[WATSON, BEN]

I ran into this a few weeks ago.  I have a domain running on an old
crappy box with two hard drives, and put the log files on the 2nd hard
drive.  When all my system state backups were failing, I ended up
finding this KB article and found that the "workaround" in my case was
to move the log files over to the first hard drive.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, August 28, 2006 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FYI - You cannot perform a system state backup on a
domain controller that is running Windows Server 2003 SP1

You cannot perform a system state backup on a domain controller that is
running Windows Server 2003 SP1:
http://support.microsoft.com/?kbid=913642

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com

If you are a SBSer and you don't subscribe to the SBS Blog... man ... I
will hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] [OT] Longhorn Beta

[WATSON, BEN]

That was definitely the first place I
checked, and unless I’m blind (which I’ve been accused of many
times by the way), I don’t believe it’s an available option on the
connect website to test.

 

I’ll probably end up just using my
MSDN copy in our test environment to create a Longhorn DC.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Thursday, August 17, 2006
10:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT]
Longhorn Beta



 



http://connect.microsoft.com/





 





 





--Paul







- Original Message - 





From: WATSON, BEN






To: ActiveDir@mail.activedir.org






Sent: Thursday, August
17, 2006 4:35 PM





Subject: [ActiveDir] [OT]
Longhorn Beta





 



Outside of my MSDN account is there a preferred way to obtain
Longhorn Beta’s for testing?

 

~Ben

[ActiveDir] [OT] Longhorn Beta

[WATSON, BEN]

Outside of my MSDN account is there a preferred way to
obtain Longhorn Beta’s for testing?

 

~Ben

RE: [ActiveDir] ADFind Query

[WATSON, BEN]

Yes I was Dean, thanks for providing such a great utility.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 15, 2006 6:04 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

I'll assume for the moment that you were able to get it from the web
site,
let me know if otherwise.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of WATSON, BEN
> Sent: Monday, August 14, 2006 8:22 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] ADFind Query
> 
> Hi Dean,
> 
> Any chance you could password protect that zip and simply place the
> password in the body of the e-mail?  Our e-mail gateway was all too
> happy to empty out the contents.
> 
> Thanks,
> ~Ben
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Monday, August 14, 2006 5:12 PM
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] ADFind Query
> 
> Hey Tony,
> 
> I tried posting it earlier but it hasn't appeared as yet nor did it
> bounce.
> I'm uncertain as to the version on the activedir.org site so I've
tried
> posting another, smaller zipped enclosure in the hopes that this one
> will make it through.
> 
> --
> Dean Wells
> MSEtechnology
> t Email: [EMAIL PROTECTED]
> http://msetechnology.com
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of Tony Murray
> > Sent: Monday, August 14, 2006 8:03 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] ADFind Query
> >
> > Have a look at Dean's SchemaDiff on the download page:
> >
> > http://www.activedir.org/Downloads/Downloads.aspx
> >
> > Tony
> > -- Original Message --
> > From: "WATSON, BEN" <[EMAIL PROTECTED]>
> > Reply-To: ActiveDir@mail.activedir.org
> > Date:  Mon, 14 Aug 2006 14:28:47 -0700
> >
> > Hey guys,
> >
> >
> >
> > Simple question.  I'm trying to perform a search to locate all the
> > schema extensions that have been added in by our company.
> >
> >
> >
> > I thought some simple syntax like this would work to find all schema
> > attributes with an attrbituteID prefixed with our OID.
> >
> >
> >
> > adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
> >
> > ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No
> Such
> > Attribute
> >
> >
> >
> > I'm obviously missing something, any thoughts?
> >
> >
> >
> > Thanks,
> >
> > ~Ben
> >
> >
> >
> >
> >
> >
> >
> >
> > 
> > Sent via the WebMail system at mail.activedir.org
> >
> >
> >
> >
> > List info   : http://www.activedir.org/List.aspx
> > List FAQ: http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] ADFind Query

[WATSON, BEN]

I’m familiar with grep on *nix, but didn’t
realize it was available on Windows.  Where did you get your port of grep for
Windows at?

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 6:16
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind
Query



 

Yeah something like

 

adfind -sc s:* ldapdisplayname attributeid
-csv |grep -i 1.3.6.1.4.1.14376

 

would work fine. 

 

But still... the OP is hopefully prefixing
schema attributes and classes with a corporate value... Otherwise they could
run into collisions with vendors with bad schema practices. 

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 6:17
PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind
Query

If not, though less
efficient, dump them all and pipe it through find …













--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com













 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 5:53
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind
Query





 

You shouldn't be getting that error with
that command... Even if the attribute name was incorrect you wouldn't get that
error, you would get 0 objects returned as the query processor doesn't output
errors because of incorrect attributes being specified. 

 

However, that being said, this isn't going
to work. You can't wildcard OIDs (or more accurately 2.5.5.2/6 data types).

 

Hopefully you guys prefixes all of the
classes and attributes you added with a company prefix so you can search on
that like so

 

adfind -schema -f name=joeware*
ldapdisplayname -sl

 

or the shortcut

 

adfind -sc sl:joeware*

 

 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 



 



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON,
 BEN
Sent: Monday, August 14, 2006 5:29
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

 

Simple question.  I’m trying to perform a search
to locate all the schema extensions that have been added in by our company.

 

I thought some simple syntax like this would work to find
all schema attributes with an attrbituteID prefixed with our OID.

 

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16)
- No Such Attribute

 

I’m obviously missing something, any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] ADFind Query

[WATSON, BEN]

Oh yes, we absolutely prefix our extensions...  now.  A few years ago (before I 
was here), someone decided to add a UID attribute to the schema with a bad OID, 
bad syntax, bad everything, and unfortunately this directly collided with the 
UID attribute that Windows 2003 wanted to add.  It required an enormous amount 
of work to deal with since I don't have the ability to defunct the attribute.
 



From: [EMAIL PROTECTED] on behalf of joe
Sent: Mon 8/14/2006 6:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query


Yeah something like
 
adfind -sc s:* ldapdisplayname attributeid -csv |grep -i 1.3.6.1.4.1.14376
 
would work fine. 
 
But still... the OP is hopefully prefixing schema attributes and classes with a 
corporate value... Otherwise they could run into collisions with vendors with 
bad schema practices. 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 6:17 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query



If not, though less efficient, dump them all and pipe it through find ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com <http://msetechnology.com/> 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 14, 2006 5:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADFind Query

 

You shouldn't be getting that error with that command... Even if the attribute 
name was incorrect you wouldn't get that error, you would get 0 objects 
returned as the query processor doesn't output errors because of incorrect 
attributes being specified. 

 

However, that being said, this isn't going to work. You can't wildcard OIDs (or 
more accurately 2.5.5.2/6 data types).

 

Hopefully you guys prefixes all of the classes and attributes you added with a 
company prefix so you can search on that like so

 

adfind -schema -f name=joeware* ldapdisplayname -sl

 

or the shortcut

 

adfind -sc sl:joeware*

 

 

 

--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Monday, August 14, 2006 5:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADFind Query

Hey guys,

 

Simple question.  I'm trying to perform a search to locate all the schema 
extensions that have been added in by our company.

 

I thought some simple syntax like this would work to find all schema attributes 
with an attrbituteID prefixed with our OID.

 

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such Attribute

 

I'm obviously missing something, any thoughts?

 

Thanks,

~Ben

<>

RE: [ActiveDir] ADFind Query

[WATSON, BEN]

Hi Dean,

Any chance you could password protect that zip and simply place the
password in the body of the e-mail?  Our e-mail gateway was all too
happy to empty out the contents.

Thanks,
~Ben

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 14, 2006 5:12 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] ADFind Query

Hey Tony,

I tried posting it earlier but it hasn't appeared as yet nor did it
bounce.
I'm uncertain as to the version on the activedir.org site so I've tried
posting another, smaller zipped enclosure in the hopes that this one
will
make it through.

--
Dean Wells
MSEtechnology
t Email: [EMAIL PROTECTED]
http://msetechnology.com


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Tony Murray
> Sent: Monday, August 14, 2006 8:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] ADFind Query
> 
> Have a look at Dean's SchemaDiff on the download page:
> 
> http://www.activedir.org/Downloads/Downloads.aspx
> 
> Tony
> -- Original Message --
> From: "WATSON, BEN" <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> Date:  Mon, 14 Aug 2006 14:28:47 -0700
> 
> Hey guys,
> 
> 
> 
> Simple question.  I'm trying to perform a search to locate all the
> schema extensions that have been added in by our company.
> 
> 
> 
> I thought some simple syntax like this would work to find all schema
> attributes with an attrbituteID prefixed with our OID.
> 
> 
> 
> adfind -schema -f attributeID=1.3.6.1.4.1.14376.*
> 
> ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16) - No Such
> Attribute
> 
> 
> 
> I'm obviously missing something, any thoughts?
> 
> 
> 
> Thanks,
> 
> ~Ben
> 
> 
> 
> 
> 
> 
> 
> 
> 
> Sent via the WebMail system at mail.activedir.org
> 
> 
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

[ActiveDir] ADFind Query

[WATSON, BEN]

Hey guys,

 

Simple question.  I’m trying to perform a search to
locate all the schema extensions that have been added in by our company.

 

I thought some simple syntax like this would work to find
all schema attributes with an attrbituteID prefixed with our OID.

 

adfind -schema -f attributeID=1.3.6.1.4.1.14376.*

ldap_get_next_page_s: [appsig-ad.appsig.com] Error 0x10 (16)
- No Such Attribute

 

I’m obviously missing something, any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] Weak AD passwords

[WATSON, BEN]

Title: Message








I think you might mean the storing of LM
hashes for compatibility with extremely old operating systems.  When using LM
Hash your password at most will consist of 14 characters, while that’s a
good length, the worst part is it is broken up into two 7 character strings.  (At
least if I remember this all correctly, I learned about this quite awhile ago) 
So really, when brute forcing a password that is LM hash compatible, all the
password cracking utility needs to do is crack the password twice.  Once for
the first 7 characters, and again for the second 7 characters.  If you’ve
watched the speed which with a good password cracking utility can chew through
7 character strings then it shouldn’t be surprising that it can crack
even complex passwords this way.

 

http://support.microsoft.com/kb/299656/

 

If you remove the storage of the LM Hash
of your passwords, then the cracking utility will have to crack all 14+
characters in your password at once, making it infinitely more difficult to
brute force.

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 09, 2006
9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords



 

Uh, I am the IT security department for a
number of my clients.

 

Yes, complex passwords were used. Here are
a few it cracked, just as samples:

 


 
 
  
  F0ur.Sc0r3
  
 
 
  
  grVnBEqRo*&2Yb
  
 
 
  
  @[EMAIL PROTECTED]@cK
  
 


 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, August 09, 2006
11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords

With the assistance, support and
ratification from your IT Security department, of course :)

 

Do you use complex passwords in the below
scenario?

 

neil







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: 09 August 2006 16:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords

I took the time to generate the 64 GB
tables with the full US-ASCII character set (I spread it out over a couple of
dozen servers and it only took about a week) last year.

 

I ran it last week against one of my
environments. It cracked 1,628 passwords out of 1,629 total accounts in 18
hours. Not bad at all.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Wednesday, August 09, 2006
11:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Weak AD
passwords



Hi





 





Haven't used it, but one of my colleagues
swears it's too good. :) Try Rainbow Tables.





 





Cheers





 





Danny





 





-Original Message-
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD
passwords



Can anyone recommend any tools to find which of our users
have weak AD passwords?  We used to use L0phtcrack back in the day, but it
doesn't appear to be supported any longer?  Other than enforcing complex
passwords (which we do) and 8 character minimum, we'd like to figure out who
uses things like "Password1" or something silly like that.





 





Thanks in advance



Email has been scanned for viruses
by Altman Technologies' email management service


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of the Cooper Cameron Corporation and its operating Divisions
  and may be confidential or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 






PLEASE READ: The information contained in this email is
confidential and 





intended for the named recipient(s) only. If you are not an
intended 





recipient of this email please notify the sender immediately
and delete your 





copy from your system. You must not copy, distribute or take
any further 





action in reliance on it. Email is not a secure method of
communication and 





Nomura International plc ('NIplc') will not, to the extent
permitted by law, 





accept responsibility or liability for (a) the accuracy or
completeness of, 





or (b) the presence of any virus, worm or similar malicious
or disabling 





code in, this message or any attachment(s) to it. If
verification of this 





email is sought then please request a hard copy. Unless
otherwise stated 





this email: (1) is not, and should not be treated or relied
upon as, 





investment research; (2) contains views or opinions that are
solely those of 





the author and do not necessarily represent those of NIplc;
(3) is intended 





for informational purposes only and is not a recommendation,
soli

RE: [ActiveDir] Weak AD passwords

[WATSON, BEN]

Title: Message








It seems that Cain & Able development
has picked up greatly since LC5 was discontinued and seems to offer all the
features of LC5 and more.


Check out the list of network security tools that the creator of NMAP has
developed.  Cain & Able is #9.

 

http://sectools.org/

 

And here’s the direct link to Cain
& Able.

 

http://www.oxid.it/index.html

 

~Ben

 

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Williams
Sent: Wednesday, August 09, 2006
9:07 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Weak AD
passwords



 



Lophcrack was
purchased by Symantec and is now sold as an enterprise security product. 
It's called LC5, I believe, but has recently been discontinued (after symantec
stopped selling it to people outside of North America)
and support runs out at the end of the year.  Which is a real pain as I've
recently recommended it and now need to revise my recommendations!





 





 





--Paul







- Original Message - 





From: McCann, Danny






To: ActiveDir@mail.activedir.org






Sent: Wednesday, August
09, 2006 3:59 PM





Subject: RE: [ActiveDir]
Weak AD passwords





 





Hi





 





Haven't used it, but one of my colleagues
swears it's too good. :) Try Rainbow Tables.





 





Cheers





 





Danny





 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Rimmerman, Russ
Sent: 20 March 2006 21:38
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Weak AD
passwords



Can anyone recommend any tools to find which of our users
have weak AD passwords?  We used to use L0phtcrack back in the day, but it
doesn't appear to be supported any longer?  Other than enforcing complex
passwords (which we do) and 8 character minimum, we'd like to figure out who
uses things like "Password1" or something silly like that.





 





Thanks in advance



Email has been scanned for viruses
by Altman Technologies' email management service


 
  
  ~~
  This e-mail is confidential, may contain proprietary information
  of the Cooper Cameron Corporation and its operating Divisions
  and may be confidential or privileged.
  
  This e-mail should be read, copied, disseminated and/or used only
  by the addressee. If you have received this message in error please
  delete it, together with any attachments, from your system.
  ~~
  
 


 

RE: [ActiveDir] Granting Exchange Mailbox Access

[WATSON, BEN]

Nice pointer Hunter!  I had forgotten that
tidbit of info I learned awhile ago that a deny doesn’t always override a
grant privilege.  There was indeed an explicit grant privilege set at the
server level for that individual user account which overrides the deny
privilege set at the organizational level which had propagated downward.  I
granted my Exchange Full Administrators security group the same grant privilege
that the individual account had at the server level, and now everything is
working as I was hoping.

 

Thanks to everyone that responded!

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006
10:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access



 

Check to see if someone removed the
explicit Deny for the individual account on Send-As/Receive-As at the Exchange
Org level, and if not whether it's getting overridden by an explicit Allow
further down the hierarchy.

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Thursday, August 03, 2006
11:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access

That’s actually a very good idea,
and I may enforce that on them.  I suppose if anything, my curiosity is
getting the best of me and I’m really wondering what is different between
that delegated security group and the individual account that installed
Exchange which is granting full mailbox access across the board.

 

I just can’t find anything that
actually is different between the two.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006
9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access



 

A different approach is for the Exch Full
Admin to simply grant him/herself Full Mailbox Access->Allow on an
individual, as-needed basis. I prefer this because it requires a conscious
effort on the admin's part to access someone else's mailbox, regardless of what
your corporate use policies state about email being the company's property.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006
5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access

The perm you’re looking for is
Receive As on the Mailbox store.  The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to CN=First
Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes.  So even if you grant
your group the required perms, if they’ve been delegated EFA, the Deny
will override it.

 

I’d imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006
5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting
Exchange Mailbox Access



 

In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right.  I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.

 

Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group.

 

I have created a domain security group named simply “Exchange
Full Administrators”, and I delegated Exchange Full Administrator rights
to that security group at the organizational level.  So anyone in that
security group “should” have full administration rights. 
I’ve had to delegate a few other rights in Active Directory for some
other reasons to this new security group (for instance to give this security
group rights to modify the dynamic mailing list OU); however I’m having
trouble finding exactly where to delegate rights to give this security group
full access to everyone’s mailbox.

 

Any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] Granting Exchange Mailbox Access

[WATSON, BEN]

That’s actually a very good idea,
and I may enforce that on them.  I suppose if anything, my curiosity is getting
the best of me and I’m really wondering what is different between that
delegated security group and the individual account that installed Exchange
which is granting full mailbox access across the board.

 

I just can’t find anything that
actually is different between the two.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, August 03, 2006
9:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access



 

A different approach is for the Exch Full
Admin to simply grant him/herself Full Mailbox Access->Allow on an
individual, as-needed basis. I prefer this because it requires a conscious
effort on the admin's part to access someone else's mailbox, regardless of what
your corporate use policies state about email being the company's property.

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006
5:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access

The perm you’re looking for is
Receive As on the Mailbox store.  The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes.  So even if you grant
your group the required perms, if they’ve been delegated EFA, the Deny
will override it.

 

I’d imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006
5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting
Exchange Mailbox Access



 

In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right.  I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.

 

Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group.

 

I have created a domain security group named simply
“Exchange Full Administrators”, and I delegated Exchange Full
Administrator rights to that security group at the organizational level. 
So anyone in that security group “should” have full administration
rights.  I’ve had to delegate a few other rights in Active Directory
for some other reasons to this new security group (for instance to give this
security group rights to modify the dynamic mailing list OU); however I’m
having trouble finding exactly where to delegate rights to give this security
group full access to everyone’s mailbox.

 

Any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] Granting Exchange Mailbox Access

[WATSON, BEN]

Hi Scott,

 

Thanks for the reply.  Unfortunately,
it didn’t seem to grant access.  That was definitely one of the
first places I looked to check for permissions that would give me a clue as to
why the username that originally installed Exchange 2003 has access to all
user’s mailboxes, yet the Exchange Full Administrators delegated group
does not.  Oddly enough, I find that the specific account that installed
Exchange has the same exact rights as the delegated group.  Both have a
specific deny set for Send As and Receive As, yet the individual user account
can access any mailbox, and the delegated group cannot.

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Wednesday, August 02, 2006
4:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Granting
Exchange Mailbox Access



 

The perm you’re looking for is
Receive As on the Mailbox store.  The problem is that delegating Exchange
Full Administrator adds an explicit Deny ACE to CN=First Organization,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=domain,DC=com for Receive As and that
gets replicated all the way down to the mailboxes.  So even if you grant
your group the required perms, if they’ve been delegated EFA, the Deny will
override it.

 

I’d imagine you can remove the Deny
ACE manually, but we just skipped the delegation wizard and added the ACE for
Receive As for our Mailbox Admins.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006
5:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Granting
Exchange Mailbox Access



 

In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right.  I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.

 

Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group.

 

I have created a domain security group named simply
“Exchange Full Administrators”, and I delegated Exchange Full
Administrator rights to that security group at the organizational level. 
So anyone in that security group “should” have full administration
rights.  I’ve had to delegate a few other rights in Active Directory
for some other reasons to this new security group (for instance to give this
security group rights to modify the dynamic mailing list OU); however I’m
having trouble finding exactly where to delegate rights to give this security
group full access to everyone’s mailbox.

 

Any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] Remove Defunct domains..

[WATSON, BEN]

Ah right, I read the initial question
wrong and thought you were trying to rid yourself of an old domain that no
longer exists.  It certainly sounds more like a browsing issue.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Saturday, September 02, 2006
3:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove
Defunct domains..



 



That would depend upon whether or not the
domains are appearing because of metadata, or whether they're appearing because
of "bad" browsing information. Do the domains appear anywhere besides
Network Neighborhood? Is WINS in use? If so, are there entries in WINS
representing the domains? Without knowing exactly where the defunct domains are
appearing and where they aren't, it's tough to call whether or not it's a
problem of metadata or browsing. 





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of WATSON, BEN
Sent: Wednesday, August 02, 2006
6:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove
Defunct domains..

You can remove the orphaned domains
through NTDSUTIL.  Doing a metadata cleanup.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of HBooGz
Sent: Wednesday, August 02, 2006
2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove
Defunct domains..



 

Whenever i browse Network Neighborhood or view the list of availble
networks, there are a few domains that appear that shouldn't. Is there a way to
remove these domain/domain entries manually ?

ADSI edit ?



-- 
HBooGz:\> 

[ActiveDir] Granting Exchange Mailbox Access

[WATSON, BEN]

In an effort to cut down on service account abuse,
I’ve been removing and reducing privileges left and right.  I have
delegated Exchange Full Administrator rights to a few users who had previously
been using the service account we originally installed Exchange 2003.

 

Sometimes, the Exchange Administrators will need to access a
user’s mailbox to assist with various issues, and I’m having
trouble delegating that right to the members of the Exchange Full
Administrators group.

 

I have created a domain security group named simply “Exchange
Full Administrators”, and I delegated Exchange Full Administrator rights
to that security group at the organizational level.  So anyone in that
security group “should” have full administration rights.  I’ve
had to delegate a few other rights in Active Directory for some other reasons to
this new security group (for instance to give this security group rights to
modify the dynamic mailing list OU); however I’m having trouble finding
exactly where to delegate rights to give this security group full access to
everyone’s mailbox.

 

Any thoughts?

 

Thanks,

~Ben

RE: [ActiveDir] Remove Defunct domains..

[WATSON, BEN]

You can remove the orphaned domains
through NTDSUTIL.  Doing a metadata cleanup.

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of HBooGz
Sent: Wednesday, August 02, 2006
2:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remove
Defunct domains..



 

Whenever i browse Network Neighborhood or view the list of availble
networks, there are a few domains that appear that shouldn't. Is there a way to
remove these domain/domain entries manually ?

ADSI edit ?



-- 
HBooGz:\> 

RE: [ActiveDir] OT: XP exploit

[WATSON, BEN]

Interesting exploit.  Although I think this might not be new.  I fired up a 
somewhat old Windows XP VM I had to test it, and despite the fact that standard 
users had permissions to read&execute AT.EXE, they were still denied access.  
Same deal on my company workstation which is absolutely up to date.  I'm 
assuming that may be due to a patch that came through at some point in the past?
 
I just wanted to make sure so I know whether I need to act on this or not.



From: [EMAIL PROTECTED] on behalf of Derek Harris
Sent: Tue 8/1/2006 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: XP exploit



Use GPO to prevent users from running the scheduler.  Need to do a reg
hack to block local accounts.
http://www.projectstreamer.com/users/r0t0r00t3r/xp_priv_esc/xp_priv_esc.
html
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


<>

RE: [ActiveDir] W2K3 Upgrade Domain Controller or Exchange Servers?

[WATSON, BEN]

Hi Nate,

 

Just in case you hadn’t seen this
before, you might want to keep your eye on this KB article.

 

http://support.microsoft.com/kb/314649

 

Good luck with your upgrade!

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta, Nathaniel V CTR USAF
NASIC/SCNA
Sent: Monday, July 31, 2006 6:37
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] W2K3 Upgrade
Domain Controller or Exchange Servers?



 



All,





 





We are rounding home base in our upgrade
path to 2K3 and have our Exchange Server Cluster running W2K and EXCH2K
and our Domain Controllers to upgrade lastly.  Which of them would you
think would be the best to upgrade first?  We thought to upgrade the DC's
first because it takes care of the extension of the schema and all which has to
be done prior to EXCH2K3 anyhow.  I cant think of a reason to not upgrade
the Domain Controllers before the Exchange Server.  Can anyone else?





 





 





Thanks





 





Nate

RE: [ActiveDir] Question on "restricted group" policy.

[WATSON, BEN]

Is there a way to set a restricted group
membership, yet allow for additional members to not be removed when the group
policy is refreshed?  We have a number of engineers that we grant local
administrator privileges on a case by case basis, and the initial reason I
dismissed the use of “Restricted Groups” was due to the fact that
it prevented the ability to add any additional admins so I went back to a “Net
localgroup” script to accomplish what I was looking for.

 

I’m just looking for a way to have
the GPO look at the restricted group and make sure that the groups/users I
specify are a part of the restricted group, and not worry about anything in
addition that might be there.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Wednesday, July 26, 2006
9:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Question
on "restricted group" policy.



 

>From my experience,
Restricted Groups settings simply state what the computer (or domain controller
if you stick the setting in your DCs GPO) will make sure what the group
memberships are going to be when it checks the GPO.  If you set the
"Administrators" group to be "Domain Admins; groupa;
groupb" then when the computer applies the GPO settings, it will check to
make sure that the local Administrators group (Or domain group for a DC)
contains "Domain Admins; groupa; groupb;
builtin\Administrator".  

Just so you know, like with any GPO setting, anyone who has the right to change
that group can still change it, but when the GPO applies, the group memberships
will be verified again, removing whatever was added, or adding whatever was
removed.  This may be 2 minutes later or 2 hours later.  This is the
same if you set a service to disabled an administrator can still change it
to enabled, but when the GPO goes back through, it will re-disable the service
(though if the user also started the service it will remain started until the
computer is restarted or someone manually stops it). 

If you remove the GPO setting, then it simply won't check the group memberships
for those groups any more.  Or at least that's my interpretation. 
Kind of like when you move a computer out of an OU where there is a GPO applied
to it and into an OU without any GPOs applied to it; it won't change the
current settings, though you can now manually change them and they won't be
reverted. 

I guess I think of a GPO being a "Go make sure that everything is like
this and if it isn't, make it like this" kind of thing and that's the way
I always see it actually get applied.  If the GPO isn't there, then
nothing gets altered to a previous state, but it won't continue reverting
settings to what the prior GPO settings stated that they would be. 





On 7/26/06, Derek
Harris <[EMAIL PROTECTED]>
wrote:





Yes -- I've done that, and that's how it
worked for me.

 







From: Darren Mar-Elia
[mailto:[EMAIL PROTECTED] ] 
Sent: Wednesday, July 26, 2006
5:23 PM




To: ActiveDir@mail.activedir.org





Subject: RE:
[ActiveDir] Question on "restricted group" policy.







This somewhat depends upon which side of
Restricted Groups you're using (i.e. "Members of this Group" or
"This group is a member of"). If its the former, and you clear out
the users in the list but leave the local Administrators group under control,
then it will clear out the members of that local Admin group on the target
machines (but will leave the local Administrator account in (always)). If the
latter, and you clear out the members of the group, I think what you will find
is that those users/groups are simply left in the group that you made them
members of. If you simply delete or unlink the GPO, then the groups should be
left the way they were before you deleted/unlinked it (i.e. the group
membership changes do not get unapplied in the case of restricted group
policy). 

 

Darren

 

Darren Mar-Elia

For comprehensive
Windows Group Policy Information, check out www.gpoguy.com -- the best
source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows
Group Policy Guide, the definitive resource for Group Policy
information.

 

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006
4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on
"restricted group" policy.

Hey,

 

   Created a restricted group
policy for my domain that's adds some groups to the local administrators group
of the workstations. My question is now management wants me to delete it. If I
understand the way this works is that if I delete it then it will delete the
groups that were associated with this policy thus leaving nobody in the local
admin group. Am I correct...

 

v/r

john



 











 

RE: [ActiveDir] Question on "restricted group" policy.

[WATSON, BEN]

When I wanted to do this with my domain
workstations, I simply used a group policy object to deploy a startup script
that added the proper security groups to the local administrators group.  If I
wanted to then remove these groups, I would simply edit the script and switch
the /add to a /delete.

 

net localgroup administrators "DOMAIN\SECURITY
GROUP" /add

 

to 

 

net localgroup administrators "DOMAIN\SECURITY
GROUP" /delete

 

Others may have an alternative solution,
but that is what would work in my environment.

 

~Ben

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006
4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on
"restricted group" policy.



 

Hey,

 

   Created a restricted group
policy for my domain that's adds some groups to the local administrators group
of the workstations. My question is now management wants me to delete it. If I
understand the way this works is that if I delete it then it will delete the
groups that were associated with this policy thus leaving nobody in the local
admin group. Am I correct...

 

v/r

john



 

RE: [ActiveDir] Enumerating Group type and Mebership...

[WATSON, BEN]

Ugh, this sounds exactly like the SOX audit
our company is currently going through.  People asking for reports and
screenshots of things they simply don’t understand.  It’s a joy.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:54
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Enumerating Group type and Mebership...



 

Getting a list of groups
is easy... getting it all enumerated will be a bit more complex, though not
terribly so.

The ADUC allows you to create queries and list all security groups.  You
can then export this list to a file.  Once you have the file, you need to
import that list into Excel (pretty easy), then run a _vbscript_ against with
LDAP or ADSI scripting in it (or something like that) to enumerate group
members.  If they want nested members also, then you've got a lot more
complex issue, but I would just state that it's not practical and let him work
with the current list. 

Hopefully the resulting gargantuan file will be enough to make anyone choke and
stop making rediculous requests that they don't understand the futility
of.  Enumerating 10k groups simply so that you can toss the list out later
that week because it's just going to get more and more out of date is worse
than silly, it's a waste of company effort (and money).  Make it too easy
for him to generate that report and soon he'll be wanting to see what items
they have access to in the environment, so you'll end up enumerating out all
files and shares and rights assignments on computers. 






On 7/25/06, Mike
Hogenauer <[EMAIL PROTECTED]>
wrote:







We're medium size – and yes someone does want a current
outdated list J - 

Just trying to make it happen…. 

 



From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02
PM






To: ActiveDir@mail.activedir.org





Subject: Re:
[ActiveDir] Enumerating Group type and Mebership...







 

You either have a small environment or someone wants a
document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 



On
7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:







I need all Security Groups and Distribution groups – and
their members 

 

Thanks Laura!

 





From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00
PM






To: ActiveDir@mail.activedir.org






Subject: RE: [ActiveDir] Enumerating Group
type and Mebership...









 



What is "everything [you] need", specifically?





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49
PM
To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] Enumerating
Group type and Mebership...

All, 

 

I'm
trying to enumerate all groups in my AD environment. I need to get Group name
group type and group members for each group… 

 

I've
tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I
tried (below) but It still doesn't seem to pull back everything I need- Any
help would be great! In a perfect world - J -  I need a list of all
security groups and distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f
c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f
c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 











 











 

RE: [ActiveDir] Test Environments

[WATSON, BEN]

Those were my thoughts as well on the
issue and I’ve had to tell several people not to expect production-like
uptime.  I really couldn’t think of a better way to provide a test
environment and there’s no way I’m going to build multiple
environments like this.  Even though it’s a test environment, it often
requires more of my time to maintain than the production environment.

 

I may tell people to create their own
development environment as Jonathan suggested and allow testing to be performed
when they feel their app has outgrown a development environment of their own
creation.

 

Thanks guys, it’s good to know I’m
on track here.

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 12:04
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Test
Environments



 

It sounds like you have a
good test environment.  The only problem is that people may be scheduling
their testing a little too tightly.  They need to understand that this is
a *TEST* environment.  That means it's in a constant state of relative
flux and that at any point in time, it could possibly go down for an hour or
even possibly a day or two.  It will largely be available, but it's not
production and they shouldn't be expecting to receive the level of support and
uptime that they receive in the production environment.  If they expect
that, they need to find a way to test outside your test environment.  If
their schedules are slipping because of the availability of the test
environment, then they're not putting enough extra time into their plans and
need to start consulting you before deciding when to test and how much time
it's going to take. 

It may sound like I'm being harsh on them, but it sounds like they are really
expecting too much from a test environment and that's because there isn't
enough consulting occuring.  It really sounds like you need to possibly
make a "Testing calendar" so that everyone (or maybe even just you)
have a list of applications that are being tested in the environment and when
schema updates and other items which can affect multiple tests that are ongoing
occur, the relevant persons can be notified so if they need to reschedule their
testing or adjust their testing schedule, they can. 





On 7/25/06, WATSON,
BEN <[EMAIL PROTECTED]>
wrote:







I
was hoping to get some input from some of you to better understand how you
handle the design of test environments for application testing.  For
example, I built a so-called "Offnet" which is a duplicate of our
production domain.  We have a couple domain controllers restored from tape
backup, we have Exchange running, and various other production services using
the same domain name and hostnames providing for a very production-like test
environment.  As time progressed, other production servers duplicated
themselves into this test environment and we now have quite a number of people
doing the majority of their testing in this environment.  Unfortunately,
as more and more people have begun to use this environment for testing, we have
found that people are beginning to step on each others toes.  For
instance, I used this test environment to walk through the domain upgrade to
2003 and when there was some downtime other people were unable to do their own
testing.

 

So
I was curious, how do you handle providing a working test environment for
people that need it?  At this point, we are trying to determine a better
way for people to do their testing away from production.

 

Thanks,

~Ben









 

[ActiveDir] Test Environments

[WATSON, BEN]

I was hoping to get some input from some of you to better
understand how you handle the design of test environments for application
testing.  For example, I built a so-called “Offnet” which is a
duplicate of our production domain.  We have a couple domain controllers
restored from tape backup, we have Exchange running, and various other
production services using the same domain name and hostnames providing for a
very production-like test environment.  As time progressed, other production
servers duplicated themselves into this test environment and we now have quite
a number of people doing the majority of their testing in this
environment.  Unfortunately, as more and more people have begun to use
this environment for testing, we have found that people are beginning to step
on each others toes.  For instance, I used this test environment to walk
through the domain upgrade to 2003 and when there was some downtime other
people were unable to do their own testing.

 

So I was curious, how do you handle providing a working test
environment for people that need it?  At this point, we are trying to
determine a better way for people to do their testing away from production.

 

Thanks,

~Ben

RE: [ActiveDir] OT: Interview Techniques

[WATSON, BEN]

Well, that was a forwarded e-mail gone
wrong.  Just ignore my inability to properly replace the TO field with the
appropriate e-mail address.  L

 









From: WATSON, BEN 
Sent: Monday, July 24, 2006 8:43
AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT:
Interview Techniques



 



Byron,

 

I thought you might find this a good
read.  It’s an e-mail from Joe Richards (author of the Active
Directory O’Reilly book).  He’s talking about why a tech lead
(architect here at AppSig) should definitely be a separate role from an actual
manager.

 

Much like I would rather hit the role of
an architect before I would like to begin thinking of moving into any
managerial role.

 

~Ben

 

 



 

 

Interesting, I have a pretty different
view on tech lead. The things you mention (handing out tasks, interfacing with upper management,
discipline, etc...) are out and out
managerial tasks from my viewpoint and if I had a manager and a tech lead, I
wouldn't take any of that from the tech lead. I consider tech lead as senior
techy, the guy whom you go to when you are out of ideas on what to do next to
solve a technical problem. The manager is you go to for interfacing with
anyone outside of the group, personnel issues and getting your
tasks.  I think the manager and the tech lead need to work very
closely but that is mostly to keep the manager in a good place,
informed, and pointed in the right direction such that managerial
decisions don't adversely impact the technical aspects of the work too much as
well as letting the manager know what the technical priorities are from the
tech leads viewpoint and so the manager can tell the tech lead what the real
priorities are as they are decided by the manager. For instance if going into a
meeting with a "customer"[1] the tech lead feeds the manager with as
much knowledge as necessary so the manager isn't completely at a loss in the
meeting and as things dive into tech, if they do, the tech lead is either there
(if it is known ahead of time it will get deep) or available via phone to
help.

 

Tech and managerial pieces do not normally
fit together well, very different skill sets and strengths needed to do one or
the other well. Very few people, IMO, can be good at tech and good at
managerial. Unfortunately many companies do not see this and in order for
someone to move up through the ranks they must assume managerial duties when in
fact the company should have a managerial track and a technical track for the
folks to follow so they can stick with the areas in which they have the
greatest strength. Hopefully it is getting more and more obvious to companies
that trying to make people spend all of the their time trying to
improve on their weaknesses versus utilizing their strengths is a losing
proposition. To put it another way, if someone is an amazing techy and a
horrible manager, you don't force them to spend their time trying to be a
mediocre manager. That is the person that everyone will point at and say they
are a sucky manager. 

 

  joe

 

 

[1] Define as you wish, different groups
have different customers. IT has the business, the business could have another
aspect of the business or external, etc.

 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

RE: [ActiveDir] OT: Interview Techniques

[WATSON, BEN]

Byron,

 

I
thought you might find this a good read.  It’s an e-mail from Joe
Richards (author of the Active Directory O’Reilly book).  He’s
talking about why a tech lead (architect here at AppSig) should definitely be a
separate role from an actual manager.

 

Much
like I would rather hit the role of an architect before I would like to begin
thinking of moving into any managerial role.

 

~Ben

 

 



 

 

Interesting, I have a pretty different
view on tech lead. The things you mention (handing out tasks, interfacing with upper management,
discipline, etc...) are out and out
managerial tasks from my viewpoint and if I had a manager and a tech lead, I
wouldn't take any of that from the tech lead. I consider tech lead as senior
techy, the guy whom you go to when you are out of ideas on what to do next to
solve a technical problem. The manager is you go to for interfacing with anyone
outside of the group, personnel issues and getting your tasks.  I
think the manager and the tech lead need to work very closely but that is
mostly to keep the manager in a good place, informed, and pointed in the
right direction such that managerial decisions don't adversely impact the
technical aspects of the work too much as well as letting the manager know what
the technical priorities are from the tech leads viewpoint and so the manager
can tell the tech lead what the real priorities are as they are decided by the
manager. For instance if going into a meeting with a "customer"[1]
the tech lead feeds the manager with as much knowledge as necessary so the
manager isn't completely at a loss in the meeting and as things dive into tech,
if they do, the tech lead is either there (if it is known ahead of time it will
get deep) or available via phone to help.

 

Tech and managerial pieces do not normally
fit together well, very different skill sets and strengths needed to do one or
the other well. Very few people, IMO, can be good at tech and good at
managerial. Unfortunately many companies do not see this and in order for
someone to move up through the ranks they must assume managerial duties when in
fact the company should have a managerial track and a technical track for the
folks to follow so they can stick with the areas in which they have the
greatest strength. Hopefully it is getting more and more obvious to companies
that trying to make people spend all of the their time trying to improve on
their weaknesses versus utilizing their strengths is a losing proposition. To
put it another way, if someone is an amazing techy and a horrible manager, you
don't force them to spend their time trying to be a mediocre manager. That is
the person that everyone will point at and say they are a sucky manager. 

 

  joe

 

 

[1] Define as you wish, different groups
have different customers. IT has the business, the business could have another
aspect of the business or external, etc.

 



 



--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 

 

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

I went ahead and renamed the UID attribute to oldUID, imported the original UID 
schema extension, and then attempted the 2003 R2 extension and received an 
error relating back to the attributeID that the now defunct oldUID attribute 
had.  I was under the impression that defunct attributes are treated as though 
they did not exist.  It turned out to be necessary to change the attributeID of 
the oldUID to something different as the new UID I imported had the same 
attributeID.  As soon as I did that, the schema extension to 2003 R2 went 
perfectly.

As always, thanks for the help you guys have offered.  It's been invaluable for 
my first time domain upgrade.

~Ben



-Original Message-
From: WATSON, BEN 
Sent: Wednesday, July 19, 2006 9:28 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Forestprep Failure

Thank you to both Matheesha and Steve, this worked very well and I was able to 
locate the UID attributes and remove them, and now defunct the UID attribute.

I have the original LDF entry from the schema extensions that are included in 
the Windows 2003 schema extension LDF files, and I pulled out the UID extension 
and created a separate LDF file so I can re-import the UID attribute.

What is the proper way to "recreate" the UID attribute so I don't run into any 
conflicts with the now defunct UID attribute that already exists?

I'm thinking that I will need to rename the original UID attribute to something 
else, much like I did the roomNumber attribute that was causing issues 
previously.  And after I have renamed the UID attribute, I can then import UID 
using ldifde.

Is there anything else I may need to do?  I'll use this issue moving forward 
when dealing with defunct attributes and repairing them.

Thanks again for all your help everyone.

~Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, July 18, 2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am at the point where I now have a smooth running Windows 2003 forest and 
> domain with the one exception of the UID attribute which I bypassed thanks to 
> the hidden ADPREP switch Steve informed me of.
>
> So I am now attempting to go back and defunct this UID attribute so I can 
> repair it.  Unfortunately, I am unable to do so at this point.  When 
> attempting to defunct the object through Active Directory Schema, I receive 
> an error stating it cannot be done because, "this schema object may be in use 
> as part of the definition of another schema object".  When attempting to set 
> the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
> informative error,"Schema deletion failed: attribute is used in may-contain."
>
> How can I find out which attributes have UID as part of the may-contain 
> attribute so I can defunct this attribute?  If you might have any further 
> advice for me I would greatly appreciate it.
>
> I've been doing my best to study the schema over the past few days thanks to 
> Joe's Active Directory book, however I'll readily admit that advanced 
> searching and filtering are still beyond my grasp at this point.
>
> Thanks,
> ~Ben
>
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Steve Linehan
> Sent: Thu 7/6/2006 10:19 PM
> To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>   These errors generally occur when a third party application has extended 
> the schema and it conflicts with the base schema we are trying to put in 
> place.  There were many conflicts found during the initial upgrades to 
> Windows Server 2003 which is why additional information was put into adprep 
> to help guide you, in the past it failed with a generic conflict error not 
> telling you what attributes it had issues with.  In your case you appear to 
> have a problem with the Attribute Syntax for UID and an OID conflict with 
> roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for 
> RoomNumber that you gave below used to be in a sample application that showed 
> how to extend the schema and unfortunately many third party developers took 
> the OID value in the sample code as literal and used it when defining there 
> objects for schema extensions even though they were told to provide a unique 
> OID.  The sam

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

Thank you to both Matheesha and Steve, this worked very well and I was able to 
locate the UID attributes and remove them, and now defunct the UID attribute.

I have the original LDF entry from the schema extensions that are included in 
the Windows 2003 schema extension LDF files, and I pulled out the UID extension 
and created a separate LDF file so I can re-import the UID attribute.

What is the proper way to "recreate" the UID attribute so I don't run into any 
conflicts with the now defunct UID attribute that already exists?

I'm thinking that I will need to rename the original UID attribute to something 
else, much like I did the roomNumber attribute that was causing issues 
previously.  And after I have renamed the UID attribute, I can then import UID 
using ldifde.

Is there anything else I may need to do?  I'll use this issue moving forward 
when dealing with defunct attributes and repairing them.

Thanks again for all your help everyone.

~Ben

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha 
Weerasinghe
Sent: Tuesday, July 18, 2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure

adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am at the point where I now have a smooth running Windows 2003 forest and 
> domain with the one exception of the UID attribute which I bypassed thanks to 
> the hidden ADPREP switch Steve informed me of.
>
> So I am now attempting to go back and defunct this UID attribute so I can 
> repair it.  Unfortunately, I am unable to do so at this point.  When 
> attempting to defunct the object through Active Directory Schema, I receive 
> an error stating it cannot be done because, "this schema object may be in use 
> as part of the definition of another schema object".  When attempting to set 
> the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
> informative error,"Schema deletion failed: attribute is used in may-contain."
>
> How can I find out which attributes have UID as part of the may-contain 
> attribute so I can defunct this attribute?  If you might have any further 
> advice for me I would greatly appreciate it.
>
> I've been doing my best to study the schema over the past few days thanks to 
> Joe's Active Directory book, however I'll readily admit that advanced 
> searching and filtering are still beyond my grasp at this point.
>
> Thanks,
> ~Ben
>
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Steve Linehan
> Sent: Thu 7/6/2006 10:19 PM
> To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>   These errors generally occur when a third party application has extended 
> the schema and it conflicts with the base schema we are trying to put in 
> place.  There were many conflicts found during the initial upgrades to 
> Windows Server 2003 which is why additional information was put into adprep 
> to help guide you, in the past it failed with a generic conflict error not 
> telling you what attributes it had issues with.  In your case you appear to 
> have a problem with the Attribute Syntax for UID and an OID conflict with 
> roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for 
> RoomNumber that you gave below used to be in a sample application that showed 
> how to extend the schema and unfortunately many third party developers took 
> the OID value in the sample code as literal and used it when defining there 
> objects for schema extensions even though they were told to provide a unique 
> OID.  The sample code was pulled but there are still many applications out 
> there that used the literal OID value in the sample.  Since you are running 
> Windows 2000 you do not have a way to defunct these.  Do you know what 
> application is using the information in the roomnumber attribute?  I would 
> suggest in a test environment renaming the roomnumber attribute using the 
> following steps:
>
> a. Open ldp on the Schema FSMO (make sure you have Checked the option 
> "The Schema may be modified on this Domain Controller" using the Schema 
> Manager Snap-in).
> b. From the Connection menu option select Bind.
> c. Type is the user name, password and domain name (use a schema 
> admin account) and keep (NTLM/Kerberos) checked. Click OK.
> d. From the View Menu option selec

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

Thank you Steve, those links are extremely helpful.  Especially when trying to 
find where an attribute is used at the various domain levels.
 
Thanks again,
~Ben



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Tue 7/18/2006 8:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure



Also note you could use the schema documentation tool found here: 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/schemadoc.asp
 if you feel that you may have a schema extension referring to this attribute 
as well.  Simply look at the containedIn field for UID.

Thanks,

-Steve

 

From: Steve Linehan 
Sent: Tuesday, July 18, 2006 10:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Unless something else has extended the schema you should be able to look at the 
definition in MSDN and find the classes it is used in: 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_uid.asp
 in your case you only care about the 2003 classes since that is the version of 
the schema that you are running.  Remember to put these back once you are 
finished and of course as always test your procedure in a test environment to 
ensure success in production.

Thanks,

-Steve

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 18, 2006 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Hello all,

 

I am at the point where I now have a smooth running Windows 2003 forest and 
domain with the one exception of the UID attribute which I bypassed thanks to 
the hidden ADPREP switch Steve informed me of.

 

So I am now attempting to go back and defunct this UID attribute so I can 
repair it.  Unfortunately, I am unable to do so at this point.  When attempting 
to defunct the object through Active Directory Schema, I receive an error 
stating it cannot be done because, "this schema object may be in use as part of 
the definition of another schema object".  When attempting to set the isDefunct 
attribute within UID to TRUE via ADSIEDIT, I receive a more informative 
error,"Schema deletion failed: attribute is used in may-contain."

 

How can I find out which attributes have UID as part of the may-contain 
attribute so I can defunct this attribute?  If you might have any further 
advice for me I would greatly appreciate it.

 

I've been doing my best to study the schema over the past few days thanks to 
Joe's Active Directory book, however I'll readily admit that advanced searching 
and filtering are still beyond my grasp at this point.

 

Thanks,

~Ben

 



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Sent: Thu 7/6/2006 10:19 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

Ben,
  These errors generally occur when a third party application has extended the 
schema and it conflicts with the base schema we are trying to put in place.  
There were many conflicts found during the initial upgrades to Windows Server 
2003 which is why additional information was put into adprep to help guide you, 
in the past it failed with a generic conflict error not telling you what 
attributes it had issues with.  In your case you appear to have a problem with 
the Attribute Syntax for UID and an OID conflict with roomnumber as well as 
issinglevalue mismatch with roomnumber.  The OID for RoomNumber that you gave 
below used to be in a sample application that showed how to extend the schema 
and unfortunately many third party developers took the OID value in the sample 
code as literal and used it when defining there objects for schema extensions 
even though they were told to provide a unique OID.  The sample code was pulled 
but there are still many applications out there that used the literal OID value 
in the sample.  Since you are running Windows 2000 you do not have a way to 
defunct these.  Do you know what application is using the information in the 
roomnumber attribute?  I would suggest in a test environment renaming the 
roomnumber attribute using the following steps:

a. Open ldp on the Schema FSMO (make sure you have Checked the option 
"The Schema may be modified on this Domain Controller" using the Schema Manager 
Snap-in).
b. From the Connection menu option select Bind.
c. Type is the user name, password and domain name (use a schema admin 
account) and keep (NTLM/Kerberos) checked. Click OK.
d. From the View Menu option select Tree and type the following in the 
field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
e. On the left pane, double click CN=roomNumber...
f.  Right click on the roomNumber attribute and select Modify
g. In the attribute text field add lDAPDisplayName. 
h. In 

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

Ah, excellent.  Thank you for a couple different search queries as an example.  
That really helps me to have a better understanding of developing effective 
search queries for the future.



From: [EMAIL PROTECTED] on behalf of Matheesha Weerasinghe
Sent: Tue 7/18/2006 8:41 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure



adfind -sc scontainsl:uid is the easiest. Or use dsquery or ldp with
the base set to the schema and pass the following filter.

(&(objectcategory=classschema)(maycontain=uid))

The above tries to do a search for classes where the maycontain
attribute contains uid.

HTH
M@

On 7/19/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:
> Hello all,
>
> I am at the point where I now have a smooth running Windows 2003 forest and 
> domain with the one exception of the UID attribute which I bypassed thanks to 
> the hidden ADPREP switch Steve informed me of.
>
> So I am now attempting to go back and defunct this UID attribute so I can 
> repair it.  Unfortunately, I am unable to do so at this point.  When 
> attempting to defunct the object through Active Directory Schema, I receive 
> an error stating it cannot be done because, "this schema object may be in use 
> as part of the definition of another schema object".  When attempting to set 
> the isDefunct attribute within UID to TRUE via ADSIEDIT, I receive a more 
> informative error,"Schema deletion failed: attribute is used in may-contain."
>
> How can I find out which attributes have UID as part of the may-contain 
> attribute so I can defunct this attribute?  If you might have any further 
> advice for me I would greatly appreciate it.
>
> I've been doing my best to study the schema over the past few days thanks to 
> Joe's Active Directory book, however I'll readily admit that advanced 
> searching and filtering are still beyond my grasp at this point.
>
> Thanks,
> ~Ben
>
>
> 
>
> From: [EMAIL PROTECTED] on behalf of Steve Linehan
> Sent: Thu 7/6/2006 10:19 PM
> To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
> Subject: RE: [ActiveDir] Forestprep Failure
>
>
>
> Ben,
>   These errors generally occur when a third party application has extended 
> the schema and it conflicts with the base schema we are trying to put in 
> place.  There were many conflicts found during the initial upgrades to 
> Windows Server 2003 which is why additional information was put into adprep 
> to help guide you, in the past it failed with a generic conflict error not 
> telling you what attributes it had issues with.  In your case you appear to 
> have a problem with the Attribute Syntax for UID and an OID conflict with 
> roomnumber as well as issinglevalue mismatch with roomnumber.  The OID for 
> RoomNumber that you gave below used to be in a sample application that showed 
> how to extend the schema and unfortunately many third party developers took 
> the OID value in the sample code as literal and used it when defining there 
> objects for schema extensions even though they were told to provide a unique 
> OID.  The sample code was pulled but there are still many applications out 
> there that used the literal OID value in the sample.  Since you are running 
> Windows 2000 you do not have a way to defunct these.  Do you know what 
> application is using the information in the roomnumber attribute?  I would 
> suggest in a test environment renaming the roomnumber attribute using the 
> following steps:
>
> a. Open ldp on the Schema FSMO (make sure you have Checked the option 
> "The Schema may be modified on this Domain Controller" using the Schema 
> Manager Snap-in).
> b. From the Connection menu option select Bind.
> c. Type is the user name, password and domain name (use a schema 
> admin account) and keep (NTLM/Kerberos) checked. Click OK.
> d. From the View Menu option select Tree and type the following in 
> the field (BaseDN:)cn=roomNumber,cn=schema,cn=configuration,dc=. Click OK
> e. On the left pane, double click CN=roomNumber...
> f.  Right click on the roomNumber attribute and select Modify
> g. In the attribute text field add lDAPDisplayName.
> h. In the Value field give this to OldroomNumber.
> i.  Select the replace radio button.
> j.  Click Enter to add to the Entry List
> k.  Click Run to confirm success in left pane.
> l.  Remove the attribute from the entry list.
> m.In the attribute text field add adminDisplayName.
> n. In the Value field type OldRoomNumber
> o. Select the replace radio button.
> p. Click Enter to add to the Entry List
&g

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

 it can be done but it would leave you in 
an unsupportable state.  To fix this issue I would recommend running ADPREP 
/forestprep /nosyntaxcheck, yes this is a hidden switch and should only be used 
in cases where one cannot make changes to the conflicting attribute to make it 
compliant with the base schema also note you must be using ADPREP from SP1 or a 
QFE that was used to distribute adprep from SP1 to use this switch.  You can 
then upgrade to Windows Server 2003 and after this is successful then take the 
forest to Windows Server 2003 Forest Functional Level which will allow you to 
defunct this attribute and fix it to match the expected definition.  Note in 
both cases you may break the third party application that defined these values 
that are in conflict.  I would suggest testing to ensure that the third party 
application works after making the above changes or that steps are taken to 
mitigate the loss of functionality in the third party application.  I would 
also suggest opening a case with Microsoft Support if further assistance or 
issues arise and fully testing before doing any of this in production.

 

Thanks,

-Steve

 

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Thursday, July 06, 2006 4:34 PM
To: ActiveDir@mail.activedir.org; Mathieu CHATEAU
Subject: RE: [ActiveDir] Forestprep Failure

 

To try and answer everyone's question all at once...

At this point, we don't have Exchange running in our test environment, we do 
have copies of the servers there, but have not re-added them to the domain to 
bring them up.  I don't think that having the actual Exchange servers online 
should really matter at this point since all that FORESTPREP is attempting to 
do is extend the schema which already contain the extensions that Exchange 2003 
had made previously.

Mark, yes, I am absolutely sure SFU had not been installed or more importantly, 
ever extended the schema.  Just to be sure, I contacted Microsoft this morning 
and requested the hotfix for it and when I ran it, it could not find the schema 
extensions SFU would have made.

Could you elaborate a little more on what you mean by running Schema Admins 
empty?  At this point, I have my account added to the Schema Admins so I can 
(hopefully) perform the FORESTPREP.

~Ben

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Thursday, July 06, 2006 1:42 PM
To: ActiveDir@mail.activedir.org; 'Mathieu CHATEAU'
Subject: RE: [ActiveDir] Forestprep Failure

 

Ben,


Are you sure SFU has not been installed? Do you run Schema Admins Empty?

Mark

____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: 06 July 2006 21:13
To: Mathieu CHATEAU
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forestprep Failure

 

Hello Mathieu,

Yes, we run a fairly simple domain setup.  Single domain, single forest.

We are running in Windows 2000 native mode for domain and forest.  Exchange 
2003 is also in native mode.

And nice catch on SMS, I deployed it myself and should've remembered to mention 
that.  We do have SMS 2003 in our environment with the schema extended of 
course.

~Ben

 



From: Mathieu CHATEAU [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 06, 2006 11:21 AM
To: WATSON, BEN
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Forestprep Failure

 

Hello BEN,

 

 

are you in Windows 2000 native mode ? the forest too ? exchange native mode ?

 

Do you have SMS ? it extends the schema as well.

 

 

Cheers,

Mathieu CHATEAU

 

Thursday, July 6, 2006, 7:43:21 PM, you wrote:

 

> 

I am working to perform a domain upgrade from 2000 to 2003 R2 and I am running 
into problems right from the start when attempting an ADPREP /FORESTPREP.  The 
domain also has Exchange 2003 running as well.  Also, we have never extended 
the schema with Services for Unix 2.0 which I know can create some issues as 
well.

 

I am currently working in a test environment in which we took a recent full 
tape backup of one of our domain controllers, and restored it in a separate 
network.  As this is a test environment, this restored domain controller is the 
ONLY domain controller in existence and all FSMO roles have been transferred to 
it.

 

Here is the output from my ADPREP /FORESTPREP attempt.  I'm looking for 
assistance on how to fix these schema attributes so the FORESTPREP will be 
successful.  As I'm working in a test environment, I am afforded the ability to 
make the necessary changes and see what it breaks to determine what made these 
schema changes (if anything).

 

C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep /forestprep

 

ADPREP WARNING:

 

Before running adprep, all Windows 2000 domain controllers in the forest should

be upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089, or to Windows

2000 SP2

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

Here is the output file 
cert-ds.txt as requested.  To me, everything appears proper, but perhaps 
you might be able to glean more information from it than I can.
 
Thanks Steve.
 
~Ben


From: [EMAIL PROTECTED] on 
behalf of steve patrickSent: Thu 7/13/2006 4:41 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Moving a 
Certificate Authority

Please run "certutil -ds > 
cert-ds.txt"
and send us ( or me )  the  text 
file.
 
steve

  - Original Message ----- 
  From: WATSON, 
  BEN 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Thursday, July 13, 2006 1:42 
  PM
  Subject: RE: [ActiveDir] Moving a 
  Certificate Authority
  
  
  I am at a complete loss 
  here as to what to do to resolve this issue.
   
  Domain has been uprgaded from 2000 to 
  2003 and the stand-alone CA has been moved from a very old Windows 2000 server 
  to a new Windows 2000 server with the same name.  It was at this point 
  that clients became unable to request new certificates from the new CA.  
  I then upgraded the new Windows 2000 CA Server to Windows 2003 in the hopes 
  that would help.  It did in fact eliminate one of two errors in the event 
  logs I was seeing, but I'm still left with one recurring event log entry and a 
  still unusable CA.
   
  Here is the one relevant entry in the 
  event log that appears on the new CA server.
   
  Source:  CertSvc
  Event ID: 44
  Type: Error
  The "Windows default" Policy Module "Initialize" method returned an error. 
  Element not found. The returned status code is 0x80070490 (1168). Certificate 
  Services could not find required Active Directory information.
   
  Any thoughts?
  ~Ben
   
  
  
  From: WATSON, BENSent: Wed 
  7/12/2006 3:27 PMTo: 
  'ActiveDir@mail.activedir.org'Subject: RE: [ActiveDir] Moving a 
  Certificate Authority
  
  
  I am mostly complete 
  with the domain upgrade and the subsequent certificate authority move.  
  I’ve run into what “should” be the final problem before I can say 
  everything is now successful.
  I have moved the 
  Certificate Authority from one Windows 2000 Server to another Windows 2000 
  Server.  Everything appears happy on the new server running as a new 
  certificate authority; however domain clients are unable to request a 
  certificate at this point.  For instance, when attempting to request a 
  user certificate from a Windows 2000 member server, I get the pretty standard 
  error message stating, “Windows cannot 
  find a certification authority that will process the 
  request”.
  I have followed the 
  instructions from KB298138 
  in the Windows 2000 section and while the certificate authority itself seems 
  happy, all the clients don’t seem to know where it is located.  The new 
  certificate authority has the exact same name as the old certificate 
  authority, and I backed up the old CA certs and keys along with a registry key 
  and restored these on the new CA as directed in the KB 
  article.
  Any advice on where 
  to look to resolve this?  I did find KB271861 
  which talked about the same error I was getting, and I did not have the Enroll 
  right given to Domain Users, however even after giving Domain Users that right 
  it still has not changed anything.  
  Thanks,
  ~Ben
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Kevin 
  BrunsonSent: Tuesday, July 
  11, 2006 6:48 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Moving a 
  Certificate Authority
   
  Have you thought 
  about putting a new server (or an older one with good hardware) in the mix as 
  2000, moving the CA to it, and then upgrading it to 2k3?  That way you 
  don’t have to worry about the hardware not supporting 2003 or something 
  terrible like that.  Then if you want you could move it from that 2003 
  server to another 2003 server, or you could just leave it where it is.  
  
  Kevin 
  Brunson
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of WATSON, 
  BENSent: Tuesday, July 11, 
  2006 6:05 PMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Moving a 
  Certificate Authority
   
  And will it ever be a 
  slooow 2k3 machine indeed.  After continuing to do some reading and 
  researching, it does appear that my only option is to…
  1)    
  Upgrade the old DC to 
  2k3
  2)    
  Backup the CA and the 
  registry key as stated in the KB298138 article.
  3)    
  Remove the CA 
  services, demote server and rename it.
  4)    
  Promote a 2k3 server 
  with the same name as the old DC and install the CA 
services.
  5)    
  Restore the CA data 
  and registry key
  6)    
  Cross my fingers and 
  hope that I have a CA once again
  I’ll give this a 
  shot tomorrow.  I just wonder what would be my backup plan should the CA 
  restoration fail on the new server?  The old server will have been 
  demoted and removed from Active Directo

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

it the same. I think that the article 
doesnt mention moving to a new name, because it would vary from customer to 
customer and cause more trouble then its worth.

 

my .02

 

steve

  
  - Original Message - 
  
  
  From: WATSON, 
  BEN 
  
  To: ActiveDir@mail.activedir.org 
  
  
  Sent: Tuesday, 
  July 11, 2006 3:08 PM
  
  Subject: 
  [ActiveDir] Moving a Certificate Authority
  
   
  As part of my 
  on-going journey into upgrading a 2000 domain to 2003, I’ve run into the issue 
  of moving the Certificate Authority on one of the original domain controllers 
  to a new Windows 2003 domain controller.
  I have found a couple 
  KB articles that seem to put me down a good path, but then don’t pan 
  out.  Here is the situation…
  I am at the point in 
  the domain upgrade process where I need to eliminate the Windows 2000 Servers 
  from the domain so I can raise the functional level to 2003 native.  
  However, the CA is currently on such old hardware that an OS upgrade to 
  Windows 2003 from Windows 2000 is simply not possible so it will need to be 
  demoted.  It was originally a Windows NT 4.0 domain controller back in 
  the day.  So I am in a situation where I need to take a Certificate 
  Authority from a Windows 2000 Server, and transfer that over to a Windows 2003 
  Server.
  As stated before, one 
  KB article seemed to be the most promising KB298138.  
  However the instructions seem to be focused on moving a CA from a 2000 server 
  to a 2000 server, or a 2003 server to a 2003 server.
  Is anyone familiar 
  with the process of moving a CA from a 2000 DC to a 2003 DC?  Also, is 
  there a possibility of moving the CA to a server with a different hostname 
  than the original CA?
  Thanks,
  ~Ben

RE: [ActiveDir] Log On To...

[WATSON, BEN]

I can’t think of a group policy that
would override this.  Is it possible that when you checked the user account
after you had made the changes that you hadn’t waited for the replication
to take place?  You may have made the changes on DC1, and when the user account
attempted to log in, it may have authenticated against a DC other than DC1.

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, July 13, 2006 1:03
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Log On To...



 







On the Account tab of the User Properties window in ADUC
there is a 'Log On To...' button which - I thought - limited the
user's ability to logon to only workstations specified.





 





I applied restrictions to an account in our domain and they
did not work.  In other words, the restricted account was able to logon to
a workstation not specified in the list.





 





What did I miss?  Is there a group policy setting
that may be over-riding the setting?  How do I go about troubleshooting
this?





 





Thank in advance.





 



Tim







 



 



 

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

I am mostly complete with the domain
upgrade and the subsequent certificate authority move.  I’ve run
into what “should” be the final problem before I can say everything
is now successful.

I have moved the Certificate Authority
from one Windows 2000 Server to another Windows 2000 Server.  Everything
appears happy on the new server running as a new certificate authority; however
domain clients are unable to request a certificate at this point.  For
instance, when attempting to request a user certificate from a Windows 2000
member server, I get the pretty standard error message stating, “Windows cannot find a certification authority that
will process the request”.

I have followed the instructions from KB298138
in the Windows 2000 section and while the certificate authority itself seems
happy, all the clients don’t seem to know where it is located.  The
new certificate authority has the exact same name as the old certificate
authority, and I backed up the old CA certs and keys along with a registry key
and restored these on the new CA as directed in the KB article.

Any advice on where to look to resolve
this?  I did find KB271861
which talked about the same error I was getting, and I did not have the Enroll right
given to Domain Users, however even after giving Domain Users that right it
still has not changed anything.  

Thanks,

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 6:48
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a
Certificate Authority



 

Have you thought about putting a new
server (or an older one with good hardware) in the mix as 2000, moving the CA
to it, and then upgrading it to 2k3?  That way you don’t have to
worry about the hardware not supporting 2003 or something terrible like that. 
Then if you want you could move it from that 2003 server to another 2003
server, or you could just leave it where it is.  

Kevin
 Brunson

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a
Certificate Authority



 

And will it ever be a slooow 2k3
machine indeed.  After continuing to do some reading and researching, it
does appear that my only option is to…

1)    Upgrade the old DC to 2k3

2)    Backup the CA and the registry key as stated in the KB298138
article.

3)    Remove the CA services, demote server and rename it.

4)    Promote a 2k3 server with the same name as the old DC and install
the CA services.

5)    Restore the CA data and registry key

6)    Cross my fingers and hope that I have a CA once again

I’ll give this a shot
tomorrow.  I just wonder what would be my backup plan should the CA
restoration fail on the new server?  The old server will have been demoted
and removed from Active Directory along with the CA services removed, not to
mention a new server now has its name.

Thanks for your .02 Steve, it seems to be
spot on.

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a
Certificate Authority



 



You cannot move
from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this
would be temporary ) and then move to another 2k3 server. I know that you said
that the HW was old - but perhaps a temporary sloow 2k3 machine?





 





You should keep the
hostname the same - if you took the defaults  for install ( 90% of CA's
out there ) then you have paths in all of your issued certs which hardcode to
this server, not to mention the name is also in AD as well as the CA web pages.
Unless you have a very good reason - it'd be best to keep it the same. I think
that the article doesnt mention moving to a new name, because it would vary
from customer to customer and cause more trouble then its worth.





 





my .02





 





steve







- Original
Message - 





From: WATSON, BEN 





To: ActiveDir@mail.activedir.org






Sent: Tuesday,
July 11, 2006 3:08 PM





Subject: [ActiveDir]
Moving a Certificate Authority





 



As part of my on-going journey into
upgrading a 2000 domain to 2003, I’ve run into the issue of moving the
Certificate Authority on one of the original domain controllers to a new
Windows 2003 domain controller.

I have found a couple KB articles that
seem to put me down a good path, but then don’t pan out.  Here is
the situation…

I am at the point in the domain upgrade
process where I need to eliminate the Windows 2000 Servers from the domain so I
can raise the functional level to 2003 native.  However, the CA is
currently on such old hardware that an OS upgrade to Windows 2003 from Windows
2000 is simply not possible so it will need to be demoted.  It was
originally a Windows NT 4.0 domain controller back in the day.  

RE: [ActiveDir] OT: Free Virtual PC

[WATSON, BEN]

Thanks for the heads up on this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, July 12, 2006 8:22 AM
To: ActiveDir.org
Subject: [ActiveDir] OT: Free Virtual PC

If anyone cares,

http://www.microsoft.com/windows/virtualpc/default.mspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

Excellent idea.  I have a couple Vmware
GSX servers in our test environment so I think I’ll follow your
suggestion and create a new 2000 server, try and transfer the CA services to
the new 2000 server and then upgrade the box to 2003 if successful.

~Ben









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Tuesday, July 11, 2006 9:22
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a
Certificate Authority



 

The other advantage to doing it this way,
now that I think about it, is a little clearer recovery path if everything
blows up.  A system state restore on your old ca and an authoritative
restore on AD should (please everyone check me on this) get you back where you
were without having to reload the original un-upgraded OS on your original CA.

 

Kevin
 Brunson

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Brunson
Sent: Tuesday, July 11, 2006 8:48
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a
Certificate Authority



 

Have you thought about putting a new
server (or an older one with good hardware) in the mix as 2000, moving the CA
to it, and then upgrading it to 2k3?  That way you don’t have to
worry about the hardware not supporting 2003 or something terrible like
that.  Then if you want you could move it from that 2003 server to another
2003 server, or you could just leave it where it is.  

Kevin
 Brunson

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Tuesday, July 11, 2006 6:05
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Moving a
Certificate Authority



 

And will it ever be a slooow 2k3
machine indeed.  After continuing to do some reading and researching, it
does appear that my only option is to…

1)    Upgrade the old DC to 2k3

2)    Backup the CA and the registry key as stated in the KB298138
article.

3)    Remove the CA services, demote server and rename it.

4)    Promote a 2k3 server with the same name as the old DC and install
the CA services.

5)    Restore the CA data and registry key

6)    Cross my fingers and hope that I have a CA once again

I’ll give this a shot
tomorrow.  I just wonder what would be my backup plan should the CA
restoration fail on the new server?  The old server will have been demoted
and removed from Active Directory along with the CA services removed, not to
mention a new server now has its name.

Thanks for your .02 Steve, it seems to be
spot on.

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a
Certificate Authority



 



You cannot move from
2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this would
be temporary ) and then move to another 2k3 server. I know that you said that
the HW was old - but perhaps a temporary sloow 2k3 machine?





 





You should keep the
hostname the same - if you took the defaults  for install ( 90% of CA's
out there ) then you have paths in all of your issued certs which hardcode to
this server, not to mention the name is also in AD as well as the CA web pages.
Unless you have a very good reason - it'd be best to keep it the same. I think
that the article doesnt mention moving to a new name, because it would vary
from customer to customer and cause more trouble then its worth.





 





my .02





 





steve







- Original
Message - 





From: WATSON, BEN 





To: ActiveDir@mail.activedir.org






Sent: Tuesday,
July 11, 2006 3:08 PM





Subject: [ActiveDir]
Moving a Certificate Authority





 



As part of my on-going journey into
upgrading a 2000 domain to 2003, I’ve run into the issue of moving the
Certificate Authority on one of the original domain controllers to a new
Windows 2003 domain controller.

I have found a couple KB articles that
seem to put me down a good path, but then don’t pan out.  Here is
the situation…

I am at the point in the domain upgrade
process where I need to eliminate the Windows 2000 Servers from the domain so I
can raise the functional level to 2003 native.  However, the CA is
currently on such old hardware that an OS upgrade to Windows 2003 from Windows
2000 is simply not possible so it will need to be demoted.  It was
originally a Windows NT 4.0 domain controller back in the day.  So I am in
a situation where I need to take a Certificate Authority from a Windows 2000
Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to
be the most promising KB298138. 
However the instructions seem to be focused on moving a CA from a 2000 server
to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of
moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of
moving the CA to a server with a different hostnam

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

Ah, good point.  I haven’t dealt
with CA’s in this regard in the past, and just assumed that CA’s
had to involve a DC since I couldn’t demote the DC until the CA was
removed.

I’ll certainly make it a point to
move the CA to a server that is not a DC when this domain upgrade is complete. 
Thanks for the heads up.

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 7:56
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a
Certificate Authority



 



One more point
- you dont have to have the CA on a DC  just wanted to make sure you knew
this. So, in the future ,you dont have to worry about removing\moving the CA in
order to upgrade DC's





 





steve





 





 





 







- Original
Message - 





From: WATSON, BEN 





To: ActiveDir@mail.activedir.org






Sent: Tuesday,
July 11, 2006 4:05 PM





Subject: RE: [ActiveDir]
Moving a Certificate Authority





 



And will it ever be a slooow 2k3
machine indeed.  After continuing to do some reading and researching, it
does appear that my only option is to…

1)   Upgrade the old DC to 2k3

2)   Backup the CA and the registry key as stated in the KB298138
article.

3)   Remove the CA services, demote server and rename it.

4)   Promote a 2k3 server with the same name as the old DC and install
the CA services.

5)   Restore the CA data and registry key

6)   Cross my fingers and hope that I have a CA once again

I’ll give this a shot
tomorrow.  I just wonder what would be my backup plan should the CA
restoration fail on the new server?  The old server will have been demoted
and removed from Active Directory along with the CA services removed, not to
mention a new server now has its name.

Thanks for your .02 Steve, it seems to be
spot on.

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a
Certificate Authority



 



You cannot move
from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this
would be temporary ) and then move to another 2k3 server. I know that you said
that the HW was old - but perhaps a temporary sloow 2k3 machine?





 





You should keep the
hostname the same - if you took the defaults  for install ( 90% of CA's
out there ) then you have paths in all of your issued certs which hardcode to
this server, not to mention the name is also in AD as well as the CA web pages.
Unless you have a very good reason - it'd be best to keep it the same. I think
that the article doesnt mention moving to a new name, because it would vary
from customer to customer and cause more trouble then its worth.





 





my .02





 





steve







- Original
Message ----- 





From: WATSON, BEN 





To: ActiveDir@mail.activedir.org






Sent: Tuesday,
July 11, 2006 3:08 PM





Subject: [ActiveDir]
Moving a Certificate Authority





 



As part of my on-going journey into
upgrading a 2000 domain to 2003, I’ve run into the issue of moving the
Certificate Authority on one of the original domain controllers to a new
Windows 2003 domain controller.

I have found a couple KB articles that
seem to put me down a good path, but then don’t pan out.  Here is
the situation…

I am at the point in the domain upgrade
process where I need to eliminate the Windows 2000 Servers from the domain so I
can raise the functional level to 2003 native.  However, the CA is
currently on such old hardware that an OS upgrade to Windows 2003 from Windows
2000 is simply not possible so it will need to be demoted.  It was
originally a Windows NT 4.0 domain controller back in the day.  So I am in
a situation where I need to take a Certificate Authority from a Windows 2000
Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to
be the most promising KB298138. 
However the instructions seem to be focused on moving a CA from a 2000 server
to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of
moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of
moving the CA to a server with a different hostname than the original CA?

Thanks,

~Ben

RE: [ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

And will it ever be a slooow 2k3
machine indeed.  After continuing to do some reading and researching, it
does appear that my only option is to…

1)    Upgrade the old DC to 2k3

2)    Backup the CA and the registry key as stated in the KB298138
article.

3)    Remove the CA services, demote server and rename it.

4)    Promote a 2k3 server with the same name as the old DC and install
the CA services.

5)    Restore the CA data and registry key

6)    Cross my fingers and hope that I have a CA once again

I’ll give this a shot tomorrow. 
I just wonder what would be my backup plan should the CA restoration fail on
the new server?  The old server will have been demoted and removed from
Active Directory along with the CA services removed, not to mention a new
server now has its name.

Thanks for your .02 Steve, it seems to be
spot on.

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of steve patrick
Sent: Tuesday, July 11, 2006 3:17
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Moving a
Certificate Authority



 



You cannot move
from 2000 to 2003 as the database has changed. You could upgrade to 2k3 ( this
would be temporary ) and then move to another 2k3 server. I know that you said
that the HW was old - but perhaps a temporary sloow 2k3 machine?





 





You should keep the
hostname the same - if you took the defaults  for install ( 90% of CA's
out there ) then you have paths in all of your issued certs which hardcode to
this server, not to mention the name is also in AD as well as the CA web pages.
Unless you have a very good reason - it'd be best to keep it the same. I think
that the article doesnt mention moving to a new name, because it would vary
from customer to customer and cause more trouble then its worth.





 





my .02





 





steve







- Original
Message - 





From: WATSON, BEN 





To: ActiveDir@mail.activedir.org






Sent: Tuesday,
July 11, 2006 3:08 PM





Subject: [ActiveDir]
Moving a Certificate Authority





 



As part of my on-going journey into
upgrading a 2000 domain to 2003, I’ve run into the issue of moving the
Certificate Authority on one of the original domain controllers to a new
Windows 2003 domain controller.

I have found a couple KB articles that
seem to put me down a good path, but then don’t pan out.  Here is
the situation…

I am at the point in the domain upgrade
process where I need to eliminate the Windows 2000 Servers from the domain so I
can raise the functional level to 2003 native.  However, the CA is
currently on such old hardware that an OS upgrade to Windows 2003 from Windows
2000 is simply not possible so it will need to be demoted.  It was
originally a Windows NT 4.0 domain controller back in the day.  So I am in
a situation where I need to take a Certificate Authority from a Windows 2000
Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to
be the most promising KB298138. 
However the instructions seem to be focused on moving a CA from a 2000 server
to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of
moving a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of
moving the CA to a server with a different hostname than the original CA?

Thanks,

~Ben

[ActiveDir] Moving a Certificate Authority

[WATSON, BEN]

As part of my on-going journey into upgrading
a 2000 domain to 2003, I’ve run into the issue of moving the Certificate
Authority on one of the original domain controllers to a new Windows 2003 domain
controller.

I have found a couple KB articles that
seem to put me down a good path, but then don’t pan out.  Here is
the situation…

I am at the point in the domain upgrade
process where I need to eliminate the Windows 2000 Servers from the domain so I
can raise the functional level to 2003 native.  However, the CA is
currently on such old hardware that an OS upgrade to Windows 2003 from Windows
2000 is simply not possible so it will need to be demoted.  It was
originally a Windows NT 4.0 domain controller back in the day.  So I am in
a situation where I need to take a Certificate Authority from a Windows 2000
Server, and transfer that over to a Windows 2003 Server.

As stated before, one KB article seemed to
be the most promising KB298138. 
However the instructions seem to be focused on moving a CA from a 2000 server
to a 2000 server, or a 2003 server to a 2003 server.

Is anyone familiar with the process of moving
a CA from a 2000 DC to a 2003 DC?  Also, is there a possibility of moving
the CA to a server with a different hostname than the original CA?

Thanks,

~Ben

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

the syntax of an attribute and renaming it will not work since the 
OID is the one we are expecting, yes there are ways it can be done but it would 
leave you in an unsupportable state.  To fix this issue I would recommend 
running ADPREP /forestprep /nosyntaxcheck, yes this is a hidden switch and 
should only be used in cases where one cannot make changes to the conflicting 
attribute to make it compliant with the base schema also note you must be using 
ADPREP from SP1 or a QFE that was used to distribute adprep from SP1 to use this 
switch.  You can then upgrade to Windows Server 2003 and after this is 
successful then take the forest to Windows Server 2003 Forest Functional Level 
which will allow you to defunct this attribute and fix it to match the expected 
definition.  Note in both cases you may break the third party application 
that defined these values that are in conflict.  I would suggest testing 
to ensure that the third party application works after making the above changes 
or that steps are taken to mitigate the loss of functionality in the third party 
application.  I would also suggest opening a case with Microsoft Support 
if further assistance or issues arise and fully testing before doing any of this 
in 
production. Thanks,-Steve  From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of WATSON, BEN Sent: Thursday, July 06, 2006 4:34 
PM To: ActiveDir@mail.activedir.org; Mathieu CHATEAU Subject: 
RE: [ActiveDir] Forestprep Failure To try and answer 
everyone’s question all at once…At this point, we don’t have 
Exchange running in our test environment, we do have copies of the servers 
there, but have not re-added them to the domain to bring them up.  I 
don’t think that having the actual Exchange servers online should really 
matter at this point since all that FORESTPREP is attempting to do is extend the 
schema which already contain the extensions that Exchange 2003 had made 
previously.Mark, yes, I am absolutely sure SFU had not been installed or 
more importantly, ever extended the schema.  Just to be sure, I contacted 
Microsoft this morning and requested the hotfix for it and when I ran it, it 
could not find the schema extensions SFU would have made.Could you 
elaborate a little more on what you mean by running Schema Admins empty?  
At this point, I have my account added to the Schema Admins so I can (hopefully) 
perform the 
FORESTPREP.~Ben From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Mark Parris Sent: Thursday, July 06, 2006 1:42 
PM To: ActiveDir@mail.activedir.org; 'Mathieu 
CHATEAU' Subject: RE: [ActiveDir] Forestprep 
Failure Ben, Are you sure SFU has not 
been installed? Do you run Schema Admins 
Empty?MarkFrom: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of WATSON, BEN Sent: 06 July 2006 21:13 To: Mathieu 
CHATEAU Cc: ActiveDir@mail.activedir.org Subject: RE: 
[ActiveDir] Forestprep Failure Hello Mathieu,Yes, 
we run a fairly simple domain setup.  Single domain, single 
forest.We are running in Windows 2000 native mode for domain and 
forest.  Exchange 2003 is also in native mode.And nice catch on 
SMS, I deployed it myself and should’ve remembered to mention that.  We 
do have SMS 2003 in our environment with the schema extended of 
course.~Ben ----From: 
Mathieu CHATEAU [mailto:[EMAIL PROTECTED]] Sent: 
Thursday, July 06, 2006 11:21 AM To: WATSON, BEN Cc: 
ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Forestprep 
Failure Hello 
BEN,  are you in Windows 2000 native mode ? 
the forest too ? exchange native mode ? Do you have SMS ? 
it extends the schema as 
well.  Cheers,Mathieu 
CHATEAU Thursday, July 6, 2006, 7:43:21 PM, you 
wrote: > I am working to perform 
a domain upgrade from 2000 to 2003 R2 and I am running into problems right from 
the start when attempting an ADPREP /FORESTPREP.  The domain also has 
Exchange 2003 running as well.  Also, we have never extended the schema 
with Services for Unix 2.0 which I know can create some issues as 
well. I am currently working in a test environment in 
which we took a recent full tape backup of one of our domain controllers, and 
restored it in a separate network.  As this is a test environment, this 
restored domain controller is the ONLY domain controller in existence and all 
FSMO roles have been transferred to it. Here is the output 
from my ADPREP /FORESTPREP attempt.  I’m looking for assistance on how 
to fix these schema attributes so the FORESTPREP will be successful.  As 
I’m working in a test environment, I am afforded the ability to make the 
necessary changes and see what it breaks to determine what made these schema 
changes (if 
anything). C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep 
/forestprep ADPREP WARNING: Before 
running adprep, all Windows 2000 domain controllers in the forest 
shouldbe upgraded to Windows 2000 Service Pack 1 (SP1) with QFE 265089,

RE: [ActiveDir] Forestprep Failure

[WATSON, BEN]

To try and answer everyone’s
question all at once…

At this point, we don’t have
Exchange running in our test environment, we do have copies of the servers
there, but have not re-added them to the domain to bring them up.  I don’t
think that having the actual Exchange servers online should really matter at
this point since all that FORESTPREP is attempting to do is extend the schema
which already contain the extensions that Exchange 2003 had made previously.

Mark, yes, I am absolutely sure SFU had
not been installed or more importantly, ever extended the schema.  Just to
be sure, I contacted Microsoft this morning and requested the hotfix for it and
when I ran it, it could not find the schema extensions SFU would have made.

Could you elaborate a little more on what
you mean by running Schema Admins empty?  At this point, I have my account
added to the Schema Admins so I can (hopefully) perform the FORESTPREP.

~Ben

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mark Parris
Sent: Thursday, July 06, 2006 1:42
PM
To: ActiveDir@mail.activedir.org;
'Mathieu CHATEAU'
Subject: RE: [ActiveDir]
Forestprep Failure



 

Ben,


Are you sure SFU has not been installed? Do you run Schema Admins Empty?

Mark









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of WATSON, BEN
Sent: 06 July 2006 21:13
To: Mathieu CHATEAU
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]
Forestprep Failure



 

Hello Mathieu,

Yes, we run a fairly simple domain
setup.  Single domain, single forest.

We are running in Windows 2000 native mode
for domain and forest.  Exchange 2003 is also in native mode.

And nice catch on SMS, I deployed it
myself and should’ve remembered to mention that.  We do have SMS
2003 in our environment with the schema extended of course.

~Ben

 









From: Mathieu
CHATEAU [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 06, 2006
11:21 AM
To: WATSON, BEN
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Forestprep Failure



 

Hello BEN,

 

 

are you in Windows 2000 native mode ?
the forest too ? exchange native mode ?

 

Do you have SMS ? it extends the schema
as well.

 

 

Cheers,

Mathieu CHATEAU

 

Thursday, July 6, 2006, 7:43:21 PM, you
wrote:

 




 
  
  > 
  
  
  I am working to perform a domain upgrade
  from 2000 to 2003 R2 and I am running into problems right from the start when
  attempting an ADPREP /FORESTPREP.  The domain also has Exchange 2003
  running as well.  Also, we have never extended the schema with Services
  for Unix 2.0 which I know can create some issues as well.
   
  I am currently working in a test
  environment in which we took a recent full tape backup of one of our domain
  controllers, and restored it in a separate network.  As this is a test
  environment, this restored domain controller is the ONLY domain controller in
  existence and all FSMO roles have been transferred to it.
   
  Here is the output from my ADPREP
  /FORESTPREP attempt.  I’m looking for assistance on how to fix
  these schema attributes so the FORESTPREP will be successful.  As
  I’m working in a test environment, I am afforded the ability to make
  the necessary changes and see what it breaks to determine what made these
  schema changes (if anything).
   
  C:\WIN2K3R2\CMPNENTS\R2\ADPREP>adprep
  /forestprep
   
  ADPREP WARNING:
   
  Before running adprep, all Windows 2000
  domain controllers in the forest should
  be upgraded to Windows 2000 Service Pack
  1 (SP1) with QFE 265089, or to Windows
  2000 SP2 (or later).
   
  QFE 265089 (included in Windows 2000 SP2
  and later) is required to prevent poten
  tial domain controller corruption.
   
  For more information about preparing your
  forest and domain see KB article Q3311
  61 at http://support.microsoft.com.
   
  [User Action]
  If ALL your existing Windows 2000 domain
  controllers meet this requirement, type
   C and then press ENTER to continue.
  Otherwise, type any other key and press ENT
  ER to quit.
   
  c
   
  =
  "attributeSyntax" attribute
  value for objects defined in Windows 2000 schema and
   extended schema do not match.
   
  A previous schema extension has defined
  the attribute value as "2.5.5.5" for obj
  ect "CN=uid,CN=Schema,CN=Configuration,DC=appsig,DC=com"
  differently than the sc
  hema extension needed for Windows 2003
  server .
  [Status/Consequence]
  Adprep cannot extend your existing schema
  [User Action]
  Contact the vendor of the application
  that previously extended the schema to res
  olve the inconsistency. Then run adprep
  again.
   
  =
  "attributeId" attribute value
  for objects defined in Windows 2000 schema and ext
  ended schema do not match.
   
  A previous schema extensio