RE: [ActiveDir]DHCP Client service failing

2004-10-07 Thread james . blair

Jeff,

My guess would be that the DHCP client service permissions have been
changed. What I would do is from the particular server run RSoP.msc and
check the resultant set of policy on Computer Configuration/Windows
Settings/System Services. I would check the permissions and verify whether
or not SYSTEM and Administrators have Full Control, INTERACTIVE can have
Read permissions...

Out of curiosity why the reserved IP as opposed to a fixed IP on a server
thereby negating the requirement for the DHCP client service?

James

From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Thursday, 7 October 2004 9:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]DHCP Client service failing

Can you manually start the service as an admin?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: 06 October 2004 23:29
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]DHCP Client service failing

Not sure if there were any replies. I may have missed them. But still
having this issue.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Saturday, September 25, 2004 2:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]DHCP Client service failing

It's on a 2003 server. It's failing to start. And I did check the policy
and even set policy to enable.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, September 24, 2004 1:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]DHCP Client service failing

"If you receive this message in error, please notify the sender immediately
and delete all copies of this message." - Do people really do this? ;-))

Can you be more specific in your error description? The DHCP client is
failing to do what? To start, to register DNS records, to get a lease (hope
not on a server)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, September 24, 2004 3:03 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]DHCP Client service failing

On a 2k3 server the DHCP client is failing with access denied. This started
after importing a policy into a GPO that is assigned to this server. I
cannot figure out what policy setting is causing this. Any ideas?

Jeff
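
The permission check suggested in the first reply of this thread (SYSTEM and Administrators holding Full Control on the service), written as a small audit over a service DACL in SDDL form. This is an added example, not part of the original thread; it assumes the DACL string is in the format printed by `sc sdshow <service>`, and both sample strings are constructed.

```python
import re

# Service-specific meaning of the two-letter SDDL rights codes.
SERVICE_RIGHTS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    # Generic rights as they are mapped for service objects.
    "GA": 0xF01FF,
    "GR": 0x2008D,
    "GW": 0x20002,
    "GX": 0x20170,
}
FULL_CONTROL = 0xF01FF  # SERVICE_ALL_ACCESS

# Trustees the reply says should hold Full Control (SDDL SID aliases).
REQUIRED = {"SY": "SYSTEM", "BA": "Administrators"}


def parse_rights(text):
    """Turn an ACE rights field ('CCLCSW...' or '0x2018d') into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"odd-length rights string: {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in SERVICE_RIGHTS:
            raise ValueError(f"unknown rights code: {code!r}")
        mask |= SERVICE_RIGHTS[code]
    return mask


def effective_masks(sddl):
    """Return {sid_alias: allowed_mask} for the DACL part of an SDDL string.

    Simplification: deny ACEs are subtracted from allow ACEs regardless of
    their position, which matches a DACL in canonical (deny-first) order.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if dacl is None:
        raise ValueError("no DACL found in SDDL string")
    allow, deny = {}, {}
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        if ace_type == "A":
            allow[sid] = allow.get(sid, 0) | parse_rights(rights)
        elif ace_type == "D":
            deny[sid] = deny.get(sid, 0) | parse_rights(rights)
    return {sid: allow.get(sid, 0) & ~deny.get(sid, 0)
            for sid in allow.keys() | deny.keys()}


def audit_service_dacl(sddl):
    """List the required trustees that do not hold Full Control on the service."""
    masks = effective_masks(sddl)
    findings = []
    for sid, name in REQUIRED.items():
        have = masks.get(sid, 0)
        missing = FULL_CONTROL & ~have
        if missing:
            findings.append(f"{name} ({sid}) lacks Full Control: "
                            f"has 0x{have:05X}, missing 0x{missing:05X}")
    return findings


# Constructed sample: SYSTEM and Administrators Full Control, INTERACTIVE read.
EXPECTED_DACL = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                 "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;IU)")
# Constructed sample: a policy-applied DACL that left SYSTEM with read-only access.
TEMPLATE_DACL = ("D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;SY)(A;;CCLCSWLOCRRC;;;IU)"
                 "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    for label, sddl in (("expected", EXPECTED_DACL), ("template", TEMPLATE_DACL)):
        print(label, audit_service_dacl(sddl) or "OK")
```
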




 
  

RE: [ActiveDir] Windows XP SP2

2004-08-22 Thread james . blair

Justin,

A quick handy setting until you get to play with additional AD settings in
XPSP2 is, run from a command prompt:

netsh firewall set opmode mode=disable profile=domain
netsh firewall set opmode mode=enable profile=standard

This turns off the firewall when connected to the domain and turns it on
when not connected to the domain.

James

-Original Message-
From: Dale, Rick [mailto:[EMAIL PROTECTED] 
Sent: Saturday, 21 August 2004 12:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows XP SP2

Hi Justin,

Check out:

http://www.microsoft.com/downloads/details.aspx?FamilyID=4454e0e1-61fa-447a-bdcd-499f73a637d1&DisplayLang=en

and

http://www.microsoft.com/downloads/details.aspx?FamilyID=dacf095f-fdbd-4c50-bdaa-96ff9f00e007&displaylang=en

Or 

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx
under the Managing the Environment section

HTH

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, August 20, 2004 9:05 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows XP SP2

Everyone,
 
Are there some additional GPO Settings that I can add to a policy to
manipulate some of the settings that are on by default in SP2?  Like turning
off the Firewall and stuff.  Please let me know.
 
Justin
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RIS Headaches

2004-08-22 Thread james . blair








Edwin,

Get the latest driver set from Intel and copy the *.cat; *.sys & *.inf
directly into:

\\%ServerPath%\REMINST\Setup\English\Images\%ImageName%\i386 folder

This has worked for me in the past and also subverts the necessity to use
$OEM$ etc. which in my experience is not always reliable...

James

From: Edwin [mailto:[EMAIL PROTECTED]
Sent: Monday, 23 August 2004 4:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RIS Headaches

I did add the drivers. I did that according to the article at URL
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315279
and http://support.microsoft.com/default.aspx?scid=kb;EN-US;246184

Are you talking about adding the drivers a different way? If so, how? I
thought by me adding the \$oem$\$1\Drivers\NIC and updating the *.sif file I
would be defining an alternate driver installation location.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe L. Casale
Sent: Sunday, August 22, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RIS Headaches

You need to add the drivers, then download the updated inf on the same page,
then purge all the oem?.inf/pnf files, then restart the services...

jlc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Sunday, August 22, 2004 11:32 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RIS Headaches

I am attempting to perform a RIS installation on a machine that continues to
fail. The error that I am getting and other related information can be found
via the URL http://support.microsoft.com/?kbid=315074

"The operating system image you selected does not contain the necessary
drivers for your network adapter. Try selecting a different operating system
image. If the problem persists, contact your system administrator.

Setup cannot continue. Press any key to exit."

The network card that I have within the machine is supported by RIS
(Intel(R) PRO/100 Desktop Adapter) and is successfully initialized, receives
an IP Address and allows for domain authentication. As part of the
resolution in the above URL, I am asked to download the latest service pack
for Windows 2000. I am not sure how I am supposed to download and install
that since I have yet to install the new image.

Under the notes section, it does mention that I can receive this error if I
am running RIS on a Win2003 machine. This is exactly what I am doing. I am
trying to use RIS on Win2K3 to deploy Win2K Pro.

I have read and followed the instructions from the below URLs but the status
still has not changed.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;246184

http://support.microsoft.com/default.aspx?scid=kb;EN-US;254078

http://support.microsoft.com/default.aspx?scid=kb;en-us;325862

I have also reviewed and downloaded the latest available version of the
drivers from the Microsoft Windows Catalog from within Windows Update.

I am at a loss here. Can anyone please help?

Thank you in advance,

Edwin








[ActiveDir] GPO Issue...

2004-08-18 Thread james . blair








All,

AD GPO issues. Have the dreaded Event ID 1030 & 1058 issues. DCs Windows
2003 and clients XPSP1. DCs had the issue but I was able to resolve this
using: dfsutil /PurgeMupCache, have been clean for a week now...XPSP1
clients however still have the error messages and I have done the following
on the server side:

* Made sure DFS Service is running.
* Made sure TCP/IP NetBIOS Service is running.

On clients:

* Made sure TCP/IP NetBIOS Service is running.
* Made sure WMI Performance Adaptor Service is running.

In addition to the above ran NETDIAG and tested replication on the DCs (no
errors). Ran GPRESULT from the XPSP1 workstation which implied that the
policies were applied however if I run a GPUDATE /FORCE from the same
workstation the 1030 and 1058 errors return...It always seems to be on the
one policy which is my Global User Settings one. I deleted the old policy
and re-created a new one and get the same error to what is in essence the
same policy but different GUID. I also ran Group Policy Results from the
GPMC which insinuated that the network location cannot be reached. I also
tried the patch in Q329170 and as a last resort even installed XPSP2 on one
of the workstations. One thing I have not done is change our DC GPO below
settings all to disabled:

Network Client: Digitally Sign Client Communications Always - Disabled
Network Client: Digitally Sign Client Communications (If Server Agrees) - Enabled
Network Server: Digitally Sign Client Communications Always - Disabled
Network Server: Digitally Sign Client Communications (If Server Agrees) - Enabled

Not sure if it is a DNS/DFS issue, if I run \\FQDN\Sysvol from the XPSP1
workstation I get a network location cannot be reached error however if I do
this from the DNS server which is a DC I get a return...can ping the FQDN
and NetBIOS names to the right IP on the XPSP1 workstations...Any help would
be appreciated...

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description:
Windows cannot access the file gpt.ini for GPO
cn={6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66},cn=policies,cn=system,DC=test, DC=com.
The file must be present at the location
\\upstream.originenergy.com.au\SysVol\upstream.originenergy.com.au\Policies\{6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66}\gpt.ini.
(The network location cannot be reached. For information about network
troubleshooting, see Windows Help. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

James Blair














RE: [ActiveDir] GPO Issue...

2004-08-18 Thread james . blair








All,

Further development, it is not a DNS/DFS issue, seems as though some
attribute in my XP Workstation Baseline GPO is causing this issue, other
workstations in the domain can access the \\FQDN\Sysvol. Will try and nut it
out further...

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 18 August 2004 5:14 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO Issue...

All,

AD GPO issues. Have the dreaded Event ID 1030 & 1058 issues. DCs Windows
2003 and clients XPSP1. DCs had the issue but I was able to resolve this
using: dfsutil /PurgeMupCache, have been clean for a week now...XPSP1
clients however still have the error messages and I have done the following
on the server side:

* Made sure DFS Service is running.
* Made sure TCP/IP NetBIOS Service is running.

On clients:

* Made sure TCP/IP NetBIOS Service is running.
* Made sure WMI Performance Adaptor Service is running.

In addition to the above ran NETDIAG and tested replication on the DCs (no
errors). Ran GPRESULT from the XPSP1 workstation which implied that the
policies were applied however if I run a GPUDATE /FORCE from the same
workstation the 1030 and 1058 errors return...It always seems to be on the
one policy which is my Global User Settings one. I deleted the old policy
and re-created a new one and get the same error to what is in essence the
same policy but different GUID. I also ran Group Policy Results from the
GPMC which insinuated that the network location cannot be reached. I also
tried the patch in Q329170 and as a last resort even installed XPSP2 on one
of the workstations. One thing I have not done is change our DC GPO below
settings all to disabled:

Network Client: Digitally Sign Client Communications Always - Disabled
Network Client: Digitally Sign Client Communications (If Server Agrees) - Enabled
Network Server: Digitally Sign Client Communications Always - Disabled
Network Server: Digitally Sign Client Communications (If Server Agrees) - Enabled

Not sure if it is a DNS/DFS issue, if I run \\FQDN\Sysvol from the XPSP1
workstation I get a network location cannot be reached error however if I do
this from the DNS server which is a DC I get a return...can ping the FQDN
and NetBIOS names to the right IP on the XPSP1 workstations...Any help would
be appreciated...

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description:
Windows cannot query for the list of Group Policy objects. A message that
describes the reason for this was previously logged by the policy engine.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 18/08/2004
Time: 3:52:29 PM
User: NT AUTHORITY\SYSTEM
Computer: BRIL-DEV-3
Description:
Windows cannot access the file gpt.ini for GPO
cn={6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66},cn=policies,cn=system,DC=test,
DC=com. The file must be present at the location
\\upstream.originenergy.com.au\SysVol\upstream.originenergy.com.au\Policies\{6A9D1B3F-6298-46CA-B2E4-2F2DC898BF66}\gpt.ini.
(The network location cannot be reached. For information about network
troubleshooting, see Windows Help. ). Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

James Blair
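
How the four signing settings listed in the post combine when an SMB1 client opens a session to a server, which is what a workstation does to read \\FQDN\Sysvol. This is an added example, not part of the original post and not a diagnosis of the poster's problem; the "as posted" entries use the values from the post, every other entry is constructed, and the tuple layout and function names are choices made for this sketch.

```python
from itertools import product


def signing_level(always, if_agrees):
    """Collapse one side's two policy settings into required/enabled/disabled."""
    if always:
        return "required"
    return "enabled" if if_agrees else "disabled"


def negotiate(client, server):
    """SMB1 signing outcome for one client/server pair.

    client and server are (always, if_agrees) tuples taken from the
    "Digitally Sign ... Always" and "(If ... Agrees)" settings of each side.
    Returns 'signed', 'unsigned' or 'fail' (session refused).
    """
    levels = (signing_level(*client), signing_level(*server))
    if "required" in levels and "disabled" in levels:
        return "fail"      # one side insists on signing, the other cannot sign
    if "disabled" in levels:
        return "unsigned"  # nobody insists and one side has signing off
    return "signed"        # both sides can sign, so packets are signed


def unreachable_pairs(clients, servers):
    """Every (client, server) name pair whose session setup would be refused."""
    return [(cname, sname)
            for (cname, c), (sname, s) in product(clients.items(), servers.items())
            if negotiate(c, s) == "fail"]


# (always, if_agrees) per host role.
CLIENTS = {
    "client as posted": (False, True),
    "client, signing off (constructed)": (False, False),
    "client, always sign (constructed)": (True, True),
}
SERVERS = {
    "server as posted": (False, True),
    "server, always sign (constructed)": (True, True),
    "server, signing off (constructed)": (False, False),
}

if __name__ == "__main__":
    for (cname, c), (sname, s) in product(CLIENTS.items(), SERVERS.items()):
        print(f"{cname:36} -> {sname:36} {negotiate(c, s)}")
    print("refused:", unreachable_pairs(CLIENTS, SERVERS))
```
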














[ActiveDir] Slightly OT Possible AD - Exchange issue

2004-08-05 Thread james . blair








All,

After migrating to Windows 2003 from NT4 we are now migrating from Exchange
5.5 to Exchange 2003 however we are having a couple of "strange" issues
which did not occur in the lab...After scavenging the web and finding
nothing will try here as it could be AD related. When I click on the Primary
Windows NT account\Select an existing account in Exchange 5.5 I get the
following error:

Either a required impersonation level was not provided, or the provided
impersonation level is invalid.

We have fairly high security group policies in place and to possibly subvert
this issue I added Administrators and Authenticated Users to the Computer
Configuration\Windows Settings\Security Settings\Local Policies\User Rights
Assignment\Impersonate a Client After Authentication attribute of the
Default Domain Controllers Baseline security policy we have, rebooted the
server...still seem to have the issue however. Was wondering if anyone has
seen or heard of this issue as it is bugging the hell out of me...users are
able to access their e-mails.

Have seen in a post that SERVICES should be added as well however when I do
this I get an Event ID 1202 error and run the following syntax from the
command prompt:

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

which returns SERVICES so I remove it and the Event ID "goes away".

If anyone has any ideas I would be grateful.

James Blair














RE: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration

2004-08-05 Thread james . blair

Laura,

We have recently gone through this procedure and it is not as painful as you
would expect...The ADMT (Active Directory Migration Tool) is the way to go
if the target domain is going to be in native mode and if you Google
ADMT NT 4.0 - 2003 migration you get all sorts of information, here's a bit
to start you off.

http://support.microsoft.com/default.aspx?kbid=325851&product=winsvr2003
http://www.microsoft.com/technet/community/columns/profwin/pw0402.mspx
http://www.computerperformance.co.uk/exchange2003/exchange_2003_ADMT.htm
http://techupdate.zdnet.com/techupdate/stories/main/Migrating_Windows_NT_to_Windows_Server_2003.html

If however you are like us and are not able to go to native mode you can do
an NT4 - 2003 upgrade which is a fairly painless procedure:

http://support.microsoft.com/default.aspx?kbid=326209&product=winsvr2003

The Exchange part is pretty interesting however and you can do an in-place
upgrade utilising an AD connector...:

One Option:
http://techrepublic.com.com/5100-6268_11-5268995-2.html
Another:
http://www.microsoft.com/downloads/details.aspx?FamilyId=77B6D819-C7B3-42D1-8FBB-FE6339FFA1ED&displaylang=en
Some Ideas:
http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20801908.html

This should keep you out of trouble. I can give you more info specific to not
using ADMT if you wish.

James 


-Original Message-
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED] 
Sent: Friday, 6 August 2004 12:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration

So I may be inheriting a new network that needs to do the 5.5 on NT4 to
2003 on 2003 shuffle.  Your basic Google search returns any number of
resources, obviously; but what does my favourite group of smart people
have to say?  Recommended Books/FAQs/Blogs/Sites that will make me not
want to kill myself quite as much?

*
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania
 



RE: [ActiveDir] Outlook 2003 attachment blocking

2004-06-28 Thread james . blair








Manjeet,

Is the problem definitely at the Outlook level? The below registry entry
would allow exe's and mdb's through. Are you running a content control tool
or similar on your Exchange box? Are the customers "E-Mail Solutions"
deleting the attachment?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\Security]
"Level1Remove"=".mdb;.exe"

James

From: Manjeet [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 June 2004 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 attachment blocking

James,

Actually my problem is my company main business is data conetenting. So we
have to send the file with attachment .$$$ to the various customer on daily
basis.

Yes we are following the file extension solution as you said, but due this
our non technical user and the end customer is not happy with this. because
they are facing problems in renaming and sending and again renaming.

and the second thing the customer do not want to rename the files which he
received because the no of file attachment are hundred in no. on daily
basis.

So i am looking for a permanent solution

Regards

Manjeet

ginenergy.com.au wrote:

Manjeet,

Purely from a security perspective I would advise that you leave the default
Outlook Level 1 security enabled and train your users to zip (or alternate
compression format) or rename the file extensions to an allowed format e.g.
*.123, you could even remove the file extension temporarily.

James

From: Caple, Andrew [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 June 2004 3:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 attachment blocking

Have you tried the registry hack? (Please see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;829982&Product=out2003)

Regards, Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday, June 28, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Outlook 2003 attachment blocking

Hi,

I have this problem.

Recently we have upgraded Microsoft Outlook 2000 client to Outlook 2003.

Our production need to send the file attachment with the name $$$. But due
to outlook local security policy, the recipient is not able to open the sent
attachment.

I have already tried to disable the Level 1 and Level 2 option recommended
by microsoft knowledge base but no successful results.

If you have any idea how to disable these file attachment security in
outlook 2003 then please help me.

Thanks in advance.

Manjeet

System admins

Innodata India Pvt Ltd.








RE: [ActiveDir] Outlook 2003 attachment blocking

2004-06-27 Thread james . blair

Manjeet,

Purely from a security perspective I would advise that you leave the default
Outlook Level 1 security enabled and train your users to zip (or alternate
compression format) or rename the file extensions to an "allowed" format
e.g. *.123, you could even remove the file extension temporarily.

James

From: Caple, Andrew [mailto:[EMAIL PROTECTED]
Sent: Monday, 28 June 2004 3:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook 2003 attachment blocking

Have you tried the registry hack? (Please see:
http://support.microsoft.com/default.aspx?scid=kb;en-us;829982&Product=out2003)

Regards, Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday, June 28, 2004 2:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Outlook 2003 attachment blocking

Hi,

I have this problem.

Recently we have upgraded Microsoft Outlook 2000 client to Outlook 2003.

Our production need to send the file attachment with the name $$$. But due
to outlook local security policy, the recipient is not able to open the sent
attachment.

I have already tried to disable the Level 1 and Level 2 option recommended
by microsoft knowledge base but no successful results.

If you have any idea how to disable these file attachment security in
outlook 2003 then please help me.

Thanks in advance.

Manjeet

System admins

Innodata India Pvt Ltd.








RE: [ActiveDir] Setting Desktop Settings via Group Policy

2004-06-07 Thread james . blair

Raymond,

You may want to take a look at assigning a mandatory profile for your
users...

http://support.microsoft.com/default.aspx?scid=kb;en-us;307800&sd=tech

http://www.tweakxp.com/tweak1591.aspx

Under group policy take a closer look at User Config->Administrative
Templates. In Group Policy you can set thousands (slight exaggeration) of
things in here, for example a wallpaper can be set through:

User Config->Administrative Templates->Desktop->Active Desktop

The good old days just got better...

James

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 8 June 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting Desktop Settings via Group Policy

Hi all,

I need to push out a standard desktop to all users in my company.  I found
where to set up the Active Desktop and the like, but I can't find where to
set things like background color and pattern.  I remember in the good ol'
days (under NT4) you could set these things up (or at least I thought I
remembered).  


Thanks in Advance,
Raymond McClinnis



[ActiveDir] Group Policy Security Templates:

2004-05-18 Thread james . blair








All,

We are in the process of testing security templates on a new windows 2003
domain model and there is one attribute I am having trouble putting a value
on. The particular node is the Windows Settings/Security Settings/Local
Policies/Security Options/Interactive Login/Number of previous logins to
cache (In case a domain controller is unavailable). I have a template for
workstations and this value is set to 0 logins. For laptops I have another
template and this is the one I am having trouble with, I am unsure what
value to put on this.

We have numerous users who are at our remote sites on laptops and they do
not log onto the domain for weeks at a time...this would however never
exceed a 30 day period. What would you advise I set this value to. I suppose
what I am asking is if I set this value to 1 does this only allow one login
or one users cached profile infinitely however subject to other settings eg.
password age etc.

Thanks.

James








RE: [ActiveDir] Unable to demote Additional DC

2004-05-18 Thread james . blair

Mohammed,

From what you have posted I would advise the following:

Verify what server holds the PDC and RID master roles. The best way to do
this is through Active Directory Users and Computers, right mouse click the
domain and choose operations masters.

If the server you are trying to demote holds these roles then transfer the
roles to an alternate DC through Active Directory Users and Computers.

Leave the DC online for a while to allow things to stew.

Re-try the dcpromo

Should the DC you are trying to demote not hold any of the 5 FSMO roles you
could take it offline and do a metadata cleanup Q216498.

If the server DC is "cactus" and it did hold some of the roles you may need
to look at Q255504. From there you would have to do a metadata cleanup
Q216498.

Hope this helps.

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 18 May 2004 5:26 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to demote Additional DC

Hello Folks,

I am trying to demote an Additional Domain Controller and when I do that
thru DCPROMO, I get this error;

The operation failed because:

The Directory Service was unable to transfer the domain wide FSMO roles (PDC
and Rid master) to another Domain Controller in this domain. A possible
cause may that no other servers are on line to receive the FSMO, or the
Directory Service has a record of a server that no longer exists.

The DSA object could not be found.

All the servers are online and from this machine, I can ping to the PDC
Emulator too. How do I resolve this issue?? Can any one point to some KB
articles for explanation?

Regards,

Mohammed Athif Khaleel
Asst.Network Engineer
AlFaisaliah Group Information Technology
Tel.: +966-1-461-0077 x.209
Mobile.: +966-509774015
Email: [EMAIL PROTECTED]
Have you installed the patch for Microsoft Security Bulletin MS04-11?
Save Internet, Keep all the systems patched
Web: http://alfaisaliah.com













RE: [ActiveDir] Win2k SP4

2004-05-03 Thread james . blair








Russ,

MS04-001 (Q835732):

Windows2000-KB835732-x86-ENU.EXE

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Sasser worm...

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

James

From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Saturday, 1 May 2004 6:11 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Win2k SP4

OK I finally broke down and upgraded the rest of our Win2k DC's to SP4. Are
there any important post SP4 hotfixes I should be aware of that apply to AD?









RE: [ActiveDir] Windows XP time sync

2004-02-18 Thread james . blair

In XP you are able to set a local time server through a registry entry, you
can run this as a login script if you like. Have not tried this on servers
yet.

TEST BEFORE YOU USE IT IN A PRODUCTION ENVIRONMENT...

Windows Registry Editor Version 5.00

; Delete Time Server Defaults From Registry
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]

; Add Domain Specific Time Server
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="IPAddressTimeServer"

; Change W32 Time Polling Interval To Every Hour
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:00000e10

James

  
  -Original Message-From: Rich Milburn 
  [mailto:[EMAIL PROTECTED] Sent: Thursday, 19 February 
  2004 9:42 AMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] Windows XP time sync
  
  Okay the MS consultant who worked on our 
  AD upgrade answered that adding an XP computer to a domain should set the time 
  to sync using NT5DS, which is what I thought I remembered was supposed to 
  happen. But it's not happening. If I run the w32tm commands and 
  the setsntp: then it fixes the registry settings to use NT5DS. Anyone 
  know why we might be seeing this issue, or know more about 
  this?
  
  Thanks - 
  Rich
  
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Byrd, 
  ToddSent: Wednesday, 
  February 18, 2004 9:33 AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] Windows XP time 
  sync
  
  The servers in a domain will automatically update from each other,
  progressing upward toward the root PDC (ie each server in a child domain
  will sync with the child domain PDC by default, and the child PDC will sync
  with the root PDC, while all servers in the root domain will sync with the
  root PDC). The Root domain PDC should be allowed to sync with an outside
  SNTP server. For the workstations, the time server needs to be mandated
  through a GPO, or through DHCP.
  
  
  The GPO for setting a specific time server is set under
  Computer Configuration > Admin templates > windows components > system > windows time service > time providers
  
  
  
  
  Hope this helps...
  
  Todd
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
  Sent: Wednesday, February 18, 2004 10:09 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Windows XP time sync
  
  I've seen it talked 
  about on this list that time should be sync'd automatically in a domain. 
  I was going along checking the SMS logs and found a number of them that said 
  the computers' time was offset. I thought that was odd, and I looked 
  into it. The XP computers are set to time.windows.com when you do a net 
  time /querysntp on them. If they are actually trying to use that, it's a 
  problem because SNTP is not allowed out. Besides, we want them getting 
  their time from the domain, not MS. So I can run a command against them 
  to clear this (/setsntp: ) and I can run w32tm /config /computer:name /update 
  /syncfromflags:domhier and it works - the time gets sync'd. I looked 
  into the issue further though, and see that all the XP computers are set like 
  that. This does not seem like what we want, so what am I missing 
  here? Do we have to set this up in the login script or is there a 
  setting I missed in GP that fixes it or ?? I assumed joining a computer 
  to a domain would fix this issue (never really paid attention to it before) 
  but apparently it doesn't.
  
  Thanks
  Rich
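
An added example, not code from the thread: a small Python reviewer for the .reg format James posted, so the "TEST BEFORE YOU USE IT" step can start with a dry read of what the file deletes and sets. The sample is a constructed copy of his file; the function names, the placeholder check and the numbered-control-set warning are assumptions of this example.

```python
import re

# Constructed copy of the .reg file posted above, one entry per line.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

; Delete Time Server Defaults From Registry
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]

; Add Domain Specific Time Server
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers]
@="1"
"1"="IPAddressTimeServer"

; Change W32 Time Polling Interval To Every Hour
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient]
"SpecialPollInterval"=dword:e10
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')
NUMBERED_SET_RE = re.compile(r'\\SYSTEM\\ControlSet\d{3}(\\|$)', re.IGNORECASE)


def unquote(quoted):
    # Drop the surrounding quotes and undo backslash escapes used in .reg strings.
    return re.sub(r'\\(.)', r'\1', quoted[1:-1])


def parse_reg(text):
    """Return the operations a .reg file would perform, as (op, key, name, value) tuples."""
    lines = text.replace("\r\n", "\n").split("\n")
    if lines[0].strip() != HEADER:
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    ops, key, i = [], None, 1
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        # Binary (hex:) data may continue over several lines with a trailing backslash.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):  # "[-KEY]" removes the key and everything below it
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("cannot parse line: " + line)
        name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
        data = m.group(2)
        if data == "-":
            ops.append(("delete_value", key, name, None))
        elif data.lower().startswith("dword:"):
            ops.append(("set_dword", key, name, int(data[6:], 16)))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_string", key, name, unquote(data)))
        elif data.lower().startswith("hex"):
            ops.append(("set_binary", key, name, data))
        else:
            raise ValueError("unknown value type: " + line)
    return ops


def review(ops, placeholder="IPAddressTimeServer"):
    """Describe each operation and flag what deserves a second look before deployment."""
    notes = []
    for op, key, name, value in ops:
        if op == "delete_key":
            notes.append("DELETE KEY %s (with all values and subkeys)" % key)
            continue
        if NUMBERED_SET_RE.search(key):
            notes.append("WARN %s: numbered control set; the active one is "
                         "CurrentControlSet, selected by HKLM\\SYSTEM\\Select" % key)
        if op == "set_dword":
            notes.append("SET %s\\%s = %d (0x%x)" % (key, name, value, value))
        elif op == "set_string":
            notes.append("SET %s\\%s = %r" % (key, name, value))
            if value == placeholder:
                notes.append("WARN %s\\%s: placeholder text was never replaced" % (key, name))
        elif op == "set_binary":
            notes.append("SET %s\\%s = %s" % (key, name, value))
        else:
            notes.append("DELETE VALUE %s\\%s" % (key, name))
    return notes


if __name__ == "__main__":
    for note in review(parse_reg(SAMPLE_REG)):
        print(note)
```

Run against the sample, it reports the key deletion, decodes the poll interval to 3600 seconds, and raises two warnings: the time server is still the placeholder text, and the poll interval is written to ControlSet001 instead of CurrentControlSet.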
  
  
  
  
  

RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread james . blair



Russ,

As Katherine advised or registry entry, see below...your choice:

Windows Registry Editor Version 5.00

; Add Legal Notice Caption & Legal Notice
; (the quotes around Lock Computer are escaped so the text stays one string value)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING - DODGY AUTHORISED USERS ONLY"
"LegalNoticeText"="Any unauthorised access or use of this workstation is prohibited and could be subject to claims for damages and/or penalties at law. To protect this system from unauthorised use and to ensure that it is functioning properly, activities on it are monitored and recorded and subject to audit. ALL software in DODGY is to be AUTHORISED prior to purchase using the normal acquisition and purchasing rules that apply at these sites. ANY software installation is to be performed by DODGY IT or personnel NOMINATED by DODGY IT. Use of this system is express consent to such monitoring, recording and conditions. To protect from unauthorised access once logged in users should press CTRL+ALT+DEL then \"Lock Computer\" when away from their workstations for extended periods of time."
  
  James
  -Original Message-
  From: Katherine Coombs [mailto:[EMAIL PROTECTED]
  Sent: Friday, 6 February 2004 9:02 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Windows 2000 startup screen

  Russ,

  You can do this through GPO by changing the following settings:

  Interactive logon: message text for users attempting to logon
  Interactive logon: message title for users attempting to logon

  They are found in the following location within the GPO editor:

  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

  HTH,
  Katherine

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
  Sent: Friday, 6 February 2004 1:51 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Windows 2000 startup screen

  Thanks to all who helped me with the GC Disaster recovery issue!!!

  Now, I've been asked to replace all the Windows 2000 and XP startup
  splash screens (the one you see in the background when you hit
  ctrl-alt-del). We're going to have our legal notice there since our top
  dogs don't like the legal notice GPO. Question is, is there a GPO for
  this, and if not, is there a registry entry or something we can automate
  on login?

  I know XP's solution is here http://www.updatexp.com/tip12.html
  What about Win2000? Any easy ways to do this?
  
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ    : http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  


RE: [ActiveDir] Windows 2000 startup screen

2004-02-05 Thread james . blair



Russ,

Sorry about that...an idea...you can have a legal message integrated into the CTRL+ALT+DEL bitmap...

What you could do is use reshacker http://www.users.on.net/johnson/resourcehacker/, get an MSGINA.DLL from a machine of the same type and service pack that you are using and amend the: "bitmap file 1033 image". You then need to integrate the "new" msgina.dll file into your install i386 dir, you may have to extract and compress cab files here. If you want to head down this path ping me off list and I can help you out...

James


-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 February 2004 9:45 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2000 startup screen

  That's legal notice caption text which our top execs didn't like
  because they had to click "OK" (it's so difficult!)
  So now we're replacing the startup splashscreen with a legal notice BMP. I
  know which registry key does it now in Winxp and win2k, but I am trying to see
  if I can use a JPG or if it MUST be a BMP.
  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 05, 2004 5:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2000 startup screen

Russ,

As Katherine advised or registry entry, see below...your choice:

Windows Registry Editor Version 5.00

; Add Legal Notice Caption & Legal Notice
; (the quotes around Lock Computer are escaped so the text stays one string value)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="WARNING - DODGY AUTHORISED USERS ONLY"
"LegalNoticeText"="Any unauthorised access or use of this workstation is prohibited and could be subject to claims for damages and/or penalties at law. To protect this system from unauthorised use and to ensure that it is functioning properly, activities on it are monitored and recorded and subject to audit. ALL software in DODGY is to be AUTHORISED prior to purchase using the normal acquisition and purchasing rules that apply at these sites. ANY software installation is to be performed by DODGY IT or personnel NOMINATED by DODGY IT. Use of this system is express consent to such monitoring, recording and conditions. To protect from unauthorised access once logged in users should press CTRL+ALT+DEL then \"Lock Computer\" when away from their workstations for extended periods of time."

  James

  -Original Message-
  From: Katherine Coombs [mailto:[EMAIL PROTECTED]
  Sent: Friday, 6 February 2004 9:02 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Windows 2000 startup screen

  Russ,

  You can do this through GPO by changing the following settings:

  Interactive logon: message text for users attempting to logon
  Interactive logon: message title for users attempting to logon

  They are found in the following location within the GPO editor:

  Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

  HTH,
  Katherine

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
  Sent: Friday, 6 February 2004 1:51 AM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Windows 2000 startup screen

  Thanks to all who helped me with the GC Disaster recovery issue!!!

  Now, I've been asked to replace all the Windows 2000 and XP startup
  splash screens (the one you see in the background when you hit
  ctrl-alt-del). We're going to have our legal notice there since our top
  dogs don't like the legal notice GPO. Question is, is there a GPO for
  this, and if not, is there a registry entry or something we can automate
  on login?

  I know XP's solution is here http://www.updatexp.com/tip12.html
  What about Win2000? Any easy ways to do this?
  



RE: [ActiveDir] OT: slipstreaming Win2K

2004-01-13 Thread james . blair



Mark,

Easily done, maybe the rep meant that you couldn't roll the hotfixes directly into the i386 dir like the service packs, they have to be added as an "after thought" we use an unattended bootable CD for our more remote locations and roll all the available hotfixes into it, I do the same with RIS (Roll hotfixes into install that is...), a good site to look at is:

http://www.msfn.org/unattended/xp/index.htm

I know it is XP but I have done it utilising the same 
method for W2K, only slightly different for RIS:

http://www.winnetmag.com/Articles/ArticleID/24892/pg/2/2.html

Roger's suggestion looks pretty good will look into that...

James


-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 14 January 2004 6:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: slipstreaming Win2K

  Nope. I mean this:
  http://www.nextwish.org/geek.php?page=susutil
  
  It's an exe that sets the correct registry settings and restarts the update
  service, and the system gets the updates in about 10 minutes, then following
  the reboot it sets the settings back (which would be done by the GPO anyway,
  if you're using one).
  
  I use it quite a bit for servers when I'm ready to patch them.
  -- 
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
  

-Original Message-
From: Celone, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 2:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: slipstreaming Win2K

You mean this?

http://support.microsoft.com/default.aspx?scid=kb;en-us;828930Product=win2000

Mike


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 13, 2004 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: slipstreaming Win2K


I've successfully slipstreamed 
service packs into a Win2K install media before, but never looked into 
adding any hotfixes to it. So I started looking into how to do it, and was 
surprised to find dialog from one of Microsoft's online tech chats, in which 
the rep said you can't do that. Did I misunderstand, or can I really not add 
hotfixes to a slipstream image?

Thanks...oh, and Tony - thanks 
also from me for a great list!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do



RE: [ActiveDir] GPOs for Spyware

2004-01-08 Thread james . blair




Russ,

SpyWareBlaster http://www.javacoolsoftware.com/spywareblaster.html is Freeware/Donationware and can be installed "silently" using a login script using the Inno Setup command line parameter /VERYSILENT eg. code used during a batch:

ECHO.
ECHO Installing SpyWareBlaster release 2.6.1
ECHO Please wait...
start /wait \\NetworkLocation\spywareblastersetup.exe /VERYSILENT
ECHO.

The only downside is that you get a popup disclaimer window coming up on the client side machine...

The product is able to be updated however this is a manual process. I would advise a layered approach to this and install SpyWareGuard http://www.wilderssecurity.net/spywareguard.html which is Freeware/Donationware as well and can also be updated manually:

ECHO.
ECHO Installing SpyWareGuard release 2.2.0
ECHO Please wait...
start /wait \\NetworkLocation\spywareguardsetupmin.exe /VERYSILENT
ECHO.

I have had a look at the licence agreement on these products and there seems to be no problems with companies installing this product, this could however be subject to change:

SpywareBlaster 
License Agreement

Disclaimer of Warranty: THIS PRODUCT IS PROVIDED 
FREE OF CHARGE, AND, THEREFORE, ON AN 'AS IS' BASIS, WITHOUT WARRANTY OF ANY 
KIND, EXPRESS OR IMPLIED, OR FOR ANY SPECIFIC PURPOSE, INCLUDING WITHOUT 
LIMITATION THE WARRANTIES THAT IT IS FREE OF DEFECTS, ABLE TO OPERATE ON AN 
UNINTERRUPTED BASIS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR 
NON-INFRINGING. While every effort has been made to ensure the proper and 
correct operation of this program, you agree (by using/installing it) that you 
will not hold the author, anyone or any business related to the author, or any 
distributors responsible for any problems or damages occurring from the use of 
this program. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THE 
LICENSE AGREEMENT. NO USE OF THE PRODUCT IS AUTHORIZED HEREUNDER EXCEPT UNDER 
THIS DISCLAIMER. You agree, as the user of this product, to take full 
responsibility for any and all actions it performs. Some of the spyware it 
protects your system against may be included in commercial programs, and you may 
not be allowed to disable the spyware without uninstalling those programs. See 
each program's license agreement for details.
Restrictions: Without the author's prior written consent, Licensee may not:
(1) modify or create any derivative works of the Product;
(2) decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code for the Product (except to the extent applicable laws specifically prohibit such restriction)
(3) sell the SpywareBlaster software, or this license, in any way
(4) remove or alter any trademark, logo, copyright or other proprietary notices, legends, symbols or labels in the Product

By using SpywareBlaster and/or by clicking the 
"Yes" button to install SpywareBlaster, you agree to be legally bound by the 
statements located above and below.

SpywareBlaster is released as freeware. This means 
you may make copies of the software for backup purposes, give the software to 
friends, or mirror it on your own site IF AND ONLY IF ALL FILES REMAIN UNCHANGED 
AND INTACT, AND NO FILES ARE ADDED. If you do wish to mirror this program, 
please leave a post in one of the SpywareBlaster threads at www.wilderssecurity.com . You may NOT 
include this program on any compilation mediums where you charge more than the 
cost of the medium it is included on (i.e. you may not charge for this freeware, 
but you may recoup the cost of the CD-ROM or other media it is placed on). 
Again, you must keep all files intact and unchanged, and you must add no files 
to this distribution.

AND

SpywareGuard License 
Agreement

Disclaimer of Warranty: THIS PRODUCT IS 
PROVIDED FREE OF CHARGE, AND, THEREFORE, ON AN 'AS IS' BASIS, WITHOUT WARRANTY 
OF ANY KIND, EXPRESS OR IMPLIED, OR FOR ANY SPECIFIC PURPOSE, INCLUDING WITHOUT 
LIMITATION THE WARRANTIES THAT IT IS FREE OF DEFECTS, ABLE TO OPERATE ON AN 
UNINTERRUPTED BASIS, MERCHANTABLE, FIT FOR A PARTICULAR PURPOSE OR 
NON-INFRINGING. While every effort has been made to ensure the proper and 
correct operation of this program, you agree (by using/installing it) that you 
will not hold the author, anyone or any business related to the author, or any 
distributors responsible for any problems or damages occurring from the use of 
this program. THIS DISCLAIMER OF WARRANTY CONSTITUTES AN ESSENTIAL PART OF THE 
LICENSE AGREEMENT. NO USE OF THE PRODUCT IS AUTHORIZED HEREUNDER EXCEPT UNDER 
THIS DISCLAIMER. You agree, as the user of this product, to take full 
responsibility for any and all actions it performs. Some of the spyware it 
protects your system against may be included in commercial programs, and you may 
not be allowed to disable the spyware without uninstalling those programs. See 
each program's license agreement for details.
Restrictions: Without the author's prior 
written consent, Licensee may not: 

RE: [ActiveDir] Strange Windows 2003 behavior after joining AD do main

2003-09-11 Thread james . blair



Ninet,

Try the following on the 2003 servers:

From within a command prompt:
ipconfig /flushdns
nbtstat -RR
route print (check and see whether or not you have inadvertently put in a persistent route)

Make sure that you don't have any "rogue" entries in the host file...

Go to TCP properties of the NIC and explicitly put DNS server IP address...under Advanced-DNS check and see whether or not items such as DNS suffixes etc. are correct.

Go to the DNS server itself and do a refresh and delete any entries that may have pertained to the server/s when they were in the different domains or workgroups???

James

  
  -Original Message-
  From: Ninet Segar [mailto:[EMAIL PROTECTED]
  Sent: Friday, 12 September 2003 2:28 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Strange Windows 2003 behavior after joining AD domain
  Several Windows 2003 Servers have been joined to 
  my domain after operating properly independently. After joining the 
  domain they cannot resolve names properly. In fact they cannot even ping 
  localhost?! Pinging by name doesn't work. Pinging by IP 
  works. NSlookups work! The DNS server did not change, only the 
  domain membership of the computer changed and there user profile for a new 
  user in the domain is created. I looked at GPO's, the only one that 
  affects this machine is very simple and it has only loopback processing 
  enabled.
  
  ipconfig looks right, dns server seems fine, dns 
  settings seem fine, netsh diag gui seems fine. Can anyone help me 
  diagnose this name resolution problem?
  


RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

2003-08-14 Thread james . blair

Charles,

Our remote satellite sites were hit and infected 3/7 (broadband satellite),
Internally no problems. Info @: Trend describes best way to do a manual
removal.

Easy Way:

If you were infected and PC keeps restarting goto Services-Remote Procedure
Call (RPC). Right Mouse Click goto Properties, goto Recovery tab and choose
Take No Action for all three options, hit Apply.
This will give you enough time to apply Microsoft patch
Goto Task Manager-Processes tab. End MSBLAST.exe process/task dependent on
OS.
Goto Regedit32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. In the
right panel, locate and delete the entry: windows auto update =
MSBLAST.EXE
Update virus defs and do a full system scan.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MSBLAST.A
http://www.symantec.com/avcenter/venc/data/w32.blaster.worm.html

Patch, choose OS, @:

http://support.microsoft.com/?kbid=823980

Hope that no one is affected too badly by this one.

James

-Original Message-
From: Charles Campbell [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 12 August 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

I've been getting hammered on this one myself... My firewall logs are packed
with hits to ports 135 and 445.

Charles

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, August 11, 2003 19:41
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] RPC DCOM WORM (MSBLASTER)

In case you been sleeping on the RPC DCOM hole (MS03-26), the time to
patch was a couple of weeks ago, but if you still didn't... Duck... No
actually patch! Now is not the time for your company to discover that a
firewall doesn't protect all entrances to your network. 



http://isc.sans.org/diary.html?date=2003-08-11
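
An added example, not part of the thread: a Python triage of firewall log lines for the port 135 and 445 traffic Charles mentions, which separates outside sources from inside hosts probing their neighbours, the case Joe warns a perimeter firewall does not cover. The log format, the 10.0.0.0/8 internal range, the sample lines and the three-target threshold are all assumptions constructed for this example.

```python
import ipaddress
import re
from collections import defaultdict

WATCHED_PORTS = {135, 445}  # the two ports named in the thread
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the site's own range

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+'
    r'(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$')

# Constructed firewall log in a made-up one-line-per-connection format.
SAMPLE_LOG = """\
2003-08-12T11:02:13 DENY TCP 203.0.113.9:3301 -> 198.51.100.10:135
2003-08-12T11:02:13 DENY TCP 203.0.113.9:3302 -> 198.51.100.11:135
2003-08-12T11:02:14 DENY TCP 203.0.113.9:3303 -> 198.51.100.12:135
2003-08-12T11:02:14 DENY TCP 203.0.113.9:3304 -> 198.51.100.13:445
2003-08-12T11:03:40 ALLOW TCP 10.1.4.23:1045 -> 10.1.7.1:135
2003-08-12T11:03:40 ALLOW TCP 10.1.4.23:1046 -> 10.1.7.2:135
2003-08-12T11:03:41 ALLOW TCP 10.1.4.23:1047 -> 10.1.7.3:135
2003-08-12T11:05:02 ALLOW TCP 10.1.4.50:2200 -> 10.1.7.20:445
2003-08-12T11:05:09 ALLOW TCP 10.1.4.50:2201 -> 10.1.7.20:445
2003-08-12T11:06:00 ALLOW TCP 10.1.4.50:2202 -> 198.51.100.80:80
this line is damaged and must be skipped
"""


def parse(log_text):
    """Yield (src, dst, dport, action) for well-formed lines on a watched port."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and int(m["dport"]) in WATCHED_PORTS:
            yield m["src"], m["dst"], int(m["dport"]), m["action"]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspects(log_text, min_targets=3):
    """Sources that touched at least min_targets distinct hosts on the watched ports.

    Internal sources sort first: traffic from them never crossed the perimeter
    rules, so they are the hosts to check for infection and the missing patch.
    """
    targets = defaultdict(set)
    allowed = defaultdict(int)
    for src, dst, _dport, action in parse(log_text):
        targets[src].add(dst)
        if action == "ALLOW":
            allowed[src] += 1
    found = []
    for src, hosts in targets.items():
        if len(hosts) >= min_targets:
            found.append({"src": src, "internal": is_internal(src),
                          "hosts": len(hosts), "allowed": allowed[src]})
    found.sort(key=lambda r: (not r["internal"], -r["hosts"], r["src"]))
    return found


if __name__ == "__main__":
    for row in suspects(SAMPLE_LOG):
        where = "INTERNAL" if row["internal"] else "external"
        print("%-8s %-15s hosts=%d allowed=%d"
              % (where, row["src"], row["hosts"], row["allowed"]))
```

In the sample, 10.1.4.50 talks to a single file server on 445 and is not reported, while 10.1.4.23 reaches three different hosts on 135 with every connection allowed and is listed ahead of the blocked external source.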







RE: [ActiveDir] OT: Printer Moves

2003-06-24 Thread james . blair











Haven't been very helpful for a
while hope this makes up for it...



http://support.microsoft.com/?kbid=315983



Microsoft Printer Migrator 3.0:



http://www.microsoft.com/windows2000/technologies/fileandprint/print/download.asp



James



-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 25 June 2003 2:05 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Printer Moves





Sure ya
can. Create a new port and point it at the new printer in the old
printer.





-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Printer Moves



Install the new printer using a logon script. I don't think you can re-route
things that are already in the print queue.











-Original Message-
From: Daniel Chaveco [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 24, 2003 11:17 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Printer Moves



Is there a way to move
printers/queues in one Windows 2000 print server to another new Windows 2000
print server without having to recreate them and go to each client PC to set
up the new printer session as well.











Thanks





-Dan





















[ActiveDir] OT RIS ISSUE:

2003-04-02 Thread james . blair






I am currently trying to RIS servers on a tested and am able to do so however I wish to set partition sizes so that the system partition is 10GB but RIS seems to just format and utilise ALL the available space even when I have FDISK'd and set the primary partition size. My thoughts were that if I FDISK'd and set the partition size RIS would format the partition as NTFS and away we go...any feedback would be appreciated.

James





[ActiveDir] OT Password Policy:

2003-03-24 Thread james . blair








http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc022703/wcblurb022703.asp

The below is referenced from:

http://winxp.bink.nu/ :

Interesting password points: 

Password length and possible permutations
6 characters = 689,869,781,056
7 characters = 64,847,759,419,264
8 characters = 6,095,689,385,410,816
9 characters = 572,994,802,228,616,704
10 characters = 53,861,511,409,489,970,176

Given a 60 day password expiry date and a
password of 7 characters, it would require about 7,407,407 logon attempts per
second to find the password
Play the lottery, the odds are much better!

Password security recommendations:

Security Category | Account Lockout Settings** | Password Policy Settings                                            | Cost
                  |      |      |              |      | Max Password Age | Password Age | Password Length |          |
Low               | -    | -    | -            | 3    | 42               | 0            | 0               | disabled | Low
Medium            | 10   | 30   | 30           | 24   | 42               | 1            | 7               | enabled  | Medium
High              | 10   | 30   | Infinite/0   | 24   | 42               | 1            | 8               | enabled  | High












[ActiveDir] ADS Replication Through Satellite Connection

2003-03-11 Thread james . blair

All,

I was wondering if any of you have utilised this method for ADS replication,
I am having a bit of trouble. I have a USB satellite modem with integrated
NIC which has a statically assigned IP Address and a class C subnet mask
with an assigned default gateway, these were configured by the telco. I have
a second NIC in the box which is connected to the LAN. I utilised WINGATE as
a VPN but cannot ping any DCs on the other side, they are all
however able to ping me??? Needless to say there is no replication. Any
ideas I did try a RIP client to no avail...

James


[ActiveDir] RIS INSTALLS:

2003-03-03 Thread james . blair








All,



Is there any other way to specify a specific partition size
to install the OS on or do you have to create the partition "manually"
and use the ExtendOemPartition=0 switch in the answer file. This would apply to
our servers as we want an 8GB primary partition.



James








RE: [ActiveDir] Service Pack 3

2002-09-17 Thread james . blair

Justin,

Broke our Adobe Acrobat PDF printer (Had to roll back to SP2 and re-install)
and know of issues with Hummingbird Exceed, other than that I have had no
problems...

James

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 18 September 2002 8:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Service Pack 3

It broke our Network Appliance NutScratch, er, um, I mean NetCache when we
put it on our DCs. It will no longer authenticate users against our AD
domain. NetApp is working with us to fix it.

Other than that, we've seen no problems. 

-Original Message-
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 17, 2002 3:54 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Service Pack 3


So what is the consensus on Service Pack 3 for Windows 2000?  I have been
running it on my laptop for a while now with no errors.  Has anyone had any
major problems that resulted from installing Service Pack 3 in their
production environment?.

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
914.681.8117 office
646.483.3325 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] 




RE: [ActiveDir] Software Update Services:

2002-07-16 Thread james . blair









Dennis,



My apologies I must have been on a rant I stand corrected.



James



-Original Message-
From: Dennis M. Depp [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 17 July 2002 3:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Software Update Services:



James,



I read this white paper and I understand you can redirect Automatic updates to go to
your SUS server instead of Windows update. How do these changes ensure
the appropriate security patches have been applied to a particular
desktop? SUS is still a pull technology. I can setup a client to
automatically pull the information, but it is still a pull technology. If
I want to ensure the hotfixes are installed, I still need to verify with an
application such as HfNetChk.



Dennis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 15, 2002 7:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Software Update Services:

Dennis,



Download the SUS Deployment White Paper approx.
2.3MB:



http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp



Page 55 of the White Paper starts explaining how to
utilise Group Policy and Administrative Templates in order to redirect
Automatic Updates to a server running SUS. You will have to install the client
on all PCs/ Servers as well approx. 1MB. It is an *.msi so you can roll it out
through Group Policy as well...any probs. send me an e-mail. 



James 





-Original Message-
From: Dennis M. Depp [mailto:[EMAIL PROTECTED]]
Sent: Monday, 15 July 2002 9:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Software Update Services:



While I think the idea of SUS is good, I fail to see how this eliminates the need for
hfnetchk or the security baseline analyser. SUS is a pull technology.
You still need some method to ensure the clients are pulling the information
from the server.



Dennis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 11, 2002 2:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Software Update Services:

All,



Haven't contributed for a while but this will more
than make up for that. In a nut shell Software Update Services (SUS) allows you
to synchronise an internal server with the Microsoft Update servers and test
and approve updates to deploy...too good to be true, no more hfnetchk, qchain,
security baseline analyser...seems not. Works on our test bed, give it a
go...details @:



http://www.microsoft.com/windows2000/windowsupdate/sus/



James








RE: [ActiveDir] Software Update Services:

2002-07-15 Thread james . blair









Dennis,



Download
the SUS Deployment White Paper approx. 2.3MB:



http://www.microsoft.com/windows2000/windowsupdate/sus/susdeployment.asp



Page 55 of the White Paper starts explaining how to utilise Group Policy and Administrative
Templates in order to redirect Automatic Updates to a server running SUS. You will
have to install the client on all PCs/Servers as well, approx. 1MB. It is an
*.msi so you can roll it out through Group Policy as well... any probs, send me an
e-mail.



James 





-----Original Message-----
From: Dennis M. Depp [mailto:[EMAIL PROTECTED]]
Sent: Monday, 15 July 2002 9:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Software Update Services:



While I think the idea of SUS is good, I fail to see how this eliminates the need for
hfnetchk or the security baseline analyser. SUS is a pull
technology. You still need some method to ensure the clients are pulling
the information from the server.



Dennis

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 11, 2002 2:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Software Update Services:

All,



Haven't contributed for a while but this will more
than make up for that. In a nutshell Software Update Services (SUS) allows you
to synchronise an internal server with the Microsoft Update servers and test
and approve updates to deploy...too good to be true, no more hfnetchk, qchain,
security baseline analyser... seems not. Works on our test bed, give it a
go... details @:



http://www.microsoft.com/windows2000/windowsupdate/sus/



James







[ActiveDir] Software Update Services:

2002-07-11 Thread james . blair








All,



Haven't contributed for a while but this will more than make up for
that. In a nutshell Software Update Services (SUS) allows you to synchronise
an internal server with the Microsoft Update servers and test and approve
updates to deploy...too good to be true, no more hfnetchk, qchain, security
baseline analyser... seems not. Works on our test bed, give it a go... details @:



http://www.microsoft.com/windows2000/windowsupdate/sus/



James