that may be a matter of personal preference and of the
way that your DNS is currently set up.
Granted - in the scenario I described, Stubs would have the
benefit of being AD integrated and would thus replicate to any DC-DNS server,
but if you have to combine two different DNS worlds with a
Hello Dèjì, good thoughts, but not sure that I agree
with all you say - I believe Dave's scenario could benefit from a separate
forest - see some comments below.
Cheers,
Guido
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, January 08, 2005
that's also my understanding Dean and that's how I've tested it that it
works - but I certainly wouldn't mind the lengthy version of the
explanation...
I do have to say, that the statement to require FFL2 to use SA for
forests trusts is somewhat of a joke though: you'll have to have both
forests
Ok I could see it now, sorry, thanks its working great
I have only one question, what's the use of the -uci option if I can't
pass the parameters in an input file? and I have to make the command
each time I want to create a new user?
Also in the addusers.exe windows2k tool, the username was used,
Actually Dean, would like to hear that explanation as to why if it's not
too much trouble. It often helps to make the idea stick :)
As for the replication, Dave I understood the replication differences to be
more for security reasons than performance etc. Something along the lines
of not
Thanks! I'd tried clicking, right clicking, and double clicking on the
entries to see if I could find the class ID in that window, all to no
avail! Never thought the CLSID might be there in a column... Sheesh.
Nothing like making it easy on us poor admins... Now if there was some
way to
Good point ... it is somewhat redundant isn't it :)
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To:
Joe,
You can download BHODemon and install it, double-click on any entry and you
will see the CLSID in that entry.
http://www.pcworld.com/downloads/file_description/0,fid,23611,00.asp
HTH,
Rick
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Hi Rubix,
I'm not sure what you mean, but HTH. A user in AD has the following names:
A. CN = common name = Name column in tools = RDN (e.g. Jack Brown or CN=Jack
Brown)
B. First name = givenName (e.g. Jack)
C. Last name = sn (e.g. Brown)
D. Display name = displayName (e.g. Jack Brown)
E. User
This might not be the right forum for this question, but, does anyone
have any templates for what needs to be locked-down for servers in the
domain and in a DMZ. What ports and services that do not need to be
running/open.
Ron Pennell
Institute For Defense Analyses
[EMAIL PROTECTED]
List
The -uci switch you mention in dsadd isn't for input from a file, it is
referencing input from pipe (ie: | ). You can use information from a
tool like dsquery to pipe information to dsadd (you can pipe the DN for
an account for example).
Phil
-Original Message-
From: [EMAIL PROTECTED]
To reply to myself, I made a dumb statement...you can't pipe the DN from
dsquery to dsadd since the user wouldn't exist yet, but that is one
thing that you can do with dsquery and some of the dstools (dsget, dsmod
etc.)
Phil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
You're correct, Al - the thought regarding replication is that there's
no reason to put information from the internal domain on those DCs in
the less-trusted domain. There is no need for it there in the first
place, and if I don't replicate it there I have that much less to worry
about if that
I keep getting an error on a win2k pro sp4 laptop when renewing an ip
address-an operation was attempted on something that is not a socket
also when i try to start my linksys wlan adapter, i get 10093:Successful
WSAStartup not yet performed
I've uninstalled and reinstalled tcp/ip but no go.
I
Pennell, Ronald B. wrote:
This might not be the right forum for this question, but, does anyone
have any templates for what needs to be locked-down for servers in the
domain and in a DMZ. What ports and services that do not need to be
running/open.
I don't know what role this server plays but
Have you got something else interfacing with the stack on the box, i.e.
f/w software?
Also... uninstall the wlan card and see if you still get the same issue
on the internal nic.
BR
Rob
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent:
it's uninstalled.
this user has no firewall sw that i can tell. though i get a pop up saying
outlook express is trying to send a email. do you want to let it send it?
i have no idea what's making that pop up. it's made to look like it's coming from
OE. the email is just the welcome message OE sends
Simplified question is - why do we require domain (external trust) or
forest (forest trust) functional level 2 when using selective
authentication? -
Let's begin with what selective authentication (SA) does ... when configured
across a particular trust it tells the KDCs within the domain at the
Title: time server
Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and
hmmm ... could be a virus trying to send the mail through outlook.
Can you see any other protocols, services, etc bound to the adapter?
From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Mon 1/10/2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
Thanks, but BHODemon only shows Browser Helper Objects. It doesn't show
ActiveX controls or Browser Extensions which are also add-ins for IE
that need to be defined for the GPO to effectively manage all the
activex controls.
Joe Pochedley
A computer terminal is not some clunky old television
http://support.microsoft.com/default.aspx?scid=kb;en-us;318584
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 10, 2005 7:39 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock
I keep getting an error on a win2k pro
When we do an nslookup on an external host, we often get a timeout 3 or 4
times before it finally resolves. We are using our child domain controllers
for all our desktops DNS. The child DCs are forwarding to the root DCs.
The root DCs have the root-hints on them, and are allowed by the firewall
Open C:\WINDOWS\Downloaded Program Files, double-click the control,
highlight and copy the ID from the property page.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, January 10, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Have you tried doing a network trace to see the DNS queries and responses?
That should help you determine where the delay is.
- Original Message -
From: Rimmerman, Russ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 10, 2005 12:41 PM
Subject: [ActiveDir] DNS
Are you referring to a tracert or something more in-depth?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, January 10, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS timeouts
Have you tried doing a
Title: time server
Does your switch use/support SNTP (Simple NTP)? That is
what Windows DCs support, not NTP.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time
Title: time server
Thanks Joe, I suspect that's it
then. There wasn't anything in the interface about an SNTP server.
mc
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
Something more in depth like network monitor?
- Original Message -
From: Rimmerman, Russ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 10, 2005 1:51 PM
Subject: RE: [ActiveDir] DNS timeouts
Are you referring to a tracert or something more in-depth?
Title: time server
Uncertain as to the OS in question here but Windows
2003 supports both NTP and SNTP -
http://www.microsoft.com/technet/security/guidance/secmod118.mspx
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL PROTECTED]
Title: time server
This comment is accurate for
Windows 2000, but not for Windows XP/2003.
References: http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=""> and
Conflicting information:
(http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx)
To sum it up, SNTP and NTP are supposed to be interchangeable and
compatible. Reality is, some verbs/commands aren't.
When setting up a time server from a non-Microsoft
I have had a winsock problem on a few different machines that was only
fixable with an exe I downloaded somewhere. I will look for the link, or
if I can't find it, I can probably at least find the file.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ok, I really don't have the time to go searching for the link, but I do
have the file if you want it. I don't think I am supposed to attach
files to messages in here, so just let me know if and how you want the
file.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Title: time server
From my understanding it (2K and K3) supports NTP for
reading time from a source, not as a source.
I.E. Windows with the default time service is not a NTP
Source, it is a SNTP Source.
joe
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent:
Title: time server
I own the time service for Windows, so I
can field the OS question. The NTP server in Windows 2003 is NTP V3 RFC
compliant and third party NTP clients can (well *should*) be able to sync with it. When you say doesn't
seem to recognize, is there an error message? How does
Title: time server
That's
a good point Joe, I've never sniffed the traffic off the wire to be sure (nor
used ~any other means) but the link I supplied certainly implies it's NTP
based.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
From: [EMAIL
Title: time server
As Al
pointed out, some MS docs need to be
reviewed...
The one Al specifically pointed out "http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx"
says straight out that the Time Server is SNTP based.
Windows Server 2003 time
Title: time server
I've had problems with machines that are not part of the
domain being unable to synch with the time service on a DC. It seems that
if the machine is not part of the domain you are unable to use it as a time NTP
or SNTP server.
Mike
From: Creamer, Mark [mailto:[EMAIL
Title: Message
510
software has a windows port of NTP that works very well (all of my servers were
running it back in the NT4 days).
I
suppose a person could use w32time to sync to the forest, and run ntp
acting as a local time master to provide sync to the phone switch. You'd have to
Hi Ron,
You could use the Windows Server 2003 Security Guide from MS.
#
Windows Server 2003 Security Guide
The Windows Server 2003 Security Guide provides guidance to assist in
hardening Domain Controllers, Infrastructure servers, File servers, Print
servers, IIS servers, IAS
In the documents shown to you so far, you should find all the services
(including ports, etc) that you need to open up such a configuration.
A good, basic hardening rule is: Shut everything down (apart from the
most basic services, you'll find those in the documents mentioned
earlier) and then
Have you checked the DC in question to see what it's reporting?
You may also want to grab a net trace to see the packets on the wire. Those
two things might help to clarify the issue faster (permissions, incompat,
etc) faster. If the phone switch has a log file or output, that also might
be
Is there anything on the network in between your AD domain and the phone
switch? I know it's fairly common for phone switches to be behind some
type of NATing firewall, although it doesn't happen everywhere.
Phil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Title: time server
The packets are identical, and NTP
actually came first. I just spoke with my time developer and he confirmed that time
syncs should be able to work ntp - sntp, and sntp - ntp. Most of the
problems we've seen with interoperability have been caused by client side
logic in
Title: time server
Mark,
I've got a number of Avayas (S8700's) at work. I can
check with our on-staff Avaya folks, as I know that they are synching time
internally. However, I think that it's going back against our AIX
systems.
But, as to it being Linux - it's how you order the
modules. I
Apparently I'm now the new parent of a (misconfigured, I think) AD that
was unceremoniously dumped in my lap. Not having any 'real' experience
with AD I set off on a search. I've used my trusty O'Reilly Bookshelf to
grab some of the more recommended books (AD Cookbook, AD Forestry and
Inside Active
1,2. The first DC in a Forest will hold all 5 roles. Moving the roles
around when additional DC's are introduced has some factors involved. For
small/simple environments, leaving them all on one DC is probably fine. I
would make each DC a GC, too. More specifically, there's little need to
Sorry about the subject on the previous post, That was another question
I was going to ask.
Alonzo
List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Hi I mean when I see the properties of the user, in the Account tab,
in the User logon name I find it empty, even in the script am putting
A and F, and in the User logon name (pre-windows2000) there is the
user name, but in the User logon name there is nothing, is this ok?
thank u
On Mon, 10 Jan