Hello,
We have three domain controllers on W2000 Server, and
Windows XP SP2 workstations. All users and machines are configured with group
policies, in one of these GPOs there are several _vbscript_, one of the scripts
executes some applications.
I try to execute the applications with
Kerberos, DFS, replication etc etc. The usual suspects.
I responded to joe's post, specifically.
neil
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: 17 May 2006 16:40
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS
Correct.
Normally "alwite, me ol
mucker?" though :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 17 May 2006 21:35
To: Send - AD mailing list
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
Try again -
http://www.peevish.co.uk/slang/m.htm-
"Noun.
what's this? - the 'how many dialects can I squeeze into
one post' competition? :))
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: 17 May 2006 22:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] DNS on a DC or NOT
What's all this mucking
Totally agree joe, and that's why 3rd party vendors offer
GPO mgmt tools and why Longhorn (or later) may introduce similar tools
(allegedly).
That aspect is badly needed in the world of GPOs
:)
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2006
Just to clarify:
W2k3 Forestprep adds attributes to the schema
When the forest func level is raised from 0 to 1 or from 0 to 2, several
of those attributes are added to the PAS.
Is that correct?
Having performed several forest func raises in the last couple of years,
this surprised me since
Hey joe,
I actually think we're in agreement here
:)
In a large org with an existing BIND impl - run with it. If
it's mature, well understood and well managed, then why not use it.
Unfortunately, when AD hit the streets, there were many DNS impl which did not
meet its DNS reqs.
As you
It does not even have to be a logon script. I remember years ago some
one put a trojan on one of our Pr1me's. It was a simple game, unless you
ran it from a privileged account. All was well until the operators ran
it at 2am from an operators account. It removed all the ACL's from the
file system.
Return Receipt
Your RE: [ActiveDir] OT: Overriding local computer logon scripts
document: - anyway to do it?
Return Receipt
Your RE: [ActiveDir] Is there a way to force users to logon to
document domain?
:
This link has been posted before but it should help you out.
http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx
Once again Joe's tools save the day!!
Thanks
Mike
On 5/18/06, James Carter [EMAIL PROTECTED] wrote:
Hi There,
I have been asked on short notice to provide a list of mail
Well currently to have a GC you need that machine to be a DC and as we
all know you don't put Exchange on a DC ;)
Exchange already feels special ;)
Carlos Magalhaes
Krenceski, William wrote:
Why can't exchange just have the GC on it somehow. I'm not a developer
by any means of the word. It
Milton,
Try deleting the local Outlook profile and re-create it.
Configure RPC over HTTPS in the new profile with cached mode enabled. After
configuring the local client and having it connect to the exchange server,
it may take time downloading a local copy of the user's mailbox from the
Hi
I have a text file
holding a list of approx 400 global groups such as:
Group1
Group2
Group3
Group4
etc
I need to query the
membership to find out which of the above global groups have other global
groups as members and then to list the group names, output
example:
I am running the application pool for this website as Network Service.
It is not explicitly defined in my IE Intranet Security Zone, but we
have a proxy script that enables bypass from proxy server and we have
that condition in IE security zone enabled, so yes its there. I know it
is using
trying this in rich text from gmail to see if it floats; let me know if you can't see the text joe :)
Um, no. (Yes, it does have to be a DC to be a GC.) But other than scalability and simplicity related to troubleshooting/recoverability, what exactly do you sacrifice if you put Exchange on a GC?
I forgot one detail. I am accessing this site from a computer that is
joined up to a different forest. That metabase key
NTAuthenticationProviders also didn't do what I was hoping for.
-Brandon
-Original Message-
From: Bernier, Brandon (.)
Sent: Thursday, May 18, 2006 8:56 AM
To:
Yep. Now if we could just make it illegal to operate a GPO
without a license or required the gomers of the world to get someone to drive
them... Or if in order to enable powerful things you had prove you knew how to
undo them or what they actually meant. We need a "completely undo everything
Correct. Pretty smooth how they did that yeah?
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, May 18, 2006 4:09 AM
To:
I was simply stating that when DNS as a service is compared
to other services which run on a DC (such as Kerberos etc) then DNS
accounts for very little overhead.
neil
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 18 May 2006 14:03
To:
Title: RE: ADAM Schema Questions
Please ignore part two of my question, I figured it out. I was only running
dn: CN=MyClass,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow:
Hey Al,
Good to hear from you again :)
1. Exchange 12 -- Now known as -- Microsoft Exchange Server 2007
How many times have we heard and or recommended not to run anything on
the precious domain controller (unless you're running SBS but that's another
story), installing Exchange with IIS is also
Well, this is possible with 3rd party apps. I'm actually
looking at some right now (the link below contains one such
vendor).
All changes can be made offline and the ultimate 'make it
so' action needs to be approved and can be configured to occur within the
context of a service account.
Almost. Forestprep adds the attributes to the schema when you run
adprep. It does not add them to the PAS though. The attributes are added
to the PAS when the FFL is raised. This is because 2k3 introduced the
capability to add attributes to the PAS without a full resync. So, by
adding the
Title: Linking an auxiliary class to a structural class
I've got a billion ADAM instances and I want to add an auxiliary class to a structural one, both class already exist. This is cake in the ADAM Schema MMC or via ADSI, but I'm going for LDF format. Can someone tell me where I fudged
You can get an explorer window using runas several ways, but by far the
easiest is:
Runas /user:administrator explorer /separate
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 3:44 AM
To:
Nevermind - that's what you said. I need to stop working maintenance
windows and getting up at 8AM the next day.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Brian Desmond
Title: The KCC and detecting DC failures
The following article describes how the KCC will detect a DC failure if replication fails n times and for a period of m hours.
Between sites, n is 1 and m is 2, within sites, n is 0 or 1 and m is 2 or 12 (direct neighbours and non-direct neighbours,
Using a RAID
controller's configuration utility I can build and initialize a RAID 5
container. When installing the OS, I can, if I choose, create a
partition. Is this a good or bad idea? In other words, if I
partition RAID 5 container during the OS install will it make any difference if
I
Tim-
It doesn't really matter. The RAID controller has no idea
about the partition table. It just presents a LUN to the OS and the OS writes
to it.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Is there a tool or
script that will allow me to query all of the groups in AD and find those with
particular security rights? For example, I would like to be able to view all of
the groups that can reset passwords or query for all groups that can create
groups. I am not savvy with scripting
Thanks, Brian. That makes sense.
So if I have a 4 disk array on a single backplane, and
given that I want the benefits of RAID 5, is there any argument for configuring
more than one partition on the array? I realize that this is
potentially too much of an open-ended question, but I'm curious
I always do 12GB for C and the rest for D for Data.
I can format C and not worry about the Data.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Timothy Foster
Sent: Thursday, May 18, 2006
The SelfUpdate Tree is not working. Clients
may not be able to update to the latest WUA client software and communicate
with the WSUS Server.
Any one have any ideas?
Justin A. Salandra
MCSE Windows 2000 2003
Network and Technology Services Manager
Catholic Healthcare System
PatchAholic...The WSUS Blog! : WSUS: SelfUpdate Tree is not working:
http://msmvps.com/blogs/athif/articles/67954.aspx
And there's a WSUS listserve at www.patchmanagement.org that might be
better suited for this. Trust me.. you don't want to overrun the AD
list with the wackiness of WSUS.
I know this is not exactly the RAID 5 Best practices but this is how I
usually setup and recommend the customers to setup their disks (if they
can afford the hardware)
RAID1 for the OS
RAID1 for the logs
RAID0+1 for the database
Carlos
Brian Desmond wrote:
I always do 12GB for C and the
These days I am much more curious as to the benefits of RAID5? It slows the I/O
down. It can really crawl if you lose a drive and the server has to rebuild
the missing volume?
As for multiple partitions, I can't actually see any real advantage on a file
server. You can easily move the files
One advantage of RAID 5 over RAID 1 mirroring is that with a RAID 5 hot
spare, 2 drives can fail and you don't lose the data which is not possible with
2 RAID 1 mirrored drives. However RAID 5 is faster. Another
advantage is that you have to buy double the disks for RAID 1 as compared with
but then you may have issues with the permissions on the second drive
if you get a different SID on the re-build
On a file server? Do you typically use local file server accounts for your
permissioning?
Sincerely,
These are good questions. With all the DFS goodness
in R2 maybe it is better to use, say RAID 1 and replicate out to other disk
arrays elsewhere on the network (e.g. NAS). Which brings up the whole
question of 'where is the weakest link?' - it is it the disk, the controller,
the backplane,
Sorry for grotty format OWA2000...
-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 18/05/2006 20:52
To: ActiveDir@mail.activedir.org
Cc:
Subject: Re: [ActiveDir] [OT] RAID 5 Best Practice
I said may not typically. There are reasons for using local accounts (or
groups)...
-Original Message-
From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Thu 18/05/2006 19:29
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE:
The cable harness and backplane are two places for single point of failure
on a single server, but if something can be clustered this resolves those
issues. However, the disk since it's one of the few mechanical components
of a server system is something to be concerned about since the
Title: RE: [ActiveDir] [OT] RAID 5 Best Practice
What's a reason for using a local group or
account on a file server?
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Wade
Sent: Thursday, May 18, 2006 11:42
AM
To: ActiveDir@mail.activedir.org
Subject: RE:
Perhaps I need to clarify this a little. What I mean is
that a mailbox that has been moved to another Administrative Group, still has
the Administrative Group in its Full Mailbox Directory Name from which it was
moved.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Victor
because you want something to work if no domain is available, perhaps
-Original Message-
From: [EMAIL PROTECTED] on behalf of Abouelnasr, Jerry
Sent: Thu 18/05/2006 21:16
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir]
Justin,
WSUS is fantastic...when it works!!!
1. Have a look for any errors in the C:\%systemroot%\Windows Update.log
- Google these...
2. Download the Client Diagnostic tool, extract and run on a problem
child:
http://www.microsoft.com/windowsserversystem/updateservices/downloads/de
Also this was extremely popular in NT4 days in large orgs and there are a
lot of people that still design that way. In general, I have no problem with
using localgroups on servers. If you use an intelligent ACLing system and
take the time to set it up you can configure things so you could bring
Classic Exchange type design. ;o)
For AD, I pretty generally recommend people do a single 0+1/10[1] first and
then 5 second and go with either because usually they don't have enough
slots for the disk internally to break it all up into a bunch of 1's and I
prefer the disk internal for AD and you
Don't underestimate the power of a small guy with good
ideas. :)
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, May 18, 2006 9:42 AM
To:
For file sharing, I would consider 0+1 but 5 would be more likely since you
probably want/need the space more than the speed. File sharing doesn't
really beat the disks up relative to a busy DC even in large multi-thousand
user file servers I have seen.
What about when some idiot user sets up
Hey I can read it! Good show Al!
Dean is a complete noob in terms of Exchange next to me.
;o) But I am not an Exchange guy by any stretch, I am an AD guy who digs into
Exchange problems as if they were just any other problem. I know nothing about
E5.5. I constantly hear how the admin tools
I would be shocked almost to death in fact to see it pushing the disks
anywhere near what AD or Exchange will do. Access doesn't run server side,
it is client side. It is very unlikely that a remote app will mash your
disks like a busy local app will.
--
O'Reilly Active Directory Third Edition
Title: RE: [ActiveDir] [OT] RAID 5 Best Practice
Access database will likely get cached on the client in memory,
in any case it’d be all read ops. Access doesn’t cache report output.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
From: [EMAIL PROTECTED]
Yeah, this is going to have to be a script or custom
code.
You have the option of using ADSI and enumerating each of
the groups and chasing the properties of each group or writing something that
calls out to a tool that uses ASQ queries (assumes K3 AD) which would be a world
Aw shucks... twerent nuttin
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, May 18, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Export
I actually think we're in agreement here
:)
Phew... good thing, I was getting tired of typing.
:o)
AD can definitely do more
than NOS stuff, but in my heart, that is its primary purpose. For instance, I
will let Exchange into one of my forests, but the minute it starts making it so
Sorry to bounce off topic. But what would you recommend for Exchange hard drive config? Even better where I can look for information on how to troubleshoot (what to look for) the disk subsystem on an Exchange box.
Thanks.
On 5/18/06, joe [EMAIL PROTECTED] wrote:
Classic Exchange type design.
Title: RE: ADAM Schema Questions
1. What was the exact error you saw, with DSID? I have done
schema mods of instances where one or more of the other instances were powered
down so they couldn't replicate.
2. Which MMC app are you trying to hide it from? Could be a
bug, but depending on the
1) Exchange Hard Drive Config.
a) Many Drives, preferably Raid 0+1. At least one mirror pair per 250 users
for database.
b) Separate data that is accessed sequentially (logs) from random access
data (data bases)
c) Use one of the manufacturers' tools. I know the HP one (see below) will
Return Receipt
Your RE: [ActiveDir] [OT] RAID 5 Best Practice
document:
was Justin Leney/US/DCI
received
by:
at:05/18/2006 08:55:07 PM
If someone was lucky enough to have been running AD as a NOS directory for some time they had enough understanding and ammo to tell those MCS guys to bag it when they were saying Exchange-centric things.
Why are you picking on me, joe? :)
I think there's a philosophical issue there: Does the
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Bernier, Brandon (.)
: Subject: RE: [ActiveDir] [OT] IIS6 - Kerb/NTLM
:
: I am running the application pool for this website as Network
: Service.
: It is not explicitly defined in
Well, you need to ensure that referrals are happening properly (so that the
DC in your domain is referring you to the correct KDC in the foreign domain
in the foreign forest)
Cheers
Ken
: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of