RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Brian Desmond
I don’t deploy any servers which are connected to a monitoring system that calls me at night or calls my manager without fault-tolerant NIC teaming. Inevitably it will be my fault when the network team crashes a supervisor in a 6509 or a line card dies. I have no second thoughts

Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-13 Thread Mark Parris
I did indeed, but I was trying to introduce another acronym to the IT almanac, Defending Security Infrastructures DSI it is then. Boss, Boss, the DSI boss. -Original Message- From: Brian Desmond [EMAIL PROTECTED] Date: Thu, 13 Jul 2006 11:01:49 To:ActiveDir@mail.activedir.org

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Ken Schaefer
Can't your spyware just change/delete the host entries again? Or use an IP address (or do you configure static routes for the subnets that the IP addresses reside in that those host entries point to?) Has this tactic ever helped anyone in a spyware-on-the-server situation? (except possibly in a

Re: [ActiveDir] [List Owner] [OT] OOFs from Steven Comeau

2006-07-13 Thread Mark Parris
I quite like the oxymoron - Attacking Defending Security Infrastructures Perhaps we could call it - ADSI for short? -Original Message- From: Mark Parris [EMAIL PROTECTED] Date: Thu, 13 Jul 2006 06:17:04 To:ActiveDir.org ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] [List

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread neil.ruston
One point that is nearly always overlooked is the following, if a DC points to itself for DNS name res: The DNS server service starts *after* NETLOGON, at startup The DNS server service stops *before* NETLOGON, at shutdown i.e. at startup netlogon cannot register DNS records on the

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread victor-w
Al, This sure helped, we are by the way indeed talking about W2K DC's. Victor - Original message - From: Al Mulnick [EMAIL PROTECTED] Date: Thursday, July 13, 2006 3:58 am Subject: Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS

[ActiveDir] AD Sites Rename

2006-07-13 Thread James Carter
Hi, I need to rename some of my AD Sites, is this likely to cause any issues I am unaware of? I use DFS if that's any help. Windows 2003 Single Domain/Forest FFL. thanks James

RE: [ActiveDir] Acquisition of 2003 Forest - options experiences

2006-07-13 Thread Myrick, Todd (NIH/CC/DCRI) [E]
I can vouch for the Aelita/Quest Migration tools and say they are pretty good for NT to AD migrations, and AD to AD migrations. There was a lot of innovation in the space a couple years ago, but I think most of the solutions today are pretty stable and offer comparable features. The value

Re: [ActiveDir] Planning for the future

2006-07-13 Thread Paul Williams
If you create a new domain in your forest for this requirement, and in the future they are bought by another company, then your only supported option is to migrate to the new or existing forest on the other side. It is probably easier, and safer, to create a new forest with an external trust.

Re: [ActiveDir] SFTP with AD Auth

2006-07-13 Thread Paul Williams
The last place I worked, we used WinSSH for this purpose. Trivial to setup and cheap (about $100/ £65). This allows you to tunnel FTP and use Windows auth. There's also additional options to allow some additional access control, e.g. only specific groups can use the tunnel, etc. If I

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Jeff Green
Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily. In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are: My client-facing network is 100 Mbs Ethernet; Major vendor's servers have come

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Robert Rutherford
Jeff, If you back them up over the client-facing LAN conn or over your Gb back-end I wouldn't have any concerns. If you want to just standardise your setup then just go for it. Cheers. Rob Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
We team everything. It seems stupid not to. Use fault tolerance only (as opposed to load balancing) and you've got additional resiliency. FT works fine with different paths, e.g. different switches. --Paul - Original Message - From: Freddy HARTONO [EMAIL PROTECTED] To:

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread neil.ruston
FWIW - I too have teamed NICs in FT mode on DCs on many occasions and have never experienced any issues. The NIC driver only presents one NIC to the OS so I don't see why that should cause an issue. The FT aspects are transparent to the OS. neil -Original Message- From: [EMAIL PROTECTED]

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread AFidel
Yeah except the fact that thin clients have about twice the useful life, are less prone to failure by virtue of having no moving parts, and use a fraction of the power. There's still a TCO argument to be made, but the initial outlay argument is gone. Andrew Fidel Matt Hargraves [EMAIL

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Rocky Habeeb
 Brian, Could you please explain to me what you mean by "save for the browsing situation, but who uses that anyway?" Are you saying that your networks don't have browse masters? How do people find resources then? Thanks. RH ___ -Original

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Al Mulnick
Yeah, I figured you'd have a different experience with nic teaming. :) On 7/13/06, Brian Desmond [EMAIL PROTECTED] wrote: I don't deploy any servers which are connected to a monitoring system that calls me at night or calls my manager without fault-tolerant NIC teaming. Inevitably it will be

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Al Mulnick
I think the term is BAN in this case. ;-) On 7/13/06, Jeff Green [EMAIL PROTECTED] wrote: Well, I don't think the driving factor is the size of the IT operation in terms of # DC's necessarily. In my small environment (3 x DC, 1 x Exchange, 2 x Fileserver, 1 x Sharepoint), the factors are My client

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Al Mulnick
In that case, then you won't want to make the host a client of itself. Then you would/could run into the island effect. When you get to R2, you'll want to weigh Neil's comments and see how that plays in your environment. Al On 7/13/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Al, This sure

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Almeida Pinto, Jorge de
In the Windows Server System Reference Architecture (WSSRA) Microsoft states: At this time, Microsoft does not support load balanced network teams on domain controllers due to potential data corruption issues (Taken from the Directory Services Blueprint - page 29) -Original Message-

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Deji Akomolafe
Not unless you make Netlogon dependent on DNS in the startup order. That should be a standard practice. Sincerely, Deji Akomolafe Microsoft MVP - Directory Services www.readymaids.com - we know
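The two points above (Netlogon starting before the DNS Server service when a DC points at itself, and making Netlogon depend on DNS to fix that) can be checked and, if wanted, applied with the following script. It is an added example, not code from the thread: it assumes it is run elevated on the DC itself, uses the real Windows service names Netlogon and DNS, and only adds the dependency when the -AddDependency switch is given.

```powershell
# Added example: report a DC's DNS client order and the Netlogon service dependency list,
# and optionally make Netlogon wait for the DNS Server service ("DNS") at startup.
param([switch]$AddDependency)

function Get-DcDnsClientOrder {
    # Every IP-enabled adapter, with the DNS servers it is configured to use, in order.
    $cfgs    = @(Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')
    $selfIPs = @($cfgs | ForEach-Object { $_.IPAddress })
    foreach ($nic in ($cfgs | Where-Object { $_.DNSServerSearchOrder })) {
        $order = @($nic.DNSServerSearchOrder)
        [pscustomobject]@{
            Adapter         = $nic.Description
            DnsOrder        = ($order -join ', ')
            # "Points at itself" covers both 127.0.0.1 and the DC's own interface address.
            PreferredIsSelf = ($order[0] -eq '127.0.0.1' -or $selfIPs -contains $order[0])
        }
    }
}

function Get-NetlogonDependencies {
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
    $value = (Get-ItemProperty -Path $regPath -Name DependOnService -ErrorAction SilentlyContinue).DependOnService
    @($value | Where-Object { $_ })   # drop a null when the value is absent
}

Get-DcDnsClientOrder | Format-Table -AutoSize

$deps = Get-NetlogonDependencies
"Netlogon DependOnService: $($deps -join ', ') (depends on DNS: $($deps -contains 'DNS'))"

if ($AddDependency -and ($deps -notcontains 'DNS')) {
    if (-not (Get-Service -Name DNS -ErrorAction SilentlyContinue)) {
        throw 'DNS Server service is not installed here; not adding the dependency.'
    }
    # Append rather than replace: "sc.exe config Netlogon depend=" would overwrite the
    # existing LanmanWorkstation/LanmanServer entries unless they were repeated on the line.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon' `
        -Name DependOnService -Value ($deps + 'DNS') -Type MultiString
    'Added DNS to Netlogon dependencies; this takes effect at the next boot.'
}
```

After a reboot, `nltest /dsregdns` forces Netlogon to re-register the DC's records immediately, and `dcdiag /test:dns` on the DC reports whether the registrations landed; both are standard Windows tools, not part of the script.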

[ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT
Dear font of all knowledge, I remember reading a thread a while back about changing the value of the 'assistant' field, using ADSIEdit. Somebody's asked me to do this today, so I've given it a go, and copied/pasted the DN from one user to the other's 'assistant' field - but the change doesn't

RE: [ActiveDir] Planning for the future

2006-07-13 Thread Deji Akomolafe
A separate forest for a 30-user environment that may (or may not) be sold at some point in the future? What would that give you -except unneeded complications, over-engineering and heart burns? Just dump the objects into an OU and be done with it. If you end up selling that entity later, you've

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Kevin Brunson
Really the advantage is that the server can not easily get to the spyware to begin with. The list is basically a list of spyware and adware servers on the internet, but the addresses are all pointed at 127.0.0.1. Here's a few lines : 127.0.0.1 007arcadegames.com 127.0.0.1 101com.com 127.0.0.1
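The blocklist-style hosts file described above, and Ken's objection earlier in the thread that spyware on the box can simply rewrite it, suggest two checks: read the file and flag anything that is not a loopback sinkhole (a hijacked entry points a legitimate name at a real address), and keep a hash of the file to notice when it changes. The script below is an added example, not code from the thread; the sample lines are constructed in the style of the excerpt, and the baseline path is an assumption.

```powershell
# Added example: parse a hosts file, separate sinkholed names from real-address mappings,
# and compare the live file's SHA-256 against a stored baseline.
param(
    [string]$HostsPath    = "$env:SystemRoot\System32\drivers\etc\hosts",
    [string]$BaselinePath = "$env:ProgramData\hosts.sha256"   # assumed location
)

$sinkholeAddrs = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsEntries([string[]]$Lines) {
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()      # strip comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }         # address with no name
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name.ToLowerInvariant() }
        }
    }
}

function Test-HostsFile([string[]]$Lines) {
    $entries   = @(Get-HostsEntries $Lines)
    $sinkholed = @($entries | Where-Object { $sinkholeAddrs -contains $_.Address })
    # Any name mapped to a non-loopback address is worth a look: that is what a hijack of
    # an update or AV server name looks like.
    $other = @($entries | Where-Object { $sinkholeAddrs -notcontains $_.Address -and $_.Name -ne 'localhost' })
    $dupes = @($entries | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object { $_.Name })
    [pscustomobject]@{
        Entries     = $entries.Count
        Sinkholed   = $sinkholed.Count
        NonLoopback = $other
        Duplicates  = $dupes
    }
}

# Constructed sample; 203.0.113.9 is a documentation address standing in for an attacker host.
$sample = @'
# blocklist excerpt
127.0.0.1 007arcadegames.com
127.0.0.1 101com.com
0.0.0.0   ads.example.net
# a hijacked entry would look like this:
203.0.113.9 update.example-av.com
'@ -split "`r?`n"

Test-HostsFile $sample | Format-List

# Integrity check of the real file against a baseline hash.
if (Test-Path $HostsPath) {
    $hash = (Get-FileHash -Path $HostsPath -Algorithm SHA256).Hash
    if (Test-Path $BaselinePath) {
        $baseline = (Get-Content $BaselinePath -Raw).Trim()
        if ($hash -ne $baseline) { Write-Warning "hosts file changed since baseline ($hash)" }
        else { 'hosts file matches baseline' }
    } else {
        Set-Content -Path $BaselinePath -Value $hash
        "baseline written to $BaselinePath"
    }
}
```

The hash comparison only helps if the baseline lives somewhere the same process cannot rewrite, so in practice the baseline belongs on the monitoring server rather than next to the file.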

Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-13 Thread AdamT
Never mind - figured it out myself after finding an account with N/A in the field - the correct field is called 'telephoneAssistant', and is a freetext input, rather than a DN. On 13/07/06, AdamT [EMAIL PROTECTED] wrote: Dear font of all knowledge, I remember reading a thread a while back about

[ActiveDir] OT: A Picture is worth a 1000 words... Computer Security Related

2006-07-13 Thread Myrick, Todd (NIH/CC/DCRI) [E]
http://www.ranum.com/security/computer_security/calendar/ Sorry to spam all your inboxes with this, but It is pretty amusing and given the number of security discussions we get in here, I figured it was worth passing on. I wonder if we as a group could come up with ones for AD

RE: [ActiveDir] Planning for the future

2006-07-13 Thread Larry Wahlers
Many thanks, everybody. The big meeting is today at 1:30 CDT. The determining factor, I believe, will probably be cost right now. So, we will probably follow the advice of some folks here and just make them an OU. If they get sold, we'll get the buyers to pay for the migration :) But, of course, I

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Paul Williams
Yes, I can imagine MSFT using that as a get out of jail card as that is specifying NLB teaming and not FT teaming. FT teaming is fine as you're only using one NIC at any given time. --Paul - Original Message - From: Almeida Pinto, Jorge de [EMAIL PROTECTED] To:

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Deji Akomolafe
You prolly have the outdated one, Jorge :) I've written and read materials that speak to MS actively supporting NIC Teaming on DCs. I believe that the latest WSSRA DC Build Guide has NIC Teaming in it. Generally, though, my designs tend to preach simplicity and NIC Team on DC and I fail to

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferr...

2006-07-13 Thread ChuckGaff
Absolutely - you will want the DC to do a DNS query for itself first and then the second DNS entry to the next nearest DNS server. Hopefully you are using AD-integrated zones where possible. Chuck .

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread neil.ruston
I'd rather not make fundamental changes like that - I'd need to spend time testing, which I can better allocate to other tasks :) It's also not a "visible" change and one which may be overlooked and falls into my 'over engineering' bucket. :) neil From: [EMAIL PROTECTED]

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread James_Day
Hi Al I did want to throw in a personal experience I had with W2K3 that validates the "point your DNS server to a replication partner" theory. I did see in one environment where every DC had DNS and the msdcs partition was a forest partition. An unfortunate DNS scavenge was done deleting some of

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Freddy HARTONO
Hi Jorge Aha, does that happen to be a link somewhere on the net that I can reference to? Personally for DC I never find a need for adapter teaming, if the nic dies and I get an alert from the monitoring server that's all good for me - clients should failover elsewhere anyway... So any bullets

Re: [ActiveDir] Acquisition of 2003 Forest - options experiences

2006-07-13 Thread Danny
Thanks everyone for your feedback - much appreciated. I received a quote from Quest, and we are looking at minimum commitment of $40,000 CDN. Still working out the budget, but I think a business decision will be made by management to go the ADMT route. :) Please keep the opinions and experiences

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Kevin Brunson
Don't domain controllers register their SRV records with both primary and secondary DNS? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, July 13, 2006 10:02 AM To: ActiveDir@mail.activedir.org Cc:

[ActiveDir] Loopback Processing Problem

2006-07-13 Thread Piper, Pat
I am hoping someone can help us out with a loopback processing issue we are having. We are trying to add our lab computers to our Active Directory and are going to have our students login using their child domain credentials. All the computers are added as objects to the child domain

Re: [ActiveDir] Acquisition of 2003 Forest - options experiences

2006-07-13 Thread ChuckGaff
The tools are great from Quest - use either the Consolidator tool or the Domain Migration Wizard (DMW) depending on your scenario. The tools are a must for medium to large-scale customers. Chuck

RE: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Darren Mar-Elia
Pat- Have you tried using GPMC's GP Results wizard to ensure that the loopback policy is actually applying to the computers? Also, are you using merge or replace loopback? Darren From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Piper, Pat Sent: Thursday, July 13, 2006 9:48

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Grillenmeier, Guido
note that DNS startup behaviour changes with SP1, which is another reason not to choose the DC itself as the preferred DNS server: with SP1, AD will not allow the DNS service to read any records, until it has successfully replicated with one of its replication partners. This is to avoid false or

RE: [ActiveDir] AD Sites Rename

2006-07-13 Thread Grillenmeier, Guido
not a problem for AD or most apps that use it - potentially an issue with scripts that use hardcoded names. Clients will fail to find their DC that they've last used and will need to do a generic DNS query prior to finding the renamed site again. Usually no big deal. If your DFS root

RE: [ActiveDir] AD Sites Rename

2006-07-13 Thread Brian Desmond
Will be fine unless you have some app hardcoded to them and well it should break so you can demand to have it fixed. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter Sent: Thursday, July

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Brian Desmond
I don’t know anyone who goes in network neighborhood. My last AD gig had 90K windtel devices and 500K users at almost 800 WAN locations – going in nethood was a pretty silly idea… Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

RE: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Kevin Brunson
Make sure that the permissions are set to Apply Group Policy for both the computers AND the student accounts. Otherwise it will not apply the User Settings. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Piper, Pat Sent: Thursday, July 13, 2006 11:48 AM To:

[ActiveDir] Object Auditing

2006-07-13 Thread Clay, Justin (ITS)
Is it possible to audit the creation/deletion and more importantly, the movement of OUs? One of our admins dragged and dropped an entire OU into another OU that had a desktop lockdown GPO linked to it, thereby locking down the PCs of a bunch of important people, and making them very upset.

Re: [ActiveDir] Loopback Processing Problem

2006-07-13 Thread Matt Hargraves
I usually don't like loopback. It's just kinda messy in most situations. But for reference to Darren's question, you might want to look at: http://support.microsoft.com/?id=231287 On 7/13/06, Darren Mar-Elia [EMAIL PROTECTED] wrote: Pat- Have you tried using GPMC's GP Results wizard to ensure

RE: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Almeida Pinto, Jorge de
Hi, I'm not saying that teaming should not be used... I'm saying that teaming in load balancing mode should not be used as MS does not support it. Teaming in fault tolerance mode can be used for this. More info can be found here:
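The distinction the thread keeps coming back to, a fault-tolerance-only team (one NIC carrying traffic, the other idle until it fails) versus a load-balanced team, is something an auditor of a DC estate wants to check rather than take on trust. The script below is an added example, not code from the thread, and assumes the built-in LBFO teaming of Windows Server 2012 and later (the NetLbfo cmdlets); the 2006 discussion predates that and used vendor teaming drivers, whose modes would have to be read from the vendor tool instead. The team name DC-Team and adapter names NIC1/NIC2 are assumptions.

```powershell
# Added example: classify each LBFO team on this server as fault-tolerance-only (one active
# member plus a standby) or load balanced, and optionally build an active/standby team.
param(
    [switch]$Create,
    [string]$TeamName  = 'DC-Team',           # assumed
    [string[]]$Members = @('NIC1', 'NIC2')    # assumed adapter names
)

function Get-TeamMode {
    foreach ($team in Get-NetLbfoTeam) {
        $members = @(Get-NetLbfoTeamMember -Team $team.Name)
        $active  = @($members | Where-Object { $_.AdministrativeMode -eq 'Active' })
        $standby = @($members | Where-Object { $_.AdministrativeMode -eq 'Standby' })
        [pscustomobject]@{
            Team               = $team.Name
            TeamingMode        = $team.TeamingMode
            LoadBalancing      = $team.LoadBalancingAlgorithm
            Active             = ($active.Name -join ',')
            Standby            = ($standby.Name -join ',')
            # Exactly one member carries traffic and the rest wait: the FT-only setup.
            FaultToleranceOnly = ($active.Count -eq 1 -and $standby.Count -ge 1)
        }
    }
}

if ($Create) {
    if ($Members.Count -ne 2) { throw 'LBFO allows one standby member; pass exactly two adapters.' }
    # A standby member is only permitted in switch-independent mode, which is also what lets
    # the two NICs sit on different switches, as Paul describes above.
    New-NetLbfoTeam -Name $TeamName -TeamMembers $Members -TeamingMode SwitchIndependent -Confirm:$false | Out-Null
    Set-NetLbfoTeamMember -Name $Members[1] -AdministrativeMode Standby -Confirm:$false
}

Get-TeamMode | Format-Table -AutoSize
```

A team with two active members and no standby is load balancing regardless of the algorithm shown, which is the case the WSSRA quote above is about; the FaultToleranceOnly column makes that visible at a glance across a fleet when the script is run through Invoke-Command.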

RE: [ActiveDir] Object Auditing

2006-07-13 Thread Grillenmeier, Guido
I'd have to check out myself if an OU move is possible to audit with the built-in auditing events - I'm pretty sure though it is possible with AD specific auditing software such as NetPro's ChangeAuditor AD and Quest's Intrust for AD. you may also want to disable drag & drop in your forest,

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Al Mulnick
See how quickly thinking changes? :) I almost think this is a better reason not to have AD-integrated DNS. Shall have to ponder a bit more, but I detest the idea of a DNS server being a client to a peer name res server. I'm still inclined to continue to use the self-as-primary deployment. I

[ActiveDir] Log On To...

2006-07-13 Thread Timothy Foster
On the Account tab of the User Properties window in ADUC there is a 'Log On To...' button which - I thought - limited the user's ability to logon to only workstations specified. I applied restrictions to an account in our domain and they did not work. In other words, the restricted account

RE: [ActiveDir] Object Auditing

2006-07-13 Thread Myrick, Todd (NIH/CC/DCRI) [E]
Your best bet to learn how to audit changes is to stand up a virtual AD, turn on Directory auditing, and make the changes you would like to track to see what event ID and messages are generated. Then you can use Microsoft's EventCombMT tool to search your DCs for the information. We use the

RE: [ActiveDir] Log On To...

2006-07-13 Thread Lucas, Bryan
We use this setting heavily for certain classes of users and it works great. We do exactly what you're saying, only put the workstations they should use in the list and it does restrict them from logging in elsewhere. Maybe replication is your culprit? From: [EMAIL PROTECTED]

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-13 Thread Victor W.
Great input, it's really getting more and more interesting, I'm glad I raised the question. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday 13 July 2006 21:32 To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Always point a DC with DNS

RE: [ActiveDir] Log On To...

2006-07-13 Thread WATSON, BEN
I can't think of a group policy that would override this. Is it possible that when you checked the user account after you had made the changes that you hadn't waited for the replication to take place? You may have made the changes on DC1, and when the user account attempted to log in, it may
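Both replies above suspect replication lag: the change was made on one DC and the logon was validated by another that had not received it yet. The "Log On To..." list is the userWorkstations attribute, so the quickest way to confirm or rule that out is to read it from every DC directly, which the added example below does (not code from the thread; it assumes the ActiveDirectory module and uses jdoe as a placeholder account name).

```powershell
# Added example: read the "Log On To..." list (userWorkstations) for one account from each DC,
# so a DC that still returns the old value stands out.
param([string]$SamAccountName = 'jdoe')   # placeholder

Import-Module ActiveDirectory

function Get-LogonWorkstationsPerDC([string]$User) {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # -Server pins the read to one DC instead of whichever one the module picked.
            $u = Get-ADUser -Identity $User -Server $dc -Properties userWorkstations
            [pscustomobject]@{
                DC           = $dc
                # Comma-separated NetBIOS names; empty means no restriction on that DC's copy.
                Workstations = $u.userWorkstations
            }
        } catch {
            [pscustomobject]@{ DC = $dc; Workstations = "ERROR: $($_.Exception.Message)" }
        }
    }
}

$rows = @(Get-LogonWorkstationsPerDC -User $SamAccountName)
$rows | Format-Table -AutoSize
if (@($rows.Workstations | Select-Object -Unique).Count -gt 1) {
    Write-Warning "DCs disagree on userWorkstations for $SamAccountName; replication has not converged yet."
}
```

If the DCs do agree and the restriction is still not enforced, `repadmin /showobjmeta <dc> <userDN>` shows when and from where the attribute was last written, which separates "never replicated" from "overwritten again afterwards".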

RE: [ActiveDir] Moving a Certificate Authority

2006-07-13 Thread WATSON, BEN
I am at a complete loss here as to what to do to resolve this issue. Domain has been upgraded from 2000 to 2003 and the stand-alone CA has been moved from a very old Windows 2000 server to a new Windows 2000 server with the same name. It was at this point that clients became unable to

Re: [ActiveDir] Object Auditing

2006-07-13 Thread Matt Hargraves
Well, you could always ACL your AD better and make it where only a small number (2 or 3 accounts) of users can make AD organizational changes. Moving, creating and deleting OUs isn't necessary that often to where it's really all that necessary of a right for most admins. I think that in our

Re: [ActiveDir] Moving a Certificate Authority

2006-07-13 Thread steve patrick
Please run "certutil -ds cert-ds.txt" and send us (or me) the text file. steve - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Thursday, July 13, 2006 1:42 PM Subject: RE: [ActiveDir] Moving a Certificate Authority

Re: [ActiveDir] Acquisition of 2003 Forest - options experiences

2006-07-13 Thread Al Mulnick
IIRC, the migration from citrix to your forest should be quite interesting. Better bet might be to create a new deployment of citrix in your target (if that's the way you intend to go) and as the new users get migrated you put them into the new environment. That gives the advantage of having a

[ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
We just demoted a W2K DC in our primary site. The demotion was successful and the NTDS object associated with the DC was removed from AD Sites & Services. In our only other site, the one domain controller is reporting replication problems. Replmon

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Steve Linehan
From that machine can you run and post the output of repadmin /showreps /v ? Is the affected server Windows 2000 or Windows Server 2003 and what SP levels? I assume you also did not set any preferred bridgehead settings? You could also use

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Tony Murray
Are the DNS client settings on the DC in the remaining site maybe pointing to the old DC? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin Sent: Friday, 14 July 2006 12:35 p.m. To: ActiveDir@mail.activedir.org

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
The DNS settings are pointing to active DNS servers. A coworker has researched the issue and found that the KCC could take two hours to fix the replication link. We have about a half hour to go to see if this is the case. Thanks for the reply.

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Riley, Devin
A coworker has researched the issue and found that the KCC could take two hours to fix the replication link. We have about a half hour to go to see if this is the case. So I think your idea of letting it bake a little while longer may do the

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-13 Thread Brian Desmond
You can run repadmin /kcc to force the KCC Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Riley, Devin Sent: Thursday, July 13, 2006 8:19 PM To:

[ActiveDir] Forest trust - domain drop down list

2006-07-13 Thread Tony Murray
Here's the scenario Forest trust between ForestA and ForestB. ForestA has two domains DomA1 (placeholder root) and DomA2 ForestB has one domain DomB Users from DomA2 sometimes log into DomB member machines. DomA2 is not shown in the drop-down list of domain names in the login dialog. DomA1 is

Re: [ActiveDir] Multihomed Domain Controllers

2006-07-13 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
cough Since ...uh.. you know ..me.. and uh... well... I hang in the 'hood at times..what can I say? Honestly in the 2k3/XP era I can't say I have browse master issues anyway... Brian Desmond wrote: *I don’t know anyone who goes in network neighborhood. My last AD gig had 90K windtel devices