Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Paul Williams
I can't see how you can get a duplicate NDNC as the creation of such objects is targeted at the DN master. The DN master will check the existing crossRefs and stop this happening, as we can't rely on the DS stopping it as the RDN is different for each NDNC (unless they've used well-known GUIDs

Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-14 Thread AdamT
Just looking further into this, it seems telephoneAssistant and secretary are the fields that appear in Outlook - both of which are free text input. It begs the question of what the DN field of 'assistant' actually does. Surely if it is expecting a distinguished name, it must be used for

RE: [ActiveDir] Forest trust - domain drop down list

2006-07-14 Thread Grillenmeier, Guido
yes Tony, this is standard behaviour - you'll only see domains that are directly trusted. Trust type doesn't matter. Even though a forest trust will be transitive to all child domains by default, you'll have to use UPN to authenticate to a child domain. Which is another reason why empty

[ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Bernier, Brandon (.)
We need to delegate an ADAM Group the ability to change any other ADAM Users pwdLastSet to 0 under a certain OU. This way we can force ADAM Users to change their password if they meet specific criteria. So we add an ACE to the parent OU where the ADAM Users live for

RE: [ActiveDir] Forest trust - domain drop down list

2006-07-14 Thread Laura A. Robinson
Or you could just get users accustomed to using UPNs for logon and avoid the problem. :-) Laura -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Friday, July 14, 2006 10:42 AM To: ActiveDir@mail.activedir.org Subject:

Re: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Joe Kaplan
Are you sure you want to do this? My experience with setting pwdLastSet to 0 in AD is that doing that will break the ability to do an LDAP bind for the user, so they can't do an LDAP change password operation. This would be a problem for ADAM users if the same behavior applies

Re: [ActiveDir] ADSIEdit, Exchange and Assistants

2006-07-14 Thread Joe Kaplan
This is an interesting question. I'm going to posit a guess that the assistant field comes from a standard schema definition and is included in AD as a result of that. The DN field has many advantages, in that it is rename/move-safe, etc. One other interesting point about this attribute is

RE: [ActiveDir] Forest trust - domain drop down list

2006-07-14 Thread Steve Linehan
If the client is modern, Windows XP SP1 or later, then you can type domain\username in the username field and it will crack it as well just in case your users do not want to type their UPN or it is too long. :-) Thanks, -Steve -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
I'd have to do some more digging as to *why* the duplicate app-partitions were created, but I've had to troubleshoot this prior to SP1. This was during a global Win2003 DC rollout - we used the IFM feature to rollout the DCs. But prior to SP1 you couldn't add the application partitions to the

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread WATSON, BEN
Here is the output file cert-ds.txt as requested. To me, everything appears proper, but perhaps you might be able to glean more information from it than I can. Thanks Steve. ~Ben From: [EMAIL PROTECTED] on behalf of steve patrick Sent: Thu 7/13/2006 4:41 PM To:

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-14 Thread Abouelnasr, Jerry
That's good to know Brian. The information that we came across and thought might be relevant is posted below for anyone who may find it of value.

RE: [ActiveDir] Replication Problem After DC Demotion

2006-07-14 Thread Jason_Centenni
Return Receipt Your RE: [ActiveDir] Replication Problem After DC Demotion document:

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread Laura A. Robinson
I've not looked at the log, but you can't just move a CA to another machine with the same name. You have to back up the old CA's keys and database and install Certificate Services on the new machine, performing an advanced setup and telling it that you have an existing key to use for the

RE: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Bernier, Brandon (.)
I don't want to do this. One of the directories we are moving in is coming from iPlanet and you can do whatever you want there. That team has asked us to look into ramifications using pwdLastSet and from testing and your input, it's a bad idea. Basically we just need to expire someones password,

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Al Mulnick
Guido, have you checked this lately? I know there were several changes to that behavior in several revs IIRC. The problems you describe were better than a challenge, as I recall. They had a tendency to wreak havoc with integrated dns zones when a dc would come up and create a new zone and then

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread Laura A. Robinson
Ah, gotcha. Quick question, then- have you tried backing up the keys and certs again, then uninstalling and reinstalling certificate services on the machine? Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, July 14, 2006 1:30

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread Laura A. Robinson
 Also, one last item- you said that this is a standalone CA, correct? (sorry for missing your first e-mails; I didn't read far enough down. I blame ADD.) Standalone CAs don't use or store information in AD; enterprise CAs do. If you're trying to obtain certificates from a standalone CA via

Re: [ActiveDir] ADAM pwdLastSet

2006-07-14 Thread Joe Kaplan
This is sort of a hard problem. If our investigations regarding the behavior of pwdLastSet are true in ADAM, then you don't really have a reasonable way of forcing a password change or expiring it outside of the defined policy. I still haven't had a chance to test it today. :) What you

RE: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread Laura A. Robinson
 Okay, skimming back to your original mail, I suspect that you did not have a standalone CA in the first place, which may be the cause of your problem. You probably should try reinstalling the CA as an enterprise CA and see if your problems clear up. Sorry for the multiple responses; I'm

Re: [ActiveDir] Moving a Certificate Authority

2006-07-14 Thread steve patrick
 - Original Message - From: WATSON, BEN To: ActiveDir@mail.activedir.org Sent: Friday, July 14, 2006 10:29 AM Subject: RE: [ActiveDir] Moving a Certificate Authority Hi Laura, Indeed, I have moved the CA to a new server of the same name using

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
there was no need to check on this issue again - with SP1 it doesn't happen ;-) I'm sure there were several pre-SP1 fixes targeted at this issue and were then integrated into SP1. but rgd. the startup behaviour of DNS in SP1, I'm rather sure that's unchanged at this point. Would be happy

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Steve Linehan
I believe I covered most of this on a previous posting to ActiveDir but here are all of the details into what change was made and why: First of all the change that was made requires that an Initial Sync is completed before DNS will load the zones. This change was made after a customer

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
just found the description of the error and the pre-SP1 hotfix to the duplicate DNS app-partitions issue: http://support.microsoft.com/kb/836534/en-us From: Grillenmeier, Guido Sent: Freitag, 14. Juli 2006 20:34 To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Always point a DC

Re: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Al Mulnick
Yeah, that looks a lot more familiar now. I recall working with several of the hotfixes for a similar issue. Thanks Guido and Steve for taking the time and Steve for suggesting to the owners that recommendations get updated. As I've mentioned before, the thinking changes but I'd still prefer

RE: [ActiveDir] Always point a DC with DNS installed to itself as the preferred DNS server...always?

2006-07-14 Thread Grillenmeier, Guido
thanks for the additional information Steve - I would also be interested to hear the official recommendation rgd. DNS configuration on DCs in Win2003 SP1/SP2 and Longhorn. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Friday, July 14, 2006 8:41

[ActiveDir] Group Policy won't rerun

2006-07-14 Thread Stu Packett
I'm new to group policy and this is my first group policy with software installation. I have successfully created 2 msi files and placed them in a group policy. Earlier in the week, I was able to install the msi files via group policy on a test laptop. I then

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Kevin Brunson
Are you seeing any errors in the event log? If you right-click on the Software Package, there is an option to Redeploy the application. You may want to try that. Kevin From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Kevin Brunson
By the way, the errors would be in the Application log on the client, not the server. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett Sent: Friday, July 14, 2006 5:17 PM To: ActiveDir@mail.activedir.org Subject:

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Darren Mar-Elia
Stu- When you uninstalled, did you do it through GP or by removing from Add/Remove Programs? If the latter, then that is your problem. Doing that leaves metadata in the registry related to the GP-deployed app that the Software Installation CSE is probably

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Stu Packett
I uninstalled via Add/Remove Programs. I thought that doing it that way would lead to problems, so I have ghosted the laptop and kept the same computer name. Is there anything lingering in AD that could be causing the same effect? From: [EMAIL PROTECTED]

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Darren Mar-Elia
Nope. It's all client side stuff. Nothing is tracked in AD or SYSVOL as far as which machines got which apps. Darren Darren Mar-Elia For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO tips, video training,

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Laura A. Robinson
No, but if you ghosted the laptop after you uninstalled via Add/Remove programs, you ghosted the registry entries that are keeping it from reinstalling. Laura From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Stu Packett Sent:

RE: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread Stu Packett
Is there anything else I should try to get this going? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, July 14, 2006 4:22 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Policy won't rerun Nope.

Re: [ActiveDir] Group Policy won't rerun

2006-07-14 Thread steve patrick
a few random ideas - not having any idea where the problem really lies... You can gather some basic app deployment extension logs - see q249621 You can make sure you check the event logs for any related userenv \ related errors You can enable MSI logging ( if