hehe, yep I've seen that (the difference of the Schema.ini
files; i.e. missing entry for the tombstonelifetime property) but didn't think
too much of it because for now I've only had to handle upgrading from Win2000 or
2003 to R2 where the Schema.ini doesn't play a role. It is "only" used to
Brian,
That was a good story, very funny. So what did the guy do? Did he just get up and leave?
I know from reading your posts you are usually straight and to the point. I would be sweating if I had to interview with you.
Going off course a bit. What are some types of AD questions that you all
Oh usually folks stumble all over and give me some bs about how
they're a committed team player. I've had that exchange three or four times
interviewing people for this one project.
Metadata cleanup is a midlevel question.
Senior level questions I like quizzing people a bit more
Just a few thoughts to add since so many others already have given you great answers:
- I've heard that any changes to a network which has production status in a clinic, pharma-manufacturer or supplier will endanger FDA-approval
- I know that many clinical devices are specialized
A senior guy IMO should be more focused on "design" aspects
than "support" and thus should be able to answer questions along the line
of:
"How would you design a schema change process,
encompassing initial request through to implementation."
The answer to the above should help determine
the "look it up in a book" or (preferably!) "look it up on
the MS web site" is not a bad answer - as Joe said, people can't know everything
but should be able to find it out.
Given that, I'd be tempted to give them access to the
internet and then ask some questions which need both factual
I suppose there are several roles
that senior people could hold: some are managerial, some are architectural, and
some are deeply technical (i.e. high level support). Architects, in that taxonomy,
would do design work. Whereas a PSS engineer would probably spend more time
with a debugger
All
Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
options is grayed out here and I don't know how to do
I would say it was probably quite low relatively. Quite low is the norm for
AD logs and by that it is usually barely registering compared to what you
were doing the Log drive would have been hopping. I recall when you were
IM'ing about it you mentioned the Log drive IOPS and I was like wow, I
This all started due to bad documentation on
http://technet2.microsoft.com/WindowsServer/en/library/f3df8a52-81ea-4a1d-9823-4e51fbd3422a1033.mspx?mfr=true
which states
Note the value in the Value column. If the value is not
set, the default value is in effect as follows:
Beautiful, this is bug week
There are actually two bugs here.
1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).
2. When you try to work around it and specify the actual object types to
inline
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, July 24, 2006 16:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?
Thanks for this joe. That doc is more than bad - it's
plain
I have to laugh. This thread is starting to sound like the six blind men describing an elephant.
As was mentioned, it is very hard to find somebody who can do the high-level design at all 8 layers, manage a staff of people, and still fit that into a 23 hour day. If you find one, keep him or her.
I think Matt had some really good advice in terms of figuring out what your needs are prior to coming up with a back plan. As I'm fond of pointing out, backups are worthless, but restores are worth their weight in insert precious metal here. It's very important that you know what you need, what
1. Yes
2. Yes
3. Yes, but this doesn't impact this issue because that
assumes a pre-R2 forest. This issue is strictly with a forest initially built
from an R2 machine.
4. Nope and Nope. The TSL will not revert in an existing
forest, MSFT doesn't touch the existing value in a forest. The only
just to be clear:
step 3 (R2 adprep) is NOT needed at all if you build a new
forest - you're not doing an upgrade here.
Whenever you do an upgrade, you do NOT change the
TSL.
The documentation is wrong as the TSL is always the
hardcoded value of 60, if the value is "not set". If you've
I dunno about you guys but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attribs of certain
objects. (e.g. when you configure an attribute as confidential and
need to allow certain
Hello, colleagues,
Our HR department wants everybody's IE home page reset to our intranet
home page. I presume the way to do this is via GPO, and apply it only to
the users' OU.
Are there any issues (other than political ones, of course) with doing
this?
(Just an aside: We're back to work
LOL. I'd say it's more like watching 6 people describe a
"wibble", where none of them has been told what a "wibble" actually is
:)
As per most responses here (or at least what we *should*
respond with) - "it depends".
I'd still argue that there's little value in asking very
specific in
I will absolutely let you know of all the gory
details. I sure hope I don't get an $%^$£! for a boss.
;-)
Cheers
P.S. Anyone want a job? ;0)
--- Al Mulnick [EMAIL PROTECTED] wrote:
I have to laugh. This thread is starting to sound
like the six blind men
describing an elephant.
As was
Byron,
I thought you might find this a good read. It's an e-mail from Joe
Richards (author of the Active Directory O'Reilly book). He's
talking about why a tech lead (architect here at AppSig) should definitely be a
separate role from an actual manager.
Much
like I would rather hit
Hi Steve
Interesting findings. Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.
I have shown the d2 output below but also see the following:
1. Clear the DNS cache on DC
2. Submit query for server1.nyc.test.com - success
3. Explicitly delete the record
Well, that was a forwarded e-mail gone
wrong. Just ignore my inability to properly replace the TO field with the
appropriate e-mail address. :(
From: WATSON, BEN
Sent: Monday, July 24, 2006 8:43 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] OT: Interview
thanks horhay :)
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: 24 July 2006 15:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?
inline
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
crap, incomplete answer. thanks guido.
correct, my answer for (3) should have been (in addition to
what guido said):
* YES, but only when upgrading (from either W2K,
W2K3/W2K3SP1) AND R2 functionality is needed that requires the schema extension
(DFS-R, Printer Connections through GPOs,
This IE setting can be applied via policy mode or preferences mode.
Policy mode is what you normally think of when configuring GPO settings in
that it'll be reset if a user ever changes it. Preferences mode only
changes the initial value but allows the user to change it afterwards if
they like
My labs are set up so that way. Users can add as many links as they care
to, but at 3:00AM every morning the labs reboot all their links will
be gone except the links specified with GPO.
-Z.V.
Larry Wahlers wrote:
Hello, colleagues,
Our HR department wants everybody's IE home page reset
I have done this in the past and the only issue I am aware of is users not liking your choice of home page!
User Configuration\Windows Settings\Internet Explorer Maintenance\URLs
Tim
Date: Mon, 24 Jul 2006 10:33:41 -0500
From: [EMAIL PROTECTED]
Subject: [ActiveDir] Reset home page via
Larry-
Yes, you can do this with IE maintenance policy (User Configuration\Windows
Settings\IE Maintenance). Let us know if this causes you any issues.
Darren
Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com -- the best source for GPO FAQs, video
Forgive the reply to my own email. I purposely
prevented typing a word that rhymes with bassdole
below, but my reply with contents included someone
else using the same word in its original format! And
I've just been sent an email from the nice postmaster
at sx3 and the administrator at yahoo that I
We do it without issues. Only in case you have a large number of
users, it can give a load on your intranet of course (each time IE is
opened, hitting your intranet).
I see most companies implementing that GPO. Not always that funny, but
you get used to it... :-)
Regards,
Bart
On 7/24/06, Larry
Yes the tools are not quite what they could be. A lot of this is based on
the complexity of the subject. The model is quite cool but it is also quite
complex and getting more so. Look at the confidential attribute hack and the
extended rights for protecting userAccountControl (Update Password Not
And Joseph.
-Original Message-
From: [EMAIL PROTECTED]
Date: Mon, 24 Jul 2006 16:54:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have you built an R2 Forest?
thanks horhay :)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida
I am LDAP-challenged.
We have an application that appears to be performing LDAP
authentication to a Domain Controller at a remote location vs. the local DC.
Is there a comprehensive site for coming up to speed on
LDAP, how it's used, how to adjust its performance, etc?
Is
Does it pay well with good bene's?
While I have a nice job now, I always look at available opportunities. :)
Don't have Brian interview me though, I expect I would come up short and I
would have to show how much I like the phrases "it depends" and "I don't
know. I have no doubt that Brian could
Joe
joe I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object but the principle is the same I guess. The only
thing is
This is similar to the problem that we had seen before with caching and
TTLs and I believe may be addressed by this fix:
http://support.microsoft.com/kb/903720/en-us. You could confirm it by
disabling the cache but your performance will suffer. It has been a
while since I actually looked at this
The only true way to be sure you don't get one of those for a boss is to not invite me to interview for it ;)
On 7/24/06, Mudha Godasa [EMAIL PROTECTED] wrote:
I will absolutely let you know of all the gory details. I sure hope I don't get an $%^$£! for a boss.
;-)
Cheers
P.S. Anyone want a job?
shit I need to submit a bug fix for that! ;-)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile :
a justice! ;-)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile : +31-(0)6-26.26.62.80
* E-mail :
Yeah but see when I focus in on the areas you're weak in you could still talk
your way out of it instead of making up some goofy ass bs that I have to write
down when I get off the phone and file in my resumes and interviews folder.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
Now Al, have you been making your employees drop and give you 20
again? Really, I thought we'd talked about that? ;-)
- Laura
On 7/24/06, Al Mulnick [EMAIL PROTECTED] wrote:
The only true way to be sure you don't get one of those for a boss is to not
invite me to interview for it ;)
On
Thanks, everybody, for your replies. I thought it would work fine with
no technical issues (political ones are inevitable, of course).
Meanwhile, David Adner wrote:
This IE setting can be applied via policy mode or
preferences mode.
Policy mode is what you normally think of when configuring
Couple of things to get you started down the right path:
1) ldap is not an authentication protocol. Remember that as there will be a test later.
2) NTDSUTIL is not the tool to test with. LDP.EXE or one of the joeware tools might be better. There are several freeware tools that are also out
That's the point, but they will get used to it. It's like implementing
strong password policy in an environment which doesn't have it yet.
First there will be complaints, but after a while they stop nagging
and just follow the flow :-)
Bart
On 7/24/06, Tim Foster [EMAIL PROTECTED] wrote:
I
I should have answered my own post, my
apologies for being slack.
The symptoms were slow application launch on
the first occurrence, faster the 2nd and subsequent launches.
We solved the problem in the low-tech
method. LMHOSTS to direct use of the local DCs.
Thanks for the
Settle down princess
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
_
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 24, 2006 3:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
Yeah from your initial description I am guessing you
specified your domain name for host. If you do that, depending on the underlying
code for the resolution to a specific domain controller you can get ANY DC in
the forest. This is a very common issue with folks using LDAP libraries that
Yeah what I was doing was setting a FC ACE for connection objects only. If
you want to cover multiple objects for this you would need to specify
multiple objectclasses which would result in multiple ACEs which is not a
good option. Which means, use a different tool as the bugs in the current
you're getting slow joe? it took you about an hour! ;-)
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
( Tel : +31-(0)40-29.57.777
( Mobile :
Thanks for your take on it, Joe. I'm finding the same thing when it comes to
the ideology. It's not baked in very well yet... so trying to make a judgment
on strategy is a bit difficult. :) I think I'll start looking down what
Microsoft offers... problem is I'm not even sure what the
We built a DFS Root on a windows 2000 domain controller and
the root of the share has Everyone Full Control. E.g. if I go to
\\domain.com, right click on the dfs root's
properties, the security tab.
Can I simply take FC away? I'm a bit hesitant because
it lives on the DC and came this way
I have never had any problems caused by
changing permissions on a DFS root. One thing to consider before you move too
far down the road of configuration though is if you really want to invest in a
2000 DFS structure when the 2003 R2 DFS structure is so much more robust and
reliable. I have
Re Access System Security checkbox. We removed it from the latest
versions of ldp.exe because it does not do what you want. Even if you
grant this right to some principal, he will still be unable to read or
tweak the SACLs. The only way to be able to do this is to grant
SE_ACCESS_SYSTEM_SECURITY
Look here:
http://technet2.microsoft.com/WindowsServer/en/library/1f105ee4-b025-478c-a03e-77fcd91a64e41033.mspx?mfr=true
-Original Message-
This IE setting can be applied via policy mode or preferences
mode.
Policy mode is what you normally think of when configuring GPO
Not working today, just running around doing errands and popping in and
looking at email occasionally. The rest of the week I will probably be even
slower. I decided to take the week off and get caught up on things that I
have been putting off.
--
O'Reilly Active Directory Third Edition -
Does anybody have
recommendations for what attribute to store a user's mail run in? I'm
looking for something that shows up in the GAL but I'm drawing a blank.
Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
Al is correct. There is no QFE number at this
point.
The first step would be to present a solid business case
and then Microsoft would officially review it and determine if a QFE which would
mean an official back port makes sense. A QFE is an official release and takes
some work to get