RE: [ActiveDir] I'm Baaaaaaack!

2006-09-22 Thread Almeida Pinto, Jorge de
I do.. ;-) See anything "random" here: Dèjì RANDOM Akómöláfé? Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP Windows Server- Directory Services LogicaCMG Nederland B.V. (BU RTINC Eindhoven) (Tel : +31-(0)40-29.57.777 (Mobile:

RE: [ActiveDir] Urgent DFS Configuration

2006-09-22 Thread Almeida Pinto, Jorge de
A stand-alone root cannot have more than 1 root server (unless on a cluster). Only a domain-based root can have more than one root server; that is why I ask the Q below. Met vriendelijke groeten / Kind regards, Ing. Jorge de Almeida Pinto Senior Infrastructure Consultant MVP

RE: [ActiveDir] SID History.

2006-09-22 Thread neil.ruston
Matt, When you logon, you are 'given' a token which includes a list of groups (group SIDs actually) to which you have membership. This list includes groups you are directly a member of, groups you have membership of via nesting but also groups you have membership of via SIDhistory. When

[ActiveDir] LDAP query assistance

2006-09-22 Thread Amanda Rose
Hello! I work in a small company where we have need of some LDAP query assistance to identify a group of users out of AD. We only have basic LDAP knowledge in house and our query is not finding what we need. I would really appreciate any assistance you could lend to the following: We

Re: [ActiveDir] LDAP query assistance

2006-09-22 Thread Paul Williams
Something like this, against a GC: (|(&(objectCategory=person)(memberOf=dn of group 01))(&(objectCategory=person)(memberOf=dn of group 02))(&(objectCategory=person)(memberOf=dn of group 03))) You can also do it the way you want using ASQ if you don't mind DN as the output. Here's an

RE: [ActiveDir] How are folks setting hidden user attribs?

2006-09-22 Thread Krum, Eric L.
Alex, The AF is using NetIQ's DRA as the GUI to create and maintain accounts in AD. Have created custom screens that expose those attributes and several others used to support CAC login. Eric From: [EMAIL PROTECTED] on behalf of Alex Fontana Sent: Thu 9/21/2006 3:03 AM To:

RE: [ActiveDir] Urgent DFS Configuration

2006-09-22 Thread Steve Rochford
Slightly hijacking the thread, if I have a 2003 DFS with replication running and would like to make it 2003 R2 DFSR can I: Upgrade to 2003 R2; Magically convert from DFS to DFSR? If so, is there a guide anywhere to what to do? Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On

Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Al Mulnick
There's an additional reason you would want those addresses: replies to email will work with that address stamped on there. There was a blog entry last year related to x.500 addresses and their usage on you had me at ehlo or something like that. I haven't used the IIFP, but I would expect to have

Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Tomasz Onyszko
Al Mulnick wrote: There's an additional reason you would want those addresses: replies to email will work with that address stamped on there. There was a blog entry last year related to x.500 addresses and their usage on you had me at ehlo or something like that. Yes, that's the case - if

Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Al Mulnick
That's it. Wow, how time flies. On 9/22/06, Tomasz Onyszko [EMAIL PROTECTED] wrote: Al Mulnick wrote: There's an additional reason you would want those addresses: replies to email will work with that address stamped on there. There was a blog entry last year related to x.500 addresses and their

Re: [ActiveDir] Assign User rights overs computers with AD

2006-09-22 Thread Al Mulnick
Separate Trees? That seems a little excessive. Or are we just mixing terms? On 9/21/06, Dave Wade [EMAIL PROTECTED] wrote: I prefer to keep them in separate trees. In fact we are just doing that at present... From: [EMAIL PROTECTED] on behalf of Alberto Oviedo Sent:

[ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-09-22 Thread victor-w
A question came up whether or not a reboot is really necessary after a DC has been made GC and Exchange would need to use this GC. I have worked in a pretty large environment (at least to my standards :- )) where DCs did not get rebooted after having been made GCs. The AD admins simply

RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-09-22 Thread joe
This is no longer necessary with current revs of AD. It was necessary previously to get the NSPI functionality to fire up. Now it does that automagically. -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED]

Re: [ActiveDir] Search Mailbox

2006-09-22 Thread Albert Duro
chiming in late here, but just want to second Larry's Exmerge motion. As far as I know it's the only native way to find a message, but by subject only. I think it may also be possible to turn on full SMTP logging and do a text search of the logs, but I'm not sure about that, and it would be

RE: [ActiveDir] LDAP query assistance

2006-09-22 Thread joe
This unfortunately isn't going to work... 1. Global group membership is not maintained in the GC. Depending on the domain the GC you query hosts, your results will vary. If you hit a parent DC GC then you will see memberships for the parent (and Unis). If you hit a child DC GC, then you

Re: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-09-22 Thread victor-w
Yeah, I thought so, thanks for the info. The damn thing is that Exchange still throws event 9176: Event ID 9176 from MSExchangeSA occurred 1 times (NSPI Proxy can contact Global Catalog servername but it does not support the NSPI service. After a Domain Controller is promoted to a Global

[ActiveDir] FileSharing Issue

2006-09-22 Thread Za Vue
Got a strange issue this morning: Env: Windows 2003 AD Clients: All XP w/sp 2 1) Machine A maps fine to all local wkstn and servers on its domain (Domain A) (firewall service disabled) 2) Other machines (diff subnet but same domain) mapped fine to machine A 3) Machine A cannot map to server

[ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Ramon Linan
Hi, I have an application that uses LDAP to authenticate (authenticates against AD). In my AD I have a domain and subdomain or child domain. I assume that both domain and subdomain uses the same LDAP, right? Also, if the application is using a user from the subdomain to query the LDAP, what

Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Al Mulnick
sub-domain query base: dc=subdomain,dc=domain,dc=com; domain query base: dc=domain,dc=com. When the search is initiated, it will start looking at the query base and, if so configured, everything below it (subtree search). In your case, that won't likely happen depending on how you configured it. If

Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Joe Kaplan
You might have them try to work with the GC. You should be able to authenticate and find users from any domain via the GC. I think Joe Richards might also suggest that the vendor learn what they are doing and either integrate with AD the right way or don't claim they can. I'll bet they need

RE: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Tony Murray
Thanks both of you. I understand the concept of X.500 addresses being useful for maintaining the ability to reply to senders whose mailbox has moved elsewhere. It doesn't explain why: A) they are required for the IIFP. At a basic level I can manually emulate the GAL sync behaviour by creating a

[ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread WATSON, BEN
Our forest is currently experiencing some replication issues. The common error we have been receiving has revolved around a single object. To summarize, how do you permanently delete Active Directory objects? More specifically, how do you remove an object that is already tombstoned? Here is why

Re: [ActiveDir] [OT] IIFP GAL Sync: X.500 Addresses

2006-09-22 Thread Al Mulnick
Of course you know that stuff with addressing. I'm certainly interested in hearing what you hear from them, but I have to admit I completely expected the IIFP to do that work. Its intended purpose is to join Exchange orgs in the first place and I'd totally expect to have the addresses put in by

RE: RE: [ActiveDir] OT: Exchange in environment - reboot necessary after a DC has been made a GC

2006-09-22 Thread joe
What is the rev of the DC? Using RPC Dump do you see MS NT Directory NSP Interface interfaces listed? joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL

Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Al Mulnick
I won't put words in his mouth either, but I'll certainly say the same thing. I had to hold back a shudder when I responded earlier 'cause ldap and authentication might be ok in the same paragraph, but never in the same sentence (except to point out that it should not be in the same sentence :)

Re: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread Al Mulnick
After you fix the domain controller problem what do you see? You should not remove the item manually at this point because you seem to have a problem with that domain controller. Check the logs and correct what you see. If that doesn't help, then have a look at dcdiag /v output. Repadmin should

RE: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread joe
The first thing I would say and I am shocked Al didn't say is LDAP IS NOT AN AUTHENTICATION PROTOCOL For the managers and vendors let me repeat ;o) LDAP IS NOT AN AUTHENTICATION PROTOCOL LDAP has to authenticate as a part of giving secure access to data but that doesn't

RE: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread joe
LOL. You should have sent this before I started typing. ;o) Why wasn't it in your first answer, you always take that one right out in the first paragraph and when I read your response I was like hey who the heck are you? -- O'Reilly Active Directory Third Edition -

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread Vinnie Cardona
What event id are you seeing associate with this error? Vinnie Cardona Systems Administrator Ernest Health, Inc Information Technology Dept 505.798.6472 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN Sent: Friday, September 22, 2006 6:18 PM

[ActiveDir] Conditional Forward to a Reverse Zone - Acceptable?

2006-09-22 Thread RM
The GUI will let me add a conditional forward to a 10.in-addr-arpa zone on another box and it changes the name to 10.x.x.x subnet. However, it won't let me edit the forward later. Is this a hack, or is it supported? Thx, RM

Re: [ActiveDir] Conditional Forward to a Reverse Zone - Acceptable?

2006-09-22 Thread RM
I meant to type 10.in-addr.arpa, but you get the idea On Fri, 22 Sep 2006 20:23:57 -0700, RM [EMAIL PROTECTED] said: The GUI will let me add a conditional forward to a 10.in-addr-arpa zone on another box

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread Steve Linehan
You could also turn up additional logging which would give more details as to what the internal error is. I would suggest starting with the following: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics 1. Locate the 5 Replication Events value under the above key. 2. On the

Re: [ActiveDir]SUBDOMAIN AND LDAP

2006-09-22 Thread Joe Kaplan
Although I do tend to agree that LDAP does not define a good authentication protocol at all, it is definitely the case that LDAP is used as an authentication mechanism all over the place. I also don't think there is really anything wrong with using it for that per se, as long as it is used

RE: [ActiveDir] Replication Problems and Tombstoned Objects

2006-09-22 Thread WATSON, BEN
Basic info and troubleshooting I've done to gather symptom information... We are running a single forest, single domain Windows 2000 environment (I know, I know, I'm in the process of getting this upgraded to Win2k3 R2) with 9 domain controllers and 8 sites. Three of the sites are hub sites,