RE: [ActiveDir] Getting computer name from a username
hey joe - good questions - let me clarify:

1. no we purposely don't - this would cause excessive replication and as you've mentioned, there's no guarantee that we would be able to write the value. But the goal of this information is not to show who is _currently_ logged on a machine (I wouldn't use a distributed system to store this information); actually it doesn't store any time information with the username. Instead its goal is to document the general relationship between computers and users, which allows helpdesk folks and location admins to more easily localize a user's PC or vice versa.

2. naturally, the logon-script solution will only account for those folks that logon interactively. This will never be as accurate as a point in time check against a workstation. However, as mobile users will have logged on interactively to their notebook at one time in the past, their user name is also associated with their notebook in AD. Doesn't matter if they hibernate or disconnect afterwards.

3. good to know - I wasn't aware of that. Still prefer not to request a write operation if I don't have to.

I've received a few other questions offline, mainly around how to grant the permissions for users to change the description attribute on computer objects, so that a user can write to it: if users should be granted permissions to write to the description attribute of all computer objects in a specific OU, this can be done by using the advanced permission options for that OU. Doing so allows the admin to choose the type of objects for which to apply specific permissions. In this case you would first go to the Properties tab and then choose the option to Apply onto Computer objects. Then grant the Write description permission for the appropriate group. So what's the appropriate group?

This depends on your situation - you could use Authenticated Users allowing any user in the domain to update the attribute, or you'd use a location specific group of which all users of the respective location are members (this will limit the scope of users who can update the computer description attribute, which is usually a good thing). Naturally, you can also use DSACLS to set the permissions via commandline:

DSACLS OU=Computers,OU=Location-XYZ,DC=mydom,DC=net /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 4 December 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...
1. Do you clear the attribute you set when the user logs off? If you do, how do you account for hibernation, etc. that wouldn't let you do anything.
2. What if someone comes up with cached creds and then reconnects the computer (wireless or even purposeful disconnect/reconnect)?
3. If you send an update for an attribute to AD that is identical to the value that is there it will accept it like you made the change but no change is really made to reduce overhead. MS thought of that one.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around = it writes the user's name into the description attribute of the computer he's logging onto. To limit the replication impact in AD, the script first checks if the value needs to be updated, which is not often the case, as users don't roam much to other machines.

It also checks if the user is a member of specific administrator groups (such as client admins) which won't update the computer object either as they logon to various clients by nature of their job. Realize that you'll need to grant an appropriate group (e.g. All-Users-SiteXYZ) the rights to update the description field on computer objects in the respective OU. This is not required when leveraging the homepage attribute on the user object as mentioned in the previous post, since every user has the permission to update this attribute by default via the SELF security principal. Nevertheless, we preferred to have this information bound to the computer object. Ideally you might actually want to use the managedBy attribute of the respective computer object to _link_ the user to the computer = this way you could view all computers that the user is actively logging onto via the managedObjects attribute on the user account. These attributes are linked together quite similar to the membership of a user in a group, or to the manager and directReports attributes on a user object - the difference here is (sadly enough), that the managedObjects attribute is not shown in the AD Users and Computers MMC that is used by many delegated admins to manage their objects. Also, you
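The logon-script logic Guido describes (write the user's name into the computer's description, but only when the value differs, and never for members of the admin groups that roam by nature of their job), as an added PowerShell example. This is not Guido's script and not from the thread; the exempt group names are assumptions, the script is assumed to run in the logging-on user's context with ADSI available, and the write relies on the Write description permission delegated with the DSACLS command above.

```powershell
# Added example: record the logging-on user in the computer object's description.
# Assumed group names (placeholders, not from the thread): replace with your own.
$ExemptGroups = @('MYDOM\ClientAdmins', 'MYDOM\Domain Admins')

function Test-ExemptUser {
    param([string[]]$Exempt)
    # Walk the token's group SIDs rather than querying AD again for the membership
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # SIDs that no longer resolve (deleted or foreign) are simply skipped
        }
        if ($Exempt -contains $name) { return $true }
    }
    return $false
}

function Update-ComputerDescription {
    param([string]$UserName, [string]$ComputerName)
    # A computer's sAMAccountName is its name followed by '$'
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    $searcher.PropertiesToLoad.Add('description') | Out-Null
    $result = $searcher.FindOne()
    if (-not $result) { return 'NotFound' }

    $current = [string]($result.Properties['description'] | Select-Object -First 1)
    # Check before writing: no LDAP modify, no replication, no failed-write noise
    # for the common case of a user logging on to the machine they used yesterday.
    if ($current -eq $UserName) { return 'Unchanged' }

    $computer = $result.GetDirectoryEntry()
    $computer.Put('description', $UserName)
    $computer.SetInfo()   # needs 'Write description' on the computer object (see DSACLS above)
    return 'Updated'
}

if (Test-ExemptUser -Exempt $ExemptGroups) {
    Write-Verbose 'Member of an exempt admin group; not recording this logon.'
} else {
    Update-ComputerDescription -UserName $env:USERNAME -ComputerName $env:COMPUTERNAME
}
```

The three return values ('NotFound', 'Unchanged', 'Updated') are there so the script can be logged or tested; joe's point 3 means an identical write would not replicate anyway, but the comparison still saves the round trip and avoids an access-denied error on machines outside the delegated OU.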
RE: [ActiveDir] Exporting Mailbox rights
Hi Alain, thanks for your response, it all looks very clever. I have tried running the following command:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs" when I open this script, I can't see any reference to this. Also, how can I run this against all group mailboxes in an OU? Any ideas?
Amy ;-)
Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.

Alain Lissoir [EMAIL PROTECTED] wrote: You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001.
All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:
FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User : Determine the UserID to perform the remote connection. (default=none)
Password : Determine the password to perform the remote connection. (default=none)

Examples:
Viewing Security descriptors ...
Files and Folders ---
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+
Share ---
WMIManageSD.Wsf /Share:MyDirectory /Decipher+
AD object ---
WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+
Exchange 2000 mailbox ---
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /E2KStore+
Registry ---
WMIManageSD.Wsf /RegistryKey:HKLM\SOFTWARE\Microsoft /Decipher+ /ADSI+
WMI namespace ---
WMIManageSD.Wsf /WMINameSpace:Root\CIMv2 /Decipher+
Adding ACE in Security descriptors ...
Files (Rights) --
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt
RE: [ActiveDir] AD Wish list
Title: AD Wish list
In my experience, if it's going to be in the ,00s, it's going to be a script.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 01, 2005 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Wish list

Hi I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :) Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra. Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info? All the best Danny
RE: [ActiveDir] SBS Transition Pack installation experience?
Thanks, Susan. I imagine if we can establish the trust after applying the transition pack, we'll be good to go. Funny about that Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. Warning. Had the same warning and ending experience when installing w2k3 R2/RC. Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com -- Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius Caesar III i. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: Friday, December 02, 2005 8:40 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SBS Transition Pack installation experience? And the documentation is on this side too is a bit sparse. In our SBS MVP ranks we've had one MVP go through it... below are his comments when we asked him to go over the experience... as most folks post in the SBS newsgroup and say we're applying this and we never hear back from them...they get sucked into this blackhole never to post again OK, here's what I found. Installed the Transition pack on SBS SP1 Premium (running SQL but not ISA). It churned for a while and rebooted twice. Note that you are warned all over the place that you'll have to reinstall all service packs after installing the transition pack. Towards the end of the install, I get a message box Setup cannot continue because the version of Windows on your computer is newer than the version on the CD. Warning: If you decide to delete the newer version of Windows that is currently installed on your computer, the files and settings cannot be recovered. To exit, click Cancel. For more information, click Details. Clicking Details got me nowhere, so I clicked Cancel. I thought I was in trouble, and was ready to call PSS. 
I rebooted after clicking cancel, and much to my surprise, I get prompted that the transition pack was installed successfully. So now the box is in the I think the transition pack is applied state. I moved FSMO roles to another box without a problem (something you're only supposed to be able to do post transition pack). I moved Exchange and SQL each to their own box. I am also now running 2 DHCP servers in the environment, and the old SBS box seems to be stable. I'm not sure what else I can do to confirm that the transition pack is OK, but everything seems to be stable at this point.

-- To add to that. yes the transition pack was applied successfully...the way you check is attempt to disable license logging service and sbscore services. If those two services will shut off and stay off, you don't have a SBS box anymore. In this no longer a SBS box state, Remote Web Workplace and all the SBS wizards still work, there are just no guarantees that future patches/service packs will break things. I imagine if all you wanted to do was sucking life out of it...you could have FSMO transferred the AD to a normal Windows 2003 box and sucked that over too. [you know the seize ntdsutil thingy]

[EMAIL PROTECTED] wrote: Hi, Anyone have experience/recommendations for applying the SBS Transition pack? We just got the software and the admin who received it says the documentation is sparse. (Feel free to jump in, Susan J) The situation is that a recent acquisition is running SBS and we need to build a trust to their domain so that we can suck the life out of it...I mean, so that we can transition users and resources to the corporate domain. Thanks in advance, AL

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- Cry 'Havoc!' and let slip the dogs of war - Anthony, in Julius Caesar III i.
List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exporting Mailbox rights
Do you have the Functions folder available? It contains a series of functions used by WMIManageSD.Wsf. Next you must register the DLL with REGSVR32 in the resource folder. Then you are all set. By default, WMIManageSD.Wsf must be in Folder XYZ while Functions folder must be at the same level.

Root
+ Functions
|
+ XYZ

Otherwise you can change the "..\Functions" reference to an absolute path and point to the exact location of the Functions folder in your installation (you call). To run against a group of MB in an OU, just query the users you have in that OU with DSQUERY (or any equivalent tool) and combine them in a command like (one single line when you type; the line is cut for readability reasons in this mail):

For /F "delims=*" %i in ('dsquery * "ou=group mailboxes,OU=,DC=spinnaker,DC=org" -filter "(objectClass=user)"') do WMIManageSD.Wsf /E2KMailbox:"%~i" /Decipher+ /ADSI+

HTH.
PS: Don't forget the + at the end of the /Decipher+ and /ADSI+ switches.

From: Amy Hunter [mailto:[EMAIL PROTECTED]
Sent: Monday, December 05, 2005 4:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain, thanks for your response, it all looks very clever. I have tried running the following command: WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs" when I open this script, I can't see any reference to this. Also, how can I run this against all group mailboxes in an OU? Any ideas? Amy ;-) Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.

Alain Lissoir [EMAIL PROTECTED] wrote: You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder).
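Alain's "wrap the script in a loop over the OU" advice, as an added PowerShell example that is not part of his script kit or of this thread. It finds the mailbox-enabled users below an OU (homeMDB is only populated on mailbox-enabled accounts, so plain users and contacts are skipped) and runs WMIManageSD.Wsf once per DN, passing the DN as one argument so the embedded spaces and quotes that trip up a cmd FOR loop never matter. The OU, script path and output folder are placeholders; cscript.exe, the script and its Functions folder are assumed to be installed as Alain describes.

```powershell
# Added example, not Alain's code. All three defaults are placeholders.
param(
    [string]$SearchBase = 'OU=group mailboxes,DC=example,DC=com',
    [string]$ScriptPath = 'C:\ScriptKit\Sample 4.02 to 4.13\WMIManageSD.Wsf',
    [string]$OutDir     = 'C:\MailboxRights'
)

function Get-MailboxUserDn {
    param([string]$Base)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$Base"
    # objectCategory=person excludes computer accounts; homeMDB=* keeps only mailbox-enabled users
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
    $searcher.PageSize = 500   # paged search, so an OU with more than 1000 users is enumerated fully
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
}

function Export-MailboxRights {
    param([string[]]$Dn, [string]$Script, [string]$Dir)
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    foreach ($d in $Dn) {
        # Output file named after the CN; characters that are illegal in file names are replaced
        $cn  = (($d -split ',')[0] -replace '^CN=', '') -replace '[\\/:*?"<>|]', '_'
        $out = Join-Path $Dir "$cn.txt"
        # Each value is its own argument, so the DN reaches the script intact despite the spaces;
        # the /Decipher+ and /ADSI+ switches keep the '+' Alain warns about.
        & cscript.exe //nologo $Script "/E2KMailbox:$d" /Decipher+ /ADSI+ | Set-Content -Path $out
        if ($LASTEXITCODE -ne 0) { Write-Warning "WMIManageSD.Wsf exited with $LASTEXITCODE for $d" }
    }
}

$dns = @(Get-MailboxUserDn -Base $SearchBase)
Write-Host "Found $($dns.Count) mailbox-enabled users under $SearchBase"
Export-MailboxRights -Dn $dns -Script $ScriptPath -Dir $OutDir
```

One file per mailbox is deliberate: the deciphered ACL text can then be diffed against the previous export, which turns a one-off "who has rights on this mailbox" question into a repeatable check for unexpected Full Mailbox Access grants.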
RE: [ActiveDir] Exporting Mailbox rights
The reference is on line 155 of the script. Go to Alain's site (www.lissware.net) and scroll down to the link for "Script Kit of Volume 2". Download that and extract the whole thing...you should get a directory structure, and the main script is in \Volume_2_ScriptKits\Chapter_04\Sample 4.02 to 4.13. You should also see a \Functions directory, which is where the SecurityInclude.vbs script (and others) reside. To run it against all of the mailboxes in an OU, you'll need to wrap Alain's script with code that queries the OU for all mailboxes, and then pipes the CN for each mailbox to the WMIManageSD.Wsf code.
Hunter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Monday, December 05, 2005 5:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain, thanks for your response, it all looks very clever. I have tried running the following command: WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher I receive this error "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs" when I open this script, I can't see any reference to this. Also, how can I run this against all group mailboxes in an OU? Any ideas? Amy ;-) Ps...sorry if I sound lame, scripting is not an area I spent too much time with Yet.

Alain Lissoir [EMAIL PROTECTED] wrote: You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace). Microsoft (R) Windows Script Host Version 5.6 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
RE: [ActiveDir] Ntds.dit file corruption
Correction. I meant to say: Esentutl utility with the /d switch. Not Eseutil /d.

Sincerely,
Jose Medeiros
ADP | National Account Services ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jose Medeiros
Sent: Sunday, December 04, 2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Even if it's SCSI on a RAID 5 Array, you can still have corrupt clusters. A power outage or a hard reboot could have damaged the clusters on the drives. Try running Chkdsk /r. And I have an idea, but have not tried it yet: try running Eseutil /d after the chkdsk completes; since it creates a new database, it may repair the problem. http://www.mcpmag.com/columns/article.asp?EditorialsID=330
Jose

- Original Message -
From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, December 04, 2005 12:13 AM
Subject: Re: [ActiveDir] Ntds.dit file corruption

Nope just confirmed SCSI ...but there's still Dell hardware to lay blame on here ;-)

Brian Desmond wrote: I think those are SATA only? Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sunday, December 04, 2005 2:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

http://www.dell.com/downloads/global/products/pedge/en/sc1420_specs.pdf Well he said it's a Dell [ugh] 1420 but do not know if SATA or SCSI.

Jose Medeiros wrote: Hmm.. I have never experienced this with either McAfee or Symantec AV on any of the DC's that I have built and or maintained. Have you had a chance to run chkdsk /r yet? More than likely the problem is bad clusters on the drive which caused the NTDS.DIT file to become corrupt. Was this server built using IDE /ATA/SATA drives?
Jose - Original Message - From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Saturday, December 03, 2005 10:58 PM Subject: [ActiveDir] Ntds.dit file corruption SBS box [with Windows 2003 sp1 since September] RE: [ActiveDir] Database Corruption: http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433]. Bottom line they are about going to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here. From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen. The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller: http://support.microsoft.com/default.aspx?scid=kb;en-us;822158 If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online. Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role. --- Stupid question alert Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland...but question many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. 
So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc] If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better than to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?
RE: [ActiveDir] Ntds.dit file corruption
She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...
Cheers, BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote: Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define ntds.dit file corruption for us? What sort of corruption? What errors/events lead you to believe this? Specifically, I'm interested in errors from NTDS ISAM or ESE if you have any.
From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Sat 12/3/2005 10:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ntds.dit file corruption

SBS box [with Windows 2003 sp1 since September]

RE: [ActiveDir] Database Corruption: http://www.mail-archive.com/activedir@mail.activedir.org/msg32676.html

We have a SBS 2003 sp1 box with a corrupt ntds.dit that the Consultant and PSS have been banging on. Could not get the services back running, changed the RPC service to local system and some service came back up [I don't have all the details but the consultant opened a support case of SRX051202605433]. Bottom line they are about going to give up and start a restore but before they do that I'd like to get the view of the AD gods and goddesses around here.

From all that I've seen, read, seen in the SBS newsgroup, the corruption of ntds.dit is rare to nil and an underlying cause is hardware issues [raid, disk subsystem]. This doesn't just happen. The VAP asked if not properly excluding the ad databases from the a/v would cause this/trigger this and my expectation is 'no', given that I doubt the majority of us in SBSland properly set up exclusions.

Virus scanning recommendations on a Windows 2000 or on a Windows Server 2003 domain controller: http://support.microsoft.com/default.aspx?scid=kb;en-us;822158

If this were my hardware and box, I'd be putting this sucker on the operating table and getting an autopsy before putting it back online. Are we right in being paranoid now about this hardware? For you guys in big server land you'd just slide over another box into that server role.

--- Stupid question alert

Okay so we know that having a secondary/additional domain controller is a good thing even in SBSland...but question many times the second server in SBSland is a terminal server box because we do not support TS in app mode on our PDCs. So we've established that having a domain controller and a terminal server is a security issue [see Windows Security resource kit, NIST Terminal services hardening guide, etc etc]. If our second server is a member server handing out TS externally, should that be a candidate for the additional DC? Are the issues of TS on a DC ... true for 'any' DC? Would it be better then to Vserver/VPC a Win2k3 inside a workstation in the network if a third server box was not feasible?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
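Eric asks for the NTDS ISAM / ESE events behind the "corruption" label, and Susan raises the anti-virus exclusion question from KB 822158. The PowerShell below is an added triage example for this page, not code from Brett, Eric, Susan or the list: it reads the DIT, working-directory and log paths from the NTDS service registry key, pulls ESE-provider events from the Directory Service log whose text carries a read-verification or disk I/O error code, and checks whether the three NTDS paths are covered by Microsoft Defender path exclusions. The error codes it greps for (-1018 page checksum mismatch, -1019 page not initialized, -1022 disk I/O), the 'NTDS ISAM' provider name and the Defender cmdlet are assumptions to verify against your own DCs; the script complements, and does not replace, a jetstress run and the vendor's hardware diagnostics.

```powershell
# Added triage example, not code from the thread. Assumes Windows PowerShell
# 5.1 or PowerShell 7 run elevated on the DC itself; Get-MpPreference exists
# only where Microsoft Defender is installed (other AV products need their own
# exclusion query). The ESE codes -1018 (page checksum mismatch), -1019 (page
# not initialized), -1022 (disk I/O error) and the 'NTDS ISAM' provider name
# are assumptions to check against your own Directory Service log text.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsPaths {
    # DIT file, working directory and transaction log folder as recorded by
    # dcpromo; these are the locations KB 822158 says to exclude from scanning.
    $p = Get-ItemProperty -Path $NtdsParams
    [pscustomobject]@{
        Dit     = $p.'DSA Database file'
        WorkDir = $p.'DSA Working Directory'
        LogDir  = $p.'Database log files path'
    }
}

function Get-EseErrorEvents {
    param([int]$Days = 30)
    # Critical/error/warning events from the ESE provider whose message text
    # carries one of the read-verification or disk I/O codes listed above.
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'NTDS ISAM'
        Level        = 1, 2, 3
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = [regex]::Match($_.Message, '-10(18|19|22)\b')
            if ($m.Success) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    EseCode = $m.Value
                    Summary = ($_.Message -split "`r?`n")[0]
                }
            }
        }
}

function Test-AvExclusions {
    param([string[]]$Paths)
    # A folder exclusion covers everything beneath it, so compare by prefix.
    $excl = @()
    try { $excl = @((Get-MpPreference -ErrorAction Stop).ExclusionPath) } catch { }
    foreach ($path in $Paths) {
        if (-not $path) { continue }
        $hit = $excl | Where-Object {
            $_ -and ($path -eq $_.TrimEnd('\') -or $path -like ($_.TrimEnd('\') + '\*'))
        } | Select-Object -First 1
        [pscustomobject]@{
            Path           = $path
            ExcludedFromAv = [bool]$hit
            MatchedRule    = $hit
        }
    }
}

$paths = Get-NtdsPaths
'NTDS paths:'
$paths | Format-List
'ESE read-verification / disk I/O errors, last 30 days (healthy hardware: none):'
Get-EseErrorEvents | Sort-Object Time | Format-Table -AutoSize
'Anti-virus exclusion coverage (all three should be excluded per KB 822158):'
Test-AvExclusions -Paths @($paths.Dit, $paths.WorkDir, $paths.LogDir) | Format-Table -AutoSize
```

Run it before and after each variable you change in Brett's list (firmware, RAID layout, drive swap); a -1018 that keeps coming back under jetstress load while the exclusion table shows all three paths excluded points at the disk subsystem rather than at the scanner.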
Re: [ActiveDir] Ntds.dit file corruption
I did? :-) I think I still said all I know is what the poster said :-)

I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up.

What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:
Re: [ActiveDir] Ntds.dit file corruption
Those are fine ideas. You may want to have a closer look at that hardware. Whichever the vendor, they usually have their own diagnostics. It's time consuming, but often worth checking along with checking for known issues with drivers, firmware, etc.

In my experience, I've mostly seen this type of corruption with faulty hardware. Sometimes drive cache can hurt (not battery backed up array controller, but on the disk) as can a bad run of hardware or cracked motherboards. Giving the machine the once-over is a great idea. And if you can't spot it, I might still consider the machine suspect and not worth reinstalling on. Vote of no-confidence so to speak.

Keeping good backups (by good, I mean tested) is always recommended regardless of size of company. Keep with that any and all information needed to recover the machine if it were to become a smoking puddle of goo in the wiring closet. Unless the data is not worth recovering. :)

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
Date: Mon, 05 Dec 2005 08:52:48 -0800
RE: [ActiveDir] Ntds.dit file corruption
Well at least the corruption occurred on just a single DC.

One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
Re: [ActiveDir] Ntds.dit file corruption
Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Ntds.dit file corruption
I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
RE: [ActiveDir] Ntds.dit file corruption
We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption
Re: [ActiveDir] Ntds.dit file corruption
I was thinking about Longhorn :) It has been brought up here as a possible longhorn feature a couple of times, but yeah that doesn't help much for the immediate future.

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
RE: [ActiveDir] Ntds.dit file corruption
RODCs are a LongHorn feature. It will be one-way replication to the RODCs. They will not replicate out anything. If you are on the LongHorn beta you should be able to test this right now. But as Steve (one of the really good PSS guys) said and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate. In every case I have seen it the problem has been hardware failure or a firmware/driver matchup issue in the disk subsystem. Fixing them is easy, wipe the machine, do hardware tests, if it passes, do it again. If it passes do it a third time. If it passes, reload and repromo. If it fails one of the tests, get the hardware fixed, reload, and repromo. If SBS, well you have all sorts of issues in that basket as your eggs leak.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL
[ActiveDir] remove logon script?
How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] remove logon script?
Try ADmodify for a GUI tool... http://tinyurl.com/5ruog

Diane

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] remove logon script?
Adfind and admod from joeware.net:

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath-

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] remove logon script?
This is a fairly old and ugly vbs script, and it only works for one OU in the domain, but it should get the job done. You'll need to modify strPathToContainer and strDomain.

Option Explicit

Dim strPathToContainer, strDomain, strAttribute
Dim oUser, oUserContainer

strPathToContainer = "OU=Student"
strDomain = ",DC=evangel,DC=edu"
' The script as originally posted cleared profilePath; for the
' logon.bat question the attribute to clear is scriptPath.
strAttribute = "scriptPath"

' Bind to the OU and enumerate only user objects in it (one level, no recursion)
Set oUserContainer = GetObject("LDAP://" & strPathToContainer & strDomain)
oUserContainer.Filter = Array("User")

For Each oUser In oUserContainer
    ' ADS_PROPERTY_CLEAR (1) removes the attribute value entirely
    oUser.PutEx 1, strAttribute, vbNullString
    oUser.SetInfo
Next

Set oUserContainer = Nothing
MsgBox "Done"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Ntds.dit file corruption
If that failsafe is built in then I am just being a worrywart and I have to admit, I have yet to experience this particular problem.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Monday, December 05, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

We do not replicate corruption so if you have local corruption as noted below there is no worry that it would replicate around to other servers in the environment.

Thanks,
-Steve
RE: [ActiveDir] remove logon script?
One tiny correction :)

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath:-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, December 05, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] remove logon script?

Adfind and admod from joeware.net:

adfind -f "(&(objectCategory=person)(objectClass=user)(scriptpath=logon.bat))" -default -dsq | admod -unsafe scriptpath-

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] AD Wish list
I would have to concur, reporting is pretty heavy duty stuff.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, December 05, 2005 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Wish list

In my experience, if it's going to be in the ,00s, it's going to be a script.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
"Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of McCann, Danny
Sent: Thursday, December 01, 2005 4:05 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Wish list

Hi

I've been asked to contribute to a wish list and was planning on asking for some AD tools - specifically for reporting. I've had a look about, but the prices vary wildly. I know there's no chance of anything that's going to do a great job (Quest) as we're talking ,00's rather than ,000's. :)

Trouble is there are a lot of tools out there and often they're doing stuff much of which I can script (or plagiarise :) ), plus the odd extra. Does anyone have good experiences of anything in the ,00's price range that'll report back auditing/stats/security info?

All the best
Danny
RE: [ActiveDir] Exporting Mailbox rights
Here is a little code snippet I posted here previously for enumerating mailbox permissions: http://www.mail-archive.com/activedir@mail.activedir.org/msg14221.html

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Amy Hunter
Sent: Monday, December 05, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Mailbox rights

Hi Alain, thanks for your response, it all looks very clever. I have tried running the following commands:

WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /adsi
WMIManageSD.Wsf /E2KMailbox:"cn=POTrust,ou=group mailboxes,OU=,DC=spinnaker,DC=org" /decipher

I receive this error: "c:\WMIManageSD.Wsf(155, 39) Windows Script Host: Cannot retrieve referenced URL : ..\Functions\SecurityInclude.vbs". When I open this script, I can't see any reference to this. Also, how can I run this against all group mailboxes in an OU? Any ideas?

Amy ;-)

PS... sorry if I sound lame, scripting is not an area I have spent too much time with. Yet.

Alain Lissoir [EMAIL PROTECTED] wrote:

You can look at http://www.lissware.net, volume 2, Sample 4.02 to 4.13 - WMIManageSD.Wsf (and associated sub-functions in the Functions folder). Syntax to use in red below (the script supports Filesystem, Share, ADObject with Extended Rights, Exchange Mailbox, Registry Key, WMI namespace).

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Usage: WMIManageSD.Wsf [/FileSystem:value] [/Share:value] [/ADObject:value] [/E2KMailbox:value] [/E2KStore[+|-]] [/RegistryKey:value] [/WMINameSpace:value] [/ViewSD[+|-]] [/Owner:value] [/Group:value] [/SDControls:value] [/AddAce[+|-]] [/DelAce[+|-]] [/Trustee:value] [/ACEMask:value] [/ACEType:value] [/ACEFlags:value] [/ObjectType:value] [/InheritedObjectType:value] [/SACL[+|-]] [/Decipher[+|-]] [/ADSI[+|-]] [/SIDResolutionDC[+|-]] [/Machine:value] [/User:value] [/Password:value]

Options:
FileSystem : Get the security descriptor of the specified file or directory path.
Share : Get the security descriptor of the specified share name.
ADObject : Get the security descriptor of the specified distinguished name AD object.
E2KMailbox : Get the security descriptor of the Exchange 2000 mailbox specified by AD user distinguished name.
E2KStore : Specify if the security descriptor must come from the Exchange 2000 store.
RegistryKey : Get the security descriptor of the specified registry key.
WMINameSpace : Get the security descriptor of the specified WMI Name space.
ViewSD : Decipher the security descriptor.
Owner : Set the security descriptor owner.
Group : Set the security descriptor group.
SDControls : Set the security descriptor control flags.
AddAce : Add a new ACE to the ACL.
DelAce : Remove an existing ACE from the ACL.
Trustee : Specify the ACE mask (granted user, group or machine account).
ACEMask : Specify the ACE mask (granted rights).
ACEType : Specify the ACE type (allow or deny the ACE mask).
ACEFlags : Specify the ACE flags (ACE mask inheritance).
ObjectType : Specify which object type, property set, or property an ACE refers to.
InheritedObjectType : Specify the GUID of an object that will inherit the ACE.
SACL : Manage the System ACL (auditing) (default=Discretionary ACL).
Decipher : Decipher the security descriptor.
ADSI : Retrieve the security descriptor with ADSI.
SIDResolutionDC : Domain Controller to use for SID resolution.
Machine : Determine the WMI system to connect to. (default=LocalHost)
User : Determine the UserID to perform the remote connection. (default=none)
Password : Determine the password to perform the remote connection. (default=none)

Examples:

Viewing Security descriptors ...

Files and Folders
---
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory /Decipher+ /ADSI+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+
WMIManageSD.Wsf /FileSystem:C:\MyDirectory\MyFile.Txt /Decipher+ /ADSI+

Share
---
WMIManageSD.Wsf /Share:MyDirectory /Decipher+

AD object
---
WMIManageSD.Wsf /ADObject:"user;CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf /ADObject:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+ /ADSI+

Exchange 2000 mailbox
---
WMIManageSD.Wsf /E2KMailbox:"CN=MyUser,CN=Users,DC=LissWare,DC=Net" /Decipher+
WMIManageSD.Wsf
RE: [ActiveDir] Getting computer name from a username
Ah, sorry I must have missed the intent. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 05, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

hey joe - good questions - let me clarify:

1. no we purposely don't - this would cause excessive replication and as you've mentioned, there's no guarantee that we would be able to write the value. But the goal of this information is not to show who is _currently_ logged on a machine (I wouldn't use a distributed system to store this information), actually it doesn't store any time information with the username. Instead its goal is to document the general relationship between computers and users, which allows helpdesk folks and location admins to more easily localize a user's PC or vice versa.

2. naturally, the logon-script solution will only account for those folks that logon interactively. This will never be as accurate as a point in time check against a workstation. However, as mobile users will have logged on interactively to their notebook at one time in the past, their user name is also associated with their notebook in AD. Doesn't matter if they hibernate or disconnect afterwards.

3. good to know - I wasn't aware of that. Still prefer not to request a write operation if I don't have to.

I've received a few other questions offline, mainly around how do I grant the permissions for users to change the description attribute on computer objects, so that a user can write to it: if users should be granted permissions to write to the description attribute of all computer objects in a specific OU, this can be done by using the advanced permission options for that OU. Doing so allows the admin to choose the type of objects to which to apply specific permissions. In this case you would first go to the Properties tab and then choose the option to Apply onto Computer objects. Then grant the Write description permission for the appropriate group.

So what's the appropriate group? This depends on your situation - you could use Authenticated Users allowing any user in the domain to update the attribute, or you'd use a location specific group of which all users of the respective location are members (this will limit the scope of users who can update the computer description attribute, which is usually a good thing).

Naturally, you can also use DSACLs to set the permissions via commandline:

DSACLS OU=Computers,OU=Location-XYZ,DC=mydom,DC=net /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 4 December 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do, how do you account for hibernation, etc that wouldn't let you do anything.

2. What if someone comes up with cached creds and then reconnects the computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the value that is there it will accept it like you made the change but no change is really made to reduce overhead. MS thought of that one.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around = it writes the user's name into the description attribute of the computer he's logging onto. To limit the replication impact in AD, the script first checks if the value needs to be updated which is not often the case, as users don't roam much to other machines. It also checks if the user is a member of specific administrator groups (such as client admins) which won't update the computer object either as they logon to various clients by nature of their job.

Realize that you'll need to grant an appropriate group (e.g. All-Users-SiteXYZ) the rights to update the description field on computer objects in the respective OU. This is not required when leveraging the homepage attribute on the user object as mentioned in the previous post, since every user has the permission to update this attribute by default via the SELF security principal. Nevertheless, we preferred to have this information bound to the computer object.

Ideally you might actually want to use the managedBy attribute of the respective computer object to _link_ the user to the computer = this way you could view all computers that the user is actively logging onto via the managedObjects attribute on the user account. These attributes are linked together quite similar
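The DSACLS line above grants WriteProperty on description, inherited only by computer objects under the OU. The same ACE expressed with the ActiveDirectory PowerShell module, as an added example that is not from the thread: it resolves the description and computer schema GUIDs at runtime instead of hardcoding them, and the second function lists who can already write that attribute, which is the check to run before deciding between Authenticated Users and a location group. The OU DN, group name and the presence of the AD: drive are assumptions.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) is installed and the
# caller may modify the OU's security descriptor. Names below are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Look the GUID up in the schema partition rather than hardcoding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Grant-ComputerDescriptionWrite {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder OU, e.g. 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net'
        [Parameter(Mandatory)][string]$OU,
        # Placeholder group, e.g. 'mydom\AllUsers-Location-XYZ'
        [Parameter(Mandatory)][string]$Group
    )
    $descriptionGuid = Get-SchemaGuid 'description'
    $computerGuid    = Get-SchemaGuid 'computer'
    $sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
        [System.Security.Principal.SecurityIdentifier])

    # Equivalent of: DSACLS <OU> /I:S /G <group>:WP;description;computer
    #   right   = WriteProperty, scoped to the description attribute (objectType GUID)
    #   applies = descendant objects only (/I:S), of class computer (inheritedObjectType GUID)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $descriptionGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)

    $acl = Get-Acl -Path "AD:\$OU"
    $acl.AddAccessRule($ace)
    if ($PSCmdlet.ShouldProcess($OU, "Grant $Group WriteProperty on description for computer objects")) {
        Set-Acl -Path "AD:\$OU" -AclObject $acl
    }
}

function Get-ComputerDescriptionWriters {
    param([Parameter(Mandatory)][string]$OU)
    $descriptionGuid = Get-SchemaGuid 'description'
    # Every Allow ACE on the OU that can write description: either scoped to that
    # attribute, or an all-properties ACE (ObjectType = empty GUID). Review this list
    # to confirm only the intended location group appears, not Authenticated Users.
    (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        ($_.ObjectType -eq $descriptionGuid -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}

# Grant-ComputerDescriptionWrite -OU 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net' -Group 'mydom\AllUsers-Location-XYZ' -WhatIf
# Get-ComputerDescriptionWriters -OU 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net'
```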
RE: [ActiveDir] Obsolete Domain groups
Nope, there is no last used. Kind of hard to define last used for a group anyway, for instance for a security group it would be the last time anyone from the group logged in and the group SID was stuffed in the user's token.

If you are talking security groups, the best to do is change the group to a DL and then it won't get added to security groups. If there is no screaming for a couple of months, you are probably safe. If the group is used for non-Windows security or to send IMs or emails to a group of people or otherwise group items (like OUs or whatever) then a solution would be to put the groups in a heavily protected OU so nothing can read the membership for a while and make sure no one screams. Either way, dump the membership to some other format so you can repopulate as needed and before final delete, clear the membership for a while.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Sunday, December 04, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Obsolete Domain groups

Does anyone know of a way to identify old\obsolete domain groups? Are the group objects in AD stamped with something like a last used date stamp? I am thinking a member server with some resources and domain permissions on those resources has to ask the domain some questions about it.

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406

WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
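joe's procedure above (dump the membership, convert the security group to a distribution group, wait for screaming, clear the membership before the final delete) as a script, added here and not part of the thread. It assumes the ActiveDirectory module and rights to modify the group; the backup directory and group names are placeholders.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT). Group names are placeholders.
Import-Module ActiveDirectory

function Suspend-SuspectedObsoleteGroup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$BackupDir = '.\group-backups'   # placeholder location
    )
    $group = Get-ADGroup -Identity $GroupName -Properties member, description
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ("{0}-{1}.json" -f $group.SamAccountName, (Get-Date -Format yyyyMMdd-HHmmss))

    # Step 1: dump membership, category and scope so the group can be repopulated later.
    [pscustomobject]@{
        DistinguishedName = $group.DistinguishedName
        GroupCategory     = [string]$group.GroupCategory
        GroupScope        = [string]$group.GroupScope
        Description       = $group.description
        Members           = @($group.member)
    } | ConvertTo-Json -Depth 3 | Set-Content -Path $backup

    # Step 2: security -> distribution. The SID is no longer placed in logon tokens,
    # so any resource ACL still depending on it fails now, while the backup is fresh.
    if ($group.GroupCategory -eq 'Security' -and
        $PSCmdlet.ShouldProcess($group.DistinguishedName, 'Convert to distribution group')) {
        Set-ADGroup -Identity $group -GroupCategory Distribution
    }
    $backup
}

function Clear-SuspendedGroupMembers {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$GroupName)
    # Step 3 (after the quiet period): empty the group before deleting it.
    if ($PSCmdlet.ShouldProcess($GroupName, 'Clear member attribute')) {
        Set-ADGroup -Identity $GroupName -Clear member
    }
}

function Restore-SuspendedGroup {
    param([Parameter(Mandatory)][string]$BackupFile)
    # Someone screamed: put the category and membership back from the dump.
    $saved = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    Set-ADGroup -Identity $saved.DistinguishedName -GroupCategory $saved.GroupCategory
    if ($saved.Members) {
        Add-ADGroupMember -Identity $saved.DistinguishedName -Members $saved.Members
    }
}

# $file = Suspend-SuspectedObsoleteGroup -GroupName 'OldProjectAccess' -WhatIf
# Restore-SuspendedGroup -BackupFile $file
```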
RE: [ActiveDir] Saved Query for Distinguished Name Contains
It seems I have been answering a lot of questions like this lately...

You can not put parts of the DN into the LDAP query. The only way to control what branches a query looks at are 1. Permissions 2. Search base 3. Search scope. You need to be the most specific you need to be to either include or exclude various branches of the tree.

That being said, someone who wanted to have those specific branches filtered out or filtered in to the outputted return set but didn't mind actually returning a lot more data could look to see if they can find a tool that was written by someone bright enough to add options to let you do that. Hey there is one... It is called adfind and has excldn and incldn switches to allow you to specify portions of a DN of objects you would like outputted. FYI, there is a bug in the objects returned counter when using incldn, I have to go in and fish it out of there. It is because I cut and pasted the excldn code to produce the incldn section. ;o)

Anyway, your query would look something like

adfind -default -f objectcategory=computer -incldn ou=workstations

Keep in mind though that every computer in your org will be passed back to your client so if you have 100k computers and only 10 are in the ou=workstations OUs it will seem AWFULLY SLOW. There is no way for me to get around that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Sunday, December 04, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Saved Query for Distinguished Name Contains

Hey, all! I am trying to create a saved query to pull out computers that exist within a WORKSTATIONS OU; and that OU may exist within several higher-level OUs, i.e.

distinguishedName=*OU=Workstations*

but the Saved Queries interface in ADUC doesn't seem to like distinguishedName (I've also tried dn= and DN=). Any ideas, please?

Dan Holme
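Because the DN cannot be filtered server-side, the -incldn approach joe describes is a client-side match over every returned object. The helper below, added here and not from the thread, does that match on whole RDN components rather than as a substring, so "OU=Workstations" does not also catch "OU=Workstations-Old" or a computer whose own CN happens to be Workstations; the function name and the Get-ADComputer usage line are assumptions.

```powershell
# Added example; the matching is pure string logic and needs no AD connection.
function Test-DnInOu {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$OuRdn    # e.g. 'OU=Workstations'
    )
    # Split on commas that are not escaped with a backslash (RDN values may contain "\,"),
    # then compare each ancestor RDN case-insensitively and as a whole.
    $rdns = $DistinguishedName -split '(?<!\\),'
    # Start at index 1: index 0 is the object's own RDN, not a container.
    for ($i = 1; $i -lt $rdns.Length; $i++) {
        if ($rdns[$i].Trim() -ieq $OuRdn) { return $true }
    }
    return $false
}

# Constructed sample DNs: only the first two are inside a Workstations OU.
$samples = @(
    'CN=PC01,OU=Workstations,OU=Paris,DC=example,DC=com',
    'CN=PC02,OU=Workstations,OU=Finance,OU=Berlin,DC=example,DC=com',
    'CN=PC03,OU=Workstations-Old,OU=Paris,DC=example,DC=com',
    'CN=Workstations,OU=Servers,DC=example,DC=com'
)
$samples | Where-Object { Test-DnInOu $_ 'OU=Workstations' }

# Against the directory (every computer is still returned to the client, as joe notes):
# Get-ADComputer -Filter * | Where-Object { Test-DnInOu $_.DistinguishedName 'OU=Workstations' }
```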
RE: [ActiveDir] Obsolete Domain groups
Got it. Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Obsolete Domain groups
RE: [ActiveDir] remove logon script?
Select all the accounts at once, then select the properties, then remove the logon.bat file name from the AD account attribute. It will change it on all of them at once. This capability was first introduced in NT4 somewhere around sp5 or sp6. Or you can of course script it using the command net user /scriptpath:path. BTW: This also works with passwords.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Harding, Devon
Sent: Monday, December 05, 2005 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] remove logon script?

How can I remove the logon.bat from all my user (2000+) accounts at one time in my domain? I've switched to GPO for the logon scripts.

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] Ntds.dit file corruption
Novell.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

I was not aware that Microsoft had incorporated such a feature in AD 2003. I know for a fact that Microsoft did not have this feature when AD 2000 was first released because I mentioned it to several Microsoft AD premier support specialists and they each confirmed it was not available (however it may have been added in a service pack). I would love to know how to enable a read only DC. I think that is a great idea, I wonder who thought of it. :-)

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, December 05, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

Will Read Only DC's take care of this? I don't know much about them yet, but it makes sense that if the copy of the dit that a DC has is RO that it won't try to replicate that anywhere and would only be the recipient of replication. Anyone with more knowledge about how RO DC's will work to comment on that?

Phil

On 12/5/05, Medeiros, Jose [EMAIL PROTECTED] wrote:

Well at least the corruption occurred on just a single DC. One thing that has bugged me about Active Directory is not being able to select if you want a DC in a remote office to not have the ability to replicate back in a large enterprise environment. Since most remote offices only have a few people at the location and a DC is usually placed for improvised logon and authentication time, many companies will either use a very low end server or a very old decommissioned one from their production data center (which is probably close to usable life). I am always concerned that once the NTDS.DIT file becomes corrupt it will replicate the corruption to the other DC's in the Forest. Maybe I am just being a worry wart and this really is not an issue.

Sincerely,
Jose Medeiros
ADP | National Account Services
ProBusiness Division | Information Services
925.737.7967 | 408-449-6621 CELL

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, December 05, 2005 8:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Ntds.dit file corruption

I did? :-) I think I still said all I know is what the poster said :-) I think I need a course in event log reading because even with the logs, and the default size of the logs, I still don't see a smoking gun. The directory services one is filled with events 'post' blow up. What is interesting is that it seems to me big server land goes .. oh yeah... ntds.dit corruption... and sbsland freaks out. Either we do indeed need to ensure we have a secondary DC or we need to park a second copy of a system state offsite [say at the vap/var]

Brett Shirley wrote:

She replied offline, very likely a single bit flip, tragedy, they aren't one release later (Longhorn), where this would've probably been non-disruptively handled, logged, and possibly self-healed: http://blogs.technet.com/efleis/archive/2005/01.aspx

Anyway, this kind of thing is usually hardware ... While there are much better disk sub-system testers, one that is freely available to any box with Exchange is jetstress. You might give that a try. If you can reproduce the event / error with jetstress I would not use that box in production. If you do reproduce the issue several times (several times is key, as you want a trend before you start playing the variable game), some things you might vary (one at a time):
- Try making sure you have the latest driver and motherboard / controller firmware. Then see if you can reproduce.
- Try a different RAID configuration, such as RAID1/RAID1+0 if you're on RAID5.
- Try swapping out the hard drives, one at a time.
- Adding the jetstress files to the exclude list in the Anti-Virus software. (A low probability, I've never heard of Anti-Virus causing this particular type of error, and I can't imagine the mistake an anti-virus product would have to have to cause this side effect)
- If you can reproduce it several times, you could follow up with Dell.

Good luck. I'm not sure if I answered your question ...

Cheers,
BrettSh

On Sun, 4 Dec 2005, Eric Fleischman wrote:

Going back to the original post, I'm not sure I fully understand the problem yet. Susan, can you define "ntds.dit file corruption" for us? What sort of corruption?
RE: [ActiveDir] Saved Query for Distinguished Name Contains
Thanks for the scoop, Joe!!! And yes, I LOVE ADFIND, but it doesn't provide a result set within the MMC. I'm trying to do an MMC (AD UC snap-in) Saved Query as the basis for a custom Taskpad. Sorry I wasn't clear about that. Guess I'm out of luck. Thanks again, though! At least I know not to keep beating my head against the wall!

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

<snip: quoted in full above>
RE: [ActiveDir] Saved Query for Distinguished Name Contains
Hi Dan, as joe said you can also modify the search base, so when creating the saved query select the search base (it's on the first screen of the dialog which lets you add a saved query, not in the definition of the query itself). Sorry don't have the interface in front of me so I'm not sure about the wording, but there are just three options: name of the saved query, search base and query. If you have any further questions ...

Ulf

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, December 06, 2005 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

<snip: quoted in full above>
RE: [ActiveDir] Saved Query for Distinguished Name Contains
What is this MMC thing you speak of? ;o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Monday, December 05, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Saved Query for Distinguished Name Contains

<snip: quoted in full above>
[ActiveDir] Moral of this story...don't move the log files
When you perform a system state backup on a domain controller that is running Windows Server 2003 with Service Pack 1, Backup may fail: http://support.microsoft.com/?kbid=909265

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
RE: [ActiveDir] Ntds.dit file corruption
BDC

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carpenter Robert A Contr WROCI/Enterprise IT
Sent: Monday, December 05, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

Novell.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

<snip: quoted in full above>
RE: [ActiveDir] Ntds.dit file corruption
For full disclosure I am no longer in the Microsoft Services organization, I was the last time Joe talked to me where I was an Advisory Support Engineer (AKA Alliance Support). I am now a Product Technology Specialist for Directories and Identities in Microsoft's technical pre-sales organization. Not that it changes the answer below. :-)

Thanks,
-Steve

Steve Linehan | Technology Specialist Directories Identities | South Central District | Microsoft Corporation

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, December 05, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

RODCs are a LongHorn feature. It will be one-way replication to the RODCs. They will not replicate out anything. If you are on the LongHorn beta you should be able to test this right now. But as Steve (one of the really good PSS guys) said and I can concur as I have seen my share of corrupted DITs, the corruption doesn't replicate. In every case I have seen it the problem has been hardware failure or a firmware/driver matchup issue in the disk subsystem. Fixing them is easy, wipe the machine, do hardware tests, if it passes, do it again. If it passes do it a third time. If it passes, reload and repromo. If it fails one of the tests, get the hardware fixed, reload, and repromo. If SBS, well you have all sorts of issues in that basket as your eggs leak.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, December 05, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Ntds.dit file corruption

<snip: quoted in full above>