RE: [ActiveDir] OT: DNS entry

2006-08-08 Thread neil.ruston
At a high level, I'd look to create a filter within the sec mon tool, such that objects updated by their owners were trapped in a different to those not changed by the owner. I'd ensure the tool used / purchased was capable of meeting any requirements. neil From: [EMAIL PROTECTED]

RE: [ActiveDir] OT: DNS entry

2006-08-08 Thread neil.ruston
er, no :) if you have more than 1 DC, then the task becomes too convoluted. Use a 3rd party sec mon and auditing tool. I mentioned several vendors below. neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Carter Sent: 07 August 2006 17:08 To:

[ActiveDir] Share your knowledge with the AD community

2006-08-08 Thread Tony Murray
Hi all This is a reminder that there are a couple of methods by which you can share your AD knowledge and experience with the wider community. In addition to the ability to create your own articles on ActiveDir.org (http://www.activedir.org/Register.aspx) you can also have your own blog space

[ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Hello :) I have my AD w2k3sp1 hard disk configured as this: hdd1: AD logs. hdd2: ntds.dit + sysvol. I would like to change my hdd2, so I move the ntds.dit in hdd1 and that's ok. But how to move the sysvol folder in hdd1? Is there a way to do this? Thanks for your replies. Yann

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Robert Rutherford
http://support.microsoft.com/?kbid=842162 Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern Barrow Wallisdown Poole Dorset BH12 5HH T: +44 (0) 8456 440

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT. See: -- http://support.microsoft.com/?id=842162 However, if I might be so bold as to make a suggestion here, I would recommend you leave SYSVOL where it is, giving

Re: [ActiveDir] LDAP Ping

2006-08-08 Thread Al Mulnick
Hmmm this was blank as well. taps Is this thing on? /taps On 8/7/06, Bahta, Nathaniel V CTR USAF NASIC/SCNA [EMAIL PROTECTED] wrote:

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston
Try this MS article: http://support.microsoft.com/?kbid=842162 neil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann Sent: 08 August 2006 13:14 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Moving Sysvol . Hello :) I have my AD w2k3sp1 hard disk configured as

Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread Al Mulnick
I've always viewed HT as that in-between technology while dual core chips were being developed for the x86 platform and until 64b could come of age. The thinking generally was always back and forth between use it and disable it for various Microsoft server applications. It was discouraged for

RE : RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Thanks a lot :) Next time, I will look first in MS kb. Cheers, Yann Robert Rutherford [EMAIL PROTECTED] wrote: http://support.microsoft.com/?kbid=842162 Robert Rutherford QuoStar Solutions Limited The Enterprise Pavilion Fern

RE : Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Yann
Paul, Thanks for your suggestion. I will follow your advice in order to secure my ntds.dit. Thanks again, Yann Paul Williams [EMAIL PROTECTED] wrote: Yes, you can relocate the SYSVOL. It's just a little more involved (couple of extra steps, not difficult) than moving the DIT.

Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread AFidel
From Tim Mangan's whitepaper on hyperthreading under 2003: The results in this paper are exclusively related to Windows Server 2003. We are currently running the tests used in the development of this paper under Server 2000. We can verify reports of performance and stability problems with

[ActiveDir] DC Restore

2006-08-08 Thread Salandra, Justin A.
I have a server that we had to rebuild and we tried to restore the system state and the computer won't boot saying that there is a disk configuration problem. Can we just rebuild the server and then just run DCPROMO again using the same name to add it back in or do we have to go into

Re: [ActiveDir] DC Restore

2006-08-08 Thread Tomasz Onyszko
On Tue, 8 Aug 2006 09:49:16 -0400, Salandra, Justin A. wrote: I have a server that we had to rebuild and we tried to restore the system state and the computer won't boot saying that there is a disk configuration problem. Can we just rebuild the server and then just run DCPROMO again using the

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston
... but then there's the school of thought that says you should: - Place DIT and logs on separate spindles, since DIT is read intensive and logs are write intensive. Since SYSVOL is also read intensive, I'd prefer to place SYSVOL with the DIT. To be honest, I don't follow the delegation argument...GPOs

Re: [ActiveDir] DCs Hyper-Threading

2006-08-08 Thread Paul Williams
I believe, from a past conversation, that disabling hyper-threading on bridgehead servers with lots of inbound connections, i.e. in enterprise deployments, should be *considered* as the replication queue has two parallel threads for processor, core or hyper threading processor as the system

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia
Yea, I'm not sure why one has to do with the other (GPO delegation and security of the DIT). GPO delegation simply involves granting permissions on individual GPC objects in AD and individual folders in the GPT (SYSVOL). The only risk I can see is that it is marginally easier to fill up a

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
I believe the school of thought here is that the person has write access to the same volume as the DIT, which means he/ she can easily perform DOS attacks, etc. by filling up the disk. I agree it's unlikely, but there you go. Take the [real] examples of where people with write access to

[ActiveDir] Audit Logs on DC

2006-08-08 Thread Salandra, Justin A.
Is it normal to see a person logging in and out over and over all day long every 90 minutes or so I am getting a bunch of Event ID 540 and 538s over and over for the same user every 90 minutes or so, is this just the Group Policy refreshing? How can I pin point the actual user login and

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Darren Mar-Elia
I hear what you're saying with respect to DOS attacks and filling up the disk with Ghost images but I think what you're talking about is trying to design around dumb mistakes. When has that ever been a task without end ? :-) I'm all for designing for performance, availability, etc. but I

RE: [ActiveDir] Moving Sysvol .

2006-08-08 Thread neil.ruston
All fair points, Paul - I guess I'd view these concerns in a different way: - Use a GPO management tool to abstract away native GPO rights - If admins cannot be trusted not to fill SYSVOL with sh** then don't give them any rights in SYSVOL [similar to above point] - If SYSVOL has its own

Re: [ActiveDir] Moving Sysvol .

2006-08-08 Thread Paul Williams
Yeah, I'm not disagreeing with what you and Darren say. In fact, I mostly agree. I'm just working in a high security environment where every detail is scrutinised and extra care needs to be taken with everything. I've always been one of these people that try and look at both sides of the

[ActiveDir] Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution

2006-08-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
One of 12 today...but since it's DNS related Microsoft Security Bulletin MS06-041 Vulnerability in DNS Resolution Could Allow Remote Code Execution (920683): http://www.microsoft.com/technet/security/Bulletin/MS06-041.mspx For an attack to be successful the attacker would either have to be on

Re: [ActiveDir] Audit Logs on DC

2006-08-08 Thread AFidel
We had a similar issue here (much more frequently) and tracked it down to the WhatsUp process running under their credentials and logging into the servers to check process state. Changed the whatsup process to run under alternate credentials (duh) and the problem went away. My guess would be

Re: [ActiveDir] DC Restore

2006-08-08 Thread mike kline
Metadata was already mentioned. If the server was holding any of the FSMO roles then you will need to seize those roles. Jorge has some good pages on his blog that will help you http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/373.aspx Moving FSMO roles from one DC to another DC

Re: [ActiveDir] DC Restore

2006-08-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
HAL the same? What's the exact error as there are times we have to mess with HALs and drivers and what not... E-Bitz - SBS MVP the Official Blog of the SBS Diva : Disaster Myths of SBS: http://msmvps.com/blogs/bradley/archive/2006/07/26/105867.aspx

Re: [ActiveDir] DC Restore

2006-08-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Boot critical conditions: Compatible HAL Accurate boot.ini, consistent boot device order boot critical drivers installed Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote: HAL the same? What's the exact error as there are times we have to mess with HALs and drivers and what not...

[ActiveDir] DC and CG in the DMZ of the network

2006-08-08 Thread Ramon Linan
Hi, I just started working for a company. I am finding out that they have 3 DC in the DMZ (firewall is Cisco PIX) 2 of them are NS servers that handle our external records to the domain (mx records, A record, www record, etc). The other one is unluckily an exchange 2003 (not good thing to

RE: [ActiveDir] DC and CG in the DMZ of the network

2006-08-08 Thread Deji Akomolafe
Yes, you should be worried. What do you do about it? Well, you start by asking them the reasoning behind the decision to place these servers where they are. Then you take the reasoning and technically deconstruct them in such a way that shows the stake-holders that the things they are trying to

Re: [ActiveDir] creating directories and editing the security tab.

2006-08-08 Thread Tomasz Onyszko
Antonio Aranda wrote: I wrote a script that will create user account, join them to security groups and create them a directory the automatically map at logon. It works great but for one thing. I need to edit the directory’s security tab so that only the user and the administrator have access

RE: [ActiveDir] creating directories and editing the security tab.

2006-08-08 Thread Deji Akomolafe
http://www.akomolafe.com/Portals/1/userprof-xcacls.txt HTH Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the

[ActiveDir] FMSO roles split, patch question.

2006-08-08 Thread John Strongosky
We have our FMSO roles split between 2 dc's. They are Schema Master/Domain Tree Operator on 1 and on 2, the roles PDC Emulator/Rid Pool/Intrastate on the other. After I apply the patches from Microsoft what is the best practices for the boot order...or does it matter? 1. Remote DC/GC's

RE: [ActiveDir] FMSO roles split, patch question.

2006-08-08 Thread Deji Akomolafe
It doesn't matter. Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

Re: [ActiveDir] FMSO roles split, patch question.

2006-08-08 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
The main thing is to test and approve 06-040 and get that one on the fast track IMHO. Deji Akomolafe wrote: It doesn't matter. Sincerely, Microsoft MVP -

[ActiveDir] UPPER case for username

2006-08-08 Thread Irwan Hadi
We are in the process of bringing in a couple hundred users from a Novell Groupwise system to our AD 2003 + Exchange 2003 system. Our AD is in Windows 2003 Native mode for forest and domain. Because of the need to integrate Groupwise and Exchange, we need to use Microsoft Exchange Connector for

[ActiveDir] Replication error between 4 sites

2006-08-08 Thread Carl Webster
Greetings, Have a network that even after 3 calls to PSS in 1 week is still not having KCC working properly. Replication has been forced to work so the network could be upgraded to R2. But to me and a couple of others KCC is just not working properly. I could use your help in resolving this

RE: [ActiveDir] UPPER case for username

2006-08-08 Thread Deji Akomolafe
This is a non-issue Sincerely, Microsoft MVP - Directory Services www.akomolafe.com - we know IT -5.75, -3.23 Do you now realize that Today is the Tomorrow you were worried about Yesterday?

RE: [ActiveDir] Replication error between 4 sites

2006-08-08 Thread David Adner
I suggest stop trying to understand why any one support engineer happens to disagree with another since the answers aren't going to help your issue. But, if you must know... 1. Because there's no one right way. People who tell you there's only 1 right way are wrong. 2. You'd have to ask the