Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-07 Thread Matt Hargraves
Security a goal? It's more of a journey where the destination is we didn't get hacked this week (month/year)
BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server.
I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess.
On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena.

Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;)

Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned.

Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy.

If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though


Al


On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] wrote:
Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught

Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-07 Thread Al Mulnick
We agree on security as a journey. We seem to disagree about putting an application on a DC. Exchange especially. Will it work? Yes. But the tradeoffs in that situation can be distasteful from an operational and security point of view if security, flexibility, scalability, and availability are of any concern whatsoever.


I have no issues with SBS. I'm thankfully able to avoid that product line in most of my dealings to date. My issue has more to do with the applications and intended purpose of the functions deployed when you try to put them all on the same box. If those applications were meant to be together, then Microsoft would have built them with that in mind. Until then, I'll continue to be leery of them working together. 



-ajm
On 10/7/06, Matt Hargraves [EMAIL PROTECTED] wrote:
Security a goal? It's more of a journey where the destination is we didn't get hacked this week (month/year)
BTW, I wasn't saying that it's the worst idea ever to put e-mail on a DC (if it's a GC it will save you the journey for authentication), but in an organization where you have 2+ sites (and probably more than 500 users), I would tend to recommend putting Exchange on a separate server. 
I know that SBS isn't the *worst* tool ever (well... if you used it back in 1997 - which I did - it was), in fact, I've set up my sister/brother-in-law's network with an SBS box. Of course, they don't have 500+ users, they have 4. It's a matter of scale I guess. 

On 10/6/06, Al Mulnick [EMAIL PROTECTED] wrote:
 

Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena.

Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;)

Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned.

Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy.

If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though


Al



On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan (Temp)

Boy, Al, I'd dearly *love* to "step away from the keyboard, keep your hands where we can see 'em!" but I am the monkey in charge of doing this.

Problem was (is?), I stupidly shut down the FTPSERVER without seeing if it was a time server, the OU master, the AD controller, and/or the PDC. Chalk it up to inexperience/stupidity. I went into this task DUMB. (FTPSERVER is the old, inactivated server, FTP1 is now the only ftp server in the organization)

I'd like to flatten the Sweden server and start over, but what if the problem is still there? Something is going to be broken within the AD on the Headquarters end. I'm going to suck the filesystem over here to the States, then probably bare metal the little bugger.

DNS seems to be working okay, replication and all. I have the HQ NAT address in the 192.168.1.x range, with Poland on 192.168.2.x and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate is the 192.168.1.x Class C. I VPN tunnel to them, and I'm able (when DNS is working) to login with the AD login permissions available here. I'm pretty sure it's working, because when I "add" the Sweden DNS server to the purcellsystems.com domain everything works in the Sweden office.

AD is working okay ( I *think*), I'm doing my level best to avoid having to tweak it in any way. I'm slavishly following the instructions in Robbie Allen's "Active Directory Cookbook" to avoid any future screw-ups.

FWIW, I've torn the server's DNS and AD down completely, rebooted the server twice, then rebuilt/reinstalled DNS and was attempting to reinstall AD when this happened. Is bare metal rebuild the only option at this point?

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, October 05, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

My first instinct is to say please step away from the keyboard but that's just to make me chuckle. :)

It looks like the old server, FTP1 was configured as a time server? Or was it an AD domain controller?

The answer to that guides the rest of the conversation, but the best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because you're not sure of the state, be sure to get a backup should you need it.

If everything else is fine, then you'll want to rebuild that server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is in good shape including dns, replication and authentication at a minimum.

DNS would be my primary concern at this point. Don't mess with the forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional level is not something you want to just walk out and pull the trigger on without understanding what it means and what the implications are.

Al

On 10/5/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've screwed the pooch on my network. Here's how:

Shut down an antiquated FTP server after transferring files to the new FTP server. The old one's OS was Win2K, the new one is Win2003.

I *did not* do anything to AD at the time this occurred.

A day before I started working here (8/8/06) the server in Sweden was rebuilt by a local consultant. Hardware failure. He rebuilt from bare metal, and set up the DNS and AD incorrectly. The end result was a server sitting in its own domain. DNS was somehow told to replicate to the server, and was working fine.

I next tried to put/rename/move the Sweden server into the Purcell.com domain. Oops, have to upgrade out of Win2000 mixed mode. No problem, I'll just transfer the AD, DNS, and PDC to a master machine running Win2003 and have lotsa machines (okay, one or two) running as PDCs and alternate DNS and AD, right?

Here's where the pooch got this way - I'm a n00b when it comes to AD, and somehow in the transfer of functions I've messed up the domain something fierce. AD and DNS work just fine (replicate) on the USA and Poland servers, but I tried upgrading the Sweden server to the forest and things got cranky - it wouldn't upgrade because it swore up and down that the domain was still in pre-Win2003 mode. In frustration, I tore down DNS and AD on the Sweden server, and rebuilt them - not an easy task by remote control...

The DNS rebuilt just peachy on the Sweden server, but when I go to install AD on it, it tells me that the domain ain't ready for prime time - I have to run adprep on the domain. I ran adprep the first time, and everything appeared to work just fine. Subsequent attempts are rebuffed - I've already prepared the domain, it tells

Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Al Mulnick
Glad you're able to retain a sense of humor. That's important too. :)

You're in good shape if AD and DNS is working fine or at least as expected. You can find out if the old FTP server held any roles etc and clean up based on that. 

I don't have the links handy, but you'll want to check for the following: 
1) time server settings for the Domain - check PDC (by default it's the time master for the domain but yours may be custom/different)
2) find out if the FTP server was a DC. For this, open the ADUC and see what it shows in the domain controllers container. Not foolproof but it's an indication
3) Use DCDIAG on the domain controllers and check the information that comes back. Look for issues in there. Easiest if you pipe it to a text file and use the /v switch, so that you can search it later. Before you take action, feel free to drop a note back with the results. Some things can be easy, while others might be better left alone or better yet, you might need to involve Microsoft Support. 

4) Leave the sweden server alone until you have the other questions answered. It's fine the way it is for now, even if it leaves them degraded.
5) once you've been able to clear the rest, then we can go back and find out why the server doesn't want to be added to the domain as a dc (keep in mind it should be a domain member server now without issue). 

Chances are, based on your description, that there's nothing to be terribly concerned about. Verify and then figure out why the server won't join as a DC. There are logs for the dcpromo process that should give an indication of that issue, but I highly suggest attacking this serially. 


Al
On 10/6/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:



Boy, Al, I'd dearly *love* to "step away from the keyboard, keep your hands where we can see 'em!" but I am the monkey in charge of doing this.


Problem was (is?), I stupidly shut down the FTPSERVER without seeing if it was a time server, the OU master, the AD controller, and/or the PDC. Chalk it up to inexperience/stupidity. I went into this task DUMB. (FTPSERVER is the old, inactivated server, FTP1 is now the only ftp server in the organization)


I'd like to flatten the Sweden server and start over, but what if the problem is still there? Something is going to be broken within the AD on the Headquarters end. I'm going to suck the filesystem over here to the States, then probably bare metal the little bugger.


DNS seems to be working okay, replication and all. I have the HQ NAT address in the 192.168.1.x range, with Poland on 192.168.2.x and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate is the 192.168.1.x Class C. I VPN tunnel to them, and I'm able (when DNS is working) to login with the AD login permissions available here. I'm pretty sure it's working, because when I "add" the Sweden DNS server to the purcellsystems.com domain everything works in the Sweden office.

AD is working okay ( I *think*), I'm doing my level best to avoid having to tweak it in any way. I'm slavishly following the instructions in Robbie Allen's "Active Directory Cookbook" to avoid any future screw-ups.


FWIW, I've torn the server's DNS and AD down completely, rebooted the server twice, then rebuilt/reinstalled DNS and was attempting to reinstall AD when this happened. Is bare metal rebuild the only option at this point?



Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, October 05, 2006 5:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now



My first instinct is to say please step away from the keyboard but that's just to make me chuckle. :)



It looks like the old server, FTP1 was configured as a time server? Or was it an AD domain controller? 



The answer to that guides the rest of the conversation, but the best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because you're not sure of the state, be sure to get a backup should you need it. 




If everything else is fine, then you'll want to rebuild that server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is in good shape including dns, replication and authentication at a minimum. 




DNS would be my primary concern at this point. Don't mess with the forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional level is not something you want to just walk out and pull the trigger on without understanding what it means and what the implications are. 




Al

On 10/5/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've screwed the pooch on my network. Here's how:
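
Step 3 of Al's checklist in the message above suggests saving verbose DCDIAG output to a text file (for example `dcdiag /v > dcdiag.txt`) so it can be searched later. As an added example, not part of the original thread, the Python below parses such a file into passed and failed tests per target and lists every line that still mentions a retired host such as FTPSERVER; the sample output, the name HQDC1 and the domain example.test are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `dcdiag /v` text output (not taken from the thread).
# HQDC1 and example.test are made-up names; FTPSERVER is the retired server
# named in the thread, shown here as a stale replication partner.
SAMPLE = r"""
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: HQ\HQDC1
      Starting test: Connectivity
         ......................... HQDC1 passed test Connectivity

Doing primary tests

   Testing server: HQ\HQDC1
      Starting test: Replications
         [Replications Check,HQDC1] A recent replication attempt failed:
            From FTPSERVER to HQDC1
            Naming Context: DC=example,DC=test
            The replication generated an error (1722):
            The RPC server is unavailable.
         ......................... HQDC1 failed test Replications
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=HQDC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test
         ......................... HQDC1 passed test KnowsOfRoleHolders
      Starting test: Advertising
         ......................... HQDC1 passed test Advertising

   Running enterprise tests on : example.test
      Starting test: FsmoCheck
         ......................... example.test passed test FsmoCheck
"""

# "Starting test: <name>" opens a test; the dotted line closes it with a verdict.
START_RE = re.compile(r"^\s*Starting test:\s*(?P<test>\S+)\s*$")
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s*(?P<target>\S+)\s+(?P<verdict>passed|failed)\s+test\s+(?P<test>\S+)\s*$"
)


def parse_dcdiag(text):
    """Return {target: {"passed": [tests], "failed": {test: [detail lines]}}}.

    The target is whatever dcdiag names on the verdict line: a server,
    a partition or the domain (for enterprise tests).
    """
    results = defaultdict(lambda: {"passed": [], "failed": {}})
    detail = []  # lines seen since the last "Starting test:"
    for line in text.splitlines():
        if START_RE.match(line):
            detail = []
            continue
        m = RESULT_RE.match(line)
        if m:
            bucket = results[m["target"]]
            if m["verdict"] == "passed":
                bucket["passed"].append(m["test"])
            else:
                # Keep the diagnostic text that preceded the failure verdict.
                bucket["failed"][m["test"]] = [d.strip() for d in detail if d.strip()]
            detail = []
            continue
        detail.append(line)
    return dict(results)


def mentions(text, hostname):
    """Return (line number, line) pairs that name `hostname` as a whole token."""
    pat = re.compile(r"(?<![\w-])" + re.escape(hostname) + r"(?![\w-])", re.IGNORECASE)
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if pat.search(line)]


def report(text, retired_host):
    """Build a short text report: failed tests first, then stale host references."""
    out = []
    for target, res in parse_dcdiag(text).items():
        for test, detail in res["failed"].items():
            out.append(f"FAILED {target}: {test}")
            out.extend(f"    {d}" for d in detail)
    for n, line in mentions(text, retired_host):
        out.append(f"line {n} mentions {retired_host}: {line}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE, "FTPSERVER"))
```

A surviving DC that still lists the retired server as a replication partner or role holder is the kind of finding to post back to the list before any cleanup, as Al asks.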

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan (Temp)

You mean the people on this thread are less than honest?? ;P

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Friday, October 06, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:

Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell

AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER *was* a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it.

SNIP

Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)


Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck 
are they thinking, making DCs mail servers and FTP servers.  Might as 
well load them up with web services next.


BTW, you probably shouldn't be posting your infrastructure in a 
message list.




On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] wrote:


Al, will do.  I tucked FTPSERVER under a desk and forgot about
it.  Experience has taught me the hard way not to be in a rush to
tear down machines and cannibalize the parts until you are SURE
it's okay to loot the corpse.  Nevermind the smell…

 


AD and DNS is working as well as can be expected with a
thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
I think, but I'll fire up the box (OFF of the wire!) and start
looking at it.

 


Here's what I see for the domain:

 


How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
refuses to become one…  This entry is from an OLD Sweden server
entry – notice how the guy before me spedded Swe(den).

 


IF it ain't broke, don't break it!.  Maybe I should just quit
screwing with it – for now…

 


I'll keep plugging away at it, I guess.

 


Steve Egan

Purcell Systems

System/Network Administrator

desk 509 755-0341 x110

cell 509 475-7682

fax 509 755-0345



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
*Sent:* Friday, October 06, 2006 1:30 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

 


Glad you're able to retain a sense of humor.  That's important too. :)

 


You're in good shape if AD and DNS is working fine or at least as
expected.  You can find out if the old FTP server held any roles
etc and clean up based on that.

 


I don't have the links handy, but you'll want to check for the
following:

1) time server settings for the Domain - check PDC (by default
it's the time master for the domain but yours may be custom/different)

2) find out if the FTP server was a DC. For this, open the ADUC
and see what it shows in the domain controllers container. Not
foolproof but it's an indication

3) Use DCDIAG on the domain controllers and check the information
that comes back. Look for issues in there.  Easiest if you pipe it
to a text file and use the /v switch, so that you can search it
later.  Before you take action, feel free to drop a note back with
the results.  Some things can be easy, while others might be
better left alone or better yet, you might need to involve
Microsoft Support.

4) Leave the sweden server alone until you have the other
questions answered. It's fine the way it is for now, even if it
leaves them degraded.

5) once you've been able to clear the rest, then we can go back
and find out why the server doesn't want to be added to the domain
as a dc (keep in mind it should be a domain member server now
without issue).
 


Chances are, based on your description, that there's nothing to be
terribly concerned about.  Verify and then figure out why the
server won't join as a DC.  There are logs for the dcpromo process
that should give an indication of that issue, but I highly suggest
attacking this serially.

 


Al
 


On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] wrote:

Boy, Al, I'd dearly **love** to step away from the keyboard, keep
your hands where we can see 'em! but I am the monkey in charge of
doing this.

 


Problem was (is?), I stupidly shut down the FTPSERVER without
seeing if it was a time server, the OU master, the AD controller,
and/or the PDC.  Chalk it up to inexperience/stupidity.  I went
into this task DUMB. (FTPSERVER is the old, inactivated server,
FTP1 is now the only ftp server in the organization)

 


I'd like to flatten the Sweden server and start over, but what if
the problem is still there?  Something is going to be broken
within the AD on the Headquarters end.  I'm going to suck the
filesystem over here to the States, then probably bare metal the
little bugger.

 


DNS seems to be working okay, replication and all.  I have the HQ
NAT address in the 192.168.1.x range, with Poland on 192.168.2.x
and Sweden on 192.168.3.x, and the only IN-ADDR I really replicate
is 

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Steve Egan (Temp)
Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)

Matt Hargraves wrote:
 I know you probably haven't been there very long, but what in the heck

 are they thinking, making DCs mail servers and FTP servers.  Might as 
 well load them up with web services next.

 BTW, you probably shouldn't be posting your infrastructure in a 
 message list.



 On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] wrote:

 Al, will do.  I tucked FTPSERVER under a desk and forgot about
 it.  Experience has taught me the hard way not to be in a rush to
 tear down machines and cannibalize the parts until you are SURE
 it's okay to loot the corpse.  Nevermind the smell...

  

 AD and DNS is working as well as can be expected with a
 thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
 I think, but I'll fire up the box (OFF of the wire!) and start
 looking at it.

  

 Here's what I see for the domain:

  

 How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
 refuses to become one...  This entry is from an OLD Sweden server
 entry - notice how the guy before me spedded Swe(den).

  

 IF it ain't broke, don't break it!.  Maybe I should just quit
 screwing with it - for now...

  

 I'll keep plugging away at it, I guess.

  

 Steve Egan

 Purcell Systems

 System/Network Administrator

 desk 509 755-0341 x110

 cell 509 475-7682

 fax 509 755-0345




 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
 *Sent:* Friday, October 06, 2006 1:30 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now
SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Tim Vander Kooi
It's not speed or resources that scare most of us when it comes to
sharing DC space with other apps, it's security. With SBS Microsoft has
(at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he
inadvertently put no security on it whatsoever and the company I was
with at the time ended up serving up 200 GB of German p0rn. He had lots
of fun explaining why our new server had crashed due to lack of
diskspace.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)

Matt Hargraves wrote:
 I know you probably haven't been there very long, but what in the heck

 are they thinking, making DCs mail servers and FTP servers.  Might as 
 well load them up with web services next.

 BTW, you probably shouldn't be posting your infrastructure in a 
 message list.



 On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] wrote:

 Al, will do.  I tucked FTPSERVER under a desk and forgot about
 it.  Experience has taught me the hard way not to be in a rush to
 tear down machines and cannibalize the parts until you are SURE
 it's okay to loot the corpse.  Nevermind the smell...

  

 AD and DNS is working as well as can be expected with a
 thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
 I think, but I'll fire up the box (OFF of the wire!) and start
 looking at it.

  

 Here's what I see for the domain:

  

 How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
 refuses to become one...  This entry is from an OLD Sweden server
 entry - notice how the guy before me spedded Swe(den).

  

 IF it ain't broke, don't break it!.  Maybe I should just quit
 screwing with it - for now...

  

 I'll keep plugging away at it, I guess.

  

 Steve Egan

 Purcell Systems

 System/Network Administrator

 desk 509 755-0341 x110

 cell 509 475-7682

 fax 509 755-0345




 *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
 *Sent:* Friday, October 06, 2006 1:30 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Major screwup on AD for my company -
 Can't install AD on remote server now
SNIP
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Granted external FTP isn't one that SBSers recommend either and we're 
freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.



Tim Vander Kooi wrote:

It's not speed or resources that scare most of us when it comes to
sharing DC space with other apps, it's security. With SBS Microsoft has
(at least in theory) covered most of those security bases for the admin.
The last time I allowed another admin to install FTP on a server he
inadvertently put no security on it whatsoever and the company I was
with at the time ended up serving up 200 GB of German p0rn. He had lots
of fun explaining why our new server had crashed due to lack of
diskspace.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Egan
(Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor
SuperMicros, so they aren't even sweatin' hard.  I'm watching them,
they're golden.  (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers
(quad xeon) and are getting more.  Don' neeed no steeenkin'
SBS's!  ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb
gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley,
CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't
install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as 
much as it does you big serverland guys)


Matt Hargraves wrote:

I know you probably haven't been there very long, but what in the heck
are they thinking, making DCs mail servers and FTP servers.  Might as 
well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a 
message list.




On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] 
mailto:[EMAIL PROTECTED] wrote:


Al, will do.  I tucked FTPSERVER under a desk and forgot about
it.  Experience has taught me the hard way not to be in a rush to
tear down machines and cannibalize the parts until you are SURE
it's okay to loot the corpse.  Nevermind the smell...

 


AD and DNS is working as well as can be expected with a
thumb-fingered choom hacking away at it!  FTPSERVER **was** a DC,
I think, but I'll fire up the box (OFF of the wire!) and start
looking at it.

 


Here's what I see for the domain:

 


How the *^($(*^ is Sweden in there??  It's NOT an AD server, it
refuses to become one...  This entry is from an OLD Sweden server
entry - notice how the guy before me spedded Swe(den).

 


IF it ain't broke, don't break it!.  Maybe I should just quit
screwing with it - for now...

 


I'll keep plugging away at it, I guess.

 


Steve Egan

Purcell Systems

System/Network Administrator

desk 509 755-0341 x110

cell 509 475-7682

fax 509 755-0345





  

*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Al Mulnick
*Sent:* Friday, October 06, 2006 1:30 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Major screwup on AD for my company -
Can't install AD on remote server now


SNIP

  


--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs



Re: [ActiveDir] RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-06 Thread Al Mulnick
Hmm... I'm becoming more and more convinced that security on any platform is more of a goal than a destination anyway :)

Putting other apps on a server that is designed to be a security server is not best practice on any platform SBS or not. SBS exists because it makes more economic sense than mom's 75 person company buying one server per person to run Microsoft software. It's still a Frankenstein in my opinion. I have a slanted view of course, but I also know some of what goes on to make those apps magically work on the same machine. Security is not my concern in that arena.


Availability also comes to mind as something that's at risk if you mix applications with your authentication services. Sadly, I saw this just the other day when a DC that's also a file/print server sigh crashed due to lack of disk space. Somebody got those pictures down before I got to it darn it. I bet they were some good ones ;)


Steve, I suggested the other tools because you need an accurate and up to date picture of what's going on. Sites and Services is not going to give you what you need in this case. Use ADUC and use the other tools I mentioned.


Oh, and don't worry about those on *this* list when it comes to sending your company's private information: we're mostly honest. Those that troll the groups with googMSNSearch on the other hand might be less trustworthy.


If you feel you'd like a second set of eyes, I'm happy to help. You can send to me directly and I'll respond directly as well. If you don't trust me, please give Microsoft support a call else find somebody who's more familiar with AD and your situation that can give you that second set of eyes. You're not screwed yet based on the information you've presented. That could change though


Al


On 10/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:
Granted external FTP isn't one that SBSers recommend either and we're freaking out going WHAT ARE YOU THINKING? as well.

As we say down here we don't get hacked... we get stupid.

Tim Vander Kooi wrote:
It's not speed or resources that scare most of us when it comes to sharing DC space with other apps, it's security. With SBS Microsoft has (at least in theory) covered most of those security bases for the admin. The last time I allowed another admin to install FTP on a server he inadvertently put no security on it whatsoever and the company I was with at the time ended up serving up 200 GB of German p0rn. He had lots of fun explaining why our new server had crashed due to lack of diskspace.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Egan (Temp)
Sent: Friday, October 06, 2006 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Well, the servers running the DC, mail, PDC, etc. are quad-processor SuperMicros, so they aren't even sweatin' hard. I'm watching them, they're golden. (Thanks, Susan - we think alike.)

(Ahem... don't look now, but we already have 8 IBM e-Business servers (quad xeon) and are getting more. Don' neeed no steeenkin' SBS's! ;P )

(Let me just unequivocally state right here that SAP is a 10,000lb gorilla...)

Steve Egan
Purcell Systems
System/Network Administrator
desk 509 755-0341 x110
cell 509 475-7682
fax 509 755-0345

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Friday, October 06, 2006 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

Yeah next they'll be SBS servers being installed there.

(For some of us having our DCs do other things doesn't freak us out as much as it does you big serverland guys)

Matt Hargraves wrote:
I know you probably haven't been there very long, but what in the heck are they thinking, making DCs mail servers and FTP servers. Might as well load them up with web services next.

BTW, you probably shouldn't be posting your infrastructure in a message list.

On 10/6/06, *Steve Egan (Temp)* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
Al, will do. I tucked FTPSERVER under a desk and forgot about it. Experience has taught me the hard way not to be in a rush to tear down machines and cannibalize the parts until you are SURE it's okay to loot the corpse. Nevermind the smell...

AD and DNS is working as well as can be expected with a thumb-fingered choom hacking away at it! FTPSERVER **was** a DC, I think, but I'll fire up the box (OFF of the wire!) and start looking at it.

Here's what I see for the domain:

How the *^($(*^ is Sweden in there?? It's NOT an AD server, it refuses to become one... This entry is from an OLD Sweden server entry - notice how the guy before me spedded Swe(den).

IF it ain't broke, don't break it!. Maybe I should just quit screwing with it - for now...

I'll keep plugging away at it, I guess.

Steve

Re: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-05 Thread Al Mulnick
My first instinct is to say please step away from the keyboard but that's just to make me chuckle. :)

It looks like the old server, FTP1 was configured as a time server? Or was it an AD domain controller? 

The answer to that guides the rest of the conversation, but the best thing to do regardless is to flatten the Sweden server. Rebuild it completely with a new name and everything. Because you're not sure of the state, be sure to get a backup should you need it. 


If everything else is fine, then you'll want to rebuild that server, rejoin it to the appropriate domain and let it settle. Before you continue, you'll want to ensure that everything else is in good shape including dns, replication and authentication at a minimum. 


DNS would be my primary concern at this point. Don't mess with the forest, domain or any of the other pieces if you can help it. Upgrading the forest functional level or the domain functional level is not something you want to just walk out and pull the trigger on without understanding what it means and what the implications are. 


Al
On 10/5/06, Steve Egan (Temp) [EMAIL PROTECTED] wrote:
I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've screwed the pooch on my network. Here's how:

Shut down an antiquated FTP server after transferring files to the new FTP server. The old one's OS was Win2K, the new one is Win2003.

I *did not* do anything to AD at the time this occurred.

A day before I started working here (8/8/06) the server in Sweden was rebuilt by a local consultant. Hardware failure. He rebuilt from bare metal, and set up the DNS and AD incorrectly. The end result was a server sitting in its own domain. DNS was somehow told to replicate to the server, and was working fine.

I next tried to put/rename/move the Sweden server into the Purcell.com domain. Oops, have to upgrade out of Win2000 mixed mode. No problem, I'll just transfer the AD, DNS, and PDC to a master machine running Win2003 and have lotsa machines (okay, one or two) running as PDCs and alternate DNS and AD, right?

Here's where the pooch got this way - I'm a n00b when it comes to AD, and somehow in the transfer of functions I've messed up the domain something fierce. AD and DNS work just fine (replicate) on the USA and Poland servers, but I tried upgrading the Sweden server to the forest and things got cranky - it wouldn't upgrade because it swore up and down that the domain was still in pre-Win2003 mode. In frustration, I tore down DNS and AD on the Sweden server, and rebuilt them - not an easy task by remote control...

The DNS rebuilt just peachy on the Sweden server, but when I go to install AD on it, it tells me that the domain ain't ready for prime time - I have to run adprep on the domain. I ran adprep the first time, and everything appeared to work just fine. Subsequent attempts are rebuffed - I've already prepared the domain, it tells me. The Sweden server just refuses to accept that the AD in the domain is Win2003 mode. I've checked - it's mode 2 on all the AD machines. The necessary containers for a Win2003 AD have been built! SOMEthing is preventing the ADPREP from executing properly. Here's a partial log entry from the Sweden server (adprep.log?):

10/05 01:34:26 [INFO] Searching for a domain controller for the domain PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$
10/05 01:34:27 [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for server \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Forcing time sync
10/05 01:34:27 [INFO] Forcing a time synch with \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:29 [ERROR] Failed to get the current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:35:32 [INFO] Configuring service NETLOGON to 1 returned 0
10/05 01:35:32 [INFO] Stopped NETLOGON
10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
10/05 01:35:36 [INFO] Created system volume path
10/05 01:35:36 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
10/05 01:35:36 [INFO] Installing the Directory Service
10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM
10/05 01:35:36 [INFO] Starting Active Directory installation
10/05 01:35:36 [INFO] Validating user supplied options
10/05 01:35:36 [INFO] Determining a site in which to install
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help. (8467)
10/05 01:35:40 [INFO] NtdsInstall for
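
An added example, not part of the thread: a Python triage of a promotion log like the one quoted in the message above, which re-splits entries that mail wrapping has fused or broken, then reports which domain controller the promotion located and each failing step with its error code. The sample is abridged from the excerpt in the post; the function names and the caller-supplied `retired_hosts` list are assumptions of this sketch.

```python
import re

# Abridged from the log excerpt quoted in the thread; the fused and wrapped
# entries are kept the way the mail client left them.
SAMPLE = r"""10/05 01:34:26 [INFO] Searching for a domain controller for the domain
PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$10/05 01:34:27
[INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain
PURCELLSYSTEMS.COM10/05 01:34:27 [INFO] Forcing a time synch with
\\FTP1.PURCELLSYSTEMS.COM10/05 01:34:29 [ERROR] Failed to get the
current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5).
Ignoring
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard
cannot continue because the forest is not prepared for installing
Windows Server 2003. Use the Adprep command-line tool to prepare both
the forest and the domain. For more information about using the Adprep,
see Active Directory Help. (8467)
10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
"""

ENTRY = re.compile(r"(\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(INFO|WARNING|ERROR)\] ")
CODE = re.compile(r"\((\d+)\)|: (\d+)$")
LOCATED = re.compile(r"Located domain controller (\S+) for domain")


def split_entries(raw):
    """Return (timestamp, level, message) tuples, undoing wraps and fusions."""
    text = " ".join(raw.split())            # undo hard wraps from the mailer
    marks = list(ENTRY.finditer(text))      # every "MM/DD HH:MM:SS [LEVEL] "
    entries = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        entries.append((m.group(1), m.group(2), text[m.end():end].strip()))
    return entries


def error_code(message):
    """Last numeric code in the message, written as '(N)' or a trailing ': N'."""
    hits = CODE.findall(message)
    if not hits:
        return None
    paren, trailing = hits[-1]
    return int(paren or trailing)


def triage(raw, retired_hosts=()):
    entries = split_entries(raw)
    located, failures = None, []
    for i, (ts, level, msg) in enumerate(entries):
        hit = LOCATED.search(msg)
        if hit:
            located = hit.group(1)
        # The root-cause line in this log is logged at INFO, so level alone
        # is not enough: also catch messages that start with "Error".
        if level == "ERROR" or msg.startswith("Error"):
            code = error_code(msg)
            nxt = entries[i + 1][2] if i + 1 < len(entries) else ""
            ignored = "NON-FATAL" in msg or (
                "NON-FATAL" in nxt and error_code(nxt) == code)
            failures.append({"time": ts, "level": level, "code": code,
                             "ignored": ignored, "message": msg})
    short = located.split(".")[0].upper() if located else None
    return {"located_dc": located,
            "located_dc_retired": short in {h.upper() for h in retired_hosts},
            "failures": failures,
            "blocking": [f for f in failures if not f["ignored"]]}
```

On the sample, the promotion is shown binding to FTP1 and the first blocking 8467 entry is logged at INFO level, so filtering on [ERROR] alone would skip the line that explains the failure.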

RE: [ActiveDir] Major screwup on AD for my company - Can't install AD on remote server now

2006-10-05 Thread Almeida Pinto, Jorge de
are you by any chance trying to promote a R2 DC? If yes, use ADPREP from the 
SECOND CD from the R2 distribution set
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Steve Egan (Temp)
Sent: Thu 2006-10-05 22:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Major screwup on AD for my company - Can't install AD on 
remote server now



I'm the System/Network Engineer for Purcell Systems, and I'm afraid I've
screwed the pooch on my network. Here's how:

Shut down an antiquated FTP server after transferring files to the new
FTP server.  The old one's OS was Win2K, the new one is Win2003.

I *did not* do anything to AD at the time this occurred.

A day before I started working here (8/8/06) the server in Sweden was
rebuilt by a local consultant.  Hardware failure.  He rebuilt from bare
metal, and set up the DNS and AD incorrectly.  The end result was a
server sitting in its own domain.  DNS was somehow told to replicate to
the server, and was working fine.

I next tried to put/rename/move the Sweden server into the Purcell.com
domain.  Oops, have to upgrade out of Win2000 mixed mode.  No problem,
I'll just transfer the AD, DNS, and PDC to a master machine running
Win2003 and have lotsa machines (okay, one or two) running as PDCs and
alternate DNS and AD, right?

Here's where the pooch got this way - I'm a n00b when it comes to AD,
and somehow in the transfer of functions I've messed up the domain
something fierce.  AD and DNS work just fine (replicate) on the USA and
Poland servers, but I tried upgrading the Sweden server to the forest
and things got cranky - it wouldn't upgrade because it swore up and down
that the domain was still in pre-Win2003 mode.  In frustration, I tore
down DNS and AD on the Sweden server, and rebuilt them - not an easy
task by remote control...

The DNS rebuilt just peachy on the Sweden server, but when I go to
install AD on it, it tells me that the domain ain't ready for prime time
- I have to run adprep on the domain.  I ran adprep the first time, and
everything appeared to work just fine.  Subsequent attempts are rebuffed
- I've already prepared the domain, it tells me.  The Sweden server just
refuses to accept that the AD in the domain is Win2003 mode.  I've
checked - it's mode 2 on all the AD machines.  The necessary containers
for a Win2003 AD have been built!  SOMEthing is preventing the ADPREP
from executing properly.  Here's a partial log entry from the Sweden
server (adprep.log?):

10/05 01:34:26 [INFO] Searching for a domain controller for the domain PURCELLSYSTEMS.COM that contains the account PURCELLABSWE$
10/05 01:34:27 [INFO] Located domain controller FTP1.PURCELLSYSTEMS.COM for domain PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Using site PURCELLSYSTEMS for server \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:27 [INFO] Forcing time sync
10/05 01:34:27 [INFO] Forcing a time synch with \\FTP1.PURCELLSYSTEMS.COM
10/05 01:34:29 [ERROR] Failed to get the current time on \\FTP1.PURCELLSYSTEMS.COM: 5
10/05 01:34:29 [ERROR] NON-FATAL error forcing a time sync (5). Ignoring
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:34:32 [INFO] Stopping service NETLOGON
10/05 01:35:32 [INFO] Configuring service NETLOGON to 1 returned 0
10/05 01:35:32 [INFO] Stopped NETLOGON
10/05 01:35:32 [INFO] Deleting current sysvol path C:\WINDOWS\SYSVOL
10/05 01:35:36 [INFO] Created system volume path
10/05 01:35:36 [INFO] Copying initial Directory Service database file C:\WINDOWS\system32\ntds.dit to C:\WINDOWS\NTDS\ntds.dit
10/05 01:35:36 [INFO] Installing the Directory Service
10/05 01:35:36 [INFO] Calling NtdsInstall for PURCELLSYSTEMS.COM
10/05 01:35:36 [INFO] Starting Active Directory installation
10/05 01:35:36 [INFO] Validating user supplied options
10/05 01:35:36 [INFO] Determining a site in which to install
10/05 01:35:36 [INFO] Examining an existing Active Directory forest
10/05 01:35:40 [INFO] Error - The Active Directory Installation Wizard cannot continue because the forest is not prepared for installing Windows Server 2003. Use the Adprep command-line tool to prepare both the forest and the domain. For more information about using the Adprep, see Active Directory Help. (8467)
10/05 01:35:40 [INFO] NtdsInstall for PURCELLSYSTEMS.COM returned 8467
10/05 01:35:40 [INFO] DsRolepInstallDs returned 8467
10/05 01:35:40 [ERROR] Failed to install to Directory Service (8467)
10/05 01:35:49 [INFO] Starting service NETLOGON
10/05 01:35:49 [INFO] Configuring service NETLOGON to 2 returned 0
10/05 01:35:49 [INFO] The attempted domain controller operation has completed
10/05 01:35:49 [INFO] DsRolepSetOperationDone returned 0