I'd look at it as two separate problems - infrastructure services and client services.

On the infrastructure side, I'd consider using IPSec (tunnelling only, not encryption) for RPC based services because of their natural disdain for firewalls. Things like DNS and SMTP mail flow are easily dealt with in firewalled environments. I assume that few if any of the 25 domains actually exist across firewalls - which should make it easy to use SMTP based replication, although I wonder if other aspects of AD wouldn't still require RPC access.

I also think the DMZ concept is interesting. I remember at MEC 2001 I was talking with a gentleman from a smaller university[1] about his security issues, and we discussed the possibility of setting up "rings" of security. The core infrastructure sits in the center ring, with more open access systems in the next ring out, and student access systems being the farthest ring out. I could see something like that being used in your environment. For instance, the core infrastructure (AD and DNS) existing in an inner circle of relatively higher trust subnets. A second ring providing network peering between the client networks and the core networks - basically a massive routing network with no hosts and only firewalls and routers. Then a third ring of client machine domains.

Now that I think about it, I'd probably make 2 routing networks, a 'core' network and an 'access' network. The core functions as an interconnect between the infrastructure networks, while the access network provides interconnects between the client subnets and the core subnets. I don't know how easily that could be executed, but it strikes me as similar to what you're doing.

On the client side, I'm not a big fan of encapsulating or encrypting traffic unless absolutely necessary. Using a scheme like I described above, it seems you could probably allow authentication to happen from any client network to any domain without much effort, and manage services on a more granular level. I doubt any of this is easy, however....

Good luck.

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

[1] Can't for the life of me remember who he was or what school it was.

> -----Original Message-----
> From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 8:38 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
>
> This still requires a list of semi trusted networks. I am curious would
> you use the IPSEC to limit the port range to the DC's for replication, or
> both the client level traffic and the DCs traffic?
>
> One problem with client traffic being encrypted is that we support
> multiple hosts connecting to our domains, (Mac, UNIX, old NTLM clients).
> I have to be honest, I have spoken with several engineers who have tried
> to do IPSEC on large scale deployments and they say it is more trouble
> than it is worth when you are not standardized on Windows 2000 or XP.
>
> The problem I am having is that some of the organizations in my operation
> want to view all traffic from outside their organization as totally
> untrusted. So basically their "security experts" want us to identify
> specific ports and trusted inbound communication from specific host for
> every domain in the forest. We have about 24 domains, and about 75 DC's.
> That's one big list to keep maintaining and coordinating for just the DC
> traffic. We also have 5 Class B address ranges of ports in our design
> (Remember we are the government) so exposing planning for client exposure
> is also somewhat an issue.
>
> So far I came up with two solutions to this, use DMZ's and limited/Static
> RPC replication, and allow inbound traffic from "trusted networks" to
> community network services (DNS, AD, Exchange Servers, Intranet servers),
> then separate mission critical servers and clients by connecting them
> through a second firewall to the border DMZ.
> Allow all outbound communication to occur, and allow limited inbound from
> DMZ servers to occur. What this basically will probably require is that
> AD replication and operations will work as expected for host inside the
> firewall and traveling users who work at other departments within the
> organization.
>
> If the organization chooses to limit basically all inbound communication
> request except from the direct replication partners this potentially can
> break authentication from outside sources to local resources,
> provisioning via LDAP, and single sign-on using only Microsoft
> technology. So if the user ever visits another part of the organization
> that is behind a closed firewall DMZ design, they will have to VPN into
> their portion of the network to properly authenticate and access
> resources.
>
> So the question I posed earlier has still gone un-answered. Do you think
> RPC NTDS and FRS replication is fine with just one port being open, or do
> you think it would be better to open a range?
>
> Thanks,
>
> Todd Myrick
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, August 06, 2003 9:37 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
>
> Correct.
>
> One option is to run IPSec tunnels without encryption - that allows for
> full content inspection while still having reduced requirements for open
> ports.
>
> --------------------------------------------------------------
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, August 06, 2003 9:12 AM
> > To: ActiveDir
> > Subject: Re: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > I would like to see his thoughts on the matter.
> > MS's published recommendations for using ipsec tunnels to traverse
> > firewalls is fine between trusted environments, but most trusted
> > environments can create their own vpn tunnels using firewalls more
> > efficiently. And between untrusted environments it would be generally
> > irresponsible (security-wise).
> >
> > --------------------------
> > Sent from my BlackBerry Wireless Handheld
> >
> > ----- Original Message -----
> > From: ActiveDir-owner
> > Sent: 08/05/2003 11:10 PM
> > To: <[EMAIL PROTECTED]>
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Todd,
> >
> > If you're working with Microsoft, have them contact or engage Steve
> > Riley. He's a 'softie that has specific experience in large environments
> > (previously telecoms) and I seem to remember the last time we talked he
> > was with some area of the Security practices - though I can't
> > specifically state where. He is in Redmond now (last I knew), and has
> > published some very interesting and promising work on AD
> > over/through/around firewalls using IPSec and other advanced
> > technologies.
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
> > Sent: Tuesday, August 05, 2003 3:31 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Well we are currently redesigning our Site Topology due to several
> > organizations setting up firewalls and thinking they are guarding
> > against Neo and the Matrix Gang. One thing we are working with Microsoft
> > on is optimized Hub and Spoke topology by creating sites for networks
> > that are behind firewalls. We want to address a couple of things here in
> > the design as well.
> > Failover DDNS service, Deployment of an Enterprise Level Directory
> > Tripwire tool, and Enterprise Directory Monitoring. What would be cool
> > is if there was a directory optimization tool as well. One that would
> > set DNS SRV record Priorities. I haven't had a chance to look at the
> > latest version of DT to see if it is in there yet.
> >
> > Part of the Firewall configuration is to set a static port. The question
> > is "Is one port enough?". I was reading some Backup Exec Documents and
> > they recommended that their application have at least 20 ports open for
> > their DCOM object. Anyone have experience here and want to help a
> > brother out?
> >
> > Toddler
> >
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 3:58 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > What's up Todd? You have a hankerin' for some chicken?
> >
> > And I probably should stop wasting everyone's inbox capacity with this
> > silliness... Doesn't someone have some AD problems that need fixing?
> >
> > -gil
> >
> > -----Original Message-----
> > From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 12:31 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Gil, you should give one out for every Enterprise purchase of Netpro
> > Products.
> >
> > Todd Myrick
> >
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 3:22 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > John,
> >
> > Stella has put the world-famous Official DEC Screaming Yellow Rubber
> > Chicken in the mail, so you should get it by the end of the week or so.
> > When you do get it, be sure to give it a good squeeze.
> >
> > When I spoke at the 2002 AFITC, a general from ACC (I've forgotten his
> > name) told me that someone in his office had received one and the noise
> > was driving him crazy. Scratch the chicken off the list of how to win
> > friends and influence people.
> >
> > -gil
> >
> > -----Original Message-----
> > From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 12:01 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Gil,
> > I'm not THAT old! Man, next you'll be implying that I built the
> > DARPAnet! (and we all know it was Al Gore who's responsible for that!)
> > *grin* Nah, I just have a fondness for old, dead languages and
> > remembered seeing that one before. I actually had a book mark to a
> > "history of computing" type doc that had this very example of MUMPS
> > code. As for DEC Ottawa, I doubt it, times and budgets being what they
> > are. But I'll take the chicken... sounds like cool geek-schwag :^)
> >
> > John A. Bjelke
> > Unisys
> > 505.853.6774
> > [EMAIL PROTECTED]
> > I have a catapult. Give me all your money, or I will fling an enormous
> > rock at your head.
> >
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 12:01 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Wow John! I'm impressed. Were you at Unisys when MUMPS actually ran on
> > Unisys minis? Or did you just get lucky with Google? :)
> >
> > I'm thinking that your answer deserves a world-famous Official DEC
> > Screaming Yellow Rubber Chicken, whose hideous screech is known to
> > strike fear in the hearts of dogs, cats, and small children.
> >
> > Are you coming to DEC Ottawa?
> > I can give it to you there, along with your free beer. Otherwise, send
> > me your shipping info offlist, and no beer for you.
> >
> > -gil
> >
> > -----Original Message-----
> > From: Bjelke John A Contr AFRL/VSIO [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 10:39 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > prints a table of primes, formatting it into columns. What's my prize
> > :^)
> >
> > John A. Bjelke
> > Unisys
> > 505.853.6774
> > [EMAIL PROTECTED]
> > If it's as difficult as pulling teeth through an elephants rump, then
> > the approach needs to be reevaluated.
> >
> > -----Original Message-----
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 9:56 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] WOT Unreadable code (was Connection String)
> >
> > Have you ever coded in MUMPS? It doesn't matter who the programmer is;
> > it's ALWAYS unreadable. I think MUMPS programmers invented the term
> > "write-only programs".
> >
> > Typical MUMPS program:
> >
> >     f p=2,3:2 s q=1 x "f f=3:2 q:f*f>p!'q s q=p#f" w:q p,?$x\8+1*8
> >
> > If anyone can guess what this code does, I'll give them a prize.
> >
> > -g
> >
> > Gil Kirkpatrick
> > CTO, NetPro
> >
> > -----Original Message-----
> > From: Robbie Allen [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, August 05, 2003 6:51 AM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Connection String
> >
> > Ha!
> > It is not the language that makes code unreadable, it is the PROGRAMMER
> > :-)
> >
> > Robbie Allen
> > http://www.rallenhome.com/
> >
> > > -----Original Message-----
> > > From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, August 05, 2003 9:38 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: [ActiveDir] Connection String
> > >
> > > HAHAHA....Perl
> > >
> > > I like to be able to read my code and understand it again in 6 months
> > > :)
> > >
> > > Glenn
> > >
> > > ----- Original Message -----
> > > From: "Robbie Allen" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, August 05, 2003 11:14 PM
> > > Subject: RE: [ActiveDir] Connection String
> > >
> > > > > Come over to the 'Dark Side' with VB.NET.....it's nice and warm
> > > > > here *looks at the fires of hell*.
> > > >
> > > > Come on guys, why go to VB.NET when you can get most of the benefits
> > > > of a compiled language and a whole lot more in a lot fewer lines
> > > > with Perl!
> > > >
> > > > muaahh...Muaahh...MUUAAAHH....
> > > >
> > > > :-)
> > > >
> > > > Robbie Allen
> > > > http://www.rallenhome.com/
> > > >
> > > > > -----Original Message-----
> > > > > From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> > > > > Sent: Tuesday, August 05, 2003 8:54 AM
> > > > > To: [EMAIL PROTECTED]
> > > > > Subject: Re: [ActiveDir] Connection String
> > > > >
> > > > > Roger,
> > > > >
> > > > > You should be able to convert the Primary Windows NT Account into
> > > > > a Domain\Username pair....I did do it some time ago (yeah, it was
> > > > > Ex 5.5 timeframe too)....I'll have a dig around (from memory it
> > > > > was using LookupAccountSID *shudder*)
> > > > >
> > > > > If your UPN in 2k and Exchange email address use the same format
> > > > > (ie [EMAIL PROTECTED]), you could cheat a bit, and use the UPN
> > > > > conversion type code:
> > > > >
> > > > > ADS_NAME_TYPE_USER_PRINCIPAL_NAME = 9
> > > > > User principal name format. For example, [EMAIL PROTECTED]
> > > > >
> > > > > *shrug* might be worth a stab.
> > > > >
> > > > > not sure about mixing NT v4 and 2k servers in the call, I don't
> > > > > think it would work too well (may require AD).
> > > > >
> > > > > Come over to the 'Dark Side' with VB.NET.....it's nice and warm
> > > > > here *looks at the fires of hell*.
> > > > >
> > > > > G.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > > > > To: <[EMAIL PROTECTED]>
> > > > > Sent: Tuesday, August 05, 2003 10:42 PM
> > > > > Subject: RE: [ActiveDir] Connection String
> > > > >
> > > > > > Cool.... Might be able to stay away from a compiler for another
> > > > > > 3 months...
> > > > > >
> > > > > > I know what it was that didn't work - VBScript can't handle the
> > > > > > way Exchange 5.5[1] returns the Primary Windows NT Account
> > > > > > attribute - it comes back as a string octet (I think).
> > > > > > The VB examples all included the same constant defs, so I was
> > > > > > thinking it was the same thing I looked at a month or two ago.
> > > > > >
> > > > > > Now I'm wondering if I can just direct translate using the
> > > > > > syntax below... I'll have to try that later...
> > > > > >
> > > > > > --------------------------------------------------------------
> > > > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > > > Sr. Systems Administrator
> > > > > > Inovis Inc.
> > > > > >
> > > > > > [1] Yeah, I'm still running it
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> > > > > > > Sent: Tuesday, August 05, 2003 8:36 AM
> > > > > > > To: [EMAIL PROTECTED]
> > > > > > > Subject: Re: [ActiveDir] Connection String
> > > > > > >
> > > > > > > From the online help about NameTranslate, VBScript Example
> > > > > > > (haven't tried it, but looks like it should work)
> > > > > > >
> > > > > > > Dim nto
> > > > > > > const ADS_NAME_INITTYPE_SERVER = 2
> > > > > > > const ADS_NAME_TYPE_1779 = 1
> > > > > > > const ADS_NAME_TYPE_NT4 = 3
> > > > > > >
> > > > > > > server = "aDsServer"
> > > > > > > user = "jeffsmith"
> > > > > > > dom = "Fabrikam"
> > > > > > > passwd = "top secret"
> > > > > > > dn = "CN=jeffsmith,CN=Users,DC=Fabrikam,DC=COM"
> > > > > > >
> > > > > > > ' Bind to the named server with explicit credentials
> > > > > > > Set nto = Server.CreateObject("NameTranslate")
> > > > > > > nto.InitEx ADS_NAME_INITTYPE_SERVER, server, user, dom, passwd
> > > > > > > ' Supply the distinguished name, read it back in NT4 format
> > > > > > > nto.Set ADS_NAME_TYPE_1779, dn
> > > > > > > result = nto.Get(ADS_NAME_TYPE_NT4)
> > > > > > >
> > > > > > > ----- Original Message -----
> > > > > > > From: "Roger Seielstad" <[EMAIL PROTECTED]>
> > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > Sent: Tuesday, August 05, 2003 10:31 PM
> > > > > > > Subject: RE: [ActiveDir] Connection String
> > > > > > >
> > > > > > > The only problem with that is you can't call the same methods
> > > > > > > from VBScript - which is where I seem to need it the most..
> > > > > > >
> > > > > > > Better brush up on my mAd VB.net skilz...
> > > > > > >
> > > > > > > --------------------------------------------------------------
> > > > > > > Roger D. Seielstad - MTS MCSE MS-MVP
> > > > > > > Sr. Systems Administrator
> > > > > > > Inovis Inc.
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Glenn Corbett [mailto:[EMAIL PROTECTED]
> > > > > > > > Sent: Tuesday, August 05, 2003 8:17 AM
> > > > > > > > To: [EMAIL PROTECTED]
> > > > > > > > Subject: Re: [ActiveDir] Connection String
> > > > > > > >
> > > > > > > > Pablo,
> > > > > > > >
> > > > > > > > here is some code I use in VB.NET to do a similar thing,
> > > > > > > > should be convertible to C# without much hassle
> > > > > > > >
> > > > > > > > strUserName = the fully qualified LDAP path of a user or
> > > > > > > > group, ie LDAP://CN=GroupName,DC=testdomain,DC=local
> > > > > > > >
> > > > > > > > 'Constants required, rest are in the online doco for NameTranslate
> > > > > > > > Const ADS_NAME_INITTYPE_GC = 3
> > > > > > > > Const ADS_NAME_TYPE_1779 = 1
> > > > > > > > Const ADS_NAME_TYPE_NT4 = 3
> > > > > > > >
> > > > > > > > Dim Translate As New ActiveDs.NameTranslate
> > > > > > > > Dim strUser As String
> > > > > > > >
> > > > > > > > 'We want to chat to a GC server, any one will do
> > > > > > > > Translate.Init(ADS_NAME_INITTYPE_GC, "")
> > > > > > > > 'Pass in the FQDN name of the object
> > > > > > > > 'The call doesn't like the LDAP:// on the front, so strip it
> > > > > > > > Translate.Set(ADS_NAME_TYPE_1779, Mid(strUserName, 8))
> > > > > > > > 'Get back the NT v4 Equivalent
> > > > > > > > strUser = Translate.Get(ADS_NAME_TYPE_NT4)
> > > > > > > > Translate = Nothing
> > > > > > > >
> > > > > > > > strUser now = the
> > > > > > > > DOMAIN\UserName pair
> > > > > > > >
> > > > > > > > You can easily go the other way, ie pass in the
> > > > > > > > Domain\username pair, and get back the LDAP path. It's all
> > > > > > > > in the online doco, just do a search for NameTranslate
> > > > > > > >
> > > > > > > > Very cool actually, was hacking around trying to pull apart
> > > > > > > > LDAP strings and massage them myself, this is MUCH easier
> > > > > > > > (and faster)
> > > > > > > >
> > > > > > > > HTH
> > > > > > > >
> > > > > > > > Glenn
> > > > > > > > (lucky you asked today, worked out how to do this last night
> > > > > > > > *grin*)
> > > > > > > >
> > > > > > > > ----- Original Message -----
> > > > > > > > From: "Pablo Curello" <[EMAIL PROTECTED]>
> > > > > > > > To: <[EMAIL PROTECTED]>
> > > > > > > > Sent: Tuesday, August 05, 2003 9:44 PM
> > > > > > > > Subject: RE: [ActiveDir] Connection String
> > > > > > > >
> > > > > > > > That's right, but what if the user Pablo Curello is inside
> > > > > > > > an organizational group ?
> > > > > > > > In that case, the LDAP string should be (for example):
> > > > > > > > "LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com".
> > > > > > > > It doesn't work with: "LDAP://cn=Pablo Curello,
> > > > > > > > dc=yourdomain, dc=com"
> > > > > > > > Thanks.
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Costanzo, Ray [mailto:[EMAIL PROTECTED]
> > > > > > > > Sent: Monday, August 04, 2003 2:34 PM
> > > > > > > > To: [EMAIL PROTECTED]
> > > > > > > >
> > > > > > > > I believe that you mean DOMAIN\Username, and if so:
> > > > > > > >
> > > > > > > > Function GetFullName(sUser)
> > > > > > > >     Dim sUserInfo, sUsername, sDomain, oUser
> > > > > > > >     ' Split DOMAIN\Username into its two parts
> > > > > > > >     sUserInfo = Split(sUser, "\")
> > > > > > > >     sDomain = sUserInfo(0)
> > > > > > > >     sUsername = sUserInfo(1)
> > > > > > > >     Set oUser = GetObject("WinNT://" & sDomain & "/" & sUsername & ",user")
> > > > > > > >     GetFullName = oUser.Fullname
> > > > > > > >     Set oUser = Nothing
> > > > > > > > End Function
> > > > > > > >
> > > > > > > > That will give you the full name, such as: "Curello\, Pablo"
> > > > > > > >
> > > > > > > > And then you can use:
> > > > > > > >
> > > > > > > > ' GetFullName expects the DOMAIN\Username form
> > > > > > > > sFullname = GetFullName("DOMAIN\pcurello")
> > > > > > > > sLDAP = "LDAP://cn=" & sFullname & ",dc=yourdomain,dc=com"
> > > > > > > >
> > > > > > > > How you get the dc= part from the oldschool netbios name,
> > > > > > > > I'm not sure though. And I can't translate this to C for
> > > > > > > > you. :]
> > > > > > > >
> > > > > > > > Ray at work
> > > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: Pablo Curello [mailto:[EMAIL PROTECTED]
> > > > > > > >
> > > > > > > > Hello all.
> > > > > > > > Does anybody know how to transform a user's identity
> > > > > > > > "DOMAIN/USERNAME" to an ldap connection string "CN=name,
> > > > > > > > DC=..." ? I know how to do it in COM (C++) using
> > > > > > > > IADsNameTranslate interface, but now I'm using C#. Thanks.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
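
The quoted thread builds and picks apart LDAP paths by hand (the `"LDAP://cn=" & sFullname & ...` concatenation, the `Mid(strUserName, 8)` prefix strip, the "Curello\, Pablo" full name). As an added example, not code from any poster or from the NameTranslate documentation, this Python shows the RFC 4514 escaping and escape-aware splitting that such hand-built strings need; the function names are hypothetical and the sample names are the ones quoted in the thread.

```python
# Added example (not from the thread). Function names are hypothetical.
# Assumes serverless paths ("LDAP://<DN>") and RFC 4514 string DNs; the
# older quoted-value form ("CN=\"a,b\"") is not handled.

SPECIALS = set('"+,;<>\\')


def strip_provider(path):
    """Drop a leading LDAP:// (any case), as Mid(strUserName, 8) does."""
    prefix = "LDAP://"
    if path[:len(prefix)].upper() == prefix:
        return path[len(prefix):]
    return path


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in SPECIALS:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":
            out.append("\\" + ch)       # leading space or '#'
        elif i == last and ch == " ":
            out.append("\\" + ch)       # trailing space
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn):
    """Split a DN into RDN strings at unescaped commas only."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).lstrip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).lstrip())
    return parts


def build_user_dn(common_name, ou_path, dns_domain):
    """Build CN=...,OU=...,DC=... from unescaped parts.

    ou_path lists the OUs innermost first; it has to come from a directory
    lookup, because it cannot be derived from DOMAIN\\username alone.
    """
    rdns = ["CN=" + escape_rdn_value(common_name)]
    rdns += ["OU=" + escape_rdn_value(ou) for ou in ou_path]
    rdns += ["DC=" + escape_rdn_value(label) for label in dns_domain.split(".")]
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed inputs using the names quoted in the thread.
    dn = build_user_dn("Curello, Pablo", ["Sales"], "yourdomain.com")
    print(dn)
    print("naive split :", dn.split(","))
    print("escape-aware:", split_dn(dn))
    path = "LDAP://cn=Pablo Curello, ou=Sales, dc=yourdomain, dc=com"
    print(split_dn(strip_provider(path)))
```
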