[ActiveDir] Integrating IIS and AD

2005-08-09 Thread MeWe
Hmm.. I was thinking..
I am not so familiar with Server 2003.

I have 4 servers..
And 2 of them are running the domain, and the last 2 are meant for IIS.
So here is my question: how do I integrate the 4 servers with each other? And is it possible to integrate AD and IIS if they are running on different servers?



RE: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Ken Schaefer

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of MeWe
Subject: [ActiveDir] Integrating IIS and AD

: I have 4 servers..
: And 2 of them are running the domain, and the last 2 
: are meant for IIS. So here is my question, how do I 
: integrate the 4 servers with each other? And is 
: it possible to integrate AD and IIS if they are 
: running on different servers? 


What do you mean by integrate IIS and AD?

You can certainly add the IIS servers as member servers of an AD domain.

Cheers
Ken

--
IIS Stuff: www.adOpenStatic.com/cs/blogs/ken/ 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Tomasz Onyszko

MeWe wrote:

Hmm.. I was thinking..
I am not so familiar with Server 2003.
 
I have 4 servers..

And 2 of them are running the domain, and the last 2 are meant for IIS.
So here is my question, how do I integrate the 4 servers with each 
other? And is it possible to integrate AD and IIS if they are running 
on different servers?


First question is: what do you mean when you say integrate? Yes, 
you can have (and IMO you should) these IIS boxes in a domain. Yes, IIS 
users can authenticate against the AD domain (I'm not convinced it is 
best practice but it is possible). What else do you want to integrate?


--
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] Integrating IIS and AD

2005-08-09 Thread Almeida Pinto, Jorge de
I presume you are asking: how can I make the IIS servers use the user accounts 
and groups in AD?
 
If that is the question
 
The answer is:
* Add those IIS servers to the AD domain (right click my computer, select 
properties, click on tab computername, click on change, select domain, enter 
the DNS or Netbios name of your domain, click OK, enter credentials with enough 
permissions to join the computers to the domain) Of course AD and DNS must be 
available for this to succeed!
* The computer accounts (if not pre-created) will be available in the computers 
container. You can move them to another OU if you have created an OU structure 
(it is better if you do so you can use Group Policy Objects)
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of MeWe
Sent: Tue 8/9/2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Integrating IIS and AD


Hmm.. I was thinking..
I am not so familiar with Server 2003.
 
I have 4 servers..
And 2 of them are running the domain, and the last 2 are meant for IIS.
So here is my question, how do I integrate the 4 servers with each other? And 
is it possible to integrate AD and IIS if they are running on different 
servers? 


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
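The steps Jorge lists and the point Tomasz makes (IIS authenticating users against the domain) as one script. This is an added example written for this page, not code from anyone in the thread: it joins the IIS box, places the computer account in an OU that Group Policy can target, confirms the secure channel, and switches the Default Web Site from anonymous to Windows authentication with an AD group on the content ACL. Windows PowerShell with the ActiveDirectory and WebAdministration modules is assumed; the domain corp.example.com (NetBIOS CORP), the OU "IIS Servers", the account CORP\joinacct and the group CORP\WebApp-Users are made-up names.

```powershell
# Added example, not from the thread: join an IIS member server to the AD domain,
# land its computer account in an OU that Group Policy can target, verify the
# secure channel, and make IIS authenticate against AD while authorising by AD
# group. Assumed names: corp.example.com / CORP, OU "IIS Servers",
# CORP\joinacct, CORP\WebApp-Users, the Default Web Site.

$Domain = 'corp.example.com'
$OuPath = 'OU=IIS Servers,OU=Servers,DC=corp,DC=example,DC=com'

# ---- Part 1: run on the IIS box while it is still in a workgroup ----
# -OUPath pre-places the account instead of leaving it in CN=Computers. Use an
# account delegated "Create Computer objects" on that OU, not a Domain Admin.
# AD DNS must be resolvable from this box or the join fails.
Add-Computer -DomainName $Domain -OUPath $OuPath -Credential (Get-Credential 'CORP\joinacct') -Restart

# ---- Part 2: run after the reboot, as a domain account with rights on the OU ----
Import-Module ActiveDirectory
Import-Module WebAdministration

# If the account had been pre-created somewhere else, move it into the OU.
$acct = Get-ADComputer -Identity $env:COMPUTERNAME
if ($acct.DistinguishedName -notlike "*,$OuPath") {
    Move-ADObject -Identity $acct.DistinguishedName -TargetPath $OuPath
}

# Every later AD authentication from this server rides on the machine account's
# secure channel; confirm it before touching IIS.
if (-not (Test-ComputerSecureChannel)) { throw 'Secure channel to a DC is broken; fix the join first.' }

# Anonymous off, Windows (Kerberos/NTLM) on. The authentication sections are
# locked below applicationHost.config, so write them at APPHOST level scoped to
# the site with -Location instead of under IIS:\Sites\...
$base = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
    -Filter "$base/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
    -Filter "$base/windowsAuthentication" -Name enabled -Value $true

# Authorise by AD group on the content, not by individual users: read+execute
# for CORP\WebApp-Users, inherited to files and subfolders.
$path = 'C:\inetpub\wwwroot'
$acl  = Get-Acl $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\WebApp-Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show what is now enforced for the site.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site' `
    -Filter "$base/*" -Name enabled | Select-Object ItemXPath, Value
```

Two caveats a practitioner will hit. If the application pool runs as a domain service account rather than Network Service, Kerberos only works once the HTTP service principal name is registered on that account (`setspn -S HTTP/www.corp.example.com CORP\svc-webapp`); otherwise clients silently fall back to NTLM. And Windows authentication does not protect the session itself, so the site still needs TLS.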


[ActiveDir] OT: RIS client failing to join domain

2005-08-09 Thread Dan Stanford
Sorry to bug the list with this one, but I am currently pulling large
bunches of hair out trying to fix it.

I have RIS set up on a fresh install of 2003, and certain clients (well
most of them) are failing to join the domain during the build process.

I have installed any NIC drivers to i386 and to $OEM$\$1\Drivers\NIC,
but during the 'Installing network' phase of XP setup I get this
message:

An unexpected error has occurred while changing your computer's network
identification.  Would you like to proceed for now and try joining a
domain later?

If I click yes, it carries on installing, but as a workgroup machine.
If I click no it asks for credentials to join to the domain, but then
fails again, with the same message.

If I try to join it after clicking yes and finishing the installation, I
get an error along the lines no mapping between account names and
security ids was done, and it won't join.  BUT, if I rename it, restart
it, it will join to the domain.

It is intermittent - some machines will build with certain names, and
not others.  Other machines just won't build at all. I have tried
different drivers, as I thought it might be a driver issue, leaving out
dashes in the computer name, but nothing seems to work.  Please help!

A soon-to-be hairless Dan.
 
The contents of this email and any attachments do not necessarily represent the 
views or policies of Ibstock Place School, its employees or pupils. They are 
intended for the confidential use by the named recipient only and may be 
legally privileged and should not be communicated to, or relied upon by, any 
other party without our written consent. Although this message is believed to 
be virus free, Ibstock Place School does not accept liability for any damage, 
loss or cost caused by software viruses. If received in error, please advise 
the sender immediately and delete all record of it from your system.


RE: [ActiveDir] DCPromo Answer file....no DNS.

2005-08-09 Thread Smith, Brad
Thanks Brian/Dan, this is now up and running perfectly.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Wednesday, August 03, 2005 8:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

No. DCPromo looks ONLY at the DCPromo section.
Run Sysoc.inf against the answer file.

For a fresh DC, run SYSOC.INF followed by DCPROMO as your two commands in the [GUIRunOnce] section.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Wednesday, August 03, 2005 6:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

The bit that threw me is that my DCPromo process ignored the section

[NetOptionalComponents]
DNS = 1

Hence first invoking:

C:\WINNT\SYSTEM32\SYSOCMGR /I:C:\WINNT\SYSTEM32\SYSOC.INF /u:C:\my_answer_file.txt

Also FYI - this is not the first DC on the network, and is not the first AD based DNS server either (obviously). This is being run after the machine has been sitting on the network, in the domain as a member server, for a couple of days (to allow for patching and prove the h/w isn't immediately faulty). This is all W2K3.

Should DCPromo be actioning the [NetOptionalComponents] section?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan Holme
Sent: Tuesday, August 02, 2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

To clarify what Brian meant, you run

dcpromo /answer:answer_file

and it will use those [DCPromo] settings. It does NOT run automatically as part of setup, unless you ALSO put that command in your GUIRunOnce section, i.e.

[GUIRunOnce]
dcpromo /answer:answer_file

and set up Auto Logon, perhaps.

BUT

In [DCPromo] there is the

DNSOnNetwork = No

setting, which installs DNS on the server. That only works for the FIRST DC in the forest. After that, you need to use other means to get DNS on the server. Off the top of my head, that would be

[NetOptionalComponents]
DNS = 1

You would need to point the second DC to the FIRST DC as its DNS server, until the second DC has been DCPromo'd.

HTH
Dan


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, August 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPromo Answer file....no DNS.

What do you mean? That's exactly what the thing does. Just call dcpromo and point it to the file.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

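The two-step procedure the thread settles on (sysocmgr for DNS, then dcpromo from an answer file), written out as an added example for this page rather than anything Brad, Dan or Brian posted. It targets the case Brad describes: an additional DC for an existing Windows Server 2003 domain that is not the first DNS server. Two things the thread leaves implicit and a security engineer would want stated: the section dcpromo.exe itself reads is named [DCInstall] (the thread calls it "the DCPromo section"), and the answer file carries the promotion account's password and the DSRM password in clear text, so it must not survive the promotion. Windows PowerShell is assumed on the target; corp.example.com / CORP, the existing DC at 10.0.0.10, the account CORP\dcpromo-svc and the interface name "Local Area Connection" are made-up values.

```powershell
# Added example, not from the thread: unattended promotion of an ADDITIONAL DC in
# an EXISTING domain on Windows Server 2003. sysocmgr reads [NetOptionalComponents]
# and adds the DNS Server service; dcpromo reads only [DCInstall]. One file can
# hold both sections because each tool ignores the other's.
# Assumed: corp.example.com / CORP, first DC and DNS at 10.0.0.10,
# CORP\dcpromo-svc, interface "Local Area Connection".

$Answer   = "$env:SystemRoot\Temp\dcpromo-answer.txt"
$FirstDns = '10.0.0.10'
$Cred     = Get-Credential 'CORP\dcpromo-svc'   # Domain Admins is required to add a replica
$DsrmCred = Get-Credential 'DSRM'               # Directory Services Restore Mode password (user name ignored)

# dcpromo takes its passwords from the answer file, in clear text. Write the file
# immediately before use and destroy it immediately after; never bake it into an
# image or leave it in $OEM$.
$joinPw = $Cred.GetNetworkCredential().Password
$dsrmPw = $DsrmCred.GetNetworkCredential().Password

@"
[NetOptionalComponents]
; consumed by sysocmgr, ignored by dcpromo
DNS = 1

[DCInstall]
; replica of an existing domain; DNSOnNetwork/AutoConfigDNS matter only for a new forest
ReplicaOrNewDomain = Replica
ReplicaDomainDNSName = corp.example.com
SiteName = Default-First-Site-Name
DatabasePath = "%systemroot%\NTDS"
LogPath = "%systemroot%\NTDS"
SYSVOLPath = "%systemroot%\SYSVOL"
UserDomain = CORP
UserName = $($Cred.GetNetworkCredential().UserName)
Password = $joinPw
SafeModeAdminPassword = $dsrmPw
CriticalReplicationOnly = No
; no automatic reboot: the answer file has to be destroyed first
RebootOnSuccess = NoAndNoPromptEither
"@ | Set-Content -Path $Answer -Encoding Ascii

# Until this box runs DNS itself it must resolve the domain via the first DC
# (Dan's last point).
& netsh interface ip set dns 'name=Local Area Connection' source=static "addr=$FirstDns"

# Step 1: DNS Server component, no wizard UI.
Start-Process -FilePath "$env:SystemRoot\system32\sysocmgr.exe" -Wait `
    -ArgumentList "/i:$env:SystemRoot\inf\sysoc.inf", "/u:$Answer", '/q'

# Step 2: promotion from the same file. Progress and errors land in
# %systemroot%\debug\dcpromo.log.
Start-Process -FilePath "$env:SystemRoot\system32\dcpromo.exe" -ArgumentList "/answer:$Answer" -Wait

# Step 3: the file holds two passwords. Overwrite it, delete it, then reboot.
Set-Content -Path $Answer -Value ('0' * 4096) -Encoding Ascii
Remove-Item  -Path $Answer -Force
Restart-Computer -Force
```

If the build runs this from [GUIRunOnce] as Dan suggests, the same rule applies to whatever file sits in [GUIRunOnce]: a DSRM password that stays on disk on a domain controller is a local-admin-equivalent credential for that DC's offline database.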


RE: [ActiveDir] Virtual Domain Controllers

2005-08-09 Thread Smith, Brad
We run multiple DC's on GSX and ESX. Everything seems to have gone fine so far, and MS will give their best endeavours on support. Most of the time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMware Tools, and that the DC boots up completely before the file and print, so that the file and print can authorise itself against it. Otherwise the FP may take up to half an hour (or thereabouts) to realise it can now contact a DC for file/print access authorisation.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, August 08, 2005 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that a problem in itself ;-) 
But then again it's only for 10 users and likely ok. 
As such, I even doubt that SID reissue is much of a problem as this environment is likely rather static rgd. new objects in AD ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 7 August 2005 00:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really doesn't have a worry about USN rollbacks but he does have a possible concern with SID reissue.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

> Since it's a single domain server I just take ghost snapshots of the domain and then backup the files

not really a useful approach to backup a DC. Might be ok for FS and other roles, but DCs are not really cool with snapshotting and being "rolled back in time" due to the distributed nature of the data they store. You could easily cause USN rollback during recovery of a DC stored in this fashion (at least SP1 protects the rest of your DCs now by turning off in- and outbound replication and disabling the netlogon service if it finds a DC that has a USN rollback status). 

But for AD Backup/Restore you'd be much better off to work with normal SystemState backup/restore. Which is another reason why it's nice to have it on a separate box (virtual or hardware).

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6 August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VMware... although I considered it. Since it's a single domain server I just take ghost snapshots of the domain and then backup the files.

Seems to work pretty good, as it's been running solid for about a year now.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All, 
I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there.

Thank you. 

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277
[EMAIL PROTECTED]

*CONFIDENTIALITY NOTICE* This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context
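Guido's description of what a Windows Server 2003 SP1 DC does when it detects it was rolled back (replication switched off in both directions, Netlogon disabled) is also exactly what to look for when auditing an estate where DCs are snapshotted. The following is an added example for this page, not something posted in the thread and not a Microsoft tool: it reads the four documented symptoms of a USN rollback quarantine from each DC (NTDS events 2095 and 2103 in the Directory Service log, the "DSA Not Writable" = 4 registry marker under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, the DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL flags shown by repadmin /options, and a paused Netlogon service) and reports the DCs that show any of them. It assumes Windows PowerShell with the ActiveDirectory module, repadmin.exe on the admin workstation, and the Remote Registry service on the targets.

```powershell
# Added example, not from the thread: sweep domain controllers for the USN
# rollback quarantine Guido describes. A 2003 SP1+ DC that detects an
# unsupported restore (snapshot, image) logs NTDS events 2095 and 2103, sets
# "DSA Not Writable" = 4, disables inbound/outbound replication and pauses
# Netlogon so it stops advertising. All four are read here per DC.
# Assumed: Windows PowerShell, ActiveDirectory module, repadmin.exe, Remote Registry.

function Get-UsnRollbackState {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        # 1. Registry marker the DC writes for itself when it detects the rollback.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $dsaNotWritable = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters').GetValue('DSA Not Writable')
        $hklm.Close()

        # 2. The two rollback events from the Directory Service log, last 30 days.
        $events = Get-EventLog -ComputerName $ComputerName -LogName 'Directory Service' `
                      -After (Get-Date).AddDays(-30) -ErrorAction SilentlyContinue |
                  Where-Object { $_.EventID -in 2095, 2103 }

        # 3. DSA options; a quarantined DC shows DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL.
        $options = (& repadmin /options $ComputerName 2>&1) -join ' '

        # 4. Netlogon paused = the DC has withdrawn itself from DC locator.
        $netlogon = (Get-Service -ComputerName $ComputerName -Name Netlogon).Status

        [pscustomobject]@{
            DC              = $ComputerName
            DsaNotWritable  = $dsaNotWritable                     # 4 = USN rollback
            RollbackEvents  = @($events).Count
            LatestEvent     = ($events | Sort-Object TimeGenerated -Descending | Select-Object -First 1).TimeGenerated
            InboundReplOff  = $options -match 'DISABLE_INBOUND_REPL'
            OutboundReplOff = $options -match 'DISABLE_OUTBOUND_REPL'
            Netlogon        = $netlogon
            Quarantined     = ($dsaNotWritable -eq 4) -or
                              ($options -match 'DISABLE_(IN|OUT)BOUND_REPL') -or
                              ($netlogon -eq 'Paused')
        }
    }
}

# Run it over every DC in the domain and show only the ones with findings.
Import-Module ActiveDirectory
(Get-ADDomainController -Filter *).HostName |
    Get-UsnRollbackState |
    Where-Object { $_.Quarantined -or $_.RollbackEvents -gt 0 } |
    Format-Table -AutoSize
```

A hit is not fixed by clearing the flags and re-enabling replication; the quarantine exists precisely so the rolled-back DC cannot re-inject already-replicated-away USNs. The supported ways out are the ones Guido points at: restore from a proper System State backup, or forcibly demote the DC and clean its metadata before promoting it again.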

[ActiveDir] OT - NT System Policy Leftovers

2005-08-09 Thread Lucia Washaya

Return Receipt

Your "[ActiveDir] OT - NT System Policy Leftovers" document was received by Lucia Washaya/UNAMSIL at 09/08/2005 10:31:40 GMT.


Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry to keep harping - but if you have a trust between a child Win2k
domain in one forest with a root or child domain in another forest,
does this use WINS or DNS?
I know this is not a real forest trust and more like an external
trust in that it's not transitive and uses NTLM and NOT Kerberos, but
does it also rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was-
 they have connectivity to the child dns server but they cut off
 connectivity to anything in the root domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers(about 10) are in the child domain.
 the only recipient policy in the root is the default one and the enterprise 
 RUS.
 
 
 They want to migrate the child domain and all the resources to a new
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to
 create a trust with the old child domain to migrate everything over(or
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you have 
  them put a quote and migration plan together prior to the actual migration? 
  Or are you asking these questions because you are second guessing them? Or 
  is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when using 
  ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a 
  tool that over comes this that I am not aware of. Are you trying to keep 
  the same domain name as the source? Microsoft also has a free tool that 
  will allow you to rename the target 2003 AD domain after you have 
  completed your migration and decommissioned old DC's.
 
  Jose
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
  Jorge de
  Sent: Monday, August 08, 2005 2:46 PM
  To: ActiveDir@mail.activedir.org; activedirectory
  Subject: RE: [ActiveDir] AD migration
 
 
  What do you mean with "In fact, they are cut off from the root domain 
  physically"? Do you mean as in there is no replication between the two 
  domains? If yes... dare I ask for how long?
 
  As I know of you can migrate the child domain without the root being 
  available because you will be having a trust between the new domain and the 
  child domain
 
  I still don't understand what you mean... "They are cut off from the root 
  and the DNS is available in the root." I must be missing something. Can you 
  explain a bit more?
 
  Jorge
 
  
 
  From: [EMAIL PROTECTED] on behalf of Tom Kern
  Sent: Mon 8/8/2005 11:08 PM
  To: activedirectory
  Subject: [ActiveDir] AD migration
 
 
 
  I just started working for a company. they used to outsource their
  AD/Exchange but now they're trying to get it back.
 
  It's a 2 tree, 2 domain forest. The root domain is empty.
  This company only has DA access on the child domain. No EA access. In
  fact, they are cut off from the root domain physically.
 
  What they want to do is create a new forest and migrate all
  users,exchange,computers,etc to the new forest and be done with the
  old.
  They are going to use Quest sw and a consultant from Quest for this.
 
  My question is- can this be done without any connectivity to the root?
  both dns zones are in the root so they really don't have any dns
  locally as well (needless to say, you can imagine what the rep logs
  look like). I'm sure this complicates matters.
  however, the Quest people seem to think this can still work.
  can it?
 
  also, can the new forest have the same domain names as the old one?
 
  Thanks(I'm the guy who posted about his new job jitters about a week
  or 2 ago, and here i am. Their AD is more messed up than I thought :)
  )
 
 
 

[ActiveDir] Replication Question

2005-08-09 Thread Carerros, Charles
Alright, I'm noticing something that I think is odd and I was wondering if
I'm just losing it.

We have a multi-domain empty root forest structure and I'm the DA of one of
those child domains.  Also, our network is not fully routed.  (Although my
domain is fully routed.)

I have a few DCs where the replication seems to be odd.

Using sites and services, the NTDS settings displays replication partners:

DC01 replicates with DC02, RDC01
DC02 replicates with DC01, DC03, DC04, RDC01
DC03 replicates only with DC01
DC04 replicates with DC01
RDC01 replicates with DC01, DC02, (and three other domains')

DC01, DC02 and RDC01 are all in the same site, DC03 and DC04 are in
different sites.

What I'm confused about is why DC03 and DC04 would have NTDS settings for
DC01 while DC01 doesn't have NTDS settings for those two domain controllers?
DC01 holds all domain level FSMO roles as well.

Replication is working, I'm just confused as to why this would be displayed
like this.  I thought the NTDS settings were bidirectional and thus should
have entries on both servers.  Obviously I don't know enough about
replication and NTDS settings.

Thanks,

Charlie



[ActiveDir] Replication White paper

2005-08-09 Thread John Parker
Hello and good day...

I was wondering if someone could direct me to a white paper that would give me 
a go-to on how to set up a fallback Exchange server.  Basically I just want to 
set up an identical server and have the data from my front side Exchange box 
replicated to the back house Exchange box.

Thank you

John Parker, MCSE 
IS Admin. 
Senior Technical Specialist 
Alpha Display Systems. 
Alpha Video 


RE: [ActiveDir] Replication Question

2005-08-09 Thread Marcus.Oh
AFAIK topology is a ring.  All servers issue pull replication... so they
don't necessarily need a one-to-one relationship or bidirectional flow.
DC03 for example - replicates with DC01, DC01 replicates with DC02, DC02
replicates with DC03... 



:m:dsm:cci:mvp



RE: [ActiveDir] Replication White paper

2005-08-09 Thread Michael B. Smith
That capability is not present in the current Exchange product. There
are a number of third party solutions that fill the feature void.

Probably NeverFail and DoubleTake are the most visible solutions in that
space. 



RE: [ActiveDir] Preferred Bridgeheads

2005-08-09 Thread Dean Wells



The other David pretty much covered it with perhaps the exception of Virtual DCs; in the past I've tended to avoid placing intersite load on Virtual DCs though I prefer to achieve such a result using staging/lag/latent (or whichever term you prefer) sites assuming the customer in question fully grasps the purpose and importance of the extra site(s) ... even that to some extent depends on the perf. characteristics of the Virtual DC though. 

Outside of that, the only additional comment I'd make is that, in my experience, preferred bridgeheads are more frequently used to designate who's not a bridgehead rather than who is ... thought that worth a mention.

One final and somewhat related comment, manual designation of the ISTG can prove to be a much more valuable exercise in larger environments than manual designation of bridgeheads since the ISTG process itself is computationally expensive and warrants placement on suitably (proc. and memory-wise) high-performance hardware. This is a lesser concern these days due to the exponential leaps in performance we've seen over the past few years but, obviously, the scale and complexity of the forest and its replication topology impact the validity of that statement. It may also become necessary to manipulate the failover detection timers to prevent the role from being inadvertently moved during scheduled downtime.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, August 08, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

In the same spirit - but on the other side of the coin :) - I wouldn't mind hearing a brief elaboration on your earlier statement:

"I've found only a few scenarios in which they proved valuable"

Perhaps one reason might be when one of the servers in a site is underpowered/waiting to be upgraded, etc..?

-DaveC
Reuters IST Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 6:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved? I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed. I guess it was more of a WAG.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
~~
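Before deciding whether Russ's one-preferred-bridgehead-per-site setup is worth keeping, it helps to see where the forest actually stands. The script below is an added example for this page, not anything Dean, David or Russ posted: it walks the configuration partition and, per site, lists the DCs whose server object names the IP transport in bridgeheadTransportList (that is what "preferred bridgehead for IP" sets) and the DC recorded as ISTG in interSiteTopologyGenerator on the site's NTDS Site Settings object (the same attribute a manual ISTG designation writes to). It only reads. It flags sites with exactly one preferred bridgehead, since that configuration makes one DC the single path for intersite replication, which is the failure mode behind Dean's "who's not a bridgehead" remark. Windows PowerShell with the ActiveDirectory module is assumed.

```powershell
# Added example, not from the thread: per-site inventory of preferred IP
# bridgeheads (server objects whose bridgeheadTransportList contains the IP
# transport DN) and of the current ISTG (interSiteTopologyGenerator on
# CN=NTDS Site Settings). Read-only. Assumed: Windows PowerShell + ActiveDirectory module.

Import-Module ActiveDirectory

function Get-SiteReplicationRoles {
    $configNC    = (Get-ADRootDSE).configurationNamingContext
    $sitesBase   = "CN=Sites,$configNC"
    $ipTransport = "CN=IP,CN=Inter-Site Transports,$sitesBase"

    foreach ($site in Get-ADObject -SearchBase $sitesBase -SearchScope OneLevel -LDAPFilter '(objectClass=site)') {
        # One server object per DC lives under CN=Servers,<site>. Stale ones can
        # linger after a bad demotion, so the count is of server objects, not DCs.
        $servers = @(Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=server)' -Properties bridgeheadTransportList)

        $preferred = @($servers | Where-Object { $_.bridgeheadTransportList -contains $ipTransport } |
                       Select-Object -ExpandProperty Name)

        # ISTG is stored as the DN of the DC's NTDS Settings object:
        # CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<site>,... so the DC name is the second RDN.
        $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" `
                        -Properties interSiteTopologyGenerator
        $istg = if ($settings.interSiteTopologyGenerator) {
                    ($settings.interSiteTopologyGenerator -split ',')[1] -replace '^CN='
                } else { '(none recorded)' }

        [pscustomobject]@{
            Site                 = $site.Name
            ServerObjects        = $servers.Count
            PreferredBridgeheads = if ($preferred.Count) { $preferred -join ', ' } else { '(KCC chooses)' }
            ISTG                 = $istg
            SinglePreferredBH    = ($preferred.Count -eq 1)   # one DC is the only intersite path
        }
    }
}

Get-SiteReplicationRoles | Sort-Object Site | Format-Table -AutoSize
```

Read the SinglePreferredBH column together with what each preferred DC actually holds: Dean's app-NC point means a preferred list made only of DCs that do not host a given application partition leaves that partition with no legitimate intersite path, and a 2003 ISTG will work around it while logging about it.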

[ActiveDir] OT: quick cluster question

2005-08-09 Thread Jason Benway
On a windows 2003 cluster running A/P. If you manually failover the cluster.
I would think the passive node would not show the shared drive in 'My
Computer' but on my new cluster they do, but they are not accessible. If I
reboot the passive node, they don't show in 'My Computer'

This cluster is running on our SAN. I just wanted to confirm with someone
else that this is the correct behavior.

Thanks, jb

--
Jason Benway
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208

Required space inevitably expands to exceed available space...


Re: [ActiveDir] Loosing Printer Connectivity on clients regularly - W2K3 LAN

2005-08-09 Thread Peter Jessop
It would be helpful to know exactly how the print queues are mounted and what you mean by 'lose printer connectivity'


Re: [ActiveDir] OT: quick cluster question

2005-08-09 Thread Peter Jessop
This is the case at least with Windows 2000.


RE: [ActiveDir] Replication Question

2005-08-09 Thread Carerros, Charles
I think what was just throwing me off is all conceptual.  

I was wondering why DC03 and DC04 don't replicate but now I think I figured
it out.  The sites they are in aren't adjacent and because we aren't fully
routed we prevented the creation of non-adjacent links to be established
unless we do it manually.  So these two won't make a ring in the replication
but they will get the changes through the central hub.

Sorry bout that, I guess I didn't have enough coffee before I started
thinking this morning.

Charlie


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Question


AFAIK topology is a ring.  All servers issue pull replication... so they
don't necessarily need a one-to-one relationship or bidirectional flow.
DC03 for example - replicates with DC01, DC01 replicates with DC02, DC02
replicates with DC03... 



:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Tuesday, August 09, 2005 8:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Replication Question

Alright, I'm noticing something that I think is odd and I was wondering if
I'm just losing it.

We have a multi-domain empty-root forest structure and I'm the DA of one of
those child domains.  Also, our network is not fully routed.  (Although my
domain is fully routed.)

I have a few DCs where the replication seems to be odd.

Using Sites and Services, the NTDS Settings displays replication partners:

DC01 replicates with DC02, RDC01
DC02 replicates with DC01, DC03, DC04, RDC01
DC03 replicates only with DC01
DC04 replicates with DC01
RDC01 replicates with DC01, DC02 (and three other domains)

DC01, DC02 and RDC01 are all in the same site; DC03 and DC04 are in
different sites.

What I'm confused about is why DC03 and DC04 would have NTDS settings for
DC01 while DC01 doesn't have NTDS settings for those two domain controllers?
DC01 holds all domain-level FSMO roles as well.

Replication is working, I'm just confused as to why this would be displayed
like this.  I thought the NTDS settings were bidirectional and thus should
have entries on both servers.  Obviously I don't know enough about
replication and NTDS settings.

Thanks,

Charlie

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
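To make Marcus's point concrete, here is an added example (mine, not code from anyone in this thread). It models the NTDS Settings posted above as inbound connection objects, which is what the Sites and Services view actually lists: the servers a DC pulls from, not the servers that pull from it. It then lists the pairs that are not mirrored and checks whether every DC's changes still reach every other DC by following the pull edges transitively. The DC names are the ones in the thread; the reachability check itself is my addition.

```python
"""Inbound connection objects and replication reachability (added example).

In AD Sites and Services the connection objects under a DC's NTDS Settings
are its inbound partners: the servers it pulls changes from.  They are not
symmetric, which is why DC03 lists DC01 while DC01 does not list DC03.
"""
from collections import deque

# "X replicates with A, B" in the thread, read as: X holds inbound connection
# objects from A and B (X pulls from A and B).  Topology as posted.
INBOUND = {
    "DC01": {"DC02", "RDC01"},
    "DC02": {"DC01", "DC03", "DC04", "RDC01"},
    "DC03": {"DC01"},
    "DC04": {"DC01"},
    "RDC01": {"DC01", "DC02"},
}


def outbound_partners(inbound):
    """Invert the map: who pulls *from* each DC.  This is never stored on the source."""
    out = {dc: set() for dc in inbound}
    for dst, sources in inbound.items():
        for src in sources:
            out.setdefault(src, set()).add(dst)
    return out


def asymmetric_pairs(inbound):
    """(dst, src) pairs where dst pulls from src but src never pulls from dst."""
    return sorted(
        (dst, src)
        for dst, sources in inbound.items()
        for src in sources
        if dst not in inbound.get(src, set())
    )


def reachable_from(origin, inbound):
    """DCs that eventually receive a change originated on `origin`.

    A change flows from src to dst whenever dst has an inbound connection
    from src, so this is a breadth-first walk over the inverted edges.
    """
    out = outbound_partners(inbound)
    seen = {origin}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        for nxt in out.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_pairs(inbound):
    """(origin, dc) pairs where dc would never see origin's changes.

    An empty list is the property that matters; symmetric entries are not.
    """
    dcs = set(inbound)
    return sorted(
        (origin, dc)
        for origin in dcs
        for dc in dcs - reachable_from(origin, inbound)
    )


if __name__ == "__main__":
    for dst, src in asymmetric_pairs(INBOUND):
        print(f"{dst} pulls from {src}, but {src} does not pull from {dst}")
    print("unreachable pairs:", unreachable_pairs(INBOUND))
```

With the posted topology every DC's changes reach every other DC (DC03 to DC02 to DC01 and back out to the spokes), which is the "through the central hub" behaviour Charles describes; delete DC02's inbound connection from DC03 and the check reports that nothing originated on DC03 leaves it.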


RE: [ActiveDir] Preferred Bridgeheads

2005-08-09 Thread David Cliffe



Thanks for your comments David A. and Dean :-)

You may have surmised my reason for asking. We have a few sites 
where a single preferred BH has been designated and although it puzzled me, I 
never really questioned it before. Our environment is such that this seems 
unnecessary, so it's time to dig a little deeper.

Thanks again.

-DaveC
Reuters
IST Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, August 09, 2005 10:04 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

The other David pretty much covered it with perhaps the exception of Virtual DCs; in 
the past I've tended to avoid placing intersite load on Virtual DCs though 
I prefer to achieve such a result using staging/lag/latent (or whichever 
term you prefer) sites assuming the customer in question fully grasps the 
purpose and importance of the extra site(s) ... even that to some extent depends 
on the perf. characteristics of the Virtual DC though. 


Outside of that, the only additional comment I'd make is that, in my 
experience, preferred bridgeheads are more frequently used to designate who's 
not a bridgehead rather than who is ... thought that worth a mention.

One final and somewhat related comment, manual designation of the ISTG can prove to 
be a much more valuable exercise in larger environments than manual designation 
of bridgeheads since the ISTG process itself is computationally expensive and 
warrants placement on suitably (proc. & memory-wise) high-performance 
hardware. This is a lesser concern these days due to the exponential leaps 
in performance we've seen over the past few years but, obviously, the scale and 
complexity of the forest and its replication topology impact the validity of 
that statement. It may also become necessary to manipulate the failover 
detection timers to prevent the role from being inadvertently moved during 
scheduled downtime.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, August 08, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

In the same spirit - but on the other side of the coin :) - I wouldn't 
mind hearing a brief elaboration on your earlier statement:

"I've found only a few scenarios in which they proved valuable"

Perhaps one reason might be when one of the servers in a site is 
underpowered/waiting to be upgraded, etc..?

-DaveC
Reuters
IST Service Delivery


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 6:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

Without wishing to labor the point Russ, what aspect of replication 
'speed' was thought to be improved? I ask as I often lecture on AD (and 
related technologies) and am interested to understand some of the 
misconceptions.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed. I guess it was more of a WAG.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC 
in and out of a site since in order to replicate a particular 
partition, the bridgehead in question must hold a copy of it ... if the 
preferred list contains only 2K DCs, that can't happen .. for the most part 
... a 2K3 ISTG will override your choices and allocate a suitable 
bridgehead for you, it will however whine and whine and whine and ... you get 
the idea.

I've found only a few scenarios in which they proved valuable ... may I ask why 
you're using them?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred 
bridgehead for IP. Is this not a good idea? Is it best to not prefer any 
bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about 
it as well.

Thanks

  
  
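An added example (mine, not from Dean or anyone in this thread) that turns the point about application NCs into a check an admin can run against an inventory: given the DCs in one site, which partitions are hosted somewhere in the site but held by no preferred bridgehead, and which non-preferred DC would close the gap. The site, DC and partition names (HUB-DC1 to HUB-DC3, DC=corp,DC=example, DomainDnsZones) are constructed for the example; the fact it relies on is that Windows 2000 DCs cannot host application partitions.

```python
"""Preferred bridgehead coverage of naming contexts (added example).

Intersite replication of a partition has to go through a bridgehead that
holds that partition.  If only Windows 2000 DCs are preferred bridgeheads,
application partitions (Windows Server 2003 only) are stranded in the site.
"""
from dataclasses import dataclass


@dataclass
class DC:
    name: str
    os: str                        # "2000" or "2003"
    partitions: frozenset          # naming contexts hosted by this DC
    preferred_bridgehead: bool = False


# Constructed names for the example.
DOMAIN_NC = "DC=corp,DC=example"
CONFIG_NC = "CN=Configuration,DC=corp,DC=example"
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=corp,DC=example"
DNS_APP_NC = "DC=DomainDnsZones,DC=corp,DC=example"   # application NC, 2003 DCs only

BASE = frozenset({DOMAIN_NC, CONFIG_NC, SCHEMA_NC})

# Constructed hub site: the only preferred bridgehead is still a Windows 2000 DC.
SITE = [
    DC("HUB-DC1", "2000", BASE, preferred_bridgehead=True),
    DC("HUB-DC2", "2003", BASE | {DNS_APP_NC}),
    DC("HUB-DC3", "2003", BASE | {DNS_APP_NC}),
]


def stranded_partitions(site):
    """NCs hosted somewhere in the site but by no preferred bridgehead.

    An empty preferred list means the ISTG chooses freely, so nothing is stranded.
    """
    preferred = [dc for dc in site if dc.preferred_bridgehead]
    if not preferred:
        return set()
    hosted = set().union(*(dc.partitions for dc in site))
    covered = set().union(*(dc.partitions for dc in preferred))
    return hosted - covered


def suggest_bridgeheads(site):
    """Names of non-preferred DCs to add so every hosted NC has a bridgehead.

    Greedy: repeatedly take the candidate that covers the most stranded NCs.
    Stops early if no DC in the site hosts what remains.
    """
    stranded = set(stranded_partitions(site))
    candidates = [dc for dc in site if not dc.preferred_bridgehead]
    chosen = []
    while stranded and candidates:
        best = max(candidates, key=lambda dc: len(dc.partitions & stranded))
        if not best.partitions & stranded:
            break
        chosen.append(best.name)
        stranded -= best.partitions
        candidates.remove(best)
    return chosen


if __name__ == "__main__":
    print("stranded in site:", sorted(stranded_partitions(SITE)))
    print("add as preferred bridgehead:", suggest_bridgeheads(SITE))
```

Run on the sample site it reports the DomainDnsZones partition as stranded and suggests HUB-DC2; mark either 2003 DC preferred (or clear the preferred list entirely) and the report is empty.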

[ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Salandra, Justin A.
I need some programming help

How do I get this to work? I have a form and when I click a button I
want it to place the date in a date field if there is no date there;
if there is a date there then I don't want it to do anything.

' In the button's Click event; Date_Created is a bound control on the form
If IsNull(Me.Date_Created) Then
    Me.Date_Created = Date
End If

Thanks in Advance

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k
domain in one forest with a root or child domain in another forest,
does this use WINS or DNS?
I know this is not a real forest trust and more like an external
trust in that it's not transitive and uses NTLM and NOT Kerberos, but
does it also rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was-
 they have connectivity to the child dns server but they cut off
 connectivity to anything in the root domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers(about 10) are in the child domain.
 the only recipient policy in the root is the default one and the enterprise
 RUS.
 
 
 They want to migrate the child domain and all the resources to a new
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to
 create a trust with the old child domain to migrate everything over(or
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you
  have them put a quote and migration plan together prior to the actual
  migration? Or are you asking these questions because you are second guessing
  them? Or is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when
  using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
  has a tool that overcomes this that I am not aware of. Are you trying to
  keep the same domain name as the source? Microsoft also has a free tool that
  will allow you to rename the target 2003 AD domain after you have
  completed your migration and decommissioned old DCs.
 
  Jose
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
  Jorge de
  Sent: Monday, August 08, 2005 2:46 PM
  To: ActiveDir@mail.activedir.org; activedirectory
  Subject: RE: [ActiveDir] AD migration
 
 
  What do you mean with "In fact, they are cut off from the root domain
  physically."? Do you mean as in there is no replication between the two
  domains? If yes... dare I ask for how long?
 
  As I know of you can migrate the child domain without the root being
  available because you will be having a trust between the new domain and the
  child domain
 
  I still don't understand what you mean... They are cut off from the root
  and the DNS is available in the root. I must be missing something. Can you
  explain a bit more?
 
  Jorge
 
  
 
  From: [EMAIL PROTECTED] on behalf of Tom Kern
  Sent: Mon 8/8/2005 11:08 PM
  To: activedirectory
  Subject: [ActiveDir] AD migration
 
 
 
  I just started working for a company. They used to outsource their
  AD/Exchange but now they're trying to get it back.
 
  It's a 2-tree, 2-domain forest. The root domain is empty.
  This company only has DA access on the child domain. No EA access. In
  fact, they are cut off from the root domain physically.
 
  What they want to do is create a new forest and migrate all
  users, Exchange, computers, etc. to the new forest and be done with the
  old.
  They are going to use Quest sw and a consultant from Quest for this.
 
  My question is- can this be done without any connectivity to the root?
  Both DNS zones are in the root so they really don't have any DNS
  locally as well (needless to say, you can imagine what the rep logs
  look like). I'm sure this complicates matters.
  However, the Quest people seem to think this can still work.
  Can it?
 
  also, can the new forest have the same 
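As an added example (mine, not from Rick or from the KB article), the following builds the two LMHOSTS records Rick describes and checks a file for the padding mistake that makes the domain record silently fail to match. The format it assumes is the one in the KB article linked above: a #DOM record naming the target PDC, and a quoted domain-browser record whose name is the domain padded with spaces to exactly 15 characters followed by the literal text \0x1b. The IP addresses and names (192.0.2.10, PDC01, CORPX, OTHERDOM) are constructed.

```python
"""Build and sanity-check LMHOSTS records for a trust (added example).

Format assumed from KB 180094: a #PRE #DOM:<domain> record for the target
PDC and a quoted "<domain padded to 15>\\0x1b" record for the domain master
browser.  A name padded to any other length is a different NetBIOS name and
is simply never matched, which is the "must be EXACTLY as defined" trap.
"""
import re

NETBIOS_MAX = 15          # NetBIOS names are at most 15 characters
SUFFIX_1B = "\\0x1b"      # literal text \0x1b that ends the domain-browser record


def lmhosts_entries(ip, pdc_name, domain):
    """Return (dom_record, browser_record) for one target domain, exactly padded."""
    for label, value in (("pdc_name", pdc_name), ("domain", domain)):
        if not 1 <= len(value) <= NETBIOS_MAX or " " in value:
            raise ValueError(f"{label} must be 1-{NETBIOS_MAX} characters with no spaces: {value!r}")
    pdc_name, domain = pdc_name.upper(), domain.upper()
    dom_record = f"{ip}\t{pdc_name}\t#PRE\t#DOM:{domain}"
    browser_record = f'{ip}\t"{domain.ljust(NETBIOS_MAX)}{SUFFIX_1B}"\t#PRE'
    return dom_record, browser_record


QUOTED = re.compile(r'^\S+\s+"([^"]*)"')                       # ip "name with spaces..."
DOM_RECORD = re.compile(r'^\S+\s+\S+\s+(?:#PRE\s+)?#DOM:\S+', re.IGNORECASE)


def check_lmhosts(text):
    """Return [(line_no, problem), ...] for records that will not work as intended."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank or comment line
        m = QUOTED.match(line)
        if m:
            name = m.group(1)
            if not name.endswith(SUFFIX_1B):
                problems.append((no, f"quoted name must end with {SUFFIX_1B}"))
            else:
                padded = len(name) - len(SUFFIX_1B)
                if padded != NETBIOS_MAX:
                    problems.append((no, f"domain must be padded to {NETBIOS_MAX} "
                                         f"characters before {SUFFIX_1B}, got {padded}"))
            continue
        if "#DOM:" in line.upper() and not DOM_RECORD.match(line):
            problems.append((no, "expected '<ip> <pdc> #PRE #DOM:<domain>'"))
    return problems


# Constructed sample file: one correct pair, then a browser record padded wrong.
SAMPLE = "\n".join([
    "# constructed LMHOSTS sample",
    *lmhosts_entries("192.0.2.10", "pdc01", "corpx"),
    '192.0.2.20\t"OTHERDOM \\0x1b"\t#PRE',
])

if __name__ == "__main__":
    for no, problem in check_lmhosts(SAMPLE):
        print(f"line {no}: {problem}")
```

The generator always emits both records for a domain because the mirror file on the other side needs the same pair pointing back; the checker only looks at the two record shapes the KB describes, so a plain host entry without #DOM passes through untouched.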

RE: [ActiveDir] Replication Question

2005-08-09 Thread Marcus.Oh
That must be why I drink so much of it!

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Tuesday, August 09, 2005 10:59 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Replication Question

I think what was just throwing me off is all conceptual.  

I was wondering why DC03 and DC04 don't replicate but now I think I figured
it out.  The sites they are in aren't adjacent and because we aren't fully
routed we prevented the creation of non-adjacent links to be established
unless we do it manually.  So these two won't make a ring in the replication
but they will get the changes through the central hub.

Sorry bout that, I guess I didn't have enough coffee before I started
thinking this morning.

Charlie


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 8:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication Question


AFAIK topology is a ring.  All servers issue pull replication... so they
don't necessarily need a one-to-one relationship or bidirectional flow.
DC03 for example - replicates with DC01, DC01 replicates with DC02, DC02
replicates with DC03... 



:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Tuesday, August 09, 2005 8:41 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Replication Question

Alright, I'm noticing something that I think is odd and I was wondering if
I'm just losing it.

We have a multi-domain empty-root forest structure and I'm the DA of one of
those child domains.  Also, our network is not fully routed.  (Although my
domain is fully routed.)

I have a few DCs where the replication seems to be odd.

Using Sites and Services, the NTDS Settings displays replication partners:

DC01 replicates with DC02, RDC01
DC02 replicates with DC01, DC03, DC04, RDC01
DC03 replicates only with DC01
DC04 replicates with DC01
RDC01 replicates with DC01, DC02 (and three other domains)

DC01, DC02 and RDC01 are all in the same site; DC03 and DC04 are in
different sites.

What I'm confused about is why DC03 and DC04 would have NTDS settings for
DC01 while DC01 doesn't have NTDS settings for those two domain controllers?
DC01 holds all domain-level FSMO roles as well.

Replication is working, I'm just confused as to why this would be displayed
like this.  I thought the NTDS settings were bidirectional and thus should
have entries on both servers.  Obviously I don't know enough about
replication and NTDS settings.

Thanks,

Charlie

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Why can't you just use stub zones or conditional forwarding for this to work?

Or if NetBT is involved, can you just configure your WINS servers to
replicate? I thought WINS replication had nothing to do with NT
security. You just enter the IP of the partner servers...

Thanks

On 8/9/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 Really, it uses neither.  The NetBT is involved, but because we are on (at
 present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
 The records are going to be very specific, as they will define the domain of
 the target domain, as well as (typically) the PDC for the target.  A
 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the first
 time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
 domain in one forest with a root or child domain in another forest,
 does this use WINS or DNS?
 I know this is not a real forest trust and more like an external
 trust in that it's not transitive and uses NTLM and NOT Kerberos, but
 does it also rely on WINS/NetBIOS like an old NT-style trust?
 
 thanks
 
 On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
  I just started today so what I got was-
  they have connectivity to the child dns server but they cut off
  connectivity to anything in the root domain.
  the firewall is blocking all root traffic.
  this has been like this for a week.
  nothing is replicating to the root and there is no access to the _msdc
  forest zone.
 
  The forest is win2k native with an empty root and 1 child domain in a
  separate tree.
  they have DA access in the child domain but no DA/EA access in the root.
  all the exchange servers(about 10) are in the child domain.
  the only recipient policy in the root is the default one and the enterprise
  RUS.
 
 
  They want to migrate the child domain and all the resources to a new
  forest where we have full control of everything.
  i assume we do not need connectivity to the _msdc forest dns zone to
  create a trust with the old child domain to migrate everything over(or
  anything in the root dns zone).
 
  I'm not 2nd guessing the Quest guys, this is only for my own education.
 
  Thanks a lot
 
 
  On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
   I am sure Quest's consultants know what they are doing. Didn't you
   have them put a quote and migration plan together prior to the actual
   migration? Or are you asking these questions because you are second guessing
   them? Or is this just for your own knowledge?
  
   My understanding is that both domain names have to be different when
   using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
   has a tool that overcomes this that I am not aware of. Are you trying to
   keep the same domain name as the source? Microsoft also has a free tool that
   will allow you to rename the target 2003 AD domain after you have
   completed your migration and decommissioned old DCs.
  
   Jose
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
   Jorge de
   Sent: Monday, August 08, 2005 2:46 PM
   To: ActiveDir@mail.activedir.org; activedirectory
   Subject: RE: [ActiveDir] AD migration
  
  
   What do you mean with "In fact, they are cut off from the root domain
   physically."? Do you mean as in there is no replication between the two
   domains? If yes... dare I ask for how long?
  
   As I know of you can migrate the child domain without the root being
   available because you will be having a trust between the new domain and the
   child domain
  
   I still don't understand what you mean... They are cut off from the root
   and the DNS is available in the root. I must be missing something. Can you
   explain a bit more?
  
   Jorge
  
   
  
   From: [EMAIL PROTECTED] on behalf of Tom Kern
   Sent: Mon 8/8/2005 11:08 PM
   To: activedirectory
   Subject: [ActiveDir] AD migration
  
  
  
   I just started working for a company. They used to outsource their
   AD/Exchange but now they're trying to get it back.
  
   It's a 2-tree, 2-domain forest. The root domain is empty.
   This company only has DA access on the child domain. No EA access. In
   fact, they are cut off from the root domain physically.
  
   What they want to do is create a new forest and migrate all
   users, Exchange, computers, etc. to the new forest and be done with the
   old.
   

[ActiveDir] Adding custom fields to AD

2005-08-09 Thread Steve Shaff
Group,

My manager wanted me to check, even though I don't think that it is
possible, but I will present the question.  

He would like to add some custom fields, about 30, to AD.  He would like
to add bio information into AD to be pulled by SharePoint and other
applications for people to read. I think that this is a waste of time,
space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Replication White paper

2005-08-09 Thread John Parker
Thank you...
We are looking into the Failover solution.

John Parker, MCSE 
IS Admin. 
Senior Technical Specialist 
Alpha Display Systems. 
Alpha Video 
7711 Computer Ave. 
Edina, MN. 55435 

952-896-9898 Local 
800-388-0008 Watts 
952-896-9899 Fax 
612-804-8769 Cell 
952-841-3327 Direct 
[EMAIL PROTECTED] 
Be excellent to each other 
---End of Line--- 



-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Replication White paper


That capability is not present in the current Exchange product. There
are a number of third party solutions that fill the feature void.

Probably NeverFail and DoubleTake are the most visible solutions in that
space. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Tuesday, August 09, 2005 9:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Replication White paper

Hello and good day...

I was wondering if someone could direct me to a white paper that would
give me a go-to on how to set up a fallback Exchange server.  Basically I
just want to set up an identical server and have the data from my front
side Exchange box replicated to the back house Exchange box.

Thank you

John Parker, MCSE
IS Admin. 
Senior Technical Specialist
Alpha Display Systems. 
Alpha Video 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: quick cluster question

2005-08-09 Thread Rick Kingslan
This, too, has been my experience with Windows Server 2003 in a SAN (EMC)
environment.

Rick


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Tuesday, August 09, 2005 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: quick cluster question

This is the case at least with Windows 2000.


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to you.

However, given the trials and tribulations that you have discussed with us
over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable best practice method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick way
of doing something.  I am sure that the company that has retained your
services is being billed for the time that you work to migrate their user
base and Exchange to something that they can control.  Finding a DNS or a
WINS solution when the LMHosts solution is 'best practice' is simply not a
good idea.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Why can't you just use stub zones or conditional forwarding for this to
work?

Or if NetBT is involved, can you just configure your WINS servers to
replicate? I thought WINS replication had nothing to do with NT
security. You just enter the IP of the partner servers...

Thanks

On 8/9/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 Really, it uses neither.  The NetBT is involved, but because we are on (at
 present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC
directory.
 The records are going to be very specific, as they will define the domain
of
 the target domain, as well as (typically) the PDC for the target.  A
 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the first
 time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
 domain in one forest with a root or child domain in another forest,
 does this use WINS or DNS?
 I know this is not a real forest trust and more like an external
 trust in that it's not transitive and uses NTLM and NOT Kerberos, but
 does it also rely on WINS/NetBIOS like an old NT-style trust?
 
 thanks
 
 On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
  I just started today so what I got was-
  they have connectivity to the child dns server but they cut off
  connectivity to anything in the root domain.
  the firewall is blocking all root traffic.
  this has been like this for a week.
  nothing is replicating to the root and there is no access to the _msdc
  forest zone.
 
  The forest is win2k native with an empty root and 1 child domain in a
  separate tree.
  they have DA access in the child domain but no DA/EA access in the root.
  all the exchange servers(about 10) are in the child domain.
  the only recipient policy in the root is the default one and the
  enterprise RUS.
 
 
  They want to migrate the child domain and all the resources to a new
  forest where we have full control of everything.
  i assume we do not need connectivity to the _msdc forest dns zone to
  create a trust with the old child domain to migrate everything over(or
  anything in the root dns zone).
 
  I'm not 2nd guessing the Quest guys, this is only for my own education.
 
  Thanks a lot
 
 
  On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
   I am sure Quest's consultants know what they are doing. Didn't you
   have them put a quote and migration plan together prior to the actual
   migration? Or are you asking these questions because you are second
   guessing them? Or is this just for your own knowledge?
  
   My understanding is that both domain names have to be different when
   using ADMT to migrate from a Source Domain to a Target Domain, unless
   Quest has a tool that overcomes this that I am not aware of. Are you trying to
   keep the same domain name as the source? Microsoft also has a free tool
   that will allow you to rename the target 2003 AD domain after you have
   completed your migration and decommissioned old DCs.
  
   Jose
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
   Jorge de
   Sent: Monday, August 08, 2005 2:46 PM
   To: ActiveDir@mail.activedir.org; activedirectory
   Subject: RE: [ActiveDir] AD migration
  
  
   What do you mean with In fact, they are cut off from the root domain
 

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Rick Kingslan
Certainly it is possible.  And, it's not overly difficult to DO, but the
upfront planning that SHOULD be done can be tedious.

Remember - this is the schema.

My opinion - and it seems to be free today (as if I've ever been afraid to
give it...) - This is a job that just screams SQL server.

I can't imagine WHY AD would be a better choice in this case.  As long as
the apps are all able to connect via a SQL provider in some method (and
goodness knows Microsoft has made a lot of them available), this should
be no pain at all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check, even though I don't think that it is
possible, but I will present the question.  

He would like to add some custom fields, about 30, to AD.  He would like
to add bio information into AD to be pulled by SharePoint and other
applications for people to read. I think that this is a waste of time,
space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Salandra, Justin A.
I need some programming help

How do I get this to work? I have a form and when I click a button I
want it to place the date in a date field if there is no date there;
if there is a date there then I don't want it to do anything.

' In the button's Click event; Date_Created is a bound control on the form
If IsNull(Me.Date_Created) Then
    Me.Date_Created = Date
End If

Thanks in Advance

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Rick Kingslan
Justin,

I know we go off-topic at times, but I suspect that VB assistance, not
related to ADSI programming, might be stretching it a bit.

That's just my take.

There are forums and newsgroups (the VB NG hosted by MSFT for one) that are
going to be much more responsive to your need in this case.

If someone who knows VB happens on today and decides to answer the question
- happy days.  I don't work enough in VB to be able to help.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 09, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VB Programming in Access

I need some programming help

How do I get this to work? I have a form and when I click a button I
want it to place the date in a date field if there is no date there;
if there is a date there then I don't want it to do anything.

' In the button's Click event; Date_Created is a bound control on the form
If IsNull(Me.Date_Created) Then
    Me.Date_Created = Date
End If

Thanks in Advance

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Coleman, Hunter
...or ADAM. These kinds of requests have a tendency to creep beyond the
original scope, which can have unintended consequences if the upfront
planning falls short.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Certainly it is possible.  And, it's not overly difficult to DO, but the
upfront planning that SHOULD be done can be tedious.

Remember - this is the schema.

My opinion - and it seems to be free today (as if I've ever been afraid
to give it...) - This is a job that just screams SQL server.

I can't imagine WHY AD would be a better choice in this case.  As long
as the apps are all able to connect via a SQL provider in some method
(and goodness knows Microsoft has made a lot of them available),
this should be no pain at all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check; even though I don't think that it is
possible, I will present the question.

He would like to add some custom fields, about 30, to AD.  He would like
to add bio information into AD to be pulled by SharePoint and other
applications for people to read. I think that this is a waste of time,
space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S


[ActiveDir] NT 4 Permissions

2005-08-09 Thread Salandra, Justin A.
It has been a while I have had to deal with this, but I am about to
migrate another one of my domains and I have a question about NT 4 Share
and NTFS Permissions.

Is it the same in NT as it is in 2000/2003, so that the scenario below is
true?

Root Folder - NTFS Everyone Full Control, Share Permissions Domain Users
Read
Sub Folder - NTFS Everyone Full Control

If user1 tries to save a file into the subfolder, they should be denied
access to do so since they have a lower permissions level on the share.
Is this right?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Rick Kingslan
Correct.  Effective permissions for anyone who is a member of Domain Users
is READ on the files in the folder.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT 4 Permissions

It has been a while I have had to deal with this, but I am about to
migrate another one of my domains and I have a question about NT 4 Share
and NTFS Permissions.

Is it the same in NT as it is in 2000/2003, so that the scenario below is
true?

Root Folder - NTFS Everyone Full Control, Share Permissions Domain Users
Read
Sub Folder - NTFS Everyone Full Control

If user1 tries to save a file into the subfolder, they should be denied
access to do so since they have a lower permissions level on the share.
Is this right?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] OT: VB Programming in Access

2005-08-09 Thread Rick Kingslan
This is the web-based forums in the MSDN Community:

http://forums.microsoft.com/msdn/ShowForum.aspx?ForumID=32

Cheers!

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 09, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VB Programming in Access

Where can I find that forum

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 1:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: VB Programming in Access

Justin,

I know we go off-topic at times, but I suspect that VB assistance, not
related to ADSI programming, might be stretching it a bit.

That's just my take.

There are forums and newsgroups (the VB NG hosted by MSFT for one) that
are going to be much more responsive to your need in this case.

If someone who knows VB happens on today and decides to answer the
question - happy days.  I don't work enough in VB to be able to help.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 09, 2005 11:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: VB Programming in Access

I need some programming help

How do I get this to work? I have a form and when I click a button I
want it to place the date in a date field if there is no date there;
if there is a date there then I don't want it to do anything.

    ' Only stamp the field when it is still empty. IsNull() is required:
    ' a Null field never compares equal to anything, so "Is Null" in VBA
    ' does not work the way it does in SQL.
    If IsNull(Me.Date_Created) Then
        Me.Date_Created = Date
    End If

Thanks in Advance

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Salandra, Justin A.
As well as the folders in the folders, right?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT 4 Permissions

Correct.  Effective permissions for anyone who is a member of Domain Users
is READ on the files in the folder.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT 4 Permissions

It has been a while I have had to deal with this, but I am about to
migrate another one of my domains and I have a question about NT 4 Share
and NTFS Permissions.

Is it the same in NT as it is in 2000/2003, so that the scenario below is
true?

Root Folder - NTFS Everyone Full Control, Share Permissions Domain Users
Read
Sub Folder - NTFS Everyone Full Control

If user1 tries to save a file into the subfolder, they should be denied
access to do so since they have a lower permissions level on the share.
Is this right?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Marcus.Oh
Yep.  Anytime you have NTFS and share perms, the most restrictive wins.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 09, 2005 2:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT 4 Permissions

It has been a while I have had to deal with this, but I am about to
migrate another one of my domains and I have a question about NT 4 Share
and NTFS Permissions.

Is it the same in NT as it is in 2000/2003, so that the scenario below is
true?

Root Folder - NTFS Everyone Full Control, Share Permissions Domain Users
Read
Sub Folder - NTFS Everyone Full Control

If user1 tries to save a file into the subfolder, they should be denied
access to do so since they have a lower permissions level on the share.
Is this right?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Virtual Domain Controllers

2005-08-09 Thread Seely Jonathan J
Thanks, Brad. That is very good to hear. I also appreciate the tips.

JJ

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Tuesday, August 09, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

We run multiple DC's on GSX and ESX. Everything seems to have gone fine
so far, and MS will give their best endeavours on support. Most of the
time they don't even ask us if the DC is virtual ;-)

Also, ensure that the time sync capability is disabled in the VMware
Tools, and that the DC boots up completely before the file and print, so
that the file and print can authorise itself against it. Otherwise the
FP may take up to half an hour (or thereabouts) to realise it can now
contact a DC for file/print access authorisation.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, August 08, 2005 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

hehe - single DC - must have overread that - I would have called that to
be a problem in itself ;-)
But then again it's only for 10 users and likely ok.
As such, I even doubt that SID reissue is much of a problem as this
environment is likely rather static rgd. new objects in AD ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 7 August 2005 00:43
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Well since it is a single domain and a single DC I would say he really
doesn't have a worry about USN rollbacks but he does have a possible
concern with SID reissue.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, August 06, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

> Since it's a single domain server I just take ghost snapshots of the
> domain and then backup the files

not really a useful approach to backup a DC. Might be ok for FS and
other roles, but DCs are not really cool with snapshotting and being
"rolled back in time" due to the distributed nature of the data they
store. You could easily cause USN rollback during recovery of a DC
stored in this fashion (at least SP1 protects the rest of your DCs now
by turning off in- and outbound replication and disabling the netlogon
service if it finds a DC that has a USN rollback status).

But for AD Backup/Restore you'd be much better off to work with normal
SystemState backup/restore. Which is another reason why it's nice to
have it on a separate box (virtual or hardware).

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Saturday, 6 August 2005 02:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 users, and
since it's just a single server office, and single DC domain... I just
run everything on the domain controller. Domain, DNS, File, Print, and
Accounting Software on the same server... no VMware... although I
considered it. Since it's a single domain server I just take ghost
snapshots of the domain and then backup the files.

Seems to work pretty good, as it's been running solid for about a year
now.

Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you
could probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
-- A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS
does not support this configuration, but I've heard that many people
are running DCs in this fashion. Can anyone give some advice in this
arena? The idea here is to do VM for a file/print, and another one for
a DC in our remote sites. Currently, we've got different hardware for
each box, but we're trying to consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of
RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Tom,

While I am sure that Rick has some document in which using LMHosts files
are identified as a best practice, I can assure you that it is quite
feasible to use WINS to accomplish the name resolution requirement for
the task at hand: creating an external trust between two domains with
different names explicitly for the purpose of migrating client systems
from one domain to another.  In fact I might suggest that in many cases
this is a better approach.  The Quest products will rely on name
resolution (as well as the trust) in order to migrate users, groups,
workstations, servers and other resources between domains.  This name
resolution will in fact be even more important during the migration
process if users in one domain will need to access resources in the
other domain.  The existing WINS environment is already populated with
necessary records, and has all the information required to resolve the
names of DCs, resource servers, workstations, etc. in the existing
domain.  Assuming you have administrative control over the WINS server,
you can certainly configure WINS replication between a WINS server in
the new environment and one in the existing environment - and no, a
trust is not needed to make this work as WINS replication (and
resolution) is generally unauthenticated.

If you are planning to migrate your WINS servers to the new environment
I might argue that the best approach would be to migrate them first (one
by one verifying functionality as you go) to the new environment and
continue to point both old *and new systems* to the same WINS servers.
Of course this assumes, as stated previously, that you have
administrative control over the WINS servers.  This implementation
should avoid the need to use LMHost files or change primary/secondary
WINS assignments on migrated systems.  This is an approach I have used
many times when migrating between forests and between NT4 domains and AD
domains.

As for migrating without the availability of the root domain, you should
be mostly OK as the Quest representatives stated.  However without the
root being accessible and the _msdcs DNS domain being unavailable, I
would certainly look to accelerate the migration as you should start
having replication even within your child domain(s).

Regards,

Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 9:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Tom,

The solution that I gave you is the only one that I know of.  If you are
able to get DNS to work (doubtful) or are able to get WINS to replicate
across a trust that at the present time doesn't exist, more power to
you.

However, given the trials and tribulations that you have discussed with
us over the past couple of weeks - *I* would be looking for the easiest,
accepted, maintainable best practice method for getting your job done.

A piece of personal advice - and you can choose to ignore it or use it -
it's free.

In your new position, they are looking for results - not the most trick
way of doing something.  I am sure that the company that has retained
your services is being billed for the time that you work to migrate
their user base and Exchange to something that they can control.
Finding a DNS or a WINS solution when the LMHosts solution is 'best
practice' is simply not a good idea.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 11:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Why can't you just use stub zones or conditional forwarding for this to
work?

Or if NetBT is involved, can you just configure your WINS servers to
replicate? I thought WINS replication had nothing to do with NT
security; you just enter the IP of the partner servers...

Thanks

On 8/9/05, Rick Kingslan [EMAIL PROTECTED] wrote:
 Really, it uses neither.  The NetBT is involved, but because we are on
 (at present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC
 directory.  The records are going to be very specific, as they will
 define the domain of the target domain, as well as (typically) the PDC
 for the target.  A 'mirror' LMHosts will be set up on the other
 trusting side.
 
 As noted, the format of the records is specific, and can be found
 here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the
 first time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
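Rick's point that the DOMAIN-NAME records "must be EXACTLY as defined" is about the LMHOSTS syntax for the domain <1B> entry: the quoted NetBIOS domain name is padded with spaces to 15 characters and followed by \0x1b, so the quoted string is exactly 20 characters, and the domain controller itself is listed with #PRE #DOM:<domain>. The validator below is an added example written for this thread, not code from the list, from the KB article or from Microsoft; the file contents, addresses and domain names it checks are constructed, and the helper that emits a correctly padded entry is mine.

```python
"""Validator for the LMHOSTS records a trust between untrusted NT domains relies on.

Two record shapes matter (documented LMHOSTS syntax, not page-specific):
  <ip>  "<NAME padded to 15 chars>\\0x1b"  #PRE     domain <1B> entry: exactly 20
                                                   characters inside the quotes
  <ip>  <DCNAME>  #PRE  #DOM:<NAME>                 domain controller entry
Names are NetBIOS names, so 15 characters at most.
"""
import ipaddress
import re

NETBIOS_MAX = 15
RECORD = re.compile(r'^(\S+)\s+("[^"]*"|\S+)(.*)$')      # ip, name (maybe quoted), rest
HEX_SUFFIX = re.compile(r"\\0x[0-9A-Fa-f]{2}$")         # literal backslash, 0x, two hex digits


def domain_1b_record(ip, domain):
    """Emit a correctly padded domain <1B> entry for `domain` at `ip` (helper, constructed)."""
    if not 1 <= len(domain) <= NETBIOS_MAX:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    return f'{ip:<16}"{domain:<15}\\0x1b"    #PRE'


def parse_record(line):
    """Split one record into (ip, name, [keywords]); stops at the first plain comment."""
    m = RECORD.match(line)
    if not m:
        return None
    ip, name, rest = m.groups()
    keywords = []
    for tok in rest.split():
        upper = tok.upper()
        if upper == "#PRE" or upper.startswith("#DOM:"):
            keywords.append(tok)
        else:
            break  # "# free text" comment or stray token: nothing after it is meaningful
    return ip, name, keywords


def validate(text):
    """Return [(line_number, problem), ...] for records that would not work."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        rec = parse_record(line)
        if rec is None:
            findings.append((lineno, "unparseable record"))
            continue
        ip, name, keywords = rec
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append((lineno, f"invalid IPv4 address {ip!r}"))
        if name.startswith('"'):
            inner = name[1:-1]
            # 15 characters of (space-padded) name followed by the 5-character \0xNN escape
            if len(inner) != 20 or not HEX_SUFFIX.search(inner) or not inner[:15].strip():
                findings.append((lineno, "quoted name must be exactly 15 padded characters plus \\0xNN"))
        elif len(name) > NETBIOS_MAX:
            findings.append((lineno, f"NetBIOS name {name!r} exceeds {NETBIOS_MAX} characters"))
        for kw in keywords:
            if kw.upper().startswith("#DOM:") and not 1 <= len(kw[5:]) <= NETBIOS_MAX:
                findings.append((lineno, f"bad #DOM domain name in {kw!r}"))
    return findings


# Constructed sample file: addresses are from the documentation range, names are made up.
SAMPLE_LMHOSTS = "\n".join([
    "# records for the trust to the old domain (constructed sample)",
    domain_1b_record("192.0.2.10", "CORPOLD"),
    "192.0.2.10      OLDPDC01    #PRE    #DOM:CORPOLD",
    '192.0.2.11      "CORPOLD     \\0x1b"    #PRE',      # only 17 characters quoted: rejected
    "192.0.2.300     OLDBDC01    #PRE    #DOM:CORPOLD",  # not a valid address
    "192.0.2.12      ALONGNETBIOSNAME01    #PRE",        # 18-character name
])

if __name__ == "__main__":
    for lineno, problem in validate(SAMPLE_LMHOSTS):
        print(f"line {lineno}: {problem}")
```

Running the module prints the three defective sample lines (4, 5 and 6). The check is deliberately strict about the 20-character rule because a padding error produces no error message on the client, only a silent failure to resolve the domain; after editing the real file, `nbtstat -R` reloads the preloaded entries so the change can be tested without a reboot.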

RE: [ActiveDir] NT 4 Permissions

2005-08-09 Thread Rick Kingslan
Yes - as long as NTFS inheritance of permission is not disrupted.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Tuesday, August 09, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT 4 Permissions

As well as the folders in the folders, right?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NT 4 Permissions

Correct.  Effective permissions for anyone who is a member of Domain Users
is READ on the files in the folder.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Tuesday, August 09, 2005 1:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NT 4 Permissions

It has been a while I have had to deal with this, but I am about to
migrate another one of my domains and I have a question about NT 4 Share
and NTFS Permissions.

Is it the same in NT as it is in 2000/2003, so that the scenario below is
true?

Root Folder - NTFS Everyone Full Control, Share Permissions Domain Users
Read
Sub Folder - NTFS Everyone Full Control

If user1 tries to save a file into the subfolder, they should be denied
access to do so since they have a lower permissions level on the share.
Is this right?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
646.505.3681 - office
917.455.0110 - cell
[EMAIL PROTECTED]


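The rule given in this thread (share permissions and NTFS permissions are evaluated separately and the caller keeps only what both grant, so "the most restrictive wins") and Rick's caveat that sub folders behave the same only while NTFS inheritance is not disrupted can be checked against a small model. The code below is an added example, not something posted to the list or shipped with Windows: the folder tree, share ACL and group memberships are constructed, Windows' per-ACE inheritance flags are simplified to "a folder inherits its parent's ACEs unless inheritance was broken and the inherited entries removed", and any matching deny wins regardless of the canonical ACE ordering a real file server applies.

```python
"""Model of effective access to a folder reached through an SMB share.

Share permissions and NTFS permissions are evaluated independently and the
caller keeps only the rights granted by BOTH ("most restrictive wins").
A user who logs on locally never passes the share ACL, so NTFS
"Everyone Full Control" still grants everything to an interactive logon.
"""
from dataclasses import dataclass, field

# Right sets for the three share permission levels; NTFS is modelled with
# the same vocabulary so that intersecting the two is meaningful.
READ = frozenset({"read"})
CHANGE = frozenset({"read", "write", "delete"})
FULL = frozenset({"read", "write", "delete", "change_permissions"})


@dataclass
class Folder:
    aces: list = field(default_factory=list)  # (kind, principal, rights); kind is "allow" or "deny"
    inherit: bool = True  # False: inheritance from the parent was broken and inherited ACEs removed


# Constructed sample tree mirroring the thread's scenario (paths are model keys, not real shares).
NTFS_TREE = {
    "data": Folder([("allow", "Everyone", FULL)]),
    "data/sub": Folder(),  # inherits Everyone Full Control from "data"
    "data/sub/hr": Folder([("allow", "HR Staff", CHANGE)], inherit=False),  # inheritance disrupted
    "data/sub/audit": Folder([("deny", "Domain Users", frozenset({"delete"}))]),  # explicit deny added
}

# The root folder "data" is published as a share with Domain Users = Read.
SHARE_ACL = {"data": [("allow", "Domain Users", READ)]}


def _resolve(aces, principals):
    """Union of allowed rights for the caller's principals minus union of denied rights."""
    allowed, denied = set(), set()
    for kind, principal, rights in aces:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return frozenset(allowed - denied)


def ntfs_rights(path, principals):
    """Effective NTFS rights on `path`: walk down from the root accumulating inherited
    ACEs; a folder with broken inheritance discards everything above it."""
    parts = path.split("/")
    effective = []
    for depth in range(1, len(parts) + 1):
        node = NTFS_TREE["/".join(parts[:depth])]
        if not node.inherit:
            effective = []
        effective = effective + node.aces
    return _resolve(effective, principals)


def share_rights(share, principals):
    """Rights granted by the share ACL alone."""
    return _resolve(SHARE_ACL[share], principals)


def effective_access(path, principals, via_share=True):
    """Rights the caller actually gets; via_share=False models an interactive/local logon."""
    rights = ntfs_rights(path, principals)
    if via_share:
        rights &= share_rights(path.split("/")[0], principals)
    return rights


if __name__ == "__main__":
    user1 = {"user1", "Domain Users", "Everyone"}
    print(sorted(effective_access("data/sub", user1)))                  # share caps NTFS Full to Read
    print(sorted(effective_access("data/sub", user1, via_share=False)))  # locally the NTFS ACL alone applies
    print(sorted(effective_access("data/sub/hr", user1)))               # nothing: inheritance was broken
```

The last two calls are the practical caveats behind the thread: the share level only limits network access, so a permissive NTFS ACL like "Everyone Full Control" is still fully effective for anyone with a local or terminal-services logon, and once inheritance is broken on a sub folder the "same as the parent" assumption no longer holds and the sub folder's own ACL must be read.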


[ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation, which is much better than unconstrained, but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from the developer's
point of view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob



Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Sorry, I wasn't trying to be tricky.

I actually suggested the lmhosts solution but the consultants from IBM
who are planning the migration with MS are going the DNS route.

MS hacked the formerly AD-integrated DNS from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has NetBIOS disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because I don't feel the warm
and fuzzies from these guys from IBM as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mboxes(while Exchange is still in the
old forest) or does sid history make it so they can access exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Tom,
 
 While I am sure that Rick has some document in which using LMHosts files
 are identified as a best practice, I can assure you that it is quite
 feasible to use WINS to accomplish the name resolution requirement for
 the task at hand: creating an external trust between two domains with
 different names explicitly for the purpose of migrating client systems
 from one domain to another.  In fact I might suggest that in many cases
 this is a better approach.  The Quest products will rely on name
 resolution (as well as the trust) in order to migrate users, groups,
 workstations, servers and other resources between domains.  This name
 resolution will in fact be even more important during the migration
 process if users in one domain will need to access resources in the
 other domain.  The existing WINS environment is already populated with
 necessary records, and has all the information required to resolve the
 names of DCs, resource servers, workstations, etc. in the existing
 domain.  Assuming you have administrative control over the WINS server,
 you can certainly configure WINS replication between a WINS server in
 the new environment and one in the existing environment - and no, a
 trust is not needed to make this work as WINS replication (and
 resolution) is generally unauthenticated.
 
 If you are planning to migrate your WINS servers to the new environment
 I might argue that the best approach would be to migrate them first (one
 by one verifying functionality as you go) to the new environment and
 continue to point both old *and new systems* to the same WINS servers.
 Of course this assumes, as stated previously, that you have
 administrative control over the WINS servers.  This implementation
 should avoid the need to use LMHost files or change primary/secondary
 WINS assignments on migrated systems.  This is an approach I have used
 many times when migrating between forests and between NT4 domains and AD
 domains.
 
 As for migrating without the availability of the root domain, you should
 be mostly OK as the Quest representatives stated.  However without the
 root being accessible and the _msdcs DNS domain being unavailable, I
 would certainly look to accelerate the migration as you should start
 having replication even within your child domain(s).
 
 Regards,
 
 Aric
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 9:35 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 Tom,
 
 The solution that I gave you is the only one that I know of.  If you are
 able to get DNS to work (doubtful) or are able to get WINS to replicate
 across a trust that at the present time doesn't exist, more power to
 you.
 
 However, given the trials and tribulations that you have discussed with
 us over the past couple of weeks - *I* would be looking for the easiest,
 accepted, maintainable best practice method for getting your job done.
 
 A piece of personal advice - and you can choose to ignore it or use it -
 it's free.
 
 In your new position, they are looking for results - not the most trick
 way of doing something.  I am sure that the company that has retained
 your services is being billed for the time that you work to migrate
 their user base and Exchange to something that they can control.
 Finding a DNS or a WINS solution when the LMHosts solution is 'best
 practice' is simply not a good idea.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 11:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 why can't you just use stub zones or conditional forwarding for this to
 work?
 
 or if NetBT is involved, can you just configure your wins servers to
 replicate? I thought wins replication had nothing to do with NT
 security. you just enter the ip of the partner 

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying he told me
it was OK that I access <fill in the blank> on his behalf.

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation, which is much better than unconstrained, but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc etc..

I can find a reasonable amount of information from the developer's
point of view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob

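Bob asks how an AD admin should manage delegation once it is allowed, and Aric's answer is to treat a delegating service account like a Domain Admin and keep its architecture documented and reviewed. The first step of that review is knowing which accounts can delegate at all and in which mode, which is recorded in two attributes: the userAccountControl bits TRUSTED_FOR_DELEGATION (unconstrained, 0x80000), TRUSTED_TO_AUTH_FOR_DELEGATION (constrained with protocol transition, 0x1000000) and NOT_DELEGATED (0x100000, the "account is sensitive and cannot be delegated" setting that protects an account's own identity), plus the msDS-AllowedToDelegateTo list of target SPNs for constrained delegation. The classifier below is an added example, not code from the list or from Microsoft; the bit values and the LDAP bitwise-AND matching rule OID are documented AD values, while the account names, SPNs and the risk ordering are constructed for illustration.

```python
"""Classify how AD accounts are allowed to delegate (Windows Server 2003 model)
and order them for review, riskiest first.

userAccountControl bits (documented values):
  TRUSTED_FOR_DELEGATION          0x00080000  unconstrained: any service, any user's ticket
  NOT_DELEGATED                   0x00100000  this account's identity can never be delegated
  TRUSTED_TO_AUTH_FOR_DELEGATION  0x01000000  constrained + "use any authentication protocol"
msDS-AllowedToDelegateTo holds the target SPNs for constrained delegation.
"""
TRUSTED_FOR_DELEGATION = 0x00080000
NOT_DELEGATED = 0x00100000
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000

# LDAP filters that find the same classes on a live DC (1.2.840.113556.1.4.803 is the
# bitwise-AND matching rule; 524288 = 0x80000, 16777216 = 0x1000000).
LDAP_FILTERS = {
    "unconstrained": "(userAccountControl:1.2.840.113556.1.4.803:=524288)",
    "constrained": "(msDS-AllowedToDelegateTo=*)",
    "protocol_transition": "(userAccountControl:1.2.840.113556.1.4.803:=16777216)",
}

# Risk ordering used for the review queue (constructed ranking, least to most risky).
RISK_ORDER = ["none", "constrained-kerberos-only", "constrained-any-protocol", "unconstrained"]

# Constructed sample records (names and SPNs are made up); 0x10200 is
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, the usual shape of a service account.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql-app", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql-b.corp.example:1433"]},
    {"sAMAccountName": "svc-sql-legacy", "userAccountControl": 0x10200 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql-a.corp.example:1433",
                                  "MSSQLSvc/sql-b.corp.example:1433"]},
    {"sAMAccountName": "da-admin", "userAccountControl": 0x200 | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "msDS-AllowedToDelegateTo": []},
]


def classify(account):
    """Describe the delegation an account may perform and whether its own identity is protected."""
    uac = account["userAccountControl"]
    targets = list(account.get("msDS-AllowedToDelegateTo") or [])
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"            # the broadest right; a target list does not narrow it
    elif targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        mode = "constrained-any-protocol"  # can mint tickets for users who never authenticated to it
    elif targets:
        mode = "constrained-kerberos-only"
    else:
        mode = "none"
    return {
        "name": account["sAMAccountName"],
        "mode": mode,
        "targets": targets,
        "malformed_targets": [t for t in targets if "/" not in t],  # an SPN is service/host[:port]
        "protected": bool(uac & NOT_DELEGATED),
    }


def review_queue(accounts):
    """Accounts that can delegate, riskiest first, as input to the documentation Aric describes."""
    rows = [classify(a) for a in accounts if classify(a)["mode"] != "none"]
    return sorted(rows, key=lambda r: RISK_ORDER.index(r["mode"]), reverse=True)


if __name__ == "__main__":
    for row in review_queue(SAMPLE_ACCOUNTS):
        print(f"{row['name']:<16} {row['mode']:<26} targets={row['targets']}")
```

For Bob's linked-server case the expected result is a service account in the "constrained-kerberos-only" row with exactly the MSSQLSvc SPNs of the linked servers as targets; anything that shows up as "unconstrained", or a privileged account whose "protected" flag is False, is what the review should question first.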


RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joseph.e.kaplan
The downside of both of these approaches (SQL and ADAM) is that they
require some sync of accounts.  One nice thing about putting the data
into AD is that it is just there for applications to consume if they
need it.  Your accounts follow your normal account management process.
No additional sync is required.  You also have the built in high
availability and locator services built in to AD.

However, this sync isn't necessarily a big deal, especially with ADAM
and some of the new tools that do that such as ADAM sync.

Personally, I like both approaches, depending on the other details of
the deployment.  Given that SharePoint was mentioned and the servers are
already likely to be domain members that have access to at least some
DCs, AD seems like a natural fit to me.

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Tuesday, August 09, 2005 12:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

...or ADAM. These kinds of requests have a tendency to creep beyond the
original scope, which can have unintended consequences if the upfront
planning falls short.

Hunter 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Certainly it is possible.  And, it's not overly difficult to DO, but the
upfront planning that SHOULD be done can be tedious.

Remember - this is the schema.

My opinion - and it seems to be free today (as if I've ever been afraid
to give it...) - This is a job that just screams SQL server.

I can't imagine WHY AD would be a better choice in this case.  As long
as the apps are all able to connect via a SQL provider in some method
(and goodness knows Microsoft has made a lot of them available),
this should be no pain at all.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 11:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check; even though I don't think that it is
possible, I will present the question.

He would like to add some custom fields, about 30, to AD.  He would like
to add bio information into AD to be pulled by Sharepoint and other
applications for people to read. I think that this is a waste of time,
space and effort.  However, it is not my call and if this is what he
wants

What are everyone's thoughts on the topic?

Thanks
S


This message is for the designated recipient only and may contain privileged, 
proprietary, or otherwise private information.  If you have received it in 
error, please notify the sender immediately and delete the original.  Any other 
use of the email by you is prohibited.


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Bob,

Make no mistake - I'm really not a fan of allowing Act as part of the
operating system or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level of
comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or who
else might have control of server Bob?  Maybe not.  Auditing, too, becomes a
problem.

Model two involves, again Alice AuthN to Server Bob, Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself has no permissions to
the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
Act As Operating System is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick



RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Do you have details on the accounts that will be delegated?  With
constrained delegation, it is pretty straightforward to limit which
accounts can delegate to which other services, but you might want to be
very careful about limiting who gets delegated.

One really good idea is marking all the domain admin accounts as
sensitive and cannot be delegated for example.  From there, you might
also consider adding additional accounts.

From a business perspective, a lot of times implementing a delegation
scenario is much preferable to the alternatives.  Here, the dev would
probably have to hit the other SQL boxes with a service account and
would lose the ability to enforce the same security model in place with
SQL which is not good.

My $0.02,

Joe K.

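One way to act on Joe K.'s advice above (an added example, not code from the thread): list every account that is allowed to delegate, classified by the models Rick describes, and flag the admin accounts as "sensitive and cannot be delegated". It assumes the ActiveDirectory PowerShell module (RSAT), which postdates this 2005 thread, and the group list is an assumption.

```powershell
# Added example, not from the thread: audit Kerberos delegation in a domain and
# mark privileged accounts "sensitive and cannot be delegated".
# Assumes the ActiveDirectory module (RSAT) and an account allowed to read the
# objects (and, with -Apply, to modify the admin accounts).
Import-Module ActiveDirectory

# userAccountControl bits that govern delegation (values from the AD schema)
$UAC_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: impersonate caller to ANY service
$UAC_NOT_DELEGATED                  = 0x100000   # "sensitive and cannot be delegated"
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self, "any auth protocol")

function Get-DelegationInventory {
    # Returns one row per account that may delegate: Unconstrained (any service),
    # Constrained (only the SPNs listed in msDS-AllowedToDelegateTo) and/or
    # ProtocolTransition (the caller need not have authenticated with Kerberos).
    param([string]$SearchBase)   # optional OU DN; default is the whole domain

    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests single UAC bits;
    # the bit values interpolate as decimal, which is what the LDAP filter needs.
    $ldap = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)" +
            "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)" +
            "(msDS-AllowedToDelegateTo=*))"
    $query = @{
        LDAPFilter = $ldap
        Properties = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADObject @query | ForEach-Object {
        $obj  = $_
        $uac  = [int]$obj.userAccountControl
        $spns = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        [pscustomobject]@{
            Name                = $obj.Name
            Class               = $obj.ObjectClass
            Unconstrained       = [bool]($uac -band $UAC_TRUSTED_FOR_DELEGATION)
            Constrained         = ($spns.Count -gt 0)
            ProtocolTransition  = [bool]($uac -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedToDelegateTo = ($spns -join '; ')
        }
    }
}

function Set-PrivilegedAccountsSensitive {
    # Sets NOT_DELEGATED on every user that is (recursively) a member of the
    # given groups, so no front-end service can obtain a ticket on their behalf.
    # Without -Apply it only reports. The group list is an assumption.
    param(
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'),
        [switch]$Apply
    )
    $users = foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }
    }
    # Admins usually sit in several of these groups; report each account once.
    $users | Sort-Object -Property distinguishedName -Unique | ForEach-Object {
        $u = Get-ADUser -Identity $_.distinguishedName -Properties AccountNotDelegated
        if ($u.AccountNotDelegated) {
            [pscustomobject]@{ Account = $u.SamAccountName; Status = 'already sensitive' }
        } elseif ($Apply) {
            Set-ADAccountControl -Identity $u -AccountNotDelegated $true
            [pscustomobject]@{ Account = $u.SamAccountName; Status = 'set sensitive' }
        } else {
            [pscustomobject]@{ Account = $u.SamAccountName; Status = 'WOULD set (run with -Apply)' }
        }
    }
}

# Usage:
Get-DelegationInventory | Format-Table -AutoSize
Set-PrivilegedAccountsSensitive            # report only
# Set-PrivilegedAccountsSensitive -Apply   # enforce
```

The NOT_DELEGATED bit protects the user being impersonated; what the delegating service account may reach is governed separately by its msDS-AllowedToDelegateTo list, which the inventory shows.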


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Tom,

Argumentative - no.  Tricky, no - I didn't think that at all.  (*Trick* is
an old racing term of mine that leaks out now and again... Simply means
doing something others don't do...  It's not a bad term at all).

As Bernard pointed out - there's a thing or two that I didn't account for.
He gives you some good information.

As to 'converting' the standard sec. into a primary - good plan.  I like
their thinking!  :0)

Now that you know that you have control of the DNS (as well as the WINS), I
suspect that the DNS is the better route.  By nature and by approach, I have
a tendency to do things the simplest and least complicated way possible.
The reason is tantamount to flying the Space Shuttle as compared to an
ultra-light.  Simplicity wins - based on your needs.  (IOW, if I have to go
into space, the shuttle wins... you get my meaning...)

NetBIOS disabled does have an impact on choices.  If they have DNS
functioning - go with it.

As to the Exchange - a bit of an issue - but it's not big.  They don't
have to log in per se... If you have the trust in place, half of the
problem is done.  User A in Domain B has a mailbox on an Exchange server in
domain A.  The account properties for the mailbox need to indicate the
mailbox in domain A, and the permission on the disabled mailbox-enabled user
account in domain A need to indicate that User A in Domain B has External
Acct Permissions to the mailbox.

If the above paragraph makes no sense, let me know.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry, I wasn't trying to be tricky.

I actually suggested the lmhosts solution but the consultants from ibm
who are planning the migration with MS are going the dns route.

MS hacked the formerly AD-integrated DNS from the root zone to be a
standard primary zone for our domain for this migration.

Also, I just found out that this enterprise has netbios disabled in
the forest so that could have something to do with it.

I'd really like to know your thoughts because I don't feel the warm
and fuzzies from these guys from IBM as to AD/Exchange.
I respect your suggestions much more, Rick.

P.S.-

In this migration solution, would users have to log back in to the old
domain to access their Exchange mboxes (while Exchange is still in the
old forest) or does SID history make it so they can access Exchange
while logged into the new forest?

I've never been involved in this kind of migration before.

Sorry again to have upset you or if I seemed argumentative.

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Tom,
 
 While I am sure that Rick has some document in which using LMHosts files
 are identified as a best practice, I can assure you that it is quite
 feasible to use WINS to accomplish the name resolution requirement for
 the task at hand: creating an external trust between two domains with
 different names explicitly for the purpose of migrating client systems
 from one domain to another.  In fact I might suggest that in many cases
 this is a better approach.  The Quest products will rely on name
 resolution (as well as the trust) in order to migrate users, groups,
 workstations, server and other resources between domains.  This name
 resolution will in fact be even more important during the migration
 process if users in one domain will need to access resources in the
 other domain.  The existing WINS environment is already populated with
 necessary records, and has all the information required to resolve the
 names of DCs, resource servers, workstations, etc. in the existing
 domain.  Assuming you have administrative control over the WINS server,
 you can certainly configure WINS replication between a WINS server in
 the new environment and one in the existing environment - and no, a
 trust is not needed to make this work as WINS replication (and
 resolution) is generally unauthenticated.
 
 If you are planning to migrate your WINS servers to the new environment
 I might argue that the best approach would be to migrate them first (one
 by one verifying functionality as you go) to the new environment and
 continue to point both old *and new systems* to the same WINS servers.
 Of course this assumes, as stated previously, that you have
 administrative control over the WINS servers.  This implementation
 should avoid the need to use LMHost files or change primary/secondary
 WINS assignments on migrated systems.  This is an approach I have used
 many times when migrating between forests and between NT4 domains and AD
 domains.
 
 As for migrating without the availability of the root domain, you should
 be mostly OK as the Quest representatives stated.  However without the
 root being accessible and the _mscds DNS domain being unavailable, I
 would certainly look to accelerate the migration as you should start
 having replication even within 

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
 Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the applications need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.  

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying he told me
it was OK that I access fill in the blank on his behalf.

Regards,

Aric Bernard



RE: [ActiveDir] AD migration

2005-08-09 Thread joe
I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts, nor even
authentication. It is all entirely unauthenticated, with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with NetBIOS functionality, WINS is
generally the best way to go; certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping - but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the 
 child dns server but they cut off connectivity to anything in the root 
 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc 
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a 
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers(about 10) are in the child domain.
 the only recipient policy in the root is the default one and the 
 enterprise RUS.
 
 
 They want to migrate the child domain and all the resources to a new 
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to 
 create a trust with the old child domain to migrate everything over(or 
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to the actual
migration? Or are you asking these questions because you are second-guessing
them? Or is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when
using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
has a tool that overcomes this that I am not aware of. Are you trying to
keep the same domain name as the source? Microsoft also has a free tool that
will allow you to rename the target 2003 AD domain after you have
completed your migration and decommissioned old DCs.
 
  Jose
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Almeida 
  Pinto, Jorge de
  Sent: Monday, August 08, 2005 2:46 PM
  To: ActiveDir@mail.activedir.org; activedirectory
  Subject: RE: [ActiveDir] AD migration
 
 
  What do you mean with "In fact, they are cut off from the root domain
physically."? Do you mean as in there is no replication between the two
domains? If yes... dare I ask for how long?
 
  As I know of you can migrate the child domain without the root being
available because you will be having a trust between the new domain and the
child domain

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Rick, I agree with your points on CD, but what are you talking about
here with Act as part of the operating system?  That doesn't need to
get enabled anywhere to use constrained delegation.

Generally, that only tends to get added to accounts on Windows 2000 that
need to call the LogonUser API, but it is not needed for that on XP or
2003.

The other reason it is sometimes needed is when a process wants to
directly create a security token for a user with impersonation
privileges via Kerberos S4U (protocol transition).  However, this is not
normally the case unless protocol transition is being done
programmatically.  The automatic version of protocol transition
doesn't need this.

If you were just using that as an example of a bad setting choice to
have to make, then I get it.  I just wanted to make sure there was no
cross up.

Thanks!

Joe K.


RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

WINS replication nor name resolution doesn't require any trusts nor even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolveable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
wins or dns.
i know this is not a real forest trust and more like an external trust in
that its not transitive and uses ntlm and NOT kerberos, but does it also
relie on wins/netbios like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the 
 child dns server but they cut off connectivity to anything in the root 
 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc 
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers (about 10) are in the child domain.
 the only recipient policy in the root is the default one and the
 enterprise RUS.
 
 
 They want to migrate the child domain and all the resources to a new 
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to 
 create a trust with the old child domain to migrate everything over(or 
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to the actual
migration? Or are you asking these questions because you are second guessing
them? Or is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when
using ADMT to migrate from a Source Domain to a Target Domain, unless Quest
has a tool that overcomes this that I am not aware of. Are you trying to
keep the same domain name as the source? Microsoft also has a free tool that
will allow you to rename the target 2003 AD domain after you have
completed your migration and decommissioned old DCs.
 
  Jose
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] Behalf Of Almeida 
  Pinto, Jorge de
  Sent: Monday, August 08, 2005 2:46 PM
  To: 

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Jennifer Fountain
 I ended up sending another DC to the site so I could just re-add this
server to the domain but AD will not start on that box.  I keep getting
an error - RPC server unavailable.  We have approx 9 DCs (4 at HQ and
one at each remote site).   We have DCs at our other remote sites
(diagram below):

Site1
Site2
Site3   (wan connection using private sprint network) -- HQ -- site6
(business cable modem with vpn tunnel to corporate (internet)) 
Site4 
Site5

The new DC can ping but anything else gets an RPC server unavailable
error.  I thought AD could replicate over a modem
connection? So, I am not sure where I need to go from here.

Any thoughts?


Thank you for your time!
Jennifer 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Sunday, August 07, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

 
I can only browse our file server but the connection is very slow to
come up.  I cannot browse any other server.  I can, however, telnet to
all ports on the boxes I cannot browse to.  All of my clients at the
remote site can browse these servers without issue.  I am seeing tons of
1311 errors:

Event Type: Error
Event Source:   NTDS KCC
Event Category: Knowledge Consistency Checker 
Event ID:   1311
Date:   8/7/2005
Time:   1:30:21 PM
User:   N/A
Computer:   DC
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active
Directory Sites and Services Manager to create a spanning tree
connecting all the sites containing the Partition
CN=Configuration,DC=domain,DC=net, or (b) replication cannot be
performed with one or more critical servers in order for changes to
propagate across all sites (most often due to the servers being
unreachable).  

For (a), please use the Active Directory Sites and Services Manager to
do one of the following: 
1. Publish sufficient site connectivity information such that the system
can infer a route by which this Partition can reach this site.  This
option is preferred. 
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=domain,DC=net in this site from a Domain
Controller that contains the same Partition in another site.  

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted. 

When I check the sites and services, I see a connector for all of the
DCs in my site.  I also noticed that the KCC configured it to be an IP
not RPC connection.  There aren't any ACLs, firewalls that are in the
way of these servers.  

Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Jennifer,

I haven't paid close attention to the thread or the issues that you've
been having - other than you had a problem getting it promoted.

I suspect that the cause is likely related.  First, Network Browse uses
a completely different set of communication methods and the fact that
you can or cannot see anything via browsing is really immaterial at this
point.  I'd suggest pings to the DCs on the other end of the connection
and directed telnet over 389, 3268, 88, etc. to get a feel for the real
communication abilities.

Look this over as well.  For 1311 Errors, this is a perfect starting
point to resolve or narrow down the problems.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307593

Can you give us some detail (again... I know) on the remote and local
connection methods - are there firewalls, ACLs on routers - anything
that might be interfering with the wide variety of ports / protocols
that AD Replication / AD Communication uses?

Rick




*
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material.  Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please contact
the sender and delete the material from any computer



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
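
Rick's advice above (ping the DCs at the other end, then directed telnet to
389, 3268, 88 and so on) can be scripted so the same probe is run from the new
DC every time connectivity is in doubt. What follows is an added example, not
anything posted in the thread: it resolves the partner DC's name and then
attempts a TCP connection to each port AD replication depends on, and reads the
result the way the thread does (a name that does not resolve, or a blocked 135,
is enough on its own to produce "RPC server unavailable" even though ping
works). The port table, the placeholder host name dc01.corp.example and the
interpretations are this example's assumptions; the dynamic RPC ports that the
endpoint mapper hands out are not probed.

```python
"""Probe a replication partner from a new or remote DC: resolve its name, then
try TCP connections to the ports AD needs. Added example; the port table and
the interpretation below are this example's, not the list's."""
import socket

# TCP ports a domain controller must reach on its replication partner.
# Dynamic RPC ports (negotiated through 135) are not probed here.
DC_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos password change",
    636: "LDAP over TLS",
    3268: "Global Catalog",
}


def resolve(host):
    """Return the IPv4 address for host, or None when name resolution fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def tcp_connect(ip, port, timeout=3.0):
    """True when a TCP handshake to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=DC_PORTS, resolver=resolve, connector=tcp_connect):
    """Resolve host and probe each port; resolver/connector are injectable."""
    ip = resolver(host)
    report = {"host": host, "ip": ip, "open": [], "closed": []}
    if ip is None:
        # Nothing to probe: every port counts as unreachable.
        report["closed"] = sorted(ports)
        return report
    for port in sorted(ports):
        (report["open"] if connector(ip, port) else report["closed"]).append(port)
    return report


def diagnose(report):
    """Map the probe results to the likely cause of 'RPC server unavailable'."""
    if report["ip"] is None:
        return ("name resolution failure: the partner's name does not resolve, "
                "which by itself yields 'RPC server unavailable'")
    if 135 in report["closed"]:
        return ("RPC endpoint mapper (135/tcp) unreachable: replication cannot "
                "even start; check firewall and VPN rules")
    if report["closed"]:
        blocked = ", ".join(f"{p} ({DC_PORTS.get(p, '?')})" for p in report["closed"])
        return (f"partial connectivity: {blocked} blocked; a successful ICMP "
                "ping says nothing about these")
    return ("all listed ports reachable; next check dynamic RPC ports and the "
            "_msdcs SRV records in DNS")


if __name__ == "__main__":
    import sys
    # Placeholder host name; pass real partner DC names as arguments.
    for target in sys.argv[1:] or ["dc01.corp.example"]:
        rep = check_dc(target)
        print(f"{target} -> {rep['ip']}: open {rep['open']} closed {rep['closed']}")
        print("  " + diagnose(rep))
```

Run it on the new DC with the name of an HQ DC as the argument. Because the
resolver and connector are parameters, the same logic can be driven by recorded
results when reviewing someone else's output, which is also how the checks below
exercise it without a network.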


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Bernard, Aric
Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developers' need, as I understand it, is as follows:

User connects to a front-end application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB that
they would otherwise not have access to.

Now if your developer starts asking for constrained delegation from the
application server to a DC, we should talk some more. :)

Regards,

Aric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

 Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this goal and fulfilling the application's need, but like any Domain
Admin in your forest the developer and the application must be trusted.

I would recommend clear documentation as to the architecture of the
application, how and with what other systems it interoperates, and if
you have the wherewithal (or can bring in someone who does) a code
review to ensure that what is defined is accurate.  

I know this seems a little over-the-top, but we are talking about you
accepting someone else walking around with my ID and saying "he told me
it was OK that I access [fill in the blank] on his behalf."

Regards,

Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc., etc.

I can find a reasonable amount of information from the 

RE: [ActiveDir] AD migration

2005-08-09 Thread joe
Ah, it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran well,
but then it was well configured and well monitored. MS didn't make it easy
to monitor it, actually I think they tried everything they could to make it
so you couldn't monitor it, but those who figured it out, tended to be ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names... 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck out
to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks.


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping, but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the 
 child dns server but they cut off connectivity to anything in the root 
 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc 
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers (about 10) are in the child domain.
 the only recipient policy in the root is the default one and the
 enterprise RUS.
 
 
 They want to migrate the child domain and all the resources to a new 
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to 
 create a trust with the old child domain to migrate everything over(or 
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to 

RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck
out to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with netbios functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping, but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the
 child dns server but they cut off connectivity to anything in the root
 domain.
 the firewall is blocking all root traffic.
 this has been like this for a week.
 nothing is replicating to the root and there is no access to the _msdc
 forest zone.
 
 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 they have DA access in the child domain but no DA/EA access in the root.
 all the exchange servers (about 10) are in the child domain.
 the only recipient policy in the root is the default one and the
 enterprise RUS.
 
 
 They want to migrate the child domain and all the resources to a new
 forest where we have full control of everything.
 i assume we do not need connectivity to the _msdc forest dns zone to
 create a trust with the old child domain to migrate everything over (or
 anything in the root dns zone).
 
 I'm not 2nd guessing the Quest guys, this is only for my own education.
 
 Thanks a lot
 
 
 On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
  I am sure Quest's consultants know what they are doing. Didn't you
have them put a quote and migration plan together prior to the actual
migration? Or are you asking these questions because you are second
guessing them? Or is this just for your own knowledge?
 
  My understanding is that both domain names have to be different when
using ADMT to migrate from a Source Domain to a Target Domain, unless
Quest has a tool that overcomes this that I am not aware of. Are you trying
to keep the same domain name as the source? Microsoft also has a free tool
that
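
Since the LMHOSTS records Rick refers to (KB 180094) only work when they are
exactly right, the check can be automated before the trust is attempted. The
validator below is an added example and is not code from anyone in the thread;
the file content it checks is constructed. It enforces the record shapes the KB
describes: a #PRE #DOM:DOMAIN line for the trusted domain's PDC, and a quoted
domain master browser line whose quoted text is exactly 20 characters (the
domain's NetBIOS name padded with spaces to 15 characters, followed by the
literal \0x1b), also marked #PRE. The cross-check that every #DOM: domain has a
matching \0x1b entry is this example's own rule, added because Rick notes both
are typically needed.

```python
"""Validate LMHOSTS trust records (KB 180094 format) before relying on them for
an NT-style trust across untrusted forests. Added example; not the list's code."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample file content (not from the thread). Line 4 pads the quoted
# name to 14 characters instead of 20, and line 5 omits #PRE: both are mistakes
# the thread warns about. OTHERDOM has a #DOM: record but no \0x1b entry.
SAMPLE_LMHOSTS = r"""# LMHOSTS supporting a trust to OLDCHILD (constructed example)
10.20.30.5     OLDPDC01        #PRE #DOM:OLDCHILD
10.20.30.5     "OLDCHILD       \0x1b"   #PRE
10.20.30.7     "OLDCHILD \0x1b"   #PRE
10.20.30.9     OTHERPDC        #DOM:OTHERDOM
"""

QUOTED_ENTRY = re.compile(r'^(\S+)\s+"([^"]*)"\s*(.*)$')   # IP "padded-name\0x1b" keywords
PLAIN_ENTRY = re.compile(r'^(\S+)\s+(\S+)\s*(.*)$')        # IP name keywords
BROWSER_SUFFIX = r"\0x1b"   # literal text the domain master browser entry ends with
MAX_NETBIOS_NAME = 15
QUOTED_LENGTH = MAX_NETBIOS_NAME + len(BROWSER_SUFFIX)     # 20 characters inside the quotes


@dataclass
class Finding:
    line: int        # 0 for file-level findings
    severity: str    # "error" or "warning"
    message: str


def _keywords(rest):
    """Return the #PRE / #DOM: tokens after the name; anything else is a comment."""
    return [tok for tok in rest.split()
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:")]


def validate_lmhosts(text):
    findings = []
    dom_domains, browser_domains = set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank, comment or #INCLUDE-style directive
            continue
        quoted = QUOTED_ENTRY.match(line)
        match = quoted or PLAIN_ENTRY.match(line)
        if not match:
            findings.append(Finding(lineno, "error", "unparseable entry"))
            continue
        ip, name, rest = match.groups()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(lineno, "error", f"invalid IP address {ip!r}"))
        keywords = _keywords(rest)
        for tok in keywords:   # LMHOSTS keywords are case-sensitive; #pre is silently ignored
            prefix = tok[:5] if tok.upper().startswith("#DOM:") else tok
            if prefix != prefix.upper():
                findings.append(Finding(lineno, "warning", f"keyword {tok!r} is not uppercase"))
        has_pre = any(tok.upper() == "#PRE" for tok in keywords)
        if quoted:
            if not name.endswith(BROWSER_SUFFIX):
                findings.append(Finding(lineno, "error", "quoted entry does not end with \\0x1b"))
                continue
            if len(name) != QUOTED_LENGTH:
                findings.append(Finding(lineno, "error",
                    f"quoted name must be exactly {QUOTED_LENGTH} characters "
                    f"(name padded to 15 + \\0x1b), got {len(name)}"))
            if not has_pre:
                findings.append(Finding(lineno, "error", "domain master browser entry must be #PRE"))
            browser_domains.add(name[:-len(BROWSER_SUFFIX)].strip().upper())
        else:
            if len(name) > MAX_NETBIOS_NAME:
                findings.append(Finding(lineno, "error", f"NetBIOS name {name!r} exceeds 15 characters"))
            for domain in (tok[5:] for tok in keywords if tok.upper().startswith("#DOM:")):
                if not domain or len(domain) > MAX_NETBIOS_NAME:
                    findings.append(Finding(lineno, "error", f"bad domain name in #DOM: {domain!r}"))
                    continue
                if not has_pre:
                    findings.append(Finding(lineno, "error", "#DOM: trust record must also be #PRE"))
                dom_domains.add(domain.upper())
    # Cross-check: each trusted domain needs both record kinds (this example's rule).
    for domain in sorted(dom_domains - browser_domains):
        findings.append(Finding(0, "warning", f"{domain}: #DOM: record but no \\0x1b browser entry"))
    for domain in sorted(browser_domains - dom_domains):
        findings.append(Finding(0, "warning", f"{domain}: \\0x1b entry but no #PRE #DOM: record"))
    return sorted(findings, key=lambda f: f.line)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LMHOSTS
    for f in validate_lmhosts(text):
        print(f"line {f.line or '-'}: {f.severity}: {f.message}")
```

Point it at the LMHOSTS file on each side of the trust before running nbtstat -R
to reload the cache; the same file, with the other domain's PDC, is what Rick
calls the 'mirror' on the trusting side.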

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Steve Linehan
What OS is the new DC running Windows Server 2003 SP1?  Do you have a
firewall in-between the remote site and HQ?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Tuesday, August 09, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

 I ended up sending another DC to the site so I could just re-add this
server to the domain but AD will not start on that box.  I keep getting
an error - RPC server unavailable.  We have approx 9 DCs (4 at HQ and
one at each remote site).   We have DCs at our other remote sites
(diagram below):

Site1
Site2
Site3   (wan connection using private sprint network) -- HQ -- site6
(business cable modem with vpn tunnel to corporate (internet))
Site4
Site5

The new DC can ping but anything else gets an RPC server unavailable
error.  I thought AD could replicate over a modem
connection? So, I am not sure where I need to go from here.

Any thoughts?


Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Sunday, August 07, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

 
I can only browse our file server but the connection is very slow to
come up.  I cannot browse any other server.  I can, however, telnet to
all ports on the boxes I cannot browse to.  All of my clients at the
remote site can browse these servers without issue.  I am seeing tons of
1311 errors:

Event Type: Error
Event Source:   NTDS KCC
Event Category: Knowledge Consistency Checker 
Event ID:   1311
Date:   8/7/2005
Time:   1:30:21 PM
User:   N/A
Computer:   DC
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active
Directory Sites and Services Manager to create a spanning tree
connecting all the sites containing the Partition
CN=Configuration,DC=domain,DC=net, or (b) replication cannot be
performed with one or more critical servers in order for changes to
propagate across all sites (most often due to the servers being
unreachable).  

For (a), please use the Active Directory Sites and Services Manager to
do one of the following: 
1. Publish sufficient site connectivity information such that the system
can infer a route by which this Partition can reach this site.  This
option is preferred. 
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=domain,DC=net in this site from a Domain
Controller that contains the same Partition in another site.  

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted. 

When I check the sites and services, I see a connector for all of the
DCs in my site.  I also noticed that the KCC configured it to be an IP
not RPC connection.  There aren't any ACLs, firewalls that are in the
way of these servers.  

Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Jennifer,

I haven't paid close attention to the thread or the issues that you've
been having - other than you had a problem getting it promoted.

I suspect that the cause is likely related.  First, Network Browse uses
a completely different set of communication methods and the fact that
you can or cannot see anything via browsing is really immaterial at this
point.  I'd suggest pings to the DCs on the other end of the connection
and directed telnet over 389, 3268, 88, etc. to get a feel for the real
communication abilities.

Look this over as well.  For 1311 Errors, this is a perfect starting
point to resolve or narrow down the problems.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307593

Can you give us some detail (again... I know) on the remote and local
connection methods - are there firewalls, ACLs on routers - anything
that might be interfering with the wide variety of ports / protocols
that AD Replication / AD Communication uses?

Rick









RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Rick Kingslan
Correct - we're on the same page.  Simply an example of things that I don't
like that have been used in the past to allow systems to act upon another by
issuing token-based methods.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, August 09, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Rick, I agree with your points on CD, but what are you talking about
here with "Act as part of the operating system"?  That doesn't need to
get enabled anywhere to use constrained delegation.

Generally, that only tends to get added to accounts on Windows 2000 that
need to call the LogonUser API, but it is not needed for that on XP or
2003.

The other reason it is sometimes needed is when a process wants to
directly create a security token for a user with impersonation
privileges via Kerberos S4U (protocol transition).  However, this is not
normally the case unless protocol transition is being done
programmatically.  The automatic version of protocol transition
doesn't need this.

If you were just using that as an example of a bad setting choice to
have to make, then I get it.  I just wanted to make sure there was no
cross up.

Thanks!

Joe K.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

Make no mistake - I'm really not a fan of allowing "Act as part of the
operating system" or the Impersonation privilege.

That being said - from the work that I have done with other web developers
needing access to SQL or application servers, constrained delegation is the
best method that I have seen available - IF it is done correctly.  As I
suspect you know (and the reason for your asking) it's all about the level of
comfort with the solution.

However, just the very configuration sets up two things that I like very
much.  One - in the old(er) methods of delegation, Alice authNs to server
Bob, which then impersonates Alice to SQL Server.  Bob is then the
authenticator to the destination, SQL Server - not Alice, which causes a bit
of a problem - Trust.  Can you trust Server Bob, or the administrator, or who
else might have control of server Bob?  Maybe not.  Auditing, too, becomes a
problem.

Model two involves, again, Alice authNs to Server Bob, Server Bob authNs to
the SQL server as Alice.  Server Bob, in and of itself, has no permissions to
the SQL server and we see that the audit logs show access by Alice - not
Bob.  Big mitigation in relation to authN.  Alice is allowed, not Server
Bob.  Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation.  Pretty much the same thing as
model two - except we are allowed to limit the scope of servers, services,
ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation.
However, Security is Risk Management.  Without having a complete, holistic
view of the entire solution and environment, I can't really tell you what
your risk will be.  What I can say is that if Plain Text is 100% Risk, and
Act As Operating System is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of.  As to the
desirability, I'd prefer this method over any of the others that have been
presented of late - short of two-factor.

If you haven't seen this:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx


Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL
servers and their service accounts so he can do distributed queries
across linked servers. This is new ground for us from an AD perspective
that I have just started researching and I'd like to hear others'
thoughts, policies etc.

We are at 2003 functional level so from what I read, we can allow
constrained delegation which is much better than un-constrained but most
of the comments I come across indicate this isn't something to be taken
lightly, has serious security ramifications, policies should be in place
etc., etc.

I can find a reasonable amount of information from the developers
point-of-view, and I can see how to implement it technically (I think)
but not a whole lot from the AD admin's perspective, especially as it
pertains to the desirability of allowing it and how best to manage it if
it is allowed.

Any info greatly appreciated.

Bob


List info   : 
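
The settings Aric, Rick and Joe K. describe above are all visible on the
delegating account's directory object: msDS-AllowedToDelegateTo holds the
target SPNs (including the port or instance for SQL Server), and two
userAccountControl bits distinguish unconstrained delegation
(TRUSTED_FOR_DELEGATION, 0x80000) from constrained delegation with protocol
transition (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000). The review script below
is an added example, not code from the thread or from Microsoft; the accounts
and host names in it are constructed, standing in for what an LDAP export of
those attributes would return. It classifies each account and flags the cases
the thread singles out: unconstrained delegation, protocol transition,
delegation targets on a domain controller, SPN classes outside what was
approved, and SQL SPNs that name no port or instance.

```python
"""Review Kerberos delegation settings exported from AD. Added example for the
thread above; the accounts below are constructed, not real directory data."""
from dataclasses import dataclass, field

# userAccountControl bits that govern delegation.
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained: impersonate any user to any service
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained plus protocol transition (S4U2Self)
NORMAL_ACCOUNT = 0x200
DONT_EXPIRE_PASSWORD = 0x10000


@dataclass
class Account:
    name: str
    user_account_control: int
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo SPNs


def delegation_mode(acct):
    """Classify the account the way the delegation tab in ADUC would."""
    if acct.user_account_control & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if acct.user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def review(accounts, domain_controllers, agreed_service_classes=("MSSQLSvc",)):
    """Return (account name, finding) pairs for settings worth a conversation.

    domain_controllers: FQDNs of DCs; agreed_service_classes: SPN classes the
    request was approved for (here only SQL Server)."""
    dcs = {h.lower() for h in domain_controllers}
    findings = []
    for acct in accounts:
        mode = delegation_mode(acct)
        if mode == "unconstrained":
            findings.append((acct.name, "unconstrained delegation: may impersonate any user to any service"))
            continue   # the SPN list is not consulted in that mode, so nothing more to examine
        if mode == "constrained+protocol-transition":
            findings.append((acct.name, "protocol transition: can obtain tickets for users "
                                        "who never authenticated to it"))
        for spn in acct.allowed_to_delegate_to:
            service, _, target = spn.partition("/")
            host, _, port = target.partition(":")
            if host.lower() in dcs:
                findings.append((acct.name, f"{spn}: delegation target is a domain controller"))
            if service not in agreed_service_classes:
                findings.append((acct.name, f"{spn}: service class {service!r} not in the approved request"))
            elif not port:
                findings.append((acct.name, f"{spn}: no port or instance; constrain to the specific SQL instance"))
    return findings


# Constructed sample: what an export of the three attributes might look like.
SAMPLE_DCS = {"dc01.corp.example", "dc02.corp.example"}
SAMPLE_ACCOUNTS = [
    Account("svc-webapp", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
            ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql02.corp.example:1433"]),
    Account("svc-legacy", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("svc-report", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["MSSQLSvc/sql01.corp.example:1433", "cifs/dc01.corp.example",
             "MSSQLSvc/sql03.corp.example"]),
]

if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct.name}: {delegation_mode(acct)}")
    for name, finding in review(SAMPLE_ACCOUNTS, SAMPLE_DCS):
        print(f"  {name}: {finding}")
```

In the sample, svc-webapp is the configuration Aric describes (constrained to
two SQL instances by host and port) and produces no findings; svc-legacy is the
older model Rick dislikes; svc-report combines protocol transition with a CIFS
SPN on a DC, which is exactly the request Aric says should prompt a longer
conversation. To feed real data in, export sAMAccountName, userAccountControl and
msDS-AllowedToDelegateTo for every object matching
(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=524288))
and build Account records from the result.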

RE: [ActiveDir] Problem at remote site

2005-08-09 Thread Rick Kingslan
Jennifer,

"RPC Server is Unavailable" screams Name Resolution problem to me.  Have you
done a NetDiag or DCDiag on either of these systems?

AD can replicate over a modem connection - I've done it over connections with
as little as 64k available to small sites (not my choice) as long as IP is
available to / from.

However, I really have to begin to suspect a DNS issue that you're fighting
here now.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Tuesday, August 09, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

 I ended up sending another DC to the site so I could just re-add this
server to the domain but AD will not start on that box.  I keep getting
an error - RPC server unavailable.  We have approx 9 DCs (4 at HQ and
one at each remote site).   We have DCs at our other remote sites
(diagram below):

Site1
Site2
Site3   (wan connection using private sprint network) -- HQ -- site6
(business cable modem with vpn tunnel to corporate (internet)) 
Site4 
Site5

The new DC can ping but anything else gets an RPC server unavailable
error.  I thought AD could replicate over a modem connection? So, I am
not sure where I need to go from here.

Any thoughts?


Thank you for your time!
Jennifer 
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer
Fountain
Sent: Sunday, August 07, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

 
I can only browse our file server but the connection is very slow to
come up.  I cannot browse any other server.  I can, however, telnet to
all ports on the boxes I cannot browse to.  All of my clients at the
remote site can browse these servers without issue.  I am seeing tons of
1311 errors:

Event Type: Error
Event Source:   NTDS KCC
Event Category: Knowledge Consistency Checker 
Event ID:   1311
Date:   8/7/2005
Time:   1:30:21 PM
User:   N/A
Computer:   DC
Description:
The Directory Service consistency checker has determined that either (a)
there is not enough physical connectivity published via the Active
Directory Sites and Services Manager to create a spanning tree
connecting all the sites containing the Partition
CN=Configuration,DC=domain,DC=net, or (b) replication cannot be
performed with one or more critical servers in order for changes to
propagate across all sites (most often due to the servers being
unreachable).  

For (a), please use the Active Directory Sites and Services Manager to
do one of the following: 
1. Publish sufficient site connectivity information such that the system
can infer a route by which this Partition can reach this site.  This
option is preferred. 
2. Add an ntdsConnection object to a Domain Controller that contains the
Partition CN=Configuration,DC=domain,DC=net in this site from a Domain
Controller that contains the same Partition in another site.  

For (b), please see previous events logged by the NTDS KCC source that
identify the servers that could not be contacted. 

When I check the sites and services, I see a connector for all of the
DCs in my site.  I also noticed that the KCC configured it to be an IP
not RPC connection.  There aren't any ACLs, firewalls that are in the
way of these servers.  

Thank you for your time!
Jennifer
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem at remote site

Jennifer,

I haven't paid close attention to the thread or the issues that you've
been having - other than you had a problem getting it promoted.

I suspect that the cause is likely related.  First, Network Browse uses
a completely different set of communication methods and the fact that
you can or cannot see anything via browsing is really immaterial at this
point.  I'd suggest pings to the DCs on the other end of the connection
and directed telnet over 389, 3268, 88, etc. to get a feel for the real
communication abilities.

Look this over as well.  For 1311 Errors, this is a perfect starting
point to resolve or narrow down the problems.

http://support.microsoft.com/default.aspx?scid=kb;en-us;307593

Can you give us some detail (again... I know) on the remote and local
connection methods - are there firewalls, ACLs on routers - anything
that might be interfering with the wide variety of ports / protocols
that AD Replication / AD Communication uses?

Rick





*
The information transmitted is intended only for the person or entity to
which 
it is addressed and may contain confidential and/or privileged material.
Any 
review, retransmission, dissemination or other use of, or taking of any
action 
in reliance upon, this information by persons or entities other than the

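Rick's checklist above (name resolution first, then ping and directed telnet to the AD ports) as a repeatable script. This is an added example, not code from anyone in the thread; the domain corp.example.com and the DC names dc1/dc2 are placeholders, and it assumes PowerShell 3 or later with the DnsClient module (Resolve-DnsName) on the machine you run it from.

```powershell
# Added example, not from the thread: check what "RPC server unavailable" usually hides,
# name resolution, before probing the TCP ports AD needs. Domain and DC names are placeholders.
$Domain = 'corp.example.com'

# Fixed ports a DC must answer on. RPC itself moves to a dynamic port after the endpoint
# mapper (135) hands it out, so a fixed list can only show that the mapper is reachable.
$DcPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / NETLOGON)'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Test-TcpPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / timed out
        $client.EndConnect($handle)          # throws when the port is closed (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DcConnectivity {
    param([Parameter(Mandatory)][string]$DcName)
    $fqdn = "$DcName.$Domain"

    # Step 1: does the name resolve at all? If not, nothing below matters.
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($fqdn) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch { $ips = @() }
    if ($ips.Count -eq 0) {
        return [pscustomobject]@{ DC = $fqdn; Resolved = $false; InSrv = $false; Failures = @('name does not resolve') }
    }

    # Step 2: is this DC advertised in the locator SRV record that clients and the KCC rely on?
    $srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $inSrv = @($srv | Where-Object { $_.NameTarget } | ForEach-Object { $_.NameTarget.TrimEnd('.') }) -contains $fqdn

    # Step 3: TCP reachability of each fixed port.
    $failed = foreach ($port in ($DcPorts.Keys | Sort-Object)) {
        if (-not (Test-TcpPort -Address $ips[0].ToString() -Port $port)) { "$port ($($DcPorts[$port]))" }
    }

    [pscustomobject]@{
        DC       = $fqdn
        Address  = $ips[0].ToString()
        Resolved = $true
        InSrv    = $inSrv
        Failures = @($failed)
    }
}

# Run from the DC that cannot start AD, against the DCs it should replicate with.
'dc1', 'dc2' | ForEach-Object { Test-DcConnectivity -DcName $_ } | Format-List
```

Read the output the way Rick reads the symptom: a name that pings but does not resolve to an A record or is missing from the _msdcs SRV set is a DNS problem and explains both the RPC error and the 1311 events that follow; every fixed port open but replication still failing points at the dynamic RPC range (1025-5000 on Windows 2003, 49152-65535 on 2008 and later) being filtered somewhere on the VPN path, which is where dcdiag /test:connectivity and, on 2003, netdiag pick up the diagnosis.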
RE: [ActiveDir] AD migration

2005-08-09 Thread Bernard, Aric
LOL - I probably would not have this problem if I spelled my first name
correctly.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 3:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Ah, it is a personal aversion to WINS at the crux here... I see. ;o)

WINS is great, I loved it. I ran a huge WINS architecture and it ran well,
but then it was well configured and well monitored. MS didn't make it easy
to monitor it, actually I think they tried everything they could to make it
so you couldn't monitor it, but those who figured it out tended to be ok.
:)

It took me a minute to realize who you were talking to. We need Aric to
change his last name so he doesn't have two first names... 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 5:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of
WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

I didn't read the entire thread so maybe this is answered but this stuck
out to me, why isn't WINS going to work? 

Neither WINS replication nor name resolution requires any trusts or even
authentication. It is all entirely unauthenticated, with replication being
handled through IP address based connection agreements between the source
and destination targets.

WINS is entirely name resolution, no worries with trusts or anything else in
terms of that name resolution.

When you register in WINS, it is anonymous. When you query WINS it is
anonymous. Only when you use the admin interfaces to say look at the
database or modify the connection agreements, etc does any form of
authentication come into play. 


When playing across subnets like this with NetBIOS functionality, WINS is
generally the best way to go, certainly it is one of the least complex. The
only time I would really look at using LMHOSTS is if there was a requirement
not to use WINS or you don't want the names to be resolvable to anyone that
asks. 


   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Really, it uses neither.  The NetBT is involved, but because we are on (at
present) untrusted domains and forests, WINS isn't going to work.

Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
The records are going to be very specific, as they will define the domain of
the target domain, as well as (typically) the PDC for the target.  A
'mirror' LMHosts will be set up on the other trusting side.

As noted, the format of the records is specific, and can be found here:

http://support.microsoft.com/kb/180094/

And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
defined, otherwise they will not work.

Good luck - it's not daunting, but can be tedious to get working the first
time.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:58 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Sorry to keep harping- but if you have a trust between a child win2k domain
in one forest with a root or child domain in another forest, does this use
WINS or DNS?
I know this is not a real forest trust and more like an external trust in
that it's not transitive and uses NTLM and NOT Kerberos, but does it also
rely on WINS/NetBIOS like an old NT-style trust?

thanks

On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
 I just started today so what I got was- they have connectivity to the
 child DNS server but they cut off connectivity to anything in the root
 domain.
 The firewall is blocking all root traffic.
 This has been like this for a week.
 Nothing is replicating to the root and there is no access to the _msdc
 forest zone.

 The forest is win2k native with an empty root and 1 child domain in a
 separate tree.
 They have DA access in the child domain but no DA/EA access in the root.
 All the exchange servers (about 10) are in the child domain.
 The only recipient policy in the root is the default one and the
 enterprise RUS.


 They want to migrate the child domain and all the resources to a new
 forest where we have full control of everything.
 I assume we do not need connectivity to the _msdc forest DNS zone to
 create a trust with the old child domain to migrate everything over (or
 anything in the root 
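The part of Rick's LMHOSTS advice that bites people is the "EXACTLY as defined" requirement in KB 180094: the domain's 1B record has to be a quoted field of exactly 20 characters, the NetBIOS name padded with spaces to 15 and then the literal text \0x1b. The following is an added example, not from anyone in the thread, that generates the two lines for one side of the trust and checks an existing line for that format; the IP address, PDC name and domain name are placeholders, and the mirror entry on the other side is built the same way with the other domain's values.

```powershell
# Added example, not from the thread: build and verify the two LMHOSTS lines a
# cross-forest trust needs when WINS is not shared. IP and names are placeholders.
function New-LmhostsDomainEntry {
    param(
        [Parameter(Mandatory)][string]$IPAddress,   # PDC emulator of the target domain
        [Parameter(Mandatory)][string]$PdcName,     # its NetBIOS computer name
        [Parameter(Mandatory)][string]$DomainName   # NetBIOS (not DNS) name of the target domain
    )
    foreach ($n in $PdcName, $DomainName) {
        if ($n.Length -gt 15) { throw "NetBIOS name '$n' is longer than 15 characters" }
    }
    [void][System.Net.IPAddress]::Parse($IPAddress)   # reject garbage before it lands in the file
    $dom = $DomainName.ToUpperInvariant()

    # Line 1: the PDC, preloaded into the name cache (#PRE) and tagged as a DC of $dom (#DOM:).
    # Line 2: the domain's 1B name. The quoted field must be exactly 20 characters: the name
    #         padded with spaces to 15, then the literal 5-character sequence \0x1b. A tab or
    #         an extra space inside the quotes changes the name and the entry silently fails.
    @(
        "$IPAddress`t$($PdcName.ToUpperInvariant())`t#PRE`t#DOM:$dom",
        "$IPAddress`t`"$($dom.PadRight(15))\0x1b`"`t#PRE"
    )
}

function Test-LmhostsDomainLine {
    # True when a 1B line carries the exact 20-character quoted field the KB requires.
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -notmatch '^\s*\S+\s+"([^"]*)"\s+#PRE\s*$') { return $false }
    $field = $Matches[1]
    return ($field.Length -eq 20 -and $field.EndsWith('\0x1b'))
}

$lines = New-LmhostsDomainEntry -IPAddress '10.20.30.5' -PdcName 'OLDPDC01' -DomainName 'OLDCHILD'
$lines
Test-LmhostsDomainLine -Line $lines[1]     # True

# Append to the live file on each machine that must find the other side's domain, then
# purge and reload the NetBIOS name cache so the #PRE entries take effect immediately.
$lmhosts = Join-Path $env:SystemRoot 'System32\drivers\etc\lmhosts'
Add-Content -Path $lmhosts -Value $lines -Encoding Ascii
nbtstat -R
nbtstat -c   # the cache should now list OLDPDC01 <00>/<20> and OLDCHILD <1B>
```

Two practical points: "Enable LMHOSTS lookup" has to be on in the adapter's WINS settings for the file to be consulted at all, and the file is a static override of name resolution, so the only people who should be able to write to it are the same people who could redirect a domain's PDC lookup; leave its default ACL alone. That static, local scope is also what makes it the choice joe describes when you do not want the names answerable to anyone who asks.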

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joe
I am going to basically say what the other said only I am going to put it
this way

IF the data needs to be available at all locations or a majority of
locations where your domain controllers are located, consider adding the
data to AD.

IF the data is going to be needed only at a couple of sites or a single
site, put them into another store. My preference being AD/AM unless you need
to do some complicated joins or queries of the data that LDAP doesn't
support.

There is also the possibility of using app partitions but if you were going
to go that far, just use AD/AM. 

The thing I have about sticking this data into AD is that AD is becoming, in
many companies, a dumping ground of all the crap that was in all the other
directories in the company. I realize this was the initial view from MS on
how this should work but I worked in a large company and thought that was
silly even then. 

The number one most important thing for AD is to authenticate Windows users.
Every time you dump more crap into AD you are working towards impacting that
capability or the capability to quickly restore or the ability to quickly
add more DCs. The more I see the one stop everything loaded into ADs the
more I think that the NOS directory should be NOS only. Plus, I wonder how
long before we hit some interesting object size limits. I have asked for
details from some MS folks a couple of times on the issues with admin limit
exceeded errors that you get when overpopulating a normal multivalue
attribute (i.e. not linked) and it causing no other attributes to be added
to the object. I wonder what other limits like that exist. 



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check; even though I don't think that it is
possible, I will present the question.  

He would like to add some custom fields, about 30, to AD.  He would like to
add bio information into AD to be pulled by SharePoint and other
applications for people to read. I think that this is a waste of time, space
and effort.  However, it is not my call and if this is what he wants

What are everyone's thoughts on the topic?

Thanks
S
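If, after the warnings above, the decision is still to put the bio fields into AD, the extension should at least be done in the way that limits what joe is worried about: a private OID arc, an auxiliary class rather than edits to the user class, nothing pushed into the Global Catalog and nothing indexed without a query that needs it. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module, membership in Schema Admins, and a placeholder OID arc 1.2.840.113556.1.8000.2554.99999 (generate your own with Microsoft's OID generator script; never reuse someone else's arc). The attribute names and the "contoso" prefix are placeholders too.

```powershell
# Added example, not from the thread: add bio fields via an auxiliary class.
# OID arc, attribute names and prefix are placeholders; generate your own arc.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster                          # schema writes only succeed here
$schemaNc     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$oidArc       = '1.2.840.113556.1.8000.2554.99999'                  # placeholder private arc
$prefix       = 'contoso'

function Update-SchemaCache {
    # Make the schema master reload its schema cache now; otherwise an object created a
    # moment ago cannot be referenced (e.g. in mayContain) until the periodic reload.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

function Test-SchemaObject {
    param([string]$LdapDisplayName)
    [bool](Get-ADObject -Server $schemaMaster -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)")
}

# Unicode strings (attributeSyntax 2.5.5.12 / oMSyntax 64), kept out of the Global Catalog
# (isMemberOfPartialAttributeSet) and unindexed (searchFlags 0): SharePoint reads them from
# a DC, nobody searches them forest-wide, and every GC attribute replicates everywhere.
$attributes = @(
    @{ Name = 'Biography';  Oid = 1; Single = $true;  Max = 4096 },
    @{ Name = 'ProfileUrl'; Oid = 2; Single = $true;  Max = 1024 },
    @{ Name = 'Expertise';  Oid = 3; Single = $false; Max = 128  }    # multi-valued, non-linked: see note
)

$ldapNames = foreach ($a in $attributes) {
    $ldapName = "$prefix-$($a.Name)"
    if (-not (Test-SchemaObject $ldapName)) {
        New-ADObject -Server $schemaMaster -Name $ldapName -Type attributeSchema -Path $schemaNc -OtherAttributes @{
            lDAPDisplayName               = $ldapName
            attributeID                   = "$oidArc.1.$($a.Oid)"
            attributeSyntax               = '2.5.5.12'
            oMSyntax                      = 64
            isSingleValued                = $a.Single
            rangeUpper                    = $a.Max
            searchFlags                   = 0
            isMemberOfPartialAttributeSet = $false
        }
    }
    $ldapName
}
Update-SchemaCache

# An auxiliary class (objectClassCategory 3) carries the attributes. The user class is not
# edited, it is only told it may carry this auxiliary, which keeps the change reviewable.
$className = "$prefix-PersonBio"
if (-not (Test-SchemaObject $className)) {
    New-ADObject -Server $schemaMaster -Name $className -Type classSchema -Path $schemaNc -OtherAttributes @{
        lDAPDisplayName     = $className
        governsID           = "$oidArc.2.1"
        objectClassCategory = 3
        subClassOf          = 'top'
        mayContain          = $ldapNames
    }
    Update-SchemaCache
}
$userClass = Get-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNc" -Properties auxiliaryClass
if ($userClass.auxiliaryClass -notcontains $className) {
    Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ auxiliaryClass = $className }
    Update-SchemaCache
}

# Once replicated, the fields behave like any other attribute:
# Set-ADUser -Identity jdoe -Replace @{ "$prefix-Biography" = 'Joined the firm in 2001 ...' }
```

Schema additions are permanent (an attribute can be made defunct, never deleted), so run this in a lab forest first and keep the script under change control. The Expertise attribute is exactly the kind joe flags: a non-linked multi-valued attribute has a hard per-object value ceiling, and once it is hit the whole object refuses further attribute writes with the "administrative limit" error he mentions, so keep such lists short or put that data in AD/AM as he suggests.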


Re: [ActiveDir] AD migration

2005-08-09 Thread Tom Kern
Do you mean check off "associate with external account" on the user attrib?

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain (I
think the answer to this is when it points to the Exchange server in
the old forest, DSProxy will direct them to a GC in the Exchange
server's site)?

Also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM, Outlook pre 2003, ExMerge, etc.

Thanks

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Don't worry Kingslan, I won't hold anything against you!  ;)  LOL
 
 
 
 Aric Bernard
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 2:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 U  Well, one - I like simplicity.  Two, I'm not a big fan of
 WINS.
 If all we're trying to do is to establish trust for a migration...
 
 Besides, Bernard has already been here to show me the error of my ways,
 Thank you.
 
 ;o)
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 09, 2005 4:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 I didn't read the entire thread so maybe this is answered but this stuck
 out to me, why isn't WINS going to work?
 
 Neither WINS replication nor name resolution requires any trusts or even
 authentication. It is all entirely unauthenticated, with replication being
 handled through IP address based connection agreements between the source
 and destination targets.
 
 WINS is entirely name resolution, no worries with trusts or anything else
 in terms of that name resolution.
 
 When you register in WINS, it is anonymous. When you query WINS it is
 anonymous. Only when you use the admin interfaces to say look at the
 database or modify the connection agreements, etc does any form of
 authentication come into play.
 
 
 When playing across subnets like this with NetBIOS functionality, WINS is
 generally the best way to go, certainly it is one of the least complex.
 The only time I would really look at using LMHOSTS is if there was a
 requirement not to use WINS or you don't want the names to be resolvable
 to anyone that asks.
 
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 12:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 Really, it uses neither.  The NetBT is involved, but because we are on (at
 present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC directory.
 The records are going to be very specific, as they will define the domain
 of the target domain, as well as (typically) the PDC for the target.  A
 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the first
 time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k domain
 in one forest with a root or child domain in another forest, does this use
 WINS or DNS?
 I know this is not a real forest trust and more like an external trust in
 that it's not transitive and uses NTLM and NOT Kerberos, but does it also
 rely on WINS/NetBIOS like an old NT-style trust?
 
 thanks
 
 On 8/8/05, Tom Kern [EMAIL PROTECTED] wrote:
  I just started today so what I got was- they have connectivity to the
  child DNS server but they cut off connectivity to anything in the root
  domain.
  The firewall is blocking all root traffic.
  This has been like this for a week.
  Nothing is replicating to the root and there is no access to the _msdc
  forest zone.
 
  The forest is win2k native with an empty root and 1 child domain in a
  separate tree.
  They have DA access in the child domain but no DA/EA access in the root.
  All the exchange servers (about 10) are in the child domain.
  The only recipient policy in the root is the default one and the
  enterprise RUS.
 
 
  They want to migrate the child domain and all the resources to a new
  forest where we have full control of everything.
  I assume we do not need connectivity to the _msdc forest DNS zone to
  create a trust with the old child domain to migrate everything over (or
  anything in the root DNS zone).
 
  I'm not 2nd guessing the Quest guys, this is only for my own
 

RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
Ack!  Aric, sorry about that..  I think that I've been almost fooled by
that once before and caught myself.

The other problem is the format that Outlook displays names in.  Some are
Firstname Lastname i.e. 'Jennifer Fountain' (or just firstname / nickname /
pseudonym, i.e. 'joe') or Lastname, Firstname (i.e. 'Wells, Dean').  Or,
Bernard, Aric.

That's my excuse - I'm sticking to it

Not exactly on the same lines, but a guy I used to work with was named
Martin Ferry.  Imagine what we called him... In the form of a verb and a
proper noun, please.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 5:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

Don't worry Kingslan, I won't hold anything against you!  ;)  LOL



Aric Bernard

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 09, 2005 2:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD migration

U  Well, one - I like simplicity.  Two, I'm not a big fan of
WINS.
If all we're trying to do is to establish trust for a migration...

Besides, Bernard has already been here to show me the error of my ways,
Thank you.

;o)

Rick


RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Free, Bob
Aric-

(Also trying to answer Joe K's questions)

The developer owns all 3 of the SQL servers involved so he definitely
has a vested interest in the integrity of the data on the SQL servers.
SQL Server runs under a domain service account only used on them. They
just wanted me to create the SPNs for the domain account the service
runs under and tick "Account is trusted for delegation" on the
service account and "Computer is trusted for delegation" on the SQL
servers' machine accounts.

Seemed to me the proper way would be to utilize "Trust this computer
for delegation to specified services only" to set up the middle tier
service account to be only able to talk to the back end SQL servers'
services and configure the account to use constrained delegation without
protocol transition by selecting "Use Kerberos only". It also seemed
like only the middle tier needed to have the machine account trusted for
delegation and, finally, that it would be better to run the backend
server under a separate service account with its own SPNs. Am I close?

Joe- Your point about limiting the accounts by marking "sensitive
and cannot be delegated" is well taken. As soon as I started looking at
this can of worms, that occurred to me immediately.

Thanks again

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need, as I understand it, is as follows:

User connects to a front application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have, thereby gaining access to or altering data in the DB that
they would otherwise not have access to.

Now if your developer starts asking for constrained delegation from the
application server to a DC, we should talk some more. :)

Regards,

Aric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

> Assuming that you are aware of what constrained delegation is, how it
> operates, and what it should be used for...

That's the point of my query, I certainly don't understand all I know
about it and we have never allowed it, at this point I have just begun
to scratch the surface. I was totally uncomfortable when it was first
proposed and threw up the stop sign. I'm getting less comfortable by the
minute as I read more about it. 

I'm reading the Kerberos Protocol Transition and Constrained Delegation
article and the Troubleshooting Kerberos Delegation white paper and like
I said, trying to understand all I know about it ;-(

Everyone's comments so far are immensely appreciated.

Thanks

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Assuming that you are aware of what constrained delegation is, how it
operates, and what it should be used for...

Anytime you allow someone or something to impersonate, err, act on
behalf of another security principal, there is always cause for concern.
Constrained delegation certainly provides some flexibility in achieving
this 

RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread Ken Schaefer
You may want to have Kerberos authentication all the way through, rather than
using Protocol Transition. At least in the IIS world, protocol transition
involves running your worker processes as LocalSystem rather than any other
account, which is yet another security issue you need to manage.

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: > Assuming that you are aware of what constrained delegation is, how it
: > operates, and what it should be used for...
: 
: That's the point of my query, I certainly don't understand all I know
: about it and we have never allowed it, at this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
: 
: I'm reading the Kerberos Protocol Transition and Constrained Delegation
: article and the Troubleshooting Kerberos Delegation white paper and like
: I said, trying to understand all I know about it ;-(
: 
: Everyone's comments so far are immensely appreciated.
: 
: Thanks
: 
: Bob
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the applications need, but like any Domain
: Admin in your forest the developer and the application must be trusted.
: 
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and if
: you have the wherewithal (or can bring in someone who does) a code
: review to ensure that what is defined is accurate.
: 
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying he told me
: it was OK that I access [fill in the blank] on his behalf.
: 
: Regards,
: 
: Aric Bernard
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
: 
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching and I'd like to hear others'
: thoughts, policies etc.
: 
: We are at 2003 functional level so from what I read, we can allow
: constrained delegation which is much better than un-constrained but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place
: etc etc..
: 
: I can find a reasonable amount of information from the developers
: point-of-view, and I can see how to implement it technically (I think)
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
: 
: Any info greatly appreciated.
: 
: Bob
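The configuration Bob sketches (constrained delegation on the middle-tier service account, Kerberos only, a separate back-end account with its own SPNs, privileged accounts marked sensitive) together with the review an AD admin would want before and after, and with Ken's protocol-transition flag called out separately. This is an added example, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module and placeholder names: domain corp.example.com, middle-tier host sqlmid01 running SQL Server as svc_sqlmid, back-end hosts sqlbe01 and sqlbe02 running as svc_sqlbe, default instance on port 1433.

```powershell
# Added example, not from the thread. Domain, hosts, accounts and port are placeholders.
Import-Module ActiveDirectory

$Domain    = 'corp.example.com'
$Port      = 1433
$MidAcct   = 'svc_sqlmid'            # SQL service on the middle tier that issues the linked-server query
$MidHost   = 'sqlmid01'
$BackAcct  = 'svc_sqlbe'             # separate account for the back ends: they never delegate anything
$BackHosts = 'sqlbe01', 'sqlbe02'

function Get-SqlSpn {
    # Both SPN forms a SQL client may ask the KDC for: with and without the port.
    param([string]$Computer)
    "MSSQLSvc/${Computer}.${Domain}:${Port}", "MSSQLSvc/${Computer}.${Domain}"
}

function Register-ServiceSpn {
    # Adds only the SPNs the account lacks, and refuses if another principal already holds
    # one: a duplicate SPN makes the KDC encrypt service tickets to the wrong account's key.
    param([string]$Account, [string[]]$Spn)
    foreach ($s in $Spn) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$s)" -Properties sAMAccountName
        if ($owner -and $owner.sAMAccountName -ne $Account) {
            throw "SPN $s is already registered to $($owner.DistinguishedName)"
        }
    }
    $current = (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName
    $missing = @($Spn | Where-Object { $current -notcontains $_ })
    if ($missing.Count) { Set-ADUser -Identity $Account -ServicePrincipalNames @{ Add = $missing } }
}

# 1. SPNs. SQL runs as a domain account, so the SPNs and the delegation settings live on that
#    user object, not on the computer account (ADUC only shows the Delegation tab once the
#    account owns an SPN).
Register-ServiceSpn -Account $MidAcct  -Spn (Get-SqlSpn $MidHost)
Register-ServiceSpn -Account $BackAcct -Spn @($BackHosts | ForEach-Object { Get-SqlSpn $_ })

# 2. Constrained delegation on the middle tier only, to the back-end SQL SPNs only. Replace
#    rather than Add so the list is exactly what was approved, and clear both flags:
#    TRUSTED_FOR_DELEGATION (unconstrained) and TRUSTED_TO_AUTH_FOR_DELEGATION (protocol
#    transition). Targets set and both flags clear is the GUI's "Use Kerberos only".
$targets = @($BackHosts | ForEach-Object { Get-SqlSpn $_ })
Set-ADUser -Identity $MidAcct -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
Set-ADAccountControl -Identity $MidAcct -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Principals the middle tier must never impersonate, even inside its constraints
#    ("Account is sensitive and cannot be delegated").
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Set-ADAccountControl -Identity $_.DistinguishedName -AccountNotDelegated $true }

# 4. The review the AD admin wants before and after: who may delegate, and how.
function Get-DelegationReport {
    $bit = 'userAccountControl:1.2.840.113556.1.4.803:='
    [pscustomobject]@{
        # TRUSTED_FOR_DELEGATION (0x80000) on anything that is not a DC (primaryGroupID 516 / 521)
        Unconstrained       = @(Get-ADObject -LDAPFilter "(&(${bit}524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))")
        # msDS-AllowedToDelegateTo populated, protocol transition off
        ConstrainedKerbOnly = @(Get-ADObject -LDAPFilter "(&(msDS-AllowedToDelegateTo=*)(!(${bit}16777216)))" -Properties 'msDS-AllowedToDelegateTo')
        # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000): may obtain a ticket as any non-sensitive user
        ProtocolTransition  = @(Get-ADObject -LDAPFilter "(${bit}16777216)" -Properties 'msDS-AllowedToDelegateTo')
    }
}
Get-DelegationReport
```

The ProtocolTransition list is the one Ken's comment is about: an account there does not need the user to have authenticated with Kerberos at all, it can ask the KDC for a ticket in the user's name to any of its targets, so each entry deserves its own justification. Anything in the Unconstrained list that is not a DC can forward any user's TGT to any service and should be moved to a constrained list or removed. On forests newer than this thread the Protected Users group adds a second, blanket way to keep admin accounts out of delegation; the sensitive flag above is what was available in 2003.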



RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
Agreed here.  If you don't need protocol transition, don't use it.  This
normally only comes up in situations where you have to use Basic auth on
the web tier for an Internet-based scenario or something like that.  If
the web server can use IWA, then you can go Kerberos end to end.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Schaefer
Sent: Tuesday, August 09, 2005 6:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

You may want to have Kerberos authentication all the way through, rather
than using Protocol Transition. At least in the IIS world, protocol
transition involves running your worker processes as LocalSystem rather
than any other account, which is yet another security issue you need to
manage.

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Wednesday, 10 August 2005 7:33 AM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
:  Assuming that you are aware of what constrained delegation is, how it
:  operates, and what it should be used for...
: 
: That's the point of my query, I certainly don't understand all I know
: about it and we have never allowed it, at this point I have just begun
: to scratch the surface. I was totally uncomfortable when it was first
: proposed and threw up the stop sign. I'm getting less comfortable by the
: minute as I read more about it.
: 
: I'm reading the "Kerberos Protocol Transition and Constrained Delegation"
: article and the "Troubleshooting Kerberos Delegation" white paper and like
: I said, trying to understand all I know about it ;-(
: 
: Everyone's comments so far are immensely appreciated.
: 
: Thanks
: 
: Bob
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
: Sent: Tuesday, August 09, 2005 1:38 PM
: To: ActiveDir@mail.activedir.org
: Subject: RE: [ActiveDir] Kerberos Delegation
: 
: Assuming that you are aware of what constrained delegation is, how it
: operates, and what it should be used for...
: 
: Anytime you allow someone or something to impersonate, err, act on
: behalf of another security principal, there is always cause for concern.
: Constrained delegation certainly provides some flexibility in achieving
: this goal and fulfilling the application's need, but like any Domain
: Admin in your forest the developer and the application must be trusted.
: 
: I would recommend clear documentation as to the architecture of the
: application, how and with what other systems it interoperates, and if
: you have the wherewithal (or can bring in someone who does) a code
: review to ensure that what is defined is accurate.
: 
: I know this seems a little over-the-top, but we are talking about you
: accepting someone else walking around with my ID and saying he told me
: it was OK that I access "fill in the blank" on his behalf.
: 
: Regards,
: 
: Aric Bernard
: 
: -Original Message-
: From: [EMAIL PROTECTED]
: [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
: Sent: Tuesday, August 09, 2005 1:07 PM
: To: ActiveDir@mail.activedir.org
: Subject: [ActiveDir] Kerberos Delegation
: 
: We have a developer who wants us to allow delegation for a couple of SQL
: servers and their service accounts so he can do distributed queries
: across linked servers. This is new ground for us from an AD perspective
: that I have just started researching and I'd like to hear others'
: thoughts, policies etc.
: 
: We are at 2003 functional level so from what I read, we can allow
: constrained delegation which is much better than un-constrained but most
: of the comments I come across indicate this isn't something to be taken
: lightly, has serious security ramifications, policies should be in place
: etc etc..
: 
: I can find a reasonable amount of information from the developers'
: point-of-view, and I can see how to implement it technically (I think)
: but not a whole lot from the AD admin's perspective, especially as it
: pertains to the desirability of allowing it and how best to manage it if
: it is allowed.
: 
: Any info greatly appreciated.
: 
: Bob





RE: [ActiveDir] Kerberos Delegation

2005-08-09 Thread joseph.e.kaplan
I think you've basically got it.  Constrained is the way to go.  You
might consider implementing unconstrained at first for some testing to
make sure you can get it working with the less complicated scenario, but
you want to end up using constrained delegation in the final version.

I would like to point you to Keith Brown's excellent book "The .NET
Developer's Guide to Windows Security", which he has graciously published
online as well as in print.  He actually explains this stuff quite well
there and has lots of cross references to the other topics.

http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/HomePage.html

Check out the topics in part 5.  The book is better because it has all
of the illustrations, but the free content is a nice start.

As Aric pointed out, the delegation scenario is actually better from a
security standpoint here in several ways.  All of the queries that will
be executed at the delegation endpoints will be executed and audited
with the original user's credentials instead of a trusted intermediary
service account.  You can then secure the SQL data directly and use
SQL's built-in mechanisms for security features.  The alternative is to
give access to all of the data to a specific service account and then
make the developer implement their own security layer to restrict
different data to different users.  Rolling your own security is
probably a much higher security risk in the long run.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 6:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Aric-

(Also trying to answer Joe K's questions)

The developer owns all 3 of the SQL servers involved so he definitely
has a vested interest in the integrity of the data on the SQL servers.
SQL server runs under a domain service account only used on them. They
just wanted me to create the SPNs for the domain account the service
runs under and tick "Account is trusted for delegation" on the
service account and "Computer is trusted for delegation" on the SQL
servers' machine accounts.

Seemed to me the proper way would be to utilize "Trust this computer
for delegation to specified services only" to set up the middle tier
service account to be only able to talk to the back end SQL servers'
services and configure the account to use constrained delegation without
protocol transition by selecting "Use Kerberos Only". It also seemed
like only the middle tier needed to have the machine account trusted for
delegation and, finally, that it would be better to run the backend
server under a separate service account with its own SPNs. Am I close?

Joe- Your point about limiting the accounts by marking "sensitive
and cannot be delegated" is well taken. As soon as I started looking at
this can of worms, that occurred to me immediately.

Thanks again

Bob

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, August 09, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos Delegation

Bob,

As Rick and Joe mentioned, as far as allowing a system to do something
on behalf of a user, constrained delegation is a pretty good solution.
Your developer's need as I understand it is as follows:

User connects to a front application server (i.e. web server) and
authenticates to that server using Kerberos.  The application needs to
be able to contact multiple different SQL servers to perform a
distributed query.  If the application were to do this with a service
account, the response to the query would likely contain all of the
information that the service account had that matched the query - this
might contain more or less information than the user making the request
has access to.  In addition the audit trail on the SQL server should
reflect that the application server made the access to the SQL server as
opposed to the user.

Using constrained delegation, the application server is provided the
capability to act as the user when interacting with the identified SQL
servers (only).  If done properly, the application server will be
delegated in a manner that explicitly identifies the SQL servers' Service
Principal Names (which include port numbers) associated with each SQL
computer's object in the directory.  Therefore the application server CAN
impersonate the user but under the constraint that it may only occur
when communicating with the remote server/service/port as named in the
delegation.

In your case the risk should be relatively low so long as your developer
has a vested interest in the integrity of the data on the SQL servers.
The only abuse of this specific configuration that I can think of off the
top of my head would be the possibility for the developer to execute a
stored procedure on the SQL server with more rights than he or she would
typically have thereby gaining access to or altering data in the DB that
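The settings this thread keeps coming back to (Ken's and Joe K's point about avoiding protocol transition, Bob's "specified services only" plus "Use Kerberos Only" setup, Joe K's "sensitive and cannot be delegated" remark, and Aric's description of delegation constrained to named SPNs) all reduce to a handful of attribute values on the account object. The Python below is an added example, not code from the list or from Microsoft: it audits those values offline over constructed account records, the way an AD admin might run over an export before approving a delegation request. The account names, SPNs and the `is_privileged` marker are hypothetical; the userAccountControl bit values are the documented ones.

```python
"""Offline audit of Kerberos delegation settings on AD accounts.

Added example, not code from the ActiveDir thread. It works on the
attribute values an admin can export from AD (for instance with ldifde
or an LDAP query): the userAccountControl bit flags and the
msDS-AllowedToDelegateTo SPN list. SAMPLE is constructed; names, SPNs
and the is_privileged marker are hypothetical.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# userAccountControl bits that govern delegation (values from the AD schema).
NORMAL_ACCOUNT = 0x00000200
TRUSTED_FOR_DELEGATION = 0x00080000          # "trusted for delegation to any service" (unconstrained)
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition, "Use any authentication protocol"


@dataclass
class Account:
    sam: str                                  # sAMAccountName
    uac: int                                  # userAccountControl
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo
    is_privileged: bool = False               # constructed marker, e.g. member of Domain Admins


def delegation_mode(acct: Account) -> str:
    """Classify how the account may delegate a caller's identity."""
    if acct.uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                   # may act as the caller towards any service
    if acct.allowed_to_delegate_to:
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"   # S4U2Self: no Kerberos ticket from the caller needed
        return "constrained-kerberos-only"       # S4U2Proxy only, and only to the listed SPNs
    return "none"


def audit(accounts: List[Account]) -> List[Tuple[str, str, str]]:
    """Return (account, severity, finding) for every setting a reviewer should question."""
    findings = []
    for a in accounts:
        mode = delegation_mode(a)
        if mode == "unconstrained":
            findings.append((a.sam, "HIGH",
                             "unconstrained delegation; limit it to the back-end SPNs actually needed"))
        elif mode == "constrained-protocol-transition":
            findings.append((a.sam, "MEDIUM",
                             "protocol transition enabled; prefer 'Use Kerberos Only' unless the "
                             "front end cannot authenticate users with Kerberos"))
        if a.is_privileged and not (a.uac & NOT_DELEGATED):
            findings.append((a.sam, "MEDIUM",
                             "privileged account not marked sensitive; a trusted middle tier could act as it"))
    return findings


def constrain(acct: Account, target_spns: List[str]) -> Account:
    """Attribute values that 'delegation to specified services only, Kerberos only' produces."""
    new_uac = acct.uac & ~(TRUSTED_FOR_DELEGATION | TRUSTED_TO_AUTH_FOR_DELEGATION)
    return Account(acct.sam, new_uac, list(target_spns), acct.is_privileged)


# Constructed sample export: a middle-tier account done right, one with protocol
# transition, a back-end account left unconstrained, and two admins.
SAMPLE = [
    Account("svc-web-mid", NORMAL_ACCOUNT,
            ["MSSQLSvc/sql01.corp.example:1433", "MSSQLSvc/sql02.corp.example:1433"]),
    Account("svc-web-legacy", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            ["MSSQLSvc/sql01.corp.example:1433"]),
    Account("svc-sql-back", NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("da-bob", NORMAL_ACCOUNT, is_privileged=True),
    Account("da-aric", NORMAL_ACCOUNT | NOT_DELEGATED, is_privileged=True),
]

if __name__ == "__main__":
    for sam, sev, msg in audit(SAMPLE):
        print(f"{sev:6} {sam:16} {msg}")
```

`constrain()` shows what the GUI choices Bob describes do to the object: the unconstrained bit and the protocol-transition bit are cleared and the permitted targets go into msDS-AllowedToDelegateTo, which is why a re-run of `audit()` on the result is clean.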

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread Rick Kingslan
joe,

You hit the nail on the head with what my problem is with this whole thread
- we're dumping crap into AD that really doesn't belong there.

Seriously, the data needs to be available to a SharePoint server and some
other apps, unless I read something wrong (wouldn't be the first time
today...).  Let AD do the authN, let SQL serve the data to the SharePoint
and the other apps.

It confounds me sometimes... AD shouldn't be the repository for this type
of data, unless we're applying the "We've got a solution, as long as it's
AD" mentality.

I'm sure that if we tried, the TerraServer could be served by a few
optimized ADAM servers, don't you think?

;op

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, August 09, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

I am going to basically say what the others said only I am going to put it
this way:

IF the data needs to be available at all locations or a majority of
locations where your domain controllers are located, consider adding the
data to AD.

IF the data is going to be needed only at a couple of sites or a single
site, put them into another store. My preference being AD/AM unless you need
to do some complicated joins or queries of the data that LDAP doesn't
support.

There is also the possibility of using app partitions but if you were going
to go that far, just use AD/AM. 

The thing I have about sticking this data into AD is that AD is becoming, in
many companies, a dumping ground of all the crap that was in all the other
directories in the company. I realize this was the initial view from MS on
how this should work but I worked in a large company and thought that was
silly even then. 

The number one most important thing for AD is to authenticate Windows users.
Every time you dump more crap into AD you are working towards impacting that
capability or the capability to quickly restore or the ability to quickly
add more DCs. The more I see the one stop everything loaded into ADs the
more I think that the NOS directory should be NOS only. Plus, I wonder how
long before we hit some interesting object size limits. I have asked for
details from some MS folks a couple of times on the issues with "admin limit
exceeded" errors that you get when overpopulating a normal multivalue
attribute (i.e. not linked) and it causing no other attributes to be added
to the object. I wonder what other limits like that exist. 



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Tuesday, August 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Adding custom fields to AD

Group,

My manager wanted me to check; even though I don't think that it is
possible, I will present the question.  

He would like to add some custom fields, about 30, to AD.  He would like to
add bio information into AD to be pulled by Sharepoint and other
applications for people to read. I think that this is a waste of time, space
and effort.  However, it is not my call and if this is what he wants

What are everyone's thoughts on the topic?

Thanks
S


[ActiveDir] Maurice McNeill is out of the office.

2005-08-09 Thread MMcNeill
I will be out of the office starting  08/10/2005 and will not return until
08/15/2005.

I will respond to your message when I return.



RE: [ActiveDir] AD migration

2005-08-09 Thread Rick Kingslan
See inline below

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, August 09, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD migration

Do you mean check off "associate with external account" on the user attrib?

[RTK] If you mean the ACE "Associate with External Account" in the ACL of
the Mail-enabled disabled user - which should have a new entry of [domain in
other forest\user], yep.  That's the one.  I seem to remember that there is
at least one maybe two more ACEs that need to be checked as well.  Should
become apparent pretty quickly.  If you can't find it - I'll dig it up.

Also, how do they see the GAL in the old forest?
How does Outlook in the new domain find the GCs in the old domain (I
think the answer to this is when it points to the Exchange server in
the old forest, DSProxy will direct them to a GC in the Exchange
server's site?)

[RTK]  The Exchange server in the old forest still has associated GCs, so
yes - the GCs that are located by the Exchange servers are still used for
the purposes that they are needed for.

also, I thought a lot of things would break when disabling NetBIOS/TCP,
like ESM, Outlook pre-2003, ExMerge, etc.

[RTK]  It's important to understand a specific distinction - especially when
related to E2k and E2k3.  The dependency is on NetBIOS name resolution - not
specifically the Application layer API NetBIOS.  Remember - NetBIOS is not a
protocol.  NetBEUI is.  Neither is routable.  So, if you don't have NBT and
have WINS - you're going to work fine with what you state above.

Thanks

On 8/9/05, Bernard, Aric [EMAIL PROTECTED] wrote:
 Don't worry Kingslan, I won't hold anything against you!  ;)  LOL
 
 
 
 Aric Bernard
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 2:52 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 U  Well, one - I like simplicity.  Two, I'm not a big fan of
 WINS.
 If all we're trying to do is to establish trust for a migration...
 
 Besides, Bernard has already been here to show me the error of my ways,
 Thank you.
 
 ;o)
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, August 09, 2005 4:40 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 I didn't read the entire thread so maybe this is answered but this stuck
 out to me, why isn't WINS going to work?
 
 Neither WINS replication nor name resolution requires any trusts or even
 authentication. It is all entirely unauthenticated, with replication
 being handled through IP address based connection agreements between the
 source and destination targets.
 
 WINS is entirely name resolution, no worries with trusts or anything
 else in terms of that name resolution.
 
 When you register in WINS, it is anonymous. When you query WINS it is
 anonymous. Only when you use the admin interfaces to say look at the
 database or modify the connection agreements, etc does any form of
 authentication come into play.
 
 
 When playing across subnets like this with netbios functionality, WINS
 is generally the best way to go, certainly it is one of the least complex.
 The only time I would really look at using LMHOSTS is if there was a
 requirement not to use WINS or you don't want the names to be resolvable
 to anyone that asks.
 
 
   joe
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Tuesday, August 09, 2005 12:07 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD migration
 
 Really, it uses neither.  The NetBT is involved, but because we are on
 (at present) untrusted domains and forests, WINS isn't going to work.
 
 Typically, this is done with an LMHosts file in the \Drivers\ETC
 directory.  The records are going to be very specific, as they will define
 the domain of the target domain, as well as (typically) the PDC for the
 target.  A 'mirror' LMHosts will be set up on the other trusting side.
 
 As noted, the format of the records is specific, and can be found here:
 
 http://support.microsoft.com/kb/180094/
 
 And take SPECIAL NOTE that the DOMAIN-NAME records must be EXACTLY as
 defined, otherwise they will not work.
 
 Good luck - it's not daunting, but can be tedious to get working the
 first time.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
 Sent: Tuesday, August 09, 2005 5:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD migration
 
 Sorry to keep harping- but if you have a trust between a child win2k
 domain in one forest with a root or child domain in another forest, does
 this use WINS or DNS?
 I know this is not a real forest trust and more like an external trust
 in that it's not transitive and 
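Rick's warning that the DOMAIN-NAME records "must be EXACTLY as defined" and joe's reminder that WINS resolution is unauthenticated both argue for checking a hand-written LMHOSTS file before a trust depends on it. The following Python is an added example, not code from the list or from Microsoft: a small LMHOSTS parser that reports the mistakes that make entries silently fail, namely NetBIOS names over 15 characters, a quoted 16th-byte entry (the `"DOMAIN         \0x1B"` form the KB Rick cites covers) not padded to exactly 15 characters, lowercase keywords (LMHOSTS treats anything after `#` that is not an uppercase keyword as a comment) and invalid addresses. The SAMPLE file is constructed; its addresses and names are hypothetical.

```python
r"""Validate an LMHOSTS file before a cross-forest trust depends on it.

Added example, not code from the ActiveDir thread. Checks the entry
forms the thread mentions (#PRE, #DOM:<domain>, and the quoted form
"NAME           \0xNN" whose name must be padded to exactly 15
characters). SAMPLE is constructed; addresses and names are hypothetical.
"""
import ipaddress
import re

KEYWORDS = ("#PRE", "#DOM:", "#INCLUDE", "#MH", "#SG", "#NOFNR",
            "#BEGIN_ALTERNATE", "#END_ALTERNATE")
ENTRY_RE = re.compile(r'^(\S+)\s+("[^"]*"|\S+)\s*(.*)$')
# Quoted form: exactly 15 characters (name space-padded) followed by \0xNN.
QUOTED_RE = re.compile(r'^"(?P<name>.{15})\\0x(?P<hex>[0-9A-Fa-f]{2})"$')

# Constructed sample: one correct PDC entry and 0x1B entry, then typical mistakes.
SAMPLE = r"""# constructed sample LMHOSTS for a trust to OLDDOMAIN
10.1.1.10   OLDPDC        #PRE  #DOM:OLDDOMAIN
10.1.1.10   "OLDDOMAIN      \0x1B"   #PRE
10.1.1.11   AVERYLONGSERVERNAME  #PRE
10.1.1.12   "OLDDOMAIN  \0x1B"   #PRE
10.1.1.13   OLDBDC  #dom:OLDDOMAIN
10.1.1.14   SQLBOX  #PRE  #DOM:AVERYLONGDOMAINNAME
10.1.1.999  BADIP   #PRE
"""


def parse_lmhosts(text):
    """Return (entries, problems); each problem is (line, level, message)."""
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, comment, or block directive (#INCLUDE etc. not validated here)
        m = ENTRY_RE.match(line)
        if not m:
            problems.append((lineno, "ERROR", "unparseable entry"))
            continue
        ip_s, name_tok, rest = m.groups()
        try:
            ipaddress.IPv4Address(ip_s)
        except ValueError:
            problems.append((lineno, "ERROR", f"invalid IPv4 address {ip_s!r}"))
        name, suffix = name_tok, None
        if name_tok.startswith('"'):
            qm = QUOTED_RE.match(name_tok)
            if qm:
                name, suffix = qm.group("name").rstrip(), int(qm.group("hex"), 16)
            else:
                problems.append((lineno, "ERROR",
                                 "quoted name must be padded to 15 characters before \\0xNN"))
        elif len(name_tok) > 15:
            problems.append((lineno, "ERROR", f"NetBIOS name {name_tok!r} exceeds 15 characters"))
        tags = []
        for tok in rest.split():
            kw = next((k for k in KEYWORDS if tok.startswith(k)), None)
            if kw is None:
                if not tok.startswith("#"):
                    problems.append((lineno, "WARN", f"unexpected token {tok!r} ignored"))
                elif tok.upper().startswith(KEYWORDS):
                    problems.append((lineno, "WARN",
                                     f"{tok!r} is lowercase, so LMHOSTS reads it as a comment"))
                break  # '#' starts a comment; nothing after it is parsed
            if kw == "#DOM:" and not 0 < len(tok[5:]) <= 15:
                problems.append((lineno, "ERROR", f"#DOM domain {tok[5:]!r} must be 1-15 characters"))
            tags.append(tok)
        entries.append({"line": lineno, "ip": ip_s, "name": name, "suffix": suffix, "tags": tags})
    return entries, problems


def lmhosts_error_lines(text):
    """Line numbers carrying hard errors; the file should not be deployed until they are fixed."""
    _, problems = parse_lmhosts(text)
    return sorted({ln for ln, level, _ in problems if level == "ERROR"})


if __name__ == "__main__":
    entries, problems = parse_lmhosts(SAMPLE)
    for e in entries:
        print(e)
    for ln, level, msg in problems:
        print(f"line {ln}: {level}: {msg}")
```

Run against the sample, lines 4, 5, 7 and 8 come back as errors and line 6 as a warning; only the first two entries would resolve as intended. The same check applies to the 'mirror' file on the other side of the trust.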

RE: [ActiveDir] Adding custom fields to AD

2005-08-09 Thread joe
 I'm sure that if we tried, the TerraServer could be 
 served by a few optimized ADAM servers, don't you think?

I realize this is tongue in cheek but no I don't think it would be good. I
am not of the opinion that everything should go into an LDAP Store. LDAP
isn't really designed for easily working with binary blobs which is what
that is all about. SQL Server is probably still a little on the hokey side
with it as well but handles it better than AD does. 

If the app is already doing LDAP to get basic user info then I don't see the
point to jump to SQL unless there is some overriding major factor that
requires it. 

Plus, switching to AD/AM could be nearly, or actually, transparent to apps,
which can't be discounted; that is HUGE in the world of app dev. Consider
that MANY of the apps that are used in larger orgs are UNIX/LINUX/JAVA
based and you will probably find it generally easier to access LDAP than
an MS SQL Server from something other than Windows and vbscript/VB. In
this case it is sharepoint, so maybe SQL Server is the best solution. 

Plus there is the synchronization piece and I think there are more pre-built
options to sync AD with AD/AM than AD with SQL. It certainly should be more
straightforward.  

Plus, like you with WINS, I have never been a fan of SQL Server.  :o)



