RE: [ActiveDir] GPO Restricted Groups gotchas ?
Worked like a charm! You have the possibility to use the Member option and/or the MemberOf option.

Using the Member option you ENFORCE (or replace) which objects (users/groups) are members of a group. If you add an object as a member of the group and it is not on the restricted groups list, it will be removed again by the system.

Using the MemberOf option you just tell the system (merge with existing) to add the object to the group specified, and it will still be allowed to be a member of other groups that are not specified in the list.

Cheers,
Jorge

From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 23, 2005 07:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Restricted Groups gotchas ?

I would like to use restricted groups policies to specify local Administrative access to application servers. I am sure this has already been tried. I would like to know how this worked or did not work for those who have tried it, and were there any unexpected gotchas that happened?

Thank You! And have a nice day!

Mark Lunsford
KAISER PERMANENTE
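The two behaviours Jorge describes, modelled in PowerShell and turned into a drift check, as an added example that is not part of the original thread. `Resolve-RestrictedGroup` assumes the policy is expressed as the `Members` / `MemberOf` lists below; the account and group names (SRV01, CORP\AppServer-Admins, CORP\jdoe) are constructed, and `Get-LocalGroupMember` needs PowerShell 5.1 or later on Windows.

```powershell
# Added example, not from the thread. Models the two Restricted Groups modes
# Jorge describes ("Members of this group" replaces the membership, "This group
# is a member of" merges into it) and turns that into a drift check against a
# live box. Account/group names are constructed; Get-LocalGroupMember needs
# PowerShell 5.1 or later on Windows.

function Resolve-RestrictedGroup {
    param(
        # Current members of the group (e.g. from Get-LocalGroupMember).
        [string[]]$Current  = @(),
        # The "Members of this group" list. When supplied (even as @()) it
        # REPLACES the membership; $null means the list is not configured.
        [string[]]$Members  = $null,
        # Principals whose "This group is a member of" list names this group.
        # These are only MERGED in; existing members are left alone.
        [string[]]$MemberOf = @()
    )
    if ($null -ne $Members) {
        $result = @($Members)            # enforce: the policy list is authoritative
    } else {
        $result = @($Current)            # no Members list: keep what is there
    }
    $result = @(($result + $MemberOf) | Sort-Object -Unique)   # MemberOf is always additive

    [pscustomobject]@{
        Result  = $result
        Removed = @($Current | Where-Object { $_ -notin $result })   # what a refresh would strip
        Added   = @($result  | Where-Object { $_ -notin $Current })  # what a refresh would put in
    }
}

function Test-LocalGroupDrift {
    # Compares a live local group with the list a "Members of this group"
    # policy would enforce, so you can see what the next refresh will undo.
    param(
        [string]$Group = 'Administrators',
        [Parameter(Mandatory)][string[]]$Expected
    )
    $live = Get-LocalGroupMember -Name $Group | ForEach-Object { $_.Name }
    Resolve-RestrictedGroup -Current @($live) -Members $Expected
}

# Constructed sample: an application server where a local admin hand-added CORP\jdoe.
$current = @('SRV01\Administrator', 'CORP\Domain Admins', 'CORP\jdoe')

# Mode 1: "Members of this group" on Administrators. The list replaces the
# membership, so jdoe lands in Removed. Leave Domain Admins off the list and
# they are removed as well; that is the classic gotcha on member servers.
Resolve-RestrictedGroup -Current $current `
    -Members @('SRV01\Administrator', 'CORP\Domain Admins', 'CORP\AppServer-Admins')

# Mode 2: "This group is a member of" on CORP\AppServer-Admins -> Administrators.
# Merge only: jdoe stays, AppServer-Admins appears in Added.
Resolve-RestrictedGroup -Current $current -MemberOf @('CORP\AppServer-Admins')
```

Two practical points when using Mode 1 on Administrators: the built-in local Administrator account is never removed by the policy whatever the list says, and security settings are re-applied on every policy refresh (and at least every 16 hours even when nothing changed), so any account added by hand keeps coming back out of the group until it is put in the policy or in a group the policy names.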
[ActiveDir] Manually data corruption in exchange
All,

I am looking for different ways - how to manually corrupt:
1. Mailbox Store
2. Public Store
3. A single Mailbox
4. Public Folder
5. A single message in the mailbox

We have created an application for Exchange and I want to test my application by manually corrupting the message/mailbox/mailbox store/public store.

Thanks,
Manjeet

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] PST 2003
ALL,

How to access an Outlook 2003 PST in Outlook 2000?

-Rakesh
RE: [ActiveDir] Extend the UI ofADUC on one machine
No one can help me please? :o(

Have a nice day :)

Cheers,
Yann

From: [EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Friday, 23 September 2005 21:32
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Extend the UI ofADUC on one machine

Hello,

Is there a way to extend the UI of ADUC on only one machine rather than editing the display specifiers in the configuration container? I would like to see the employeeID attribute by right-clicking on a user, and I'd like this attribute to be visible in the context menu on only one machine.

Thanks for input.

Cheers,
Yann
Re: [ActiveDir] PST 2003
If the PST file is a Unicode PST, then the answer is that you can't access it with any downlevel client.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 9/26/05, rakesh jakhar [EMAIL PROTECTED] wrote:
> ALL, How to access outlook pst 2003 in outlook 2000. -Rakesh
RE: [ActiveDir] out look 2003
Yes, but you still need OL2003 to do so. The easiest would be to simply create a new PST file using the option "PST 97-2002 PST Files". Then copy from one PST to another inside OL2003. Other than third party software, this would be the easiest way. Reminder that OL2003 extends beyond the 1.8 GB PST limit, so you may have to break up the file if it is. Generally speaking, I would never recommend going beyond 1.0 G anyway.

-Jon

From: [EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: Monday, September 26, 2005 6:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] out look 2003

Hi ALL

I tried a demo of Office 2003 that came on my new laptop and used Outlook 2003 for e-mails. My demo expired and I opted not to upgrade - I installed my licensed copy of Office 2000 Premium. Can I import/recover the e-mails I received in Outlook 2003 for storage in Outlook 2000?

Thanks guys!
Rakesh
RE: [ActiveDir] out look 2003
Thanks Jon. This is done.

-Rakesh
Re: [ActiveDir] OT: TS Security Warning and GPO
I would probably try User Configuration/Administrative Templates/System/Code signing for device drivers:

Determines how the system responds when a user tries to install device driver files that are not digitally signed. This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Control Panel to select a more secure setting, but when this setting is enabled, the system does not implement any setting less secure than the one the setting established. When you enable this setting, use the drop-down box to specify the desired response.
-- Ignore directs the system to proceed with the installation even if it includes unsigned files.
-- Warn notifies the user that files are not digitally signed and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. Warn is the default.
-- Block directs the system to refuse to install unsigned files. As a result, the installation stops, and none of the files in the driver package are installed.
To change driver file security without specifying a setting, use System in Control Panel. Right-click My Computer, click Properties, click the Hardware tab, and then click the Driver Signing button.

John

From: Steve Patrick [EMAIL PROTECTED]
Sent: 09/25/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: TS Security Warning and GPO

perhaps the following reg key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing

steve

----- Original Message -----
From: Creamer, Mark [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Sunday, September 25, 2005 6:52 AM
Subject: [ActiveDir] OT: TS Security Warning and GPO

We have a number of terminal servers running various apps, with an OU-level GPO managing their settings. A new Windows 2003 terminal server was recently added to the OU, and it is the only one running an older legacy app. When a user starts the application, it pops up a warning saying "The publisher could not be verified. Are you sure you want to run this software?" I haven't been able to figure out how to turn off this warning. Does anyone know how to set it either on this server or at my GPO?

Thanks!
Mark Creamer
RE: [ActiveDir] (OT) Trust Issues
Normally, I would look at the RestrictAnonymous configuration if experiencing communication issues between NT 4.0 systems and >= 2000 systems. A setting of 2 seems to break legacy communication.

Thanks,
Dave Waller
Booz Allen Hamilton

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, September 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] (OT) Trust Issues

Scenario

I have a forest that is a root placeholder and two child domains: Domain.Com; Child1.Domain.com; Child2.Domain.com. The forest is in Windows Server 2003 Forest mode.
Domain.com is all Windows Server 2003 SP1
Child1.domain.com is all Windows Server 2003 SP1
Child2.domain.com is all Windows Server 2003 SP1 bar one DC.
Child1 and Child2 both have trusts to a Windows NT4.0 SP6a domain.

The Problem

When I upgrade the last DC to W2K3 Service Pack 1 in Child2.Domain.com it breaks the trust to the NT4.0 environment and I am at a loss as to why. Child1.domain.com continues to function correctly and the trust does not break. All domains in the forest run the same security principles and nothing appears in the event logs. Removal of SP1 reverses the issue and all trusts are restored - without the need to recreate them.

The only error message I get is when I go to validate the trust: "Verification of the trust between the domain xyz and the domain 123 was unsuccessful because: Access is Denied." All accounts used are Domain Admins.

Any suggestions? The issue is not currently critical as I have removed the Service Pack, but I will need to reapply the Service Pack soon.

Mark
RE: [ActiveDir] Extend the UI ofADUC on one machine
There's a sample in the Platform SDK for doing this. You have to write a little COM shell extension in C++. It's not trivial, but it's not rocket science either. Takes a lot of patience the first try.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] 2003 DC Deployment Question.
Hi,

You cannot tell which user authenticates to which DC. Clients determine their authenticating DC by querying DNS for a SRV RR. With SRV RRs you designate a weight factor and a priority factor. By default the weight is set to 100 and the priority is set to 0.
- SRV RRs with the same priority are treated as equal and are load balanced by DNS (round robin if enabled, which by default it is in W2K/W2K3).
- SRV RRs with a lower priority value are used first, before using SRV RRs with higher values.
- SRV RRs with higher weight values are used more frequently than SRV RRs with lower values. If you have a SRV RR with weight = 50 and another with weight = 100, the SRV RR with weight = 100 will be used twice as much as the SRV RR with weight = 50.

The only way I can think of right now to designate a certain DC to users is to create a separate AD site, place that W2K3 DC in it and assign existing AD subnets to that site where the new W2K3 DC is. This way the clients/servers on those subnets will use the W2K3 as a DC for authentication.

Don't forget that you must update the schema first before you introduce W2K3 DCs.

Downlevel clients are not AD site aware. You can make them site aware by installing the DSClient.

For more info on what you are asking see:
- MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers
- MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
- MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003
- MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000
- MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 based Domains

Cheers,
Jorge

From: [EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, September 26, 2005 16:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 DC Deployment Question.

Hello All,

I have a number of large sites all running W2K DCs. I want to migrate them to W2K3 and want to do it bit by bit. I want to deploy the first W2K3 DC to a site, and have only a handful of users authenticate to that DC as a pilot. I want to repeat this about 10 times over my largest sites (where different applications and downlevel clients exist) to assess the changes in behaviour before taking the plunge with the remaining clients. Most subnets in this exercise cater for over 500 clients, and I want to find the easiest way to re-direct 5 clients to the W2K3 DCs. All clients are W2K SP4 and use DHCP.

TIA for your help.
Brad
RE: [ActiveDir] 2003 DC Deployment Question.
Jorge,

Thanks for the links. I have already got my schema upgrades done, but your comments light up another possible option. What if I weighted the new DC with a really low SRV weight such as 5? Would this mean that a very small number of clients would authenticate against it, or would each client weigh up 100 vs 5 and choose the 100?
RE: [ActiveDir] 2003 DC Deployment Question.
You can use 32 bit subnets if you want to designate half a dozen IPs or something in that site. That said, why not just put one DC in general deployment at a couple of these sites and let it burn in for a bit? That's the only way you're going to get an accurate picture.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] 2003 DC Deployment Question.
IIRC you can do this with a reg hack that forces the machine to a certain DC. Problem is the machine will not look elsewhere if that DC is not available, AFAIK.

Regards
Peter Johnson
RE: [ActiveDir] 2003 DC Deployment Question.
Title: SSL question As I know of the clients do not choose anything. It is the DNS server that makes the choices for the client and after that the client receives a list of servers in a certain order to consult. That is also a way to do it. Setting the weight of the W2K3 DCs to 5 and letting the W2K DCsstick to100 means the W2K DCs will used for 20 times more than the W2K3 DCs. However you still cannot control which client uses the w2k3 DC. To see which client uses which DC you could "enhance" your loginscript and let the client write its %COMPUTERNAME% and %LOGONSERVER% to some central log file. If I remember correctly windows 95/98 don't know about the %LOGONSERVER% variable. Or you could turn on account logon events on the DC. For more info about DC selection see: http://www.windowsitpro.com/Articles/ArticleID/37935/37935.html(by Gil KirkPatrick) Cheers, Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, BradSent: Monday, September 26, 2005 16:41To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 2003 DC Deployment Question. Jorge, Thanks for the links. I have already got my schema upgrades done, but your comments light up another possible option. What if I weighted the new DC with a really low SRV weight such as 5. Would this mean that a very small number of clients would authenticate against it, or would each client weigh up 100 Vs 5 and choose the 100? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge deSent: 26 September 2005 15:29To: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 2003 DC Deployment Question. Hi, You cannot tell which user authenticates to which DC. Clients determine their authenticating DC querying DC for a SRV RR. With SRV RRs you designate a weight factor and a priority factor. By default the weight is set to 100 and the priority is set to 0. 
SRV RRs with the same priority are treated as equal and are load balanced by DNS (round robin if enabled - which by default is in w2k/w2k3). SRV RRs with a lower priority value are used first before using SRV RRS with higher values SRV RRs with higher weight values are used more frequent than SRV RRs with lower values. If you have SRV RR with weight = 50 and another with weight = 100. The SRV RR with weight = 100 will be used twice as more as the SRV RR with weight = 50 The only way I can think of right now to designate a certain DC to users is to create a separate AD site, place that W2K3 DC in it and assign existing AD subnets to that site where the new w2k3 DC is. This way the clients/servers on those subnets will use the w2k3 as a DC for authentication Don't forget that you must update the schema first before you introduce w2k3 DCs. Downlevel clients are not AD site aware. You can make them site aware by installing the DSClient. For more info on what you are asking see: MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That Contain E2K Servers MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003 MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003 MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from completing in Windows 2000 MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 based Domains Cheers, Jorge From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Smith, BradSent: Monday, September 26, 2005 16:00To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] 2003 DC Deployment Question. Hello All, I have a number of large sites all running W2K DC's. I want to migrate them to W2K3 and want to do it bit by bit. I want to deploy the first W2K3 DC to a site, and have only a handful of users authenticate to that DC as a pilot. 
I want to repeat this about 10 times over my largest sites (where different applications and downlevel clients exist) to assess the changes in behaviour before taking the plunge with the remaining clients. Most subnets in this exercise cater for over 500 clients, and I want to find the easiest way to re-direct 5 clients to the W2K3 DCs. All clients are W2K SP4 and use DHCP.

TIA for your help.

Brad

This email and any attached files are confidential and copyright protected. If you are not the addressee, any dissemination of this communication is strictly prohibited. Unless otherwise expressly agreed in writing, nothing stated in this communication shall be legally binding.

This message has been scanned for viruses by
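The priority and weight rules Jorge lays out above, as an added Python simulation that is not part of the original thread: it applies the RFC 2782 selection rule, lowest priority first and then a weighted random pick within that priority, to a constructed record set for Brad's scenario (one W2K3 DC at weight 5 beside a W2K DC at the default 100) and to a variant where the W2K3 DC gets a worse priority instead. Host names are constructed, and the simulation assumes the locator honours the SRV fields as the RFC describes; it shows the roughly 20:1 split, not a way to pick which clients land on the pilot DC.

```python
"""Simulate DC selection from _ldap._tcp SRV records with the RFC 2782
priority/weight rule, to see what a low weight on a pilot DC buys you."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str     # DC host name (constructed sample names below)
    priority: int   # lower value is tried first; Windows DCs default to 0
    weight: int     # share among records of the same priority; default 100
    port: int = 389


def select_target(records, rng=random):
    """Pick one record the way RFC 2782 describes.

    Only records carrying the lowest priority value are eligible. Among
    those, a record is chosen with probability about weight / sum(weights);
    zero-weight records are listed first so they win only on a draw of 0.
    """
    if not records:
        raise ValueError("no SRV records to choose from")
    lowest = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == lowest]
    # Stable sort: zero-weight records move to the front, others keep order.
    candidates.sort(key=lambda r: r.weight != 0)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    draw = rng.randint(0, total)      # inclusive upper bound, as in the RFC
    running = 0
    for rec in candidates:
        running += rec.weight
        if running >= draw:
            return rec
    return candidates[-1]             # not reachable; keeps the function total


def simulate(records, clients, seed=2005):
    """Run `clients` independent selections and count hits per target."""
    rng = random.Random(seed)
    return Counter(select_target(records, rng).target for _ in range(clients))


def share(counts, target):
    """Fraction of all selections that went to `target`."""
    return counts[target] / sum(counts.values())


# Constructed sample for Brad's pilot: the existing W2K DC at the default
# weight and the new W2K3 DC published at weight 5, both at priority 0.
PILOT_RECORDS = [
    SrvRecord("w2k-dc1.example.test", priority=0, weight=100),
    SrvRecord("w2k3-dc1.example.test", priority=0, weight=5),
]

# Same DCs, but the W2K3 DC gets a worse (higher) priority instead: it is
# then never chosen while a priority-0 DC is present in the answer.
FALLBACK_RECORDS = [
    SrvRecord("w2k-dc1.example.test", priority=0, weight=100),
    SrvRecord("w2k3-dc1.example.test", priority=10, weight=100),
]

if __name__ == "__main__":
    for label, recs in (("weight 100 vs 5", PILOT_RECORDS),
                        ("priority 0 vs 10", FALLBACK_RECORDS)):
        counts = simulate(recs, 10_000)
        print(label)
        for target, n in counts.most_common():
            print(f"  {target:24} {n:6d} ({100 * share(counts, target):.1f}%)")
```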
[ActiveDir] Distributing AD responsibility
We are looking at making the department directors here a little more responsible for their users. We are thinking about allowing them to have the rights to change passwords. Is anyone else doing this? If so, how are you going about doing it?
RE: [ActiveDir] Distributing AD responsibility
Delegate the right/permission to the directors on the OU where the users are in.

To reset user passwords you need the Reset Password extended right on the user object. This is also available through the delegation of control wizard using the common delegated task "Reset a user account's password".

If you want to reset user passwords and force a password change at next logon, you need the Reset Password extended right on the user object and you need Read/Write permissions on the attribute pwdLastSet. This is also available through the delegation of control wizard using the common delegated task "Reset user passwords and force password change at next logon".

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Monday, September 26, 2005 17:15
To: Active Directory Admin Issues; ActiveDir@mail.activedir.org; NT System Admin Issues
Subject: [ActiveDir] Distributing AD responsibility
[ActiveDir] Delegating Terminal Services Profile permissions
I was wondering if it's possible to delegate the ability to change the settings in the Terminal Services Profile tab on an account. I took a look, and nothing stood out that might work.

Thanks.

Alan Olegario
Lead Analyst, Systems Engineering
Tiffany Co.
973-254-7253
[EMAIL PROTECTED]

The information contained in this email message may be privileged, confidential, and protected from disclosure. Any unauthorized use, printing, copying, disclosure, dissemination of or reliance upon this communication by persons other than the intended recipient may be subject to legal restriction or sanction. If you think that you have received this E-mail message in error, please reply to the sender and delete this email promptly.
Re: [ActiveDir] flaky gpo
OK, last time I reply to my own email :)

I applied a GPO to add 3 domains to the DNS suffix search order. These 3 domains show up in the GUI when you right click a net adapter, but the change is not reflected when you do an ipconfig. The output of ipconfig.exe is different than what's in the GUI in Network Connections. Also, when you ping an unqualified name, it doesn't apply the search list from the GUI but rather the one in the output from ipconfig.exe. Why is that? Does ipconfig.exe get net info from a different place than the GUI in Network Connections? Why would the GPO apply to the Network Connections info but NOT the ipconfig.exe info you see in cmd.exe? And why is ping.exe only using the one in ipconfig.exe and not the Network Connections one?

Thanks

P.S. - all clients are DHCP, if that provides any clue. Thanks again.

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:

To further elaborate, the setting I'm trying to apply is a custom ADM file to add the DNS search suffix to TCP/IP props. All clients are Win2K. Some get it, some never get it. The really weird thing is, some clients after being rebooted never get it, but when you type ipconfig /release and then renew, they get it. That's bizarre. How would a reboot not get the policy but a release/renew would? Thanks again.

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:

I have a computer portion GPO at the domain level that is a little flaky. For some PCs it applies, others take a number of reboots. All my PCs are Win2K. The GPT has replicated to all DCs in all sites. When I enable userenv debugging on the affected PC, this is what I get:

USERENV(a8.1e0) 08:23:36:191 MyGetUserName: GetUserNameEx failed with 1326

I can't find what this error means anywhere. It also fails with error 1317 as well. Does anyone know?

Thanks
RE: [ActiveDir] Distributing AD responsibility
Jorge answered the how part. To answer the other part of your question, yes, this is a very common scenario.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Monday, September 26, 2005 11:15 AM
To: Active Directory Admin Issues; ActiveDir@mail.activedir.org; NT System Admin Issues
Subject: [ActiveDir] Distributing AD responsibility
RE: [ActiveDir] flaky gpo
When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the adm/gpo.

You are not crazy. You are just observing some known feature. I cannot answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 9:42 AM
To: activedirectory
Subject: Re: [ActiveDir] flaky gpo
[ActiveDir] Ipconfig vs. network connections(WAS flaky gpo)
Okay, I've seen that my custom GPO is applying to append a DNS suffix search list, but the only issue is there is a difference in output between what I see in the GUI via Network Connections and what I see in the output of ipconfig. In Network Connections, when I right click the adapter, the DNS GPO applies. However, from cmd.exe, when I type ipconfig, the output is the pre-GPO setting until I issue an ipconfig /renew. Any reason why the 2 would be different? Windows seems to follow the ipconfig output and NOT what's in the GUI in the adapter settings. So when I ping or map a drive with an unqualified name, it does not append any of the search suffixes listed in the adapter settings, and the command fails, making the GPO useless unless I do an ipconfig /renew. All my clients are Win2K Pro and the GPO is a tattoo and not a real policy. Is this a bug? Should I call MS PSS?

Thanks again.
Re: [ActiveDir] flaky gpo
Thanks. Disregard that last email...

I guess if I find out where ipconfig reads it, I can make an ADM to reflect that and push it out? Does this also apply to the real policy that comes with WinXP/2K3 as well?

Thanks again!!

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Re: [ActiveDir] flaky gpo
My GPO sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a REG_SZ value called SearchList with the suffix values, and that shows up when you right click the adapter under the DNS tab. However, Windows seems to use the other key for things like ping and drive mappings, etc. The only way the ipconfig.exe output changes to reflect the GUI is if you issue an ipconfig /renew. Unfortunately, the other key (that you gave me) has a GUID for each adapter. How am I supposed to set this via a custom ADM?

Thanks for all your help.

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

BTW, does this return the correct suffix for you?

wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)

I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo
Re: [ActiveDir] flaky gpo
Oh yeah, wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order.

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:
RE: [ActiveDir] 2003 SP1
Sorry for the delay in responding, but the issues I keep hearing about center around the fact that the SCManager ACL has been locked down. So anything you have monitoring service states, etc. may be impacted if they run as non-admins or don't directly ask for the service by name.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks,

I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any 1st hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers please send it to me. I will probably assist with this task also.

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
RE: [ActiveDir] Cannot modify a distribution list
I thought that is what I said. ;o)

"You need to grant the person the ability to update the membership list. Now if you have an older version of ADUC, you won't see that checkbox under the managed by tab"

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 22, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

"If you mean ownership as in setting an owner from the Exchange tab or the managed by tab, neither allows you to modify the membership."

Setting an account in the Managed By tab and checking the box "Manager can update membership list" will allow the account to modify the list members. All the checkbox is doing is setting an Allow Write Members ACE. The account *won't* be able to modify other attributes of the list, such as the description, based strictly on the Managed By information.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

If you mean ownership as in setting an owner from the Exchange tab or the managed by tab, neither allows you to modify the membership. You need to grant the person the ability to update the membership list. Now if you have an older version of ADUC, you won't see that checkbox under the managed by tab.

If you have set this, and you have a multidomain forest, and the group is mail enabled, and the person is trying to manage through Outlook, you probably have another issue which I don't have time to go into here, but in that situation, don't use Outlook to manage the membership. Outlook is a tool to read mail, not manage group membership. I don't use ADUC to check my calendar, so I don't have a problem avoiding using Outlook to manage groups.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 3:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cannot modify a distribution list

Hi Gurus,

I have created a Distribution list which is owned by a particular user. Now I log in as that user and try to modify the distribution list, say setting the description attribute, but am getting the error:

***Call Modify...
ldap_modify_s(ld, 'CN=testgrp1,OU=Exchange Test,OU=CV,OU=Views,OU=Mayuresh,DC=meta,DC=test',[1] attrs);
Error: Modify: Insufficient Rights. 50

If I bind as the administrator, then I can modify the distribution list. Any pointers as to why this is happening?

Regards,
Mayuresh.
RE: [ActiveDir] Cannot modify a distribution list
Well, full access rights is a bit like taking off a hangnail with a table saw, but if it works for you...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, September 22, 2005 11:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

Hi All,

Yes, by owned I meant setting the managedBy attribute. I then set the permissions for the user in the security tab giving him full access rights, and then I could modify using that user.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Thursday, September 22, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, September 22, 2005 8:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cannot modify a distribution list
RE: [ActiveDir] Delegating Terminal Services Profile permissions
You can try delegating userParameters, as that is where the info is stored, but I believe all of the mechanisms that update it use legacy NET-style calls which require Acc Op or Admin rights.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olegario, Alan
Sent: Monday, September 26, 2005 11:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegating Terminal Services Profile permissions
RE: [ActiveDir] flaky gpo
Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt tabid=63mid=431 is (IMO) as good as the ADM you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

thanks. disregard that last email... I guess if I find out where ipconfig reads it, I can make an adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!!

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 9:42 AM
To: activedirectory
Subject: Re: [ActiveDir] flaky gpo
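The thread's point is that a suffix search list can live in more than one place and the stack does not necessarily use the one the GUI shows. The following added example (not from the thread or from the linked script) reads the GPO policy value, the global Tcpip\Parameters SearchList Tom's ADM writes, and what the stack reports per adapter (the same data wmic nicconfig get DNSDomainSuffixSearchOrder prints), and flags adapters whose in-effect list disagrees. The policy key path and value precedence are assumptions; verify them on your build.

```powershell
# Added example. Compares the possible sources of the DNS suffix search list with
# what the TCP/IP stack is actually using, so the "GUI says one thing, ipconfig
# and ping use another" symptom from the thread can be spotted per adapter.
function Get-SuffixSearchListSources {
    # Assumed: the DNS client GPO writes SearchList under this policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    # Global key Tom's custom ADM writes (from the thread).
    $tcpipKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

    $read = {
        param($key, $name)
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        # REG_SZ lists are comma separated; normalise to a string array, dropping blanks.
        if ($v) { @($v -split '[,\s]+' | Where-Object { $_ }) } else { @() }
    }

    $fromPolicy = & $read $policyKey 'SearchList'
    $fromTcpip  = & $read $tcpipKey  'SearchList'

    # What the stack reports right now, per IP-enabled adapter. This is the WMI class
    # behind "wmic nicconfig", so it matches the value Tom checked.
    $perAdapter = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            [pscustomobject]@{
                Adapter     = $_.Description
                SearchOrder = @($_.DNSDomainSuffixSearchOrder)
            }
        }

    [pscustomobject]@{
        PolicySearchList = $fromPolicy
        TcpipSearchList  = $fromTcpip
        PerAdapter       = $perAdapter
    }
}

function Test-SuffixSearchListConsistent {
    $s = Get-SuffixSearchListSources
    # Assumed precedence: a policy-delivered list wins over the global Tcpip value.
    $expected = if ($s.PolicySearchList.Count) { $s.PolicySearchList } else { $s.TcpipSearchList }
    foreach ($a in $s.PerAdapter) {
        [pscustomobject]@{
            Adapter  = $a.Adapter
            Expected = $expected -join ','
            InEffect = $a.SearchOrder -join ','
            Matches  = (($a.SearchOrder -join ',') -eq ($expected -join ','))
        }
    }
}

# Any row with Matches = False is an adapter still using a stale list; the thread
# reports that "ipconfig /renew" is what makes the stack re-read the configuration.
Test-SuffixSearchListConsistent | Format-Table -AutoSize
```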
RE: [ActiveDir] Distributing AD responsibility
This is definitely doable, however you may consider using some sort of proxy system to do it so you can answer the question "who did it and when" as those questions come up.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Craig Gauss
Sent: Monday, September 26, 2005 11:15 AM
To: Active Directory Admin Issues; ActiveDir@mail.activedir.org; NT System Admin Issues
Subject: [ActiveDir] Distributing AD responsibility

We are looking at making the department directors here a little more responsible for their users. We are thinking about allowing them to have the rights to change passwords. Is anyone else doing this? If so how are you going about doing it?
RE: [ActiveDir] Domain Controller Security
When looking at group memberships, you will need to look at the group itself, any groups nested into the group (and so on), and any users with primaryGroupID set to the value of any of those groups. Primary groups are not represented in the normal group membership with the LDAP interfaces. An alternative would be to look at the group with the NET* API as it would catch primary group entries but would miss nested entries.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Saturday, September 24, 2005 7:14 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Controller Security

I agree, thanks joe, for your efforts! Your answers always widen my thinking horizons. I am not into ADS extensively, like you all experts, but have ambition to become one. I have to go a long way, and I am here to learn.

joe, how exactly are you monitoring your group memberships? I am using the logparser utility to parse security eventlogs of DCs for group membership modification events, and just plainly taking a look at all the accounts who are members of special-privilege groups thru nested grouping. I am also trying to set up a system for monitoring/reporting the changes to some specific user attributes. :-) And changes made to special-privilege groups using some SPECIAL account. I would like some pointers for nuts and bolts details of AD. I already have some mspress books, and AD 2nd edition. joe, I am eagerly waiting for the 3rd edition.

On 9/24/05, DeStefano, Dan [EMAIL PROTECTED] wrote:
As lucid, eloquent and logical as ever, joe.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, September 23, 2005 9:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Controller Security

That is fine, I have no problem with people disagreeing with me. It still won't make me prove a point by documenting how it is done.

If I gave a step by step or even a high level that gave people who couldn't figure it out on their own a clue as to how it is done, I would have to kick my own ass. As was stated by others, knowing how this is done does not arm you so that you can do anything more about it. Windows has always had two areas you needed to secure and had different assumptions of who should be in those areas. There is the remote access "zone" and the local access "zone". I am talking from a software angle, not physical. If someone has physical access and can do what they want, there really isn't any security that can not be compromised in some way, shape or form. So now you have remote and local access (or unrestricted remote system access such as c$ or registry access, etc). If you have remote access, you have to go up against the fixed function interfaces MS has made available to connect to and manipulate the machine such as LDAP or kerberos or remote RPC calls, etc. These have been built by MS to be as secure as they, at the time they built the interface, could. This is the most secure you will find things to be and even this can be compromised. I simply ask you to review the history of all of the various worms and viruses that have torn through networks infecting machines through unauthenticated remote access. Think RPC interfaces, web interfaces, SQL interfaces, etc. Again, making people use the system resources through remote fixed function access interfaces is going to be the MOST secure you will see. Honestly, for a long time this only secured you against people who didn't want to harm you that were smart enough to keep their machines from being infected by keeping the services that exposed handles to THEIR machines to a minimum and ran firewalls to block all but the smallest amount of remotely activated connections and didn't run code that they didn't fully trust.

If you have local access (such as TS to the desktop or remote console), you have bypassed a great deal of the security barriers Microsoft has put into place. You are within at least the semi-trusted zone and quite honestly in my opinion, the pretty much fully trusted zone. You know the MS history in keeping the untrusted zone safe, do you expect the semi-trusted zone to be that much more successful at repelling people trying to do you harm? Look at your own house as an example, once someone is past your locked (lol) windows and doors, how much more security is there in place to make sure people do not get access to sensitive information or modify your stuff in a way that you do not know? Probably little to none because it isn't feasible to audit and/or monitor everything in real time. Further to that, how many automated systems do you have in your house that you have no understanding of and wouldn't know one way or the other if they were compromised and being used against you. How do
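joe's point at the top of this thread is that an LDAP view of a group misses accounts whose primaryGroupID points at the group or at one of its nested groups. The following added example (not from the thread, and not joe's or Kamlesh's code) resolves the effective membership of a privileged group the way he describes, using the ActiveDirectory module's cmdlets with the LDAP_MATCHING_RULE_IN_CHAIN matching rule for nesting plus a separate primaryGroupID lookup for every RID in the chain. It needs RSAT and a domain-joined session; the group name is a placeholder.

```powershell
# Added example. Effective membership of a group = members reachable through the
# member/memberOf chain at any depth, plus accounts whose primaryGroupID is the RID
# of the group or of any nested group (those never appear in the member attribute).
Import-Module ActiveDirectory

function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    $group = Get-ADGroup -Identity $GroupName
    $dn = $group.DistinguishedName

    # Escape LDAP filter metacharacters in the DN (backslash first, then the rest).
    $dnEsc = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # 1. Everything reachable through nesting, resolved server-side by the
    #    LDAP_MATCHING_RULE_IN_CHAIN extended match (OID 1.2.840.113556.1.4.1941).
    $chain  = '1.2.840.113556.1.4.1941'
    $nested = @(Get-ADObject -LDAPFilter "(memberOf:$chain:=$dnEsc)" -Properties objectSid)

    # 2. RIDs of the group itself and of every nested group: any of these may be
    #    some account's primaryGroupID.
    $rids = @($group.SID.Value.Split('-')[-1]) +
            @($nested | Where-Object ObjectClass -eq 'group' |
                ForEach-Object { $_.objectSid.Value.Split('-')[-1] })
    $rids = $rids | Sort-Object -Unique

    # 3. Accounts carrying one of those RIDs as their primary group.
    $viaPrimary = foreach ($rid in $rids) {
        Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" |
            Select-Object DistinguishedName, ObjectClass, @{ n = 'Via'; e = { "primaryGroupID=$rid" } }
    }

    $viaChain = $nested | Where-Object ObjectClass -ne 'group' |
        Select-Object DistinguishedName, ObjectClass, @{ n = 'Via'; e = { 'member chain' } }

    # A principal can be reachable both ways; report each DN once.
    @($viaChain) + @($viaPrimary) | Sort-Object DistinguishedName -Unique
}

# Placeholder group name; substitute the privileged group you are auditing.
Get-EffectiveGroupMembers -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Rows with Via = primaryGroupID=... are exactly the entries a plain member/memberOf enumeration (or Get-ADGroupMember) would not show.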
[ActiveDir] Domain-wide operations masters change
I just noticed our domain-wide operations masters levels all changed. We've had the same pdc/rid/infrastructure master for years, and suddenly, it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] 2003 SP1
I think Windows Firewall is on by default on new 2003 SP1 installations. Check the properties of the NIC and see if it is.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Monday, September 26, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1

On this same subject, is there anything in Service Pack (2003) that prevents client systems from being able to ping or join a domain? I have installed a new domain with 3 clients. Setting up DNS/WINS, etc. The clients can ping each other, the router and switch, but not the new AD server. The server can ping everyone else. It just can't be pinged, or even recognized by anyone else.

Ron Pennell
IDA
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, September 26, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1

Sorry for the delay in responding but the issues I keep hearing about center around the fact that the SCManager ACL has been locked down. So anything you have monitoring service states, etc may be impacted if they run as non-admins or don't directly ask for the service by name.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks, I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any 1st hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers please send it to me. I will probably assist with this task also.

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
[ActiveDir] OT: Additional DHCP server same LAN
Two companies sharing the same physical LAN, IP configuration, Windows 2000 servers, two separate forests, and one DHCP server. In the not so distant future they will separate. In the meantime, is there a way to point the XP Pro clients from CompanyB to a new DHCP server on the same physical LAN through Group Policy or WMI scripting?

Thank you,
...D
RE: [ActiveDir] 2003 SP1
1. Is the name being resolved?
2. If so, is the server actively refusing the connections or is it not responding at all? You need a network trace for this one; look for returned packets with RST in them.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Monday, September 26, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1

On this same subject, is there anything in Service Pack (2003) that prevents client systems from being able to ping or join a domain? I have installed a new domain with 3 clients. Setting up DNS/WINS, etc. The clients can ping each other, the router and switch, but not the new AD server. The server can ping everyone else. It just can't be pinged, or even recognized by anyone else.

Ron Pennell
IDA
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, September 26, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1

Sorry for the delay in responding but the issues I keep hearing about center around the fact that the SCManager ACL has been locked down. So anything you have monitoring service states, etc may be impacted if they run as non-admins or don't directly ask for the service by name.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks, I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any 1st hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers please send it to me. I will probably assist with this task also.

Thanks
Johnny Figueroa
Enterprise Network Consultant/Integrator
Network Services
Banner Health
Voice (602) 495-4195
Fax (602) 495-4406
RE: [ActiveDir] global catalog discovery / Outlook XP
2) If Closest GC registry key set, call UseDsGetDcName()

Yep, fall back to whatever the OS says...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Saturday, September 24, 2005 11:14 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] global catalog discovery / Outlook XP

I believe it works like... Outlook clients are not site-aware. By default Outlook uses the GC handed out by the DSPROXY/DSACCESS process of the Exchange server that is hosting the mailbox of the user. It will thus (again by default) not use a closest GC like a Windows 2000/XP/2003 client would. This behavior can be changed though, and it is described in MS-KBQ319206. But at least for OL2003 RTM, the complete process goes like this:

1) If DS Server registry key set, use that GC
2) If Closest GC registry key set, call UseDsGetDcName()
3) If fast network adapter, get DS Referral from home Exchange server
4) If slow network adapter, attempt connect with GC in MAPI profile
5) Connect to DSProxy from home Exchange server

Cheers
Jorge

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 9/23/2005 6:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] global catalog discovery / Outlook XP

If outlook is configured to use nearest GC I believe it simply falls back to whatever the OS says to use. Check to see if nltest /dsgetdc:forestrootdomain /gc matches up with the Exchange server you use for AB/NSPI ops from outlook. Obviously you could start a network sniffer and see what happens when outlook fires up as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, September 23, 2005 11:05 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] global catalog discovery / Outlook XP

Dear all, I have been away from the list for absolutely ages but I need to go over an issue of GC discovery with Outlook XP that I need some help on.

This may be regarded as OT to this list, but I have posted on an MS Outlook newsgroup site with nothing back, so I hope this post to be in order. I recall what ended up as a trilogy many months ago on a similar topic but need to get fairly specific information on the mechanisms used by Outlook XP to locate a GC server. There was much discussion on the configuration of Outlook to use local GC discovery (by way of the CLOSESTGC reg value) but on the basis of this configuration can anyone elaborate on the mechanism that Outlook configured as such uses to locate a GC. As I understand the MS documentation, this registry value disables the 'referral' that the client gets (presumably from DSACCESS / DSPROXY). As such it must then have its own mechanism - THIS IS WHAT WE ARE INTERESTED IN - we have attempted loading the SRV RRs (ldapsrvpriority) so the discovery process is loaded towards a particular GC, but this does not seem to prevail. As always, assistance gladly received.

GT
RE: [ActiveDir] GPO Restricted Groups gotchas ?
Yeah we need a good search mechanism for this list, this was discussed nearly to death last year or the year before when that functionality change was introduced.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Monday, September 26, 2005 2:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Restricted Groups gotchas ?

Worked like a charm! You have the possibility to use the Member option and/or the Memberof option.

Using the Member option you ENFORCE (or replace) which objects (users/groups) are a member of a group. If you add an object as a member of the group and it is not on the restricted groups list, it will be removed again by the system.

Using the Memberof option you just tell the system (merge with existing) to add the object to the group specified and it will still be allowed to be a member of other groups that are not specified in the list.

Cheers,
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 23, 2005 07:36
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Restricted Groups gotchas ?

I would like to use restricted groups policies to specify local Administrative access to application servers. I am sure this has already been tried. I would like to know how this worked or did not work for those who have tried it and were there any unexpected gotchas that happened?

Thank You! And have a nice day!

Mark Lunsford
KAISER PERMANENTE
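Jorge's distinction between the Member option (membership replaced) and the Memberof option (merged) is what a reviewer needs to see in the policy file itself before it is linked. The following added example (not from the thread or from Microsoft) parses the [Group Membership] section of a GptTmpl.inf, where each group appears as SID__Members and SID__Memberof lines, and reports which groups would have their membership enforced and which entries only add a principal somewhere. The sample .inf is constructed; apart from the well-known BUILTIN SIDs and the -512 RID, the SIDs are placeholders, and the assumption that an empty Members line leaves a group's membership untouched is how the GUI writes the counterpart line.

```powershell
# Added example. Reads the Restricted Groups section of a security template and
# separates ENFORCE entries (Members: membership replaced at refresh) from MERGE
# entries (Memberof: principal added, other members left alone).

# Constructed sample. S-1-5-32-544 is BUILTIN\Administrators, S-1-5-32-555 is
# BUILTIN\Remote Desktop Users; the S-1-5-21-111-222-333-* SIDs are placeholders.
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-111-222-333-512,*S-1-5-21-111-222-333-1105
*S-1-5-21-111-222-333-1106__Memberof = *S-1-5-32-555
*S-1-5-21-111-222-333-1106__Members =
'@

function Get-RestrictedGroupPolicy {
    param([Parameter(Mandatory)][string]$InfText)

    $inSection = $false
    $entries = @{}
    foreach ($raw in ($InfText -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection -or -not $line) { continue }

        # Line shape: <group>__Members = a,b  or  <group>__Memberof = a,b
        # A leading * marks a SID instead of a name.
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group  = $Matches['group'].TrimStart('*')
            $kind   = $Matches['kind']
            $values = @(($Matches['list'] -split ',') |
                        ForEach-Object { $_.Trim().TrimStart('*') } |
                        Where-Object { $_ })
            if (-not $entries.ContainsKey($group)) {
                $entries[$group] = [pscustomobject]@{ Group = $group; Members = @(); Memberof = @() }
            }
            $entries[$group].$kind = $values
        }
    }
    $entries.Values
}

function Show-RestrictedGroupEffect {
    param([Parameter(Mandatory)][string]$InfText)
    foreach ($e in Get-RestrictedGroupPolicy -InfText $InfText) {
        if ($e.Members.Count -gt 0) {
            # Members is authoritative: anyone not listed is removed at the next refresh.
            'ENFORCE {0}: membership becomes exactly [{1}]' -f $e.Group, ($e.Members -join ', ')
        }
        if ($e.Memberof.Count -gt 0) {
            # Memberof only adds the principal to the listed groups; other members stay.
            'MERGE   {0}: added to [{1}], existing members untouched' -f $e.Group, ($e.Memberof -join ', ')
        }
        # Assumed: an empty Members line (written by the GUI when only Memberof is
        # configured) does not touch that group's own membership, so it is not reported.
    }
}

Show-RestrictedGroupEffect -InfText $sampleInf
```

For the sample this reports one ENFORCE line for BUILTIN\Administrators (whose membership becomes exactly the two listed SIDs, the gotcha Mark asked about) and one MERGE line for the -1106 group being added to Remote Desktop Users.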
RE: [ActiveDir] exchange one more time(ot)
From my experience it should work fine. It doesn't have to know if the right hand side is a domain or host IP, it simply needs to try and look it up in DNS. I believe it will try an MX lookup and failing that, fall back to a host record lookup. A simple test would be to enable SMTP on some machine in your domain, make sure there is a host record for the given name and then send a message to it; you should see the message hit your configured drop folder.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, September 24, 2005 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

how does it figure out it's a literal addy and not a domain? how does it know the RHS is not a domain name and fail trying to look it up? or does it fail and then go up the list to the other part of the name? I'd like to know because I can't find any exchange docs on it. there's nothing in the app log. I'll turn up diag logging.. mail didn't start flowing until I changed the connector to point to a smart host rather than dns. until then, it just sat in the queue. the error in the queue was "remote destination did not respond".

Thanks

On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote:
Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, September 23, 2005 3:07 PM
To: activedirectory
Subject: [ActiveDir] exchange one more time(ot)

If I set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered or will exchange think "servername.domain.tld" is the domain name and throw an error?

Just a question I'm throwing out because an archive solution is giving me that kind of contact to send mail to and it's not getting there. I have a feeling it's because of that and I should just create a connector to forward to that addy as a smarthost, but I want to confirm with you guys that I can't write an address in that form and expect exchange (or any smtp server?) to deliver the mail.

thanks
Re: [ActiveDir] flaky gpo
thanks a lot!! quick ques - if a machine already has a static entry in the suffix search order, will this script wipe out that entry or append to it? same question for the GPO version - will it add or wipe out? thanks again

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt&tabid=63&mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

oh yeah, wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:
my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under the DNS tab. However, windows seems to use the other key for things like ping and drive mappings, etc. The only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig /renew. Unfortunately, the other key (that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help.

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

thanks. disregard that last email... I guess if I find out where ipconfig reads it, I can make an adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!!

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the adm/gpo. You are not crazy. You are just observing some known feature. I can not answer why some clients are not getting your gpo settings, though. That task is reserved for gpoguy, who will be around very shortly ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 9:42 AM
To: activedirectory
Subject: Re: [ActiveDir] flaky gpo

ok, last time I reply to my own email :) I applied a gpo to add 3 domains to the dns suffix search order. these 3 domains show up in the gui, when you right click a net adapter, but the change is not reflected when you do an ipconfig. the output of ipconfig.exe is different than what's in the gui in network connections. also, when you ping an unqualified name, it doesn't apply the search list from the gui but rather the one in the output from ipconfig.exe. why is that? does ipconfig.exe get net info from a different place than the gui in network connections? why would the gpo apply to the network connections info but NOT the ipconfig.exe info you see in cmd.exe? and why is ping.exe only using the one in ipconfig.exe and not the network connections one. thanks

P.S.- all clients are dhcp, if that provides any clue. thanks again.

On 9/26/05, Tom Kern [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
To further elaborate, the setting I'm trying to apply is a custom adm file to add the dns search suffix to tcp/ip props. all clients are win2k. some get it, some never get it. the really weird thing is, some clients after being rebooted never get it but when you type ipconfig /release and then renew, they get it. That's bizarre. how would a reboot not get the
[ActiveDir] LDAP filters
Where can I find more info on creating LDAP filters? I'm trying to have the Exchange 2003 Address List display users on multiple Mailbox Stores and Groups. I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] OT: Additional DHCP server same LAN
Not if they are on the same LAN. Why do you want to do this before the separation? Maybe there is a workaround for whatever problem you are having.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Monday, September 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Additional DHCP server same LAN

Two companies sharing the same physical LAN, IP configuration, Windows 2000 servers, two separate forests, and one DHCP server. In the not so distant future they will separate. In the meantime, is there a way to point the XP Pro clients from CompanyB to a new DHCP server on the same physical LAN through Group Policy or WMI scripting?

Thank you,
...D
RE: [ActiveDir] Domain-wide operations masters change
No automatic change mechanism for OM roles. Someone did it.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all changed. We've had the same pdc/rid/infrastructure master for years, and suddenly, it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?
RE: [ActiveDir] OT: HP vs Dell servers
I am way late on this thread but my experience with IBM has been horrible. At the widget factory I was at, we switched from Dell to IBM because the newish CIO was from IBM. Our DOA rates went up to about 30% from about 0%. We implemented new procedures to burn in every DC for a couple of weeks prior to use because we had so many failures and had to rebuild them. Also the pricing was nowhere near similar. We could have picked up several 8-ways for the cost of a single IBM 8-way. I can't speak to the HP hardware, it has been way too long since I have directly worked with it or seen costing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, August 12, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: HP vs Dell servers

I have always preferred IBM servers personally. For tech they tend to be about 6 months ahead of HP and Dell and if you're a good sized company you can actually get an IBM server for less than HP. HP makes a great product too but the support depends on who you get your maintenance from and can vary greatly. Dell servers are alright as well, but as mentioned I don't think their tools are up to the same level as IBM and HP.

Phil

On 8/12/05, Chris Lynch [EMAIL PROTECTED] wrote:
Have you contacted your local HP rep, or VAR? Yes, one can argue that servers are a commodity today. HP tends to be a far superior product, in both reliability, support, and to a certain degree performance. One of the drawbacks of Dell is the fact they only supply Intel-based servers. The AMD Opteron systems I have implemented have not only cost less than the Intel servers, but have kicked their a$$ up and down the datacenter. Plus, the management tools HP offers are more mature than IT Assistant is. Both vendors have different roads for their management applications. HP SIM continues to evolve and support multiple platforms (not just HP, but SNMP-based systems, etc), while Dell partners with MS to plug into MOM. That's nice and all, but not every shop out there is completely MS based. Yes Dell has partnered with Altiris, but HP/Compaq has had that partnership for over 7 years.

Chris

----- Original Message -----
From: Nathan Casey [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 12, 2005 2:48 PM
Subject: [ActiveDir] OT: HP vs Dell servers

Sorry for the off topic question. We are currently an all HP shop. The accountants in management now want us to justify why we don't switch to Dell servers. I have looked around the web including Gartner but can't find any good Dell vs HP comparison/benchmark testing. Does anyone have any good material that discusses why HP over Dell servers or vice versa.

Thanks
Nathan
Re: [ActiveDir] flaky gpo
The guy in the link is using a batch file to call the VBS script. You can directly put the VBS file into the startup folder, instead of calling it from netlogon. Also, I guess %logonserver% might create a problem, as it might not be defined by the time the script runs.

On 9/27/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

oh yeah, wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order
RE: [ActiveDir] flaky gpo
As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening.

I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] flaky gpo

Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

oh yeah, wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:
my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under the DNS tab. However, windows seems to use the other key for things like ping and drive mappings, etc. The only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig /renew. Unfortunately, the other key (that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help.

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)

I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make an adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!!

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
When MS introduced that GPO
Re: [ActiveDir] Fwd: New Child Domain creation error
Nop, this also didn't help... Now I am facing some strange errors. When I open any admin tool related to AD like dsa.msc or dssite.msc or domain.msc I get a "no domain found" error, even though DNS is working fine. If I open adsiedit.msc to see the permissions on partitions, it doesn't allow me to see the properties of the domain NC. If I try to find the ACL using dsacls.exe, dsacls.exe gives a memory dump for the domain NC. But it is able to give me the ACL for the config and schema NC. I tried resetting permissions using the /S /T options of dsacls.exe, still no use.

-- Kamlesh

On 9/21/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
The following may help you to troubleshoot the issue:
http://support.microsoft.com/default.aspx/kb/838179/
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd13.mspx

neil
---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: 21 September 2005 16:00
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Fwd: New Child Domain creation error

Guys !! any pointers... ??

-- Forwarded message --
From: Kamlesh Parmar [EMAIL PROTECTED]
Date: Sep 19, 2005 9:05 PM
Subject: New Child Domain creation error
To: ActiveDir@mail.activedir.org

This is a test environment. I have an empty root domain, and I had created a child domain earlier, a month back. Now when I try to create a new child domain, it gives me an access denied error alternatively for the configuration and schema partition.

Exact Msg: The operation failed because: Active Directory could not replicate the directory partition CN=Schema,CN=Configuration,DC=EXAMPLE,DC=COM from the remote domain controller rootdc2.EXAMPLE.COM. Access is denied.

DNS is working fine. I have only two DCs for the root domain. I have tried using the default Enterprise Admin account, created a new user, made it part of Enterprise Admins and tried again. Still no luck. Using ADSIEDIT.msc, reset the permissions to default, still no luck.

-- ~~~Fortune and Love befriend the bold~~~

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
RE: [ActiveDir] LDAP filters
... Something that is necessary for almost every one of these tools is an LDAP query. Active Directory is an LDAP-based directory (LDAP stands for Lightweight Directory Access Protocol). The queries are based on RFC-2254, The String Representation of LDAP Search Filters (available at http://www.faqs.org/rfcs/rfc2254.html). A very basic introduction to LDAP can be had in Microsoft KB 196455 (Introduction to Lightweight Directory Access Protocol (LDAP)). LDAP queries can be very simple (e.g., (objectCategory=*), which will serve to select every object in Active Directory) or very complex (as shown by the queries in Chapter 4). The Understanding LDAP white-paper available from Microsoft at http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp provides quite a few examples of LDAP queries.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters? I'm trying to have Exchange 2003 Address List display users on multiple Mailbox Stores and Groups. I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469

__
This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] LDAP filters
This is always a good starting place if you find it consumable: http://www.faqs.org/rfcs/rfc2254.html

Optionally, using the ADUC MMC Snap-in you can build some Saved Queries and see how they are built (Query String) by the snap-in to learn some of the intricacies.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters? I'm trying to have Exchange 2003 Address List display users on multiple Mailbox Stores and Groups. I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
RE: [ActiveDir] Domain-wide operations masters change
Know of an easy way to find out who? I'm assuming auditing, but our security logs are unwieldy and if it happened over a couple days ago, well you know how that goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

No automatic change mechanism for OM roles. Someone did it. :)

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all changed. We've had the same pdc/rid/infrastructure master for years, and suddenly, it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] Server_Info='00000523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.
It is in the create code. The OS that it must assign SIDs to users, computers, etc. It may be hardcoded to the existence of that attribute as a mandatory attribute for the class or it could just be for certain fixed classes. I have never tested it by creating another class with objectSID as a required attribute.

The Security Descriptor item is for all creates. Any object that doesn't have a security descriptor specified in the ldap_add will automatically have the defaultSD inserted from the schema for the appropriate class.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Friday, August 05, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Thanks for the FYI joe, much appreciated. What is the process that slaps on the defaultsid and ntsecuritydescriptor? Is this a validation that AD does when an object is created since it can't rely on the schema?

Thanks,
Francis

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: August 4, 2005 7:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

FYI

If nTSecurityDescriptor isn't specified, the system will insert the defaultSD from the schema for the objectclass. objectSid can't be specified, the system will set it to what it wants to set it to.

The issue is definitely with the sAMAccountName attribute.

I admit the first two can be a bit confusing. Even though the schema says something is mandatory, AD may not actually require you to specify it. This makes the schema less than a perfect source of info for AD for determining what you need for new objects as well as what you can and can't do. Other examples are length of sAMAccountName and the fact that even though the schema says description is multivalued, it actually is single valued on certain SAM objects. There are other examples. It means your programs have to have special hard coded routines for certain pieces or you have to maintain in your head certain special rules for special things.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Thursday, August 04, 2005 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

I'm not a pro but could it be related to mandatory attributes missing? I'm thinking maybe nTSecurityDescriptor and objectSid. Although I could be way off if AD actually populates those attributes when the object is created ;) Just thinking out loud here

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: August 4, 2005 1:41 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.

Hi All,

I am using a meta directory to push mailbox users into active directory. I am stuck with the following: the adding of user entries to AD fails with the above error. The kind of entry that the meta directory is trying to add is as follows:

ADD 'cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net'
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
ADD Result Server_Info='0523: SysErr: DSID-031A0FB2, problem 22 (Invalid argument), data 0.'

Any clue as to how I can solve this problem?

Thanks and Regards,
Mayuresh.
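Pre-flight validation of an add like the one Mayuresh posted, as an added example (not code from the thread, nor from the meta directory product in question). It parses the LDIF-style entry from the post, re-typed here as a constructed string, and flags what the directory would reject: a sAMAccountName containing characters the SAM does not allow (the comma in "ZZZGGG, ANGUS-Test"), a sAMAccountName over 20 characters (the user-account limit joe alludes to), and objectSid or nTSecurityDescriptor supplied by the client, which AD assigns itself. It also decodes userAccountControl; 544 is NORMAL_ACCOUNT plus PASSWD_NOTREQD, which goes beyond what the thread covers but is worth catching in any provisioning feed, since the account can be created with no password. The suggested_sam fix-up is hypothetical, one of several possible naming rules.

```python
"""Pre-flight validation of an AD user add, for the Server_Info thread.

Added example; not code from the posts or from the meta directory product.
The LDIF entry is the one quoted in the thread, re-typed as a constructed string.
"""
from collections import defaultdict

# Characters the SAM does not allow in a sAMAccountName
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
SAM_MAX_USER = 20  # user accounts; computer accounts are shorter

# userAccountControl bits used below
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200

# Attributes the directory assigns on create; a client must not send them
SERVER_OWNED = {"objectsid", "ntsecuritydescriptor"}

SAMPLE_LDIF = """\
dn: cn=ZZZGGG,OU=test,DC=gepurbsres01,DC=net
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 544
DisplayName: ZZZGGG, ANGUS
cn: ZZZGGG, ANGUS
givenName: ANGUS
sn: ZZZGGG
sAMAccountName: ZZZGGG, ANGUS-Test
"""


def parse_ldif(text):
    """Minimal single-entry LDIF parser: 'attr: value' lines, multi-valued attrs kept in order."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def check_user_add(entry):
    """Return [(severity, message), ...] for a proposed user add; empty means clean."""
    findings = []
    sam = entry.get("samaccountname", [])
    if len(sam) != 1:
        findings.append(("error", "sAMAccountName must be present exactly once"))
    else:
        name = sam[0]
        bad = sorted(SAM_ILLEGAL & set(name))
        if bad:
            findings.append(("error", f"sAMAccountName contains illegal characters: {bad}"))
        if len(name) > SAM_MAX_USER:
            findings.append(("error", f"sAMAccountName longer than {SAM_MAX_USER} characters"))
    for attr in sorted(SERVER_OWNED & set(entry)):
        findings.append(("error", f"{attr} is assigned by the directory; remove it from the add"))
    uac_values = entry.get("useraccountcontrol", [])
    if uac_values:
        uac = int(uac_values[0])
        if uac & PASSWD_NOTREQD:
            findings.append(("warning", "PASSWD_NOTREQD set: the account may be created with no password"))
        if not uac & NORMAL_ACCOUNT:
            findings.append(("warning", "NORMAL_ACCOUNT bit not set"))
        if not uac & ACCOUNTDISABLE:
            findings.append(("info", "account will be enabled on creation"))
    return findings


def suggested_sam(name):
    """Hypothetical fix-up: drop illegal characters and whitespace, then truncate."""
    cleaned = "".join(ch for ch in name if ch not in SAM_ILLEGAL and not ch.isspace())
    return cleaned[:SAM_MAX_USER]


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    for severity, message in check_user_add(entry):
        print(f"{severity:8} {message}")
    print("suggested sAMAccountName:", suggested_sam(entry["samaccountname"][0]))
```

Running it against the posted entry reports the comma in the sAMAccountName as the error, which matches joe's diagnosis, and the PASSWD_NOTREQD warning on top of it; a provisioning connector that runs such a check before the ldap_add gets a readable reason instead of "problem 22 (Invalid argument)".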
RE: [ActiveDir] LDAP filters
I also find this article helpful: http://msdn.microsoft.com/library/default.asp?url=

Thanks,
-Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP filters

This is always a good starting place if you find it consumable: http://www.faqs.org/rfcs/rfc2254.html

Optionally, using the ADUC MMC Snap-in you can build some Saved Queries and see how they are built (Query String) by the snap-in to learn some of the intricacies.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 1:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters? I'm trying to have Exchange 2003 Address List display users on multiple Mailbox Stores and Groups. I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine & Spirits - BSG
954-602-2469
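Following on from the three replies above, an added example (not code from any of the posts, nor Microsoft's): a small RFC 2254 filter builder in Python that escapes assertion values and assembles the kind of address-list filter Devon asked about, users homed on any of several mailbox stores or belonging to a group. homeMDB and memberOf are the real attributes holding a user's mailbox-store DN and group memberships; the store and group DNs in the block are constructed, shortened sample values. Default Exchange store names contain parentheses, which is exactly why values must be escaped rather than pasted in.

```python
"""RFC 2254 search filters built from parts, with value escaping.

Added example for the LDAP filters thread; not code from the posts or from
Microsoft. Store and group DNs below are constructed sample values.
"""
import re

# RFC 2254 section 4: characters that must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_value(value: str) -> str:
    """Escape a value so it can only ever be matched, never change the filter's shape."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """(attr=value); the attribute name is validated, the value escaped."""
    if not _ATTR_NAME.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return f"({attr}={escape_value(value)})"


def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"


def balanced(filter_str: str) -> bool:
    """Parentheses must balance; a sanity check, not a substitute for escaping."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def address_list_filter(store_dns, group_dn):
    """Mailbox-enabled users homed on any of the stores, or members of the group.

    homeMDB holds the DN of a user's mailbox store; memberOf holds the DNs of the
    groups the user belongs to. Default store names contain parentheses, e.g.
    "Mailbox Store (EXCH01)", so the values have to be escaped.
    """
    stores = [eq("homeMDB", dn) for dn in store_dns]
    return and_(
        eq("objectCategory", "person"),
        eq("objectClass", "user"),
        or_(*stores, eq("memberOf", group_dn)),
    )


# Constructed, shortened sample DNs (real store DNs sit under CN=Configuration)
STORES = [
    "CN=Mailbox Store (EXCH01),CN=First Storage Group,DC=example,DC=com",
    "CN=Mailbox Store (EXCH02),CN=First Storage Group,DC=example,DC=com",
]
GROUP = "CN=Sales,OU=Groups,DC=example,DC=com"

if __name__ == "__main__":
    print(address_list_filter(STORES, GROUP))
    # An unescaped value such as "*)(objectClass=*" would turn a name lookup into
    # a match-everything filter; escaped, it stays a literal string to match.
    print(eq("cn", "*)(objectClass=*"))
```

The same builder serves any custom search string pasted into an address list or saved query: the structure comes from eq/and_/or_, and anything that originated as user input only ever passes through escape_value. balanced() catches a hand-edited filter with a missing parenthesis, but it cannot catch an injected value that happens to balance, which is why escaping is the control and the check is only a sanity test.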
RE: [ActiveDir] Domain-wide operations masters change
Are you asking if there is a way to do this without using the event logs? The only option I can think of is gathering all of the persons with permissions and beating them about the head until somebody confesses. Come to think of it that could generate some false positives. :)

If you have access to the logs and need to narrow down the time in which the change occurred, you can look at the whenChanged attribute (in GMT) for the following objects:
CN=RID Manager$,CN=System,DC=YourDomain,DC=YourDomainSuffix
CN=Infrastructure,DC=YourDomain,DC=YourDomainSuffix

The PDC role is defined in an attribute fSMORoleOwner on the domain head object for the domain in question. Determining when this attribute was changed would have to be done with repadmin or another utility (as opposed to ADSIEdit which can give you the information on the other two).

I believe that event ID 1458 is what you need to look for in the Application log on either (or both) the system that originally held the role and the one that requested the transfer. The user that requested the transfer should be identified.

If you do not have access to the logs I suggest that you discuss changing your log retention policies by either keeping more information live on the DC or by archiving old information on a regular basis. Another option would be to implement some sort of log collection system.

HTH
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Know of an easy way to find out who? I'm assuming auditing, but our security logs are unwieldy and if it happened over a couple days ago, well you know how that goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

No automatic change mechanism for OM roles. Someone did it. :)

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all changed. We've had the same pdc/rid/infrastructure master for years, and suddenly, it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?
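Aric's three role objects turned into a drift check, as an added example (not code from the list or from Microsoft): take fSMORoleOwner and whenChanged for the domain head, CN=RID Manager$ and CN=Infrastructure from a stored baseline and from the directory now, report which roles moved, and derive the window to pull logs for. The two snapshots are constructed sample values; in practice they come from an LDAP read of those three objects. whenChanged is the time of the last write to the object as a whole, so it bounds the role change from above; for the domain head, which is written for other reasons too, repadmin's per-attribute metadata is the better source, as Aric says.

```python
"""Scoping a domain-wide FSMO role change from the three role-holder objects.

Added example for the operations masters thread; not code from the list or
from Microsoft. The snapshots are constructed sample values, not real data.
"""
from datetime import datetime, timezone

DOMAIN = "DC=example,DC=com"  # constructed

# Where each domain-wide role is recorded (fSMORoleOwner on these objects)
ROLE_OBJECTS = {
    "PDC": DOMAIN,
    "RID": f"CN=RID Manager$,CN=System,{DOMAIN}",
    "Infrastructure": f"CN=Infrastructure,{DOMAIN}",
}


def ntds_settings_to_dc(dn):
    """'CN=NTDS Settings,CN=DC01,CN=Servers,...' -> 'DC01' (fSMORoleOwner holds such a DN)."""
    parts = [p.strip() for p in dn.split(",")]
    if len(parts) < 2 or parts[0].lower() != "cn=ntds settings":
        raise ValueError(f"not an NTDS Settings DN: {dn!r}")
    return parts[1].split("=", 1)[1]


def parse_generalized_time(value):
    """'20050924031500.0Z' -> aware UTC datetime (whenChanged is always written in UTC)."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC GeneralizedTime: {value!r}")
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def role_changes(baseline, current):
    """Compare two {role: {"fSMORoleOwner": dn, "whenChanged": gt}} snapshots.

    Returns {role: {"from": dc, "to": dc, "changed_at": datetime}} for roles that
    moved. changed_at is the object's last write, an upper bound on the transfer.
    """
    moved = {}
    for role, now in current.items():
        then = baseline[role]
        old_dc = ntds_settings_to_dc(then["fSMORoleOwner"])
        new_dc = ntds_settings_to_dc(now["fSMORoleOwner"])
        if old_dc != new_dc:
            moved[role] = {
                "from": old_dc,
                "to": new_dc,
                "changed_at": parse_generalized_time(now["whenChanged"]),
            }
    return moved


def log_search_window(moved):
    """Earliest and latest last-write among the moved roles: the span to pull logs for."""
    if not moved:
        return None
    times = [m["changed_at"] for m in moved.values()]
    return min(times), max(times)


def _ntds(dc):
    return f"CN=NTDS Settings,CN={dc},CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,{DOMAIN}"


# Constructed snapshots: the baseline taken months ago, the current read today
BASELINE = {
    "PDC": {"fSMORoleOwner": _ntds("DC01"), "whenChanged": "20050101120000.0Z"},
    "RID": {"fSMORoleOwner": _ntds("DC01"), "whenChanged": "20050101120000.0Z"},
    "Infrastructure": {"fSMORoleOwner": _ntds("DC01"), "whenChanged": "20050101120000.0Z"},
}
CURRENT_SNAPSHOT = {
    "PDC": {"fSMORoleOwner": _ntds("DC03"), "whenChanged": "20050924031500.0Z"},
    "RID": {"fSMORoleOwner": _ntds("DC03"), "whenChanged": "20050924031700.0Z"},
    "Infrastructure": {"fSMORoleOwner": _ntds("DC03"), "whenChanged": "20050924031900.0Z"},
}

if __name__ == "__main__":
    moved = role_changes(BASELINE, CURRENT_SNAPSHOT)
    for role, info in moved.items():
        print(f"{role}: {info['from']} -> {info['to']} (last write {info['changed_at'].isoformat()})")
    window = log_search_window(moved)
    if window:
        print("search logs on both DCs between", window[0].isoformat(), "and", window[1].isoformat())
```

Taking the baseline is the part that has to happen before the incident: a scheduled read of those three objects, stored somewhere the domain admins cannot edit, gives a point of comparison that no longer depends on how long the DC keeps its event log. The window it reports is where to look for the transfer events Aric mentions, on the old holder and the new one.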
Re: [ActiveDir] flaky gpo
The adm i set directly sets the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList value, NOT the policies key. It's for win2k, so it's a tattoo, not a policy. That other key never comes into play. As i stated, in the net connections applet it changed the adapter. When doing an ipconfig, it didn't show up. Drive mappings and pings with single label names failed (we don't use netbios) even though it showed up in the adapter gui. I suspect ipconfig uses the Interfaces key under Parameters in the int guid key. And so does ping and net use?

thanks

On 9/26/05, Darren Mar-Elia [EMAIL PROTECTED] wrote:
As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then if it falls under policy control there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening.

I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] flaky gpo

Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txttabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

oh yeah, wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:
my gpo sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a Reg_SZ value called SearchList with the suffix values and that shows up when you right click the adapter under the DNS tab. However, windows seems to use the other key for things like ping and drive mappings, etc. The only way the ipconfig.exe output changes to reflect the gui is if you issue an ipconfig /renew. Unfortunately, the other key (that you gave me) has a guid for each adapter. How am I supposed to set this via a custom adm? thanks for all your help.

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)

I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

thanks. disregard that last email... i guess if i find out where ipconfig reads it, i can make an adm to reflect that and push it out? Does this also apply to the real policy that comes with winxp/2k3 as well? thanks again!!

On 9/26/05, [EMAIL PROTECTED] [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:
When MS introduced that GPO ability, someone forgot to remember where ipconfig looks for the information it displays. Ipconfig reads the registry for the information, but the suffix adm/gpo is not stored in the same location, so ipconfig will never be able to report whatever you are setting in the
RE: [ActiveDir] finding txt in a message
I don't have the answer to this other than writing a sink or something that reads every message of every mailbox, neither of which I would consider trivial, but I find this statement to be humorous: "Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick.."

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and system manager can track a message by sender or receiver.. But, I need to know how to find specific text in an email.

Thanks
S
Re: [ActiveDir] exchange one more time(ot)
when i had the smtp connector point to dns, it failed with "remote host did not respond". when pointing to a smarthost it worked. maybe exchange, while sending to [EMAIL PROTECTED], thinks servername.domain.tld is a domain and when it gets a nxdomain from domain.tld, it fails? no? sillier things have been known to occur with exchange...

thanks

On 9/26/05, joe [EMAIL PROTECTED] wrote:
From my experience it should work fine. It doesn't have to know if the right hand side is a domain or host IP, it simply needs to try and look it up in DNS. I believe it will try an MX lookup and failing that, fall back to a host record lookup.

A simple test would be to enable SMTP on some machine in your domain, make sure there is a host record for the given name and then send a message to it, you should see the message hit your configured drop folder.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, September 24, 2005 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

how does it figure out it's a literal addy and not a domain? how does it know the RHS is not a domain name and fail trying to look it up? or does it fail and then go up the list to the other part of the name? I'd like to know because i can't find any exchange docs on it. there's nothing in the app log. i'll turn up diag logging.. mail didn't start flowing until i changed the connector to point to a smart host rather than dns. until then, it just sat in the queue. the error in the queue was "remote destination did not respond".

Thanks

On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote:
Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, September 23, 2005 3:07 PM
To: activedirectory
Subject: [ActiveDir] exchange one more time(ot)

If i set up a contact with the server name in the addy as in [EMAIL PROTECTED], will the message get delivered or will exchange think servername.domain.tld is the domain name and throw an error? Just a question i'm throwing out because an archive solution is giving me that kind of contact to send mail to and it's not getting there. I have a feeling it's because of that and i should just create a connector to forward to that addy as a smarthost but i want to confirm with you guys that i can't write an address in that form and expect exchange (or any smtp server?) to deliver the mail.

thanks
RE: [ActiveDir] finding txt in a message
Findstr /S /I string \\.\backofficestorage\domain\mbx

It'll be slow. And it requires access to every mailbox. But it'll work. :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, September 26, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] finding txt in a message

I don't have the answer to this other than writing a sink or something that reads every message of every mailbox, neither of which I would consider trivial, but I find this statement to be humorous: "Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick."

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Shaff
Sent: Monday, August 29, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] finding txt in a message

Group,

Sorry for sending an Exchange question to an AD group, but I really need an answer to this quick. Does anyone know how to find a specific string or text in email? I know that exmerge can do subjects and System Manager can track a message by sender or receiver. But I need to know how to find specific text in an email.

Thanks
S
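A caveat on the findstr approach above, as an added example that is not code from the thread: findstr compares raw bytes, so it only matches text that is stored literally in the message file. A body sent as base64 or quoted-printable, or an RFC 2047 encoded subject, never matches, and a search that reports "not found" over the store can be wrong. The script below shows the difference by scanning the same two constructed messages both ways, decoding the MIME parts before comparing in the second pass. The corpus, the addresses and the .eml file naming are all assumptions; the search_directory() helper assumes the store is exposed as a tree of .eml files, as the ExIFS path in the reply does.

```python
"""Added example, not code from the thread: searching stored mail for a string.
A raw byte scan (findstr /I over the ExIFS path) only sees text stored literally;
decoding headers and MIME parts first finds encoded bodies too.
The two messages below are constructed sample data."""
import base64
import os
from email import message_from_bytes, policy


def build_samples():
    """Constructed corpus of (name, raw bytes); both contain 'project falcon'."""
    plain = (b"From: a@example.test\r\nTo: b@example.test\r\n"
             b"Subject: status\r\n\r\n"
             b"Notes on project falcon attached.\r\n")
    body = "Please keep project falcon confidential."
    encoded = (b"From: c@example.test\r\nTo: d@example.test\r\n"
               b"Subject: =?utf-8?b?" + base64.b64encode(b"Re: status") + b"?=\r\n"
               b"Content-Type: text/plain; charset=utf-8\r\n"
               b"Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(body.encode("utf-8")) + b"\r\n")
    return [("plain.eml", plain), ("encoded.eml", encoded)]


def raw_hits(corpus, needle):
    """findstr /I style: case-insensitive substring match over the raw bytes."""
    n = needle.lower().encode("utf-8")
    return [name for name, raw in corpus if n in raw.lower()]


def decoded_hits(corpus, needle):
    """Decode the Subject header and every text/* part before comparing."""
    n = needle.lower()
    hits = []
    for name, raw in corpus:
        msg = message_from_bytes(raw, policy=policy.default)
        texts = [str(msg.get("Subject", ""))]   # encoded words are decoded here
        for part in msg.walk():                 # walk() covers multipart too
            if part.get_content_type().startswith("text/"):
                texts.append(part.get_content())  # undoes base64/QP and charset
        if any(n in t.lower() for t in texts):
            hits.append(name)
    return hits


def search_directory(root, needle):
    """Walk a tree of .eml files (assumed layout) and return the decoded hits."""
    corpus = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".eml"):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    corpus.append((path, fh.read()))
    return decoded_hits(corpus, needle)


if __name__ == "__main__":
    corpus = build_samples()
    print("raw scan:    ", raw_hits(corpus, "project falcon"))
    print("decoded scan:", decoded_hits(corpus, "project falcon"))
```

The raw scan reports only plain.eml; the decoded scan reports both. The same access requirement the reply notes still applies: whoever runs this needs read access to every mailbox file, which is a privilege worth logging.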
RE: [ActiveDir] exchange one more time(ot)
Why should Exchange not think that servername.domain.tld is a domain? Can you resolve servername.domain.tld from the Exchange server? How about from the smarthost?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, September 26, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

When I had the SMTP connector point to DNS, it failed with "remote host did not respond". When pointing to a smarthost it worked. Maybe Exchange, while sending to [EMAIL PROTECTED], thinks servername.domain.tld is a domain and when it gets an NXDOMAIN from domain.tld, it fails? No? Sillier things have been known to occur with Exchange...

thanks

On 9/26/05, joe [EMAIL PROTECTED] wrote:
From my experience it should work fine. It doesn't have to know if the right hand side is a domain or host IP, it simply needs to try and look it up in DNS. I believe it will try an MX lookup and, failing that, fall back to a host record lookup. A simple test would be to enable SMTP on some machine in your domain, make sure there is a host record for the given name and then send a message to it; you should see the message hit your configured drop folder.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, September 24, 2005 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

How does it figure out it's a literal addy and not a domain? How does it know the RHS is not a domain name and fail trying to look it up? Or does it fail and then go up the list to the other part of the name? I'd like to know because I can't find any Exchange docs on it. There's nothing in the app log. I'll turn up diag logging. Mail didn't start flowing until I changed the connector to point to a smart host rather than DNS. Until then, it just sat in the queue. The error in the queue was "remote destination did not respond".

Thanks

On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote:
Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, September 23, 2005 3:07 PM
To: activedirectory
Subject: [ActiveDir] exchange one more time(ot)

If I set up a contact with the server name in the addy, as in [EMAIL PROTECTED], will the message get delivered or will Exchange think "servername.domain.tld" is the domain name and throw an error? Just a question I'm throwing out because an archive solution is giving me that kind of contact to send mail to and it's not getting there. I have a feeling it's because of that and I should just create a connector to forward to that addy as a smarthost, but I want to confirm with you guys that I can't write an address in that form and expect Exchange (or any SMTP server?) to deliver the mail.

thanks
RE: [ActiveDir] LDAP filters
Be very careful with this. The RUS doesn't actually use LDAP to execute that filter except for when you test it in ESM. I have seen perfectly good queries that work great in the test (because it actually submits the LDAP query to AD) and then the AL is built all wrong. It is usually around the NOT op. I know, for instance, that if you do (!attrb=value) versus (!(attrib=value)) it will almost certainly have issues.

What specifically do you want to do? I am sure someone can probably lay out a query for it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Harding, Devon
Sent: Monday, September 26, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP filters

Where can I find more info on creating LDAP filters? I'm trying to have Exchange 2003 Address List display users on multiple Mailbox Stores and Groups. I have to do a custom LDAP search to accomplish this.

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - BSG
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] exchange one more time(ot)
I just tested this. I sent to [EMAIL PROTECTED] and watched Exchange query DNS for the MX record; an SOA record was returned, it then queried the A record, got that and fired the message off. If it isn't working, then I expect it is in the name res area as Hunter is indicating as well.

From: [EMAIL PROTECTED] on behalf of Coleman, Hunter
Sent: Mon 9/26/2005 9:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] exchange one more time(ot)

Why should Exchange not think that servername.domain.tld is a domain? Can you resolve servername.domain.tld from the Exchange server? How about from the smarthost?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, September 26, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

When I had the SMTP connector point to DNS, it failed with "remote host did not respond". When pointing to a smarthost it worked. Maybe Exchange, while sending to [EMAIL PROTECTED], thinks servername.domain.tld is a domain and when it gets an NXDOMAIN from domain.tld, it fails? No? Sillier things have been known to occur with Exchange...

thanks

On 9/26/05, joe [EMAIL PROTECTED] wrote:
From my experience it should work fine. It doesn't have to know if the right hand side is a domain or host IP, it simply needs to try and look it up in DNS. I believe it will try an MX lookup and, failing that, fall back to a host record lookup. A simple test would be to enable SMTP on some machine in your domain, make sure there is a host record for the given name and then send a message to it; you should see the message hit your configured drop folder.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Saturday, September 24, 2005 2:12 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange one more time(ot)

How does it figure out it's a literal addy and not a domain? How does it know the RHS is not a domain name and fail trying to look it up? Or does it fail and then go up the list to the other part of the name? I'd like to know because I can't find any Exchange docs on it. There's nothing in the app log. I'll turn up diag logging. Mail didn't start flowing until I changed the connector to point to a smart host rather than DNS. Until then, it just sat in the queue. The error in the queue was "remote destination did not respond".

Thanks

On 9/23/05, Al Mulnick [EMAIL PROTECTED] wrote:
Exchange should be able to deliver to a literal address as long as it is not its own. That's a valid and a common address in SMTP. Check the logs to see what the failure is. There's a lot of possibilities as to why it may not get to its destination.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Friday, September 23, 2005 3:07 PM
To: activedirectory
Subject: [ActiveDir] exchange one more time(ot)

If I set up a contact with the server name in the addy, as in [EMAIL PROTECTED], will the message get delivered or will Exchange think servername.domain.tld is the domain name and throw an error? Just a question I'm throwing out because an archive solution is giving me that kind of contact to send mail to and it's not getting there. I have a feeling it's because of that and I should just create a connector to forward to that addy as a smarthost, but I want to confirm with you guys that I can't write an address in that form and expect Exchange (or any SMTP server?) to deliver the mail.

thanks
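What joe's test shows, written out as an added example that is not code from the thread: the right-hand side of an address is looked up for MX first; a name that exists but has no MX answers NODATA (the SOA joe saw come back), and the server then treats the name itself as the mail host and fetches its A record. Only a name that does not exist at all (NXDOMAIN) leaves the message sitting in the queue, which is why Hunter's question about whether servername.domain.tld resolves from the Exchange server is the one to answer. The zone, names and 192.0.2.x addresses below are constructed; nothing here queries real DNS, and the function also accepts an RFC 5321 address literal such as user@[192.0.2.7], which is what "literal address" means in SMTP terms.

```python
"""Added example, not code from the thread: how an SMTP server picks the next
hop for user@rhs. The zone below is constructed; no real DNS is queried."""


class NXDomain(Exception):
    """The queried name does not exist at all (DNS RCODE 3)."""


# Constructed zone: name -> {rtype: [records]}. A name that exists but has no
# record of the requested type answers NODATA (an empty list). That is the
# "SOA came back for the MX query" case: the name is there, it has no MX.
ZONE = {
    "domain.tld":            {"MX": [(10, "mail.domain.tld")]},
    "mail.domain.tld":       {"A": ["192.0.2.25"]},
    "servername.domain.tld": {"A": ["192.0.2.50"]},     # host only, no MX
    "nomx.domain.tld":       {"TXT": ["v=spf1 -all"]},  # exists, no MX, no A
}


def query(name, rtype):
    """Return the record list, [] for NODATA, or raise NXDomain."""
    name = name.rstrip(".").lower()
    if name not in ZONE:
        raise NXDomain(name)
    return list(ZONE[name].get(rtype, []))


def next_hops(rhs):
    """RFC 5321 section 5.1 next-hop selection.
    - an address literal [a.b.c.d] is used as-is;
    - otherwise MX records, lowest preference first;
    - a name with no MX at all is itself the mail host (implicit MX), so
      its A record is used;
    - NXDOMAIN on the MX lookup means nowhere to deliver: message stays queued.
    """
    if rhs.startswith("[") and rhs.endswith("]"):
        return [rhs[1:-1]]
    try:
        mx = query(rhs, "MX")
    except NXDomain:
        return []
    hosts = [host for _, host in sorted(mx)] if mx else [rhs]
    addrs = []
    for host in hosts:
        try:
            addrs.extend(query(host, "A"))
        except NXDomain:
            continue  # dangling MX target; try the next preference
    return addrs


def resolve_recipient(address):
    """Split user@rhs and return the candidate delivery addresses for rhs."""
    _, at, rhs = address.rpartition("@")
    if not at or not rhs:
        raise ValueError("not an SMTP address: %r" % address)
    return next_hops(rhs)


if __name__ == "__main__":
    for a in ("user@servername.domain.tld", "user@domain.tld",
              "user@nomx.domain.tld", "user@nothere.domain.tld",
              "user@[192.0.2.7]"):
        print(a, "->", resolve_recipient(a) or "stays in queue")
```

The empty result for nothere.domain.tld is the "remote host did not respond" / queued case from the thread; pointing the connector at a smarthost hides it because the smarthost, not Exchange, then does this lookup, which is why Hunter asks whether the name resolves from the smarthost too.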
RE: [ActiveDir] OT: Additional DHCP server same LAN
Are you suggesting counseling, Aric? :)

DHCP is based on broadcast. I suppose if you configured your helpers to point to different subnet segments (assuming the two companies don't share the same subnet) you might be able to do this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Additional DHCP server same LAN

Not if they are on the same LAN. Why do you want to do this before the separation? Maybe there is a workaround for whatever problem you are having.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Monday, September 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Additional DHCP server same LAN

Two companies sharing the same physical LAN, IP configuration, Windows 2000 servers, two separate forests, and one DHCP server. In the not so distant future they will separate. In the meantime, is there a way to point the XP Pro clients from CompanyB to a new DHCP server on the same physical LAN through Group Policy or WMI scripting?

Thank you,
...D
RE: [ActiveDir] Domain-wide operations masters change
At least the number of people who could do this is very limited and hopefully trusted. If you ask each of them if they did it and someone doesn't admit to it, there is obviously an issue. It could have happened in a demotion too and possibly an admin didn't notice it. Was the previous role holder demoted?

joe

From: [EMAIL PROTECTED] on behalf of Bernard, Aric
Sent: Mon 9/26/2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Are you asking if there is a way to do this without using the event logs? The only option I can think of is gathering all of the persons with permissions and beating them about the head until somebody confesses. Come to think of it, that could generate some false positives. :-)

If you have access to the logs and need to narrow down the time in which the change occurred, you can look at the whenChanged attribute (in GMT) for the following objects:

CN=RID Manager$,CN=System,DC=YourDomain,DC=YourDomainSuffix
CN=Infrastructure,DC=YourDomain,DC=YourDomainSuffix

The PDC role is defined in an attribute fSMORoleOwner on the domain head object for the domain in question. Determining when this attribute was changed would have to be done with repadmin or another utility (as opposed to ADSIEdit, which can give you the information on the other two).

I believe that event ID 1458 is what you need to look for in the Application log on either (or both) the system that originally held the role and the one that requested the transfer. The user that requested the transfer should be identified.

If you do not have access to the logs I suggest that you discuss changing your log retention policies by either keeping more information live on the DC or by archiving old information on a regular basis. Another option would be to implement some sort of log collection system.

HTH
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

Know of an easy way to find out who? I'm assuming auditing, but our security logs are unwieldy and if it happened over a couple of days ago, well, you know how that goes.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 3:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain-wide operations masters change

No automatic change mechanism for OM roles. Someone did it. :-)

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Monday, September 26, 2005 1:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain-wide operations masters change

I just noticed our domain-wide operations masters levels all changed. We've had the same PDC/RID/infrastructure master for years, and suddenly it's on a different domain controller. Is there any way this could have changed automatically? Or did a domain admin have to physically make this change?

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] OT: Additional DHCP server same LAN
Counseling indeed!

I made the assumption when you said the same LAN that both companies were sharing the same subnet... and you know what they say about assumptions... Of course Marcus is right if my assumption is incorrect. :)

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 8:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Additional DHCP server same LAN

Are you suggesting counseling, Aric? :)

DHCP is based on broadcast. I suppose if you configured your helpers to point to different subnet segments (assuming the two companies don't share the same subnet) you might be able to do this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Monday, September 26, 2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Additional DHCP server same LAN

Not if they are on the same LAN. Why do you want to do this before the separation? Maybe there is a workaround for whatever problem you are having.

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danny
Sent: Monday, September 26, 2005 1:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Additional DHCP server same LAN

Two companies sharing the same physical LAN, IP configuration, Windows 2000 servers, two separate forests, and one DHCP server. In the not so distant future they will separate. In the meantime, is there a way to point the XP Pro clients from CompanyB to a new DHCP server on the same physical LAN through Group Policy or WMI scripting?

Thank you,
...D
RE: [ActiveDir] flaky gpo
Yeah. What you said ;)

Give me some time - I'll think up an explanation for why I F'ed the whole thing up.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 9/26/2005 2:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] flaky gpo

As far as I can tell, DNS Suffix Search Order is not adapter specific, but rather, if you set it from the Network Connections applet, it is applied to all adapters on the system and set in the following registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList. Maybe you can override it per-adapter, but I didn't see where. When you set the policy, as you noted, the registry value is set at HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\SearchList. This is pretty common where some component has a primary registry location for configuration but then, if it falls under policy control, there is a reg value under the Policies key that overrides the native location, so I suspect that is what is happening.

I tried doing a Regmon while issuing an ipconfig /all and I didn't see any queries against either of these two reg. values. That might mean that ipconfig uses some API call instead of reading out of the registry directly. This makes sense since there are obviously two potential locations that could hold the value, depending upon whether the policy has been set or not. I'm almost positive that ping is using an API call rather than reading the registry, so the up-to-dateness of these tools depends upon when policy is refreshed.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, September 26, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] flaky gpo

Cool. Good to know. In the meantime, this http://www.akomolafe.com/LinkClick.aspx?link=change-DNS-Suffixes-thru-GPO.txt tabid=63mid=431 is (IMO) as good as the adm you are doing now, and it *should* take care of the ipconfig discrepancies. Again, I am not able to test it right now to prove the ipconfig theory, so YMMV. TTY tomorrow :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

Oh yeah - wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd) returns the correct suffix order.

On 9/26/05, Tom Kern [EMAIL PROTECTED] wrote:
My GPO sets it at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. I created a REG_SZ value called SearchList with the suffix values and that shows up when you right-click the adapter under the DNS tab. However, Windows seems to use the other key for things like ping and drive mappings, etc. The only way the ipconfig.exe output changes to reflect the GUI is if you issue an ipconfig /renew. Unfortunately, the other key (that you gave me) has a GUID for each adapter. How am I supposed to set this via a custom adm?

thanks for all your help.

On 9/26/05, [EMAIL PROTECTED] wrote:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

BTW, does this return the correct suffix for you? wmic nicconfig get DNSDomainSuffixSearchOrder (from cmd)

I'm just curious, and not at a place where I can test. I won't be able to see your response for a long time. Going offline.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 9/26/2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] flaky gpo

thanks. disregard that last email... I guess if