[ActiveDir] ADFIND mods

2005-10-10 Thread joe
Not trying to scare anyone but I actually might have somehow hacked CSV
support into the V1.* version of adfind. 

Jerry[1] pulled me off to the side at the MVP summit during the Exec
sessions and threatened to thrash me if I didn't add the ability to support
sorting the attribute output order for objects into adfind. Well actually he
said it very nicely, Jerry is a very nice guy. I say this in case you don't
know him personally. Then Marty List said that is a great idea and then Dean
said it was a good idea which almost made me not do it because Dean doesn't
like me but I decided I liked Jerry and Marty enough to overcome the dislike
Dean has. Yup. ;o) So I got home from the summit, received my email to
myself to remind myself that I needed to make that mod for Jerry so I didn't
have to keep looking in the rearview mirror and sending my cat out to start
the truck. So I pulled up the adfind code and scrolled through it (since I
hadn't looked at the overall flow in months) to reacquaint myself with how
hacked it is (it really is at this point, positively evil). Then I closed it
and waited until the bug bit me to tell me my mind had somehow figured out
how to insert the new code...

Well it bit me tonight while watching My Name is Earl on the Media Center
PC. I had worked out where I needed to further hack the code and opened it
up and started slinging code and have been doing so for the last couple of
hours though now I have to rewatch Earl because I lost the thread of what
was happening.

After I stuck in Jerry's attribute sort so that an object will return the
attributes in an order sorted by attribute name say 

>cn: Users
>dSCorePropagationData: 20050805040803.0Z
>dSCorePropagationData: 20050805040622.0Z
>dSCorePropagationData: 20050805032808.0Z
>dSCorePropagationData: 20050805031109.0Z
>dSCorePropagationData: 16010714223649.0Z
>description: Default container for upgraded user accounts
>distinguishedName: CN=Users,DC=joe,DC=com
>instanceType: 4
>memberOf: CN=MyDL,OU=contacts,DC=joe,DC=com
>name: Users
>objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=joe,DC=com
>objectClass: top
>objectClass: container
>objectGUID: {48F745DD-7E01-4151-A1EA-C7D16085DAE6}
>uSNChanged: 3021990
>uSNCreated: 16365
>whenChanged: 20050805051458.0Z
>whenCreated: 20040309041843.0Z

instead of the default return order from the server of 

>objectClass: top
>objectClass: container
>cn: Users
>description: Default container for upgraded user accounts
>distinguishedName: CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040309041843.0Z
>whenChanged: 20050805051458.0Z
>uSNCreated: 16365
>memberOf: CN=MyDL,OU=contacts,DC=joe,DC=com
>uSNChanged: 3021990
>name: Users
>objectGUID: {48F745DD-7E01-4151-A1EA-C7D16085DAE6}
>objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050805040803.0Z
>dSCorePropagationData: 20050805040622.0Z
>dSCorePropagationData: 20050805032808.0Z
>dSCorePropagationData: 20050805031109.0Z
>dSCorePropagationData: 16010714223649.0Z

I decided to add a quick list function which combines -nodn -nolabel and
inserts the attribute specified into the -sort or -rsort without having to
type the attribute again which I have wanted for some time because I was
tired of typing all of that stuff all of the time.

I then decided since it was all going too smoothly I should take a shot at
CSV output because I really need to crash it good when I am adding new
things so I can slap my forehead and think, what in the world do I do this
for. Plus the mechanism I had set up to pull off Jerry's option I had
architected in such a way that CSV was at least remotely possible
theoretically and how dare I not test the theory. 

This CSV option only works with DN and name if you don't specify specific
attributes or it works with the attributes you specify though DN will always
be the first column. Amazingly, it seems to be working and it isn't entirely
slow. I have to play with it some more and I thought of a couple of other
options to try and stick in and break things before I start officially beta
testing it. Once I get to that point I may annoy some folks into testing it
out for me. If you use adfind a lot and would like to test the new version
when I am ready to let someone find the holes, respond to me with this email
and why you would like to test it and I will put you in the hat. Oh here is
what the csv output looks like at the moment

F:\Dev\CPP\AdFind>adfind -h 2k3dc01 -default -s one name objectclass whenchanged -csv -sort name
"dn","name","objectclass","whenchanged"
"CN=Builtin,DC=joe,DC=com","Builtin","top;builtinDomain","20040625234526.0Z"
"OU=CleanOU,DC=joe,DC=com","CleanOU","top;organizationalUnit","20050804014613.0Z"
"CN=Computers,DC=joe,DC=com","Computers","top;container","20040625234526.0Z"
"OU=contacts,DC=joe,DC=com","contacts","top;organizationalUnit","20050821222039.0Z"
"OU=Domain Controllers,DC=joe,DC=com","Domain Controllers","top;organizationalUnit","2004
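
As an added example (written for this page, not adfind's own code), the Python below models the two behaviours joe describes: a stable sort of an object's attributes by attribute name that keeps the server's order for a multi-valued attribute such as dSCorePropagationData, and a CSV view with the DN always in the first column and multiple values joined with ';'. The sample object and rows are constructed from the values shown in the post; the function names and the case-insensitive matching of requested attribute names are assumptions. Comparing raw attribute names is what puts dSCorePropagationData ahead of description in the sorted listing above (uppercase 'S' sorts before lowercase 'e').

```python
"""Stable attribute sort and CSV view for LDAP search output.

Added example for this page, not adfind's own code. Function names and the
case-insensitive matching of requested attribute names are assumptions;
all sample data is constructed from the values shown in the post.
"""
import csv
import io

# Constructed: (attribute, value) pairs in the order the server returned
# them, taken from the post's "default return order" listing.
SERVER_ORDER = [
    ("objectClass", "top"),
    ("objectClass", "container"),
    ("cn", "Users"),
    ("description", "Default container for upgraded user accounts"),
    ("distinguishedName", "CN=Users,DC=joe,DC=com"),
    ("instanceType", "4"),
    ("whenCreated", "20040309041843.0Z"),
    ("whenChanged", "20050805051458.0Z"),
    ("uSNCreated", "16365"),
    ("memberOf", "CN=MyDL,OU=contacts,DC=joe,DC=com"),
    ("uSNChanged", "3021990"),
    ("name", "Users"),
    ("objectGUID", "{48F745DD-7E01-4151-A1EA-C7D16085DAE6}"),
    ("objectCategory", "CN=Container,CN=Schema,CN=Configuration,DC=joe,DC=com"),
    ("dSCorePropagationData", "20050805040803.0Z"),
    ("dSCorePropagationData", "20050805040622.0Z"),
    ("dSCorePropagationData", "20050805032808.0Z"),
    ("dSCorePropagationData", "20050805031109.0Z"),
    ("dSCorePropagationData", "16010714223649.0Z"),
]


def sort_attributes(pairs):
    """Return the pairs sorted by attribute name.

    Python's sort is stable, so the several values of one attribute keep
    the order the server sent them. The key is the raw attribute name,
    which gives byte order: 'dSCorePropagationData' lands before
    'description' because 'S' < 'e' in ASCII, as in the post's listing.
    """
    return sorted(pairs, key=lambda pair: pair[0])


def format_attributes(pairs):
    """Render pairs as 'attr: value' lines, one line per value."""
    return "\n".join(f"{attr}: {value}" for attr, value in pairs)


# Constructed: (dn, pairs) for three containers, deliberately out of order
# so that the -sort behaviour is visible.
SAMPLE_OBJECTS = [
    ("OU=CleanOU,DC=joe,DC=com",
     [("objectClass", "top"), ("objectClass", "organizationalUnit"),
      ("name", "CleanOU"), ("whenChanged", "20050804014613.0Z")]),
    ("CN=Builtin,DC=joe,DC=com",
     [("objectClass", "top"), ("objectClass", "builtinDomain"),
      ("name", "Builtin"), ("whenChanged", "20040625234526.0Z")]),
    ("CN=Computers,DC=joe,DC=com",
     [("objectClass", "top"), ("objectClass", "container"),
      ("name", "Computers"), ("whenChanged", "20040625234526.0Z")]),
]


def to_csv(objects, attributes, sort_by=None):
    """Render objects as CSV: 'dn' first, then the requested attributes.

    Requested names are matched case-insensitively against the server's
    attribute names (assumption); the header keeps the spelling as typed,
    matching the post's output. Multiple values of one attribute are
    joined with ';', and every field is quoted. sort_by orders the rows
    by one requested attribute, compared case-insensitively (assumption).
    """
    def values_for(pairs, wanted):
        return [v for a, v in pairs if a.lower() == wanted.lower()]

    rows = [[dn] + [";".join(values_for(pairs, a)) for a in attributes]
            for dn, pairs in objects]
    if sort_by is not None:
        lowered = [a.lower() for a in attributes]
        if sort_by.lower() not in lowered:
            raise ValueError(f"-sort attribute {sort_by!r} was not requested")
        col = 1 + lowered.index(sort_by.lower())
        rows.sort(key=lambda row: row[col].lower())
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["dn"] + list(attributes))
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(format_attributes(sort_attributes(SERVER_ORDER)))
    print(to_csv(SAMPLE_OBJECTS, ["name", "objectclass", "whenchanged"], sort_by="name"))
```

The ';' joiner is the one detail worth a second look when such output is consumed downstream: a value that itself contains ';' (a description, say) becomes ambiguous, so anything that re-splits the column needs to know which attributes can legitimately carry that character.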

RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread joe



I don't have a problem with it. Take a peek at it first 
before you for sure tell me you want me to put it up there. I have stuff up 
there that can incite people and you would sort of become associated with it. We 
can do the same thing where we have it sent to you directly 
again.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 11:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Interesting idea... what say you 
joe?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, October 10, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Start a blog? :)
 
Since that takes some time to get traffic, perhaps joe would be willing to 
post your survey on his blog? I imagine he gets some good traffic to his 
blog.
 
Phil 
On 10/10/05, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

  We usually do a big "State of the AD World" survey at DEC, and certainly will again in
  Vegas (assuming there are some people left in the room who haven't already
  headed out to the casino. :)

  I needed some answers sooner than later for a whitepaper I was working on.

  -gil

  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Creamer, Mark
  Sent: Monday, October 10, 2005 1:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

  Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people
  anywhere. Or were you hoping for answers prior to then?
   
  
  
  This e-mail transmission 
  contains information that is intended to be confidential and privileged. If 
  you receive this e-mail and you are not a named addressee you are hereby 
  notified that you are not authorized to read, print, retain, copy or 
  disseminate this communication without the consent of the sender and that 
  doing so is prohibited and may be unlawful. Please reply to the message 
  immediately by informing the sender that the message was misdirected. After 
  replying, please delete and otherwise erase it and any attachments from your 
  computer system. Your assistance in correcting this error is appreciated. 
  


RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Gil Kirkpatrick



Interesting idea... what say you 
joe?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, October 10, 2005 7:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Start a blog? :)
 
Since that takes some time to get traffic, perhaps joe would be willing to 
post your survey on his blog? I imagine he gets some good traffic to his 
blog.
 
Phil 
On 10/10/05, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

  We usually do a big "State of the AD World" survey at DEC, and certainly will again in
  Vegas (assuming there are some people left in the room who haven't already
  headed out to the casino. :)

  I needed some answers sooner than later for a whitepaper I was working on.

  -gil

  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Creamer, Mark
  Sent: Monday, October 10, 2005 1:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

  Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people
  anywhere. Or were you hoping for answers prior to then?
   
  
  
  


RE: [ActiveDir] Schema Updates

2005-10-10 Thread Ayers, Diane

>You 
ever find that often times the products are already bought before your input is 
requested?
 
The better question is when do they 
ever check with you before they buy a product?  Nope...  They usually 
ask someone that has no clue of the impact to the production systems then they 
bring it to us to "implement"
 
We have Unity and it has had a 
major impact to our AD environment although I can say that the users 
(including me) love its functionality.  What irks me more though is 
the version that we implemented initially had major schema changes and then the 
subsequent version decided to move a lot of the data from AD to a separate SQL 
DB.   Why didn't they tell me that BEFORE we irrevocably altered the 
schema?
 
Another good example is Cisco 
ICM.  The version prior to the new 7.x version required a separate 
domain, required domain admin level privileges to operate and schema changes to 
forest as well as a litany of other "issues".  At least version 7.x will 
integrate into an existing corporate domain although requires a dedicated 
OU.  I really get nervous with applications that want to create user 
objects willy-nilly in order to operate.
 
Diane 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 6:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Our movement for Cisco 
Unity was based strictly on a wholesale move to Cisco VoIP solutions all the way 
around.  Apparently there’s some cost savings there somewhere.  I 
dunno… regarding the comment joe made about not ever being in your ad 
environment.  Concur 100%.  You ever find that often times the 
products are already bought before your input is 
requested?
 
I dunno if I have 
bigger problems with cisco being in the software space or their horrible turnout 
of applications after they’ve acquired them.  Unity, call manager, etc… one 
uses ad… one uses dirsync in a proprietary ldap server… odd stuff like 
that.  Not to mention, it took an NDA and massive levels of coercion to get 
cisco to fess up to what the exact permissions were that are required in order 
for unity to work successfully.  That was a good month long ordeal.  
Unfortunately NDA - so I can’t really speak or blog on the exact stuff to 
correct it.  Their reasoning?  Most admins have no idea how to 
configure the ACLs properly to support their application.  I 
digress.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
The price tag will 
definitely drop as soon as Microsoft releases Exchange 12 with UM built in. But, 
it's not THAT expensive today, and there are some great business pluses to it. 
We had no problems showing ROI on VOIP or UM.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, October 10, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
It's a feature with 
lots of "gee whiz!" appeal, but once people see the price tag, the response is 
usually "ouch!"
 
We are still waiting 
for the "year of UM". I'm betting on 2007. :-)
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, October 10, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
I think this is 
definitely a case where Moore's Law hasn't been applicable.  It's 
funny how little this story has changed since I saw the first unified messaging 
demos (then by Octel) about ten years ago.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Entirely your option. 
:) Windows 3.11 and Windows NT are really not the same product. 

 
Note I am not saying I 
won't use cisco routers because they sucked 12 years ago. As someone else 
pointed out, software isn't cisco's ball of wax. There is obviously a little bit 
of a scary point there when you consider though that the IOS is software... 

 
Also as you mentioned, 
it wasn't created or even modified much by cisco. So I don't expect it 
is much different now than what I saw.  
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
And I will never run 
Windows because 3.11 just wasn't that great at networking. 
;-)
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Being the best 

[ActiveDir] October MVP Awards

2005-10-10 Thread Deuby, Sean P
Congratulations to our new and re-awarded Directory Services MVPs!

-Sean

And congratulations to Marc Scheuner - re-awarded MVP for October!

_
From: Gary Wilson
Sent: Monday, October 10, 2005 4:30 PM
To: Gary Wilson
Cc: Mas Libman
Subject: [MVP-Directory Services] October MVP Awards

Hi everyone. I wanted to send out a brief message of Congratulations to our October MVP awardees for Directory Services;

New MVPs for October:
Zubair Alexander
Rodney Buike

Re-awarded MVPs for October
Dean Wells
Jimmy Andersson
David Shaw
Joe Richards
Danny Sanders
William J Stacey
Ace Fekay
Tony Murray
Mark Minasi
Evan Erwee
Dmitry Vladimirovitch Korolyov

As you know, this annual award is first and foremost a 'thank-you' for all of the valuable contributions you make to the MS technical communities. It's also a great time to say thanks to everyone else here for your ongoing community involvement - so thank you all!

Please be sure to visit the Profile pages to see a listing of all MVPs - https://mvp.support.microsoft.com/communities/mvp.aspx - in your technology area. And if you are not listed, you can manage that in your profile (https://mvp.support.microsoft.com/profile/default.aspx) - be sure to keep it updated! ;)

Congratulations again everyone!

Thanks,
Gary
-
Gary Wilson
MVP Lead
Windows Server Technologies

RE: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Ed Crowley [MVP]



What are the entries under E-Mail Addresses for the 
contact?  Which SMTP address is bolded?
 
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)

ok, it goes like this-
i work for a financial corp so we have to stay in compliance.
 
i have 2 smtp connectors- one goes to a compliance server, the other to a 
journal host.
 
for the journal host, all my mail stores point to an external contact(1 
smtp proxy addy) for journaling.
this gets routed out a smtp connector going to the journal server.
the addy on the contact is in the form of [EMAIL PROTECTED]. 
the address space for the smtp connector is *.journaldomain.com. 
when mail gets routed out the smtp connector, the RCPT TO: changes from [EMAIL PROTECTED] 
to [EMAIL PROTECTED] . 
i see this in the smtp protocol log on the virtual server of the bridgehead 
server(i have diag logging turned up to max but the app log shows 
nothing).
The journal server will not accept mail for that domain. 
mail stays in the queue on the bridgehead.
 
here's where it gets weirder-
when i change the smtp connector addy space to servername.journaldomain.com, 
mail starts flowing for awhile but then stops as well.
in the log, i just see MAIL FROM: and RCPT TO:, but nothing else.
 
these 2 things might be unrelated but i'd like to know why exchange 
rewrites the RCPT TO:.
OR
why mail is stuck in the queue in this situation.
 
OR both would be cool too :)
 
SO, Exchange 2k sp3 mixed mode no Exchange 5.5 servers.
 
the contact has 1 smtp proxy addy- [EMAIL PROTECTED]. 
this is the primary and only smtp addy(1 x.400 addy, of course).
curiously whoever set it up didn't uncheck the "update this addy with 
recipient policy" checkbox, but the smtp addy isn't overwritten by the 
RUS.
it still has that addy and not our normal addy set by the RUS.
so as you can see, there are alot of strange exchange things going on 
here.
 
i'd like just an answer to any of these questions.
 
thanks for putting up with me and my story(but i'm sticking to it).
 
thanks
 
 
 
 
On 10/10/05, Ed Crowley 
[MVP] <[EMAIL PROTECTED]> 
wrote: 

  Is this address on a contact that has [EMAIL PROTECTED] as a
  reply address?

  Ed Crowley MCSE+Internet MVP
  Freelance E-Mail Philosopher
  Protecting the world from PSTs and Bricked Backups!™

  From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Monday, October 10, 2005 3:33 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] exchange confusion(OT)
  
  
  that's because this addy has special needs.
  it's a journal contact that needs to be routed out a dedicated connector 
  to a journal server.
   
  i still don't understand why exchange rewrites the address to domain.com instead of servername.domain.com.
   
  thanks 
  On 10/10/05, joe 
  <[EMAIL PROTECTED]> 
  wrote: 
  
I may regret asking this, but recall I don't know squat about Exchange message
routing.

Why do you need a connector? If the name is resolvable from your server, it doesn't
seem like it should need anything special to get to it.

   joe

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)


I have a contact with the addy of [EMAIL PROTECTED].
 
I created a smtp connector with an address space of *.domain.com. 

 
when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it 
rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out 
the servername.
 
i see this in the smtp logs on the server and the remote server doesn't 
accept mail to that addy and is saying "relay not allowed".
 
Now, my question-
why is exchange rewriting the address just because i'm using a wildcard 
in the connector address space?
is this by design?
 
What if i wanted a connector going to every domain under domain.com like subdomain.domain.com 
and childdomain.domain.com 
?
wouldn't i just create a connector with an address space of 
*.domain.com?
 
should exchange 2k just forward the email without changing the RCPT TO: 
headers?
 
am i wrong and clueless as usual?
what am i missing?
 
i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 
5.5 servers or ADC).
 
Thanks a lot


Re: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Phil Renouf
Start a blog? :)
 
Since that takes some time to get traffic, perhaps joe would be willing to post your survey on his blog? I imagine he gets some good traffic to his blog.
 
Phil 
On 10/10/05, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:

We usually do a big "State of the AD World" survey at DEC, and certainly will again in Vegas (assuming there are some people left in the room who haven't already headed out to the casino. :)

 
I needed some answers sooner than later for a whitepaper I was working on. 
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?


Why not just ask the people at DEC - a captive audience of some of the most knowledgeable AD people anywhere. Or were you hoping for answers prior to then?

 





RE: [ActiveDir] Schema Updates

2005-10-10 Thread Marcus.Oh

Our movement for Cisco Unity was based
strictly on a wholesale move to Cisco VoIP solutions all the way around. 
Apparently there’s some cost savings there somewhere.  I dunno…
regarding the comment joe made about not ever being in your ad
environment.  Concur 100%.  You ever find that often times the
products are already bought before your input is requested?

 

I dunno if I have bigger problems with
cisco being in the software space or their horrible turnout of applications after
they’ve acquired them.  Unity, call manager, etc… one uses ad…
one uses dirsync in a proprietary ldap server… odd stuff like that. 
Not to mention, it took an NDA and massive levels of coercion to get cisco to
fess up to what the exact permissions were that are required in order for unity
to work successfully.  That was a good month long ordeal.  Unfortunately
NDA - so I can’t really speak or blog on the exact stuff to correct it. 
Their reasoning?  Most admins have no idea how to configure the ACLs
properly to support their application.  I digress.

 



:m:dsm:cci:mvp
marcusoh.blogspot.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 7:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates



 

The price tag will definitely drop as soon
as Microsoft releases Exchange 12 with UM built in. But, it's not THAT
expensive today, and there are some great business pluses to it. We had no
problems showing ROI on VOIP or UM.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, October 10, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

It's a feature with lots of "gee
whiz!" appeal, but once people see the price tag, the response is usually
"ouch!"

We are still waiting for the "year of
UM". I'm betting on 2007. :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, October 10, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I think this is definitely a case where Moore's Law hasn't been
applicable.  It's funny how little this story has changed since I saw the
first unified messaging demos (then by Octel) about ten years ago.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Entirely your option. :) Windows 3.11 and
Windows NT are really not the same product.

Note I am not saying I won't use cisco
routers because they sucked 12 years ago. As someone else pointed out, software
isn't cisco's ball of wax. There is obviously a little bit of a scary point
there when you consider though that the IOS is software...

Also as you mentioned, it
wasn't created or even modified much by cisco. So I don't expect it
is much different now than what I saw.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11
just wasn't that great at networking. ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make
something good and doesn't need a lot of work. :o)

It just means it is better than the other
sucky alternatives.

I haven't seen unity in years but when I
last saw it, it had me swearing about how bad it was. I seem to recall saying
something along the lines of that will never be in any AD I ever manage.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's
the best unified messaging app there is right now. Actually has been for over 5
years. I believe that the reason it's as good as it is, is that it was not
created or even modified much by Cisco, they simply bought a really good
product and left it be for the most part.

As for the schema updates, it didn't work.
We made the registry change and it did work. I don't see how that would be tied
to the app as no changes were made there. But who knows.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm.  I need to think about that
again.  I think I only saw this behavior in the lab where all the servers
were upgraded 

RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread joe
:o)

Don't even need to worry about multiple ports. It is all hierarchical. I
can, for instance run 50 NCs on a single ADAM instance on a single server. I
could also run 50 different instances of ADAM on 50 different ports. Which
makes more sense? But otherwise yes, the SRV records coupled with the
builtin hierarchical structure just helps in many ways. 

As for the iusr accounts and actually any accounts for the system provided
services and cluster accounts, etc. I don't like them. I like connection
agreements for chatting between machines. This service on this machine can
talk to that service on that machine. Look at DNS/WINS replication. Look at
Exchange now. Etc.

There are lots of cases that spinning up two whole domain controllers for
two different domains is extreme overkill versus simply allowing the one DC
handle principals from the two domains. Even better in my opinion would be a
DC that could auth someone from any domain, basically a caching DC, once
someone auth's there, their credentials come down and sit there until some
TTL and then they are purged. 

Out of curiosity, does anyone know if anyone has tried integrating MIT or
Heimdal kerb packages into a server running ADAM using ADAM for the backend
principal store?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Agreed - the legacy APIs pose a serious problem in many cases.  

After noodling over the LDAP issue a little more, and recalling that ports
are specified in the SRV records :), any AD-aware or SRV-aware
system/application should be able to handle multiple instances of LDAP on a
single server (assuming they are each using a different port or IP).

The SYSVOL issue is also negligible as, like you said, the file system
hierarchy was clearly designed with the domain name embedded.  The only
issue here that remains (in its current incarnation) is that of data
replication.  Given the advancements shown in DFSR this should be easily
overcome with the only problem being replicating data to places it should
not be (i.e. a legacy DC running some antiquated OS like W2K or
W2K3 pre-R2 ;-).

There are of course other unhandled issues such as which domain should the
IUSR_Machine user object be created in if IIS is installed/running on a
multi-domain capable DC?  (Or better yet, should the IUSR account exist at
all?)  Regardless, there is a substantial trail of legacy issues that have
to be handled before multi-domain DCs can come to fruition.  Of course we
should more properly be talking about multi-forest DCs as opposed to
multi-domain DCs - or does that just blur the entire security boundary issue
a bit too much?

Needless to say, given the current technology, using virtual guest operating
systems atop your favorite virtualization product is a viable way to
generally satisfy the need for running multiple domains on a single piece of
hardware as opposed to the desire of running them all on a single OS
instance albeit at a higher theoretical cost for system management and other
pay for software that is installed in each instance.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I don't think the issue is there. When you make an LDAP call, you specify
where you want to go, the hierarchy is all there and required in the call.
Also I don't believe the issue is in SYSVOL, if you look at the sysvol
structure, it has the domain component in there. In fact when I first saw
that in say Oct 1999 in the gold product I was thinking... H is MS
thinking about supporting multiple domains from a single DC? One of the big
issues is at the level of all of the old NET style calls. You specify a
server, not a domain, then it assumes there is one auth point on that one
server (i.e. one SAM in the old days) and it works it. If a call came in for
user bob on server123 and there were three domains or partitions or x hosted
all of which have bob, which one gets sent back? 

If the old NET functionality got dumped, I would be rewriting quite a bit of
code. The only reason I am not already doing it is that there is no impetus
to, it works, I don't have to worry about it. At the same time, that holds
back from doing newer and cooler things if MS did offer the option to move
on. If that option were there though... I would start rewriting to get to
it. At the present time, there is no sign of the death of the NET API so
there is no reason to rewrite something that works fine using it unless
there is some other reason (like you need something that isn't accessible
through the API). Even on this list which has a lot of the more eager
techofolks, we discuss the WinNT provider and other NET API based methods
quite a 

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread joe



Part of what you are talking about if I understand what you 
are talking about is going to be in the later longhorn product or blackcomb. 
Look up the term hypervisor which will help with the virtualization and 
integrated right into the OS.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 6:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


Well once upon a time, 
Operating System was software that handled all the I/O and hardware… Windows 
uses how many MB/GB for that now, and there is a crossing over between kernel 
mode and app/user mode… if you could really separate off the kernel mode so you 
could run multiple things on it independently of each other and not caring about 
the kernel parts, then, um, you wouldn’t have to buy ESX :)
 
I’ll have to look into 
the archives on the differencing disks thing!
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 
One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 
 
Well with this, you can 
use differencing disks. I do it now after Dean talked about it. I build one 
server and then spin up Differencing disks off of it and it dramatically 
reduces my disk use. 
 
As for everything else, 
you are describing running everything on a single machine with virtualization up 
at the subsystem level which isn't really virtualization in the same terms of 
the hardware virtualization. You still have a single registry and source for 
device drivers, etc. 
 
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
I’m a bit confused as 
to what she was trying to say… in the quote below, she says four VMs, but she 
doesn’t say four instances of 
Windows… and she says that they’ll only charge for virtual images of Windows 
actually running.  I take that to mean that if I have a box with 10 virtual 
machines defined but only 4 running at a time, that I only have to pay for 
4?  Unless I start a 5th one before I bring one of the others 
down?  Does it mean that currently I’d have to pay for 10?  Or is it 
that if I am only running 4 I can run them on top of one purchased copy of 
Windows Server 2003 R2 EE?
 
One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 

http://www.pcworld.com/news/article/0,aid,122949,00.asp 

 

Virtual Windows License Simplified

 

 


Microsoft also will al

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread joe
Again, I am speaking legacy baggage. If you were a UNIX developer, would you
rather stick to writing to old proprietary interfaces or using standards
based interfaces like LDAP and Kerberos, etc. Again, all of the integration
going on now is working in those areas. Those areas will move fine into the
new realms. It is the old NET based stuff that needs to be burned out of the
product. Exactly the stuff that all of the non-MS folks have bitched about
year after year. Dumping the legacy gives us a chance to move forward and
not be stuck with the idea that a DC is x and can't be anything but x. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Hmm... No, I disagree joe.  Microsoft does need to worry about adoption of
their products and any barriers, real or imagined, to that adoption.  *nix
integration is a reality. Get used to it.  Be sure to take it into account
for future releases. Be sure to protect the investment of your developer
followers [1]. Create a framework that developers can develop to and be
somewhat future proof else your customers won't adopt your products.
Remember, customers don't buy operating systems for the sake of the
operating system, they buy them for what they do and what they contribute to
their business. It's the applications that the company wants to run that
causes people to buy new OS and new hw. 64bit computing would be a great
example of that. And MS gets it as evidenced by their strategy to embrace
the developers prior to the release.  It's about the applications not the
OS.  It's just that the applications don't exist without a solid foundation
such as a really strong, reliable, and easy to maintain OS running the
hardware. 

It takes time to build the ecosystem, but adoption only happens when there
is a compelling reason.  Apps are that reason.  


[1] Developers! Developers! Developers! ~ SteveB [2] [2] remember why he
said that?  Because they totally dissed the dev community prior to that.
Badly. And paid the price for it.[3] [3] why do people pick Microsoft in the
first place?  Because they have the absolute latest and greatest technology?
Nope. Because they have the best technology? Nope (seen RMS lately? I rest
that case)  Because they have the most applications written for their
platform? Yep. Can't swing a dead cat without hitting a MS application. Even
open source writes apps that run on Windows because they want their apps
adopted.  



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode


> - Blackcomb clients would need to be available several years before the
> blackcomb server.

Well no, that is why you have the functional mode associated with it. It
doesn't just happen, the customer chooses to do it. Someone setting up a
brand new environment would be good to go immediately. Someone with legacy
that they are trying to clean up could take as long as they like. The
benefit is that it is a step forward. 

> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix,
> Mac etc]
 
By the vendors who supply those clients and the people who have them
deployed, yes. Not MS. Part of the reason we are stuck with so much legacy
baggage is due to MS worrying so much about the legacy clients that they do
not control. There are some great blogs out there of stuff MS has done to
make it so incorrectly written apps work with their changes and results in
all sorts of special cases in the OS. That is the kind of stuff I would like
to see going away. It makes MS more limber and hopefully less chance for
weird corner cases. 


The new model may not look anything like the current model, the fact that
you have a functional mode to jump to this mode allows the customer to
choose when to go to it. At some point, maybe two revs past Blackcomb, that
new mode is the mode Windows uses and all legacy is gone.

 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

 - Blackcomb clients would need to be available several years before the
blackcomb server.
 - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac
etc]



neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only ar

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread joe
Jumping to redhat doesn't give you a migration strategy, it is simply jump!
What I am describing is a mode that lets you say when to jump. In the
meanwhile, you can work towards it with the current environment. At some
point you say, well everything should be using the new stuff, bam.

Note I am not saying screw everything non-MS, I am saying screw everything
that hasn't started moving from the old crap. The MACs and Samba packages
that are using LDAP and Kerberos for instance would almost certainly be
perfectly fine as I don't see MS moving from those plus they support
multiple backend hierarchies, a domain model isn't required, a single domain
on a DC isn't required. However if they are still using Auth/Authz routines
that were old a long time ago, those need to die. Those old code paths need
to die. This isn't just about being able to run multiple domains on a single
DC, it is about revamping the whole domain concept and losing all of the
legacy holdbacks we currently have. Often I hear things that people say MS
should do and the reason MS can't do it is because it is tied to APIs that
are well over a decade old. When you really get down to it, the stuff that
is non-MS that depends on MS now wasn't written by MS, the chances are good
that people are going to fix it because nothing has changed in the reasons
why it was done in the first place. 

As for adding more and more servers and virtualized instances. I don't like
the idea even if they are virtualized. Each one is its own support and
patching problem. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Well, that's really my point.  You can't really take away some of those
"apps" that exist today.  They're too ingrained in the way people use the
technology.  They really are the value add at the core of the product.
Otherwise, this would be fine by me:
http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built
in headache to manage.  But it also has a LOT less functionality that I need
which are provided by those apps that will one day be legacy. 

I can be open minded and forward thinking.  Let's just leave it at "provide
same or better functionality" as I get now to provide the push I need to
move to a new paradigm [1]. But if you plan to take that away, then I don't
see the value you provide (at this point). If you do provide a complete
instance for each of those, how does that differ from the VM path? Am I just
missing the concept here? I hate to be so close minded that I miss the
point, but I also don't want to be so open minded my brains fall out. I need
a boundary in an open forum. Just a beer in a closed forum. 

Seriously Joe, I get the concept of wanting this type of functionality.
What I don't get is the value it adds.  It comes across as a lot of trouble
for a gee-whiz feature with no substance that helps me attain my business
goals.  I'm more of the DC in a VM camp because I prefer the isolation.  Is
that old-school?  I don't know.  Does that help others out?  Not sure.
Would putting multiple domains on the same piece of hardware be helpful?
Without a doubt.  Does it need to be in the same instance of the hard.  Yep.
Does that mean that there could be multiple instances that all are
self-contained AD's complete with kerberos, dns, dhcp, wins (collectively
name res because one of those should not be in BC release; I'll let you
decide which one) GPO, etc?  I don't buy into that as having a tremendous
amount of value.  It would be nice to be able to do it for a lot of the
multi-forest models (test forest, production forest, exchange forest, Bob's
spam forest, etc) but I don't know that effort should be spent to do it that
way vs. using virtualization of the entire OS.  I see some stability issues
that could come about that I'm not comfortable with.  I see some
authentication and administration issues I'm not comfortable with.  I don't
see a value in terms of hardware savings.  That's not the issue IMHO. I can
achieve that today and be very happy with it.  

Don't get me wrong, I DO think that a service based AD is certainly needed.
Especially for maintenance and troubleshooting, but that's a different issue
that's much more easily solved.  But putting three, four, five, etc
authentications realms on the same hardware in the same OS instance doesn't
buy me much that I can see.  I don't see a cost savings.  I don't see a
reliability gain.  I don't see it being worth the upgrade PITA. I do see it
would be cool.  I don't see it as being faster to restore thereby achieving
a higher service reliability. 

Not to be long-winded, but I think I may just not be seeing it the right
way.  I may be thinking in terms of today's architecture and that it is
so tied to the registry (For the love of  is
that???) that it would not be truly separate

RE: [ActiveDir] Adding custom fields to AD

2005-10-10 Thread Darren Mar-Elia
Now that's deep :-)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
[MVP]
Sent: Monday, October 10, 2005 3:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

A lot of things sucked with NT 3.50.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, October 09, 2005 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

In the NT 3.50 days, WINS was a mess. I'm sorry but no amount of good
design would help it. It just sucked. It got progressively better in NT
4.0 but I saw lots of corruptions of many kinds in 3.5x and I knew a
thing or two about WINS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

I would guess that it never got that far. My experience with folks
troubleshooting WINS is that they don't look very deep, someone can't
resolve XYZ server name and they stop the service, delete the DB, and
repopulate and call the DB corrupt. 

I think I said this in another post but I have never seen a corrupt WINS
DB though I have had lots of people tell me that WINS was corrupt. I
have seen lots of dorked up individual entries and simply deleting that
entry and reregistering gets everything working fine again. The worst
cases I have seen have been really poorly configured SAMBA machines
stomping on domain records though I once heard of a really misconfigured
Windows machine knocking a Fortune 50 down for a bit because someone
built their own domain with the same domain name as the corporate domain
and registered it in the production WINS environment. The solution there
ended up being shut down WINS and deleting the WINS DB and letting it
rebuild... 
 
  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

Tom, what revision of the server OS was the WINS server?  NT 4.0?  Did
you ever determine if the WINS DB corruptions were being exposed at the
app/WINS level (esentutl /g succeeds) or ESE level (esentutl /g fails)?

esentutl /g (the svc/DB must be offline for this) is the (slightly
simplistic) method for determining if the corruption is exposing itself
at the app logic level or the ESE level.

Was the server being hard powered down (power outage)?

Just curious.

Cheers,
-BrettSh [msft] - ESE Developer


On Sat, 8 Oct 2005, Tom Kern wrote:

> I've had the reverse-
> last place i worked at had corrupted WINS at least once every 2
> months (this could have been due to my lousy admin skills). i've never had
> issues with dns (could be my dumb luck). now i work for a corp that has
> netbios/tcp disabled and relies solely on dns (both MS and BIND) with
> no name resolution issues.
> also wins replication seems much more complex than standard
> primary/secondary dns replication.
> and i'm not one to think i know anything as an admin or would even
> think of getting into such a discussion with someone as experienced
> and knowledgeable as you, but i've always found dns easier than wins and
> netbios names in general.
> my only difficulty came with learning dns on BIND/Linux and just
> wrapping my head around AD integrated dns when i first came to Windows.
> sometimes when you learn something via the command line, using the gui
> just confuses things.
> then again i'm probably one of those guys who "thinks" he knows dns
> but really doesn't know anything and hasn't found out yet :(
> what would you think would be a good replacement for dns/wins?
> thanks
> 
> On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> >
> > I wasn't saying I like WINS better than DNS or vice versa, just said
> > I don't like DNS. I especially dislike the AD/DNS integration. I
> > don't like chicken and egg problems.
> > BTW, as you bring up WINS. 1. I've never had a corrupted WINS Database.
> > 2. Fewer admins had name resolution issues replication based issues
> > with WINS than they do with DNS. 3. The complexity of DNS seems to
> > put many admins off the deep end, interestingly enough, the same
> > admins who said they couldn't figure out WINS say they know all about DNS.
> > But again, my comment wasn't I like WINS more than DNS, or I like
> > any name resolution systems better than DNS, it was simply I don't
> > like DNS.
> >
> > --
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Tom Kern
> > *Sent:* Saturday, October 08, 2005 12:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] 

Re: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Tom Kern
oh yeah, i can telnet to the journal server from the bridgehead.
NO IMF. NO tarpitting.
 
the bridgehead routes mail to the journal server via a simple GRE tunnel bet 2 cisco routers.
 
thanks again.
i think this needs the help of joe and a "freelance email philosopher" (hopefully not an existential one).
 
 
thanks again :)
 
On 10/10/05, Tom Kern <[EMAIL PROTECTED]> wrote:

ok, it goes like this-
i work for a financial corp so we have to stay in compliance.
 
i have 2 smtp connectors- one goes to a compliance server, the other to a journal host.
 
for the journal host, all my mail stores point to an external contact(1 smtp proxy addy) for journaling.
this gets routed out a smtp connector going to the journal server.
the addy on the contact is in the form of [EMAIL PROTECTED]. the address space for the smtp connector is *.journaldomain.com. 

when mail gets routed out the smtp connector, the RCPT TO: changes from [EMAIL PROTECTED] to [EMAIL PROTECTED].
i see this in the smtp protocol log on the virtual server of the bridgehead server (i have diag logging turned up to max but the app log shows nothing).
The journal server will not accept mail for that domain. 
mail stays in the queue on the bridgehead.
 
here's where it gets weirder-
when i change the smtp connector addy space to servername.journaldomain.com, mail starts flowing for awhile but then stops as well.

in the log, i just see MAIL FROM: and RCPT TO:, but nothing else.
 
these 2 things might be unrelated but i'd like to know why exchange rewrites the RCPT TO:.
OR
why mail is stuck in the queue in this situation.
 
OR both would be cool too :)
 
SO, Exchange 2k sp3 mixed mode no Exchange 5.5 servers.
 
the contact has 1 smtp proxy addy- [EMAIL PROTECTED]. this is the primary and only smtp addy(1 
x.400 addy, of course).
curiously whoever set it up didn't uncheck the "update this addy with recipient policy" checkbox, but the smtp addy isn't overwritten by the RUS.
it still has that addy and not our normal addy set by the RUS.
so as you can see, there are a lot of strange exchange things going on here.
 
i'd like just an answer to any of these questions.
 
thanks for putting up with me and my story(but i'm sticking to it).
 
thanks

 
 
 
 
On 10/10/05, Ed Crowley [MVP] <[EMAIL PROTECTED]> wrote:

Is this address on a contact that has 
[EMAIL PROTECTED] as a reply address?
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)


thats because this addy has special needs.
its a journal contact that needs to be routed out a dedicated connector to a journal server.
 
i still don't understand why exchange rewrites the address to domain.com instead of 
servername.domain.com.
 
thanks 
On 10/10/05, joe <[EMAIL PROTECTED]> wrote: 


I may regret asking this, but recall I don't know squat about Exchange message routing.
 
Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it. 

 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)
 


I have a contact with the addy of [EMAIL PROTECTED].
 
I created a smtp connector with an address space of *.domain.com. 
 
when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as 
[EMAIL PROTECTED], taking out the servername.
 
i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".
 
Now, my question-
why is exchange rewriting the address just because i'm using a wildcard in the connector address space?
is this by design?
 
What if i wanted a connector going to every domain under domain.com like 
subdomain.domain.com and childdomain.domain.com ?
wouldn't i just create a connector with an address space of *.domain.com?
 
should exchange 2k just forward the email without changing the RCPT TO: headers?
 
am i wrong and clueless as usual?
what am i missing?
 
i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 5.5 servers or ADC).
 
Thanks a lot
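
As an added example that is not part of the thread (constructed input, not the poster's real logs), a small checker for the two symptoms described in the messages above: a RCPT TO whose domain no longer matches the journal contact's configured SMTP address, and a session that issues MAIL FROM / RCPT TO and then records no response at all. The one-verb-per-line log layout, the session ids and the addresses are assumptions made to keep the example self-contained; the real Exchange 2000 protocol log uses the W3C extended format with more fields.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, simplified protocol-log lines: "session-id verb argument [response]".
# Session s1 is a healthy delivery, s2 shows the rewritten recipient being
# rejected, s3 shows a session that stops after RCPT TO with no response.
SAMPLE_LOG = """\
s1 MAIL FROM:<user1@corp.example> 250
s1 RCPT TO:<journal@journalsrv.journaldomain.example> 250
s1 DATA - 354
s2 MAIL FROM:<user2@corp.example> 250
s2 RCPT TO:<journal@journaldomain.example> 550
s3 MAIL FROM:<user3@corp.example> 250
s3 RCPT TO:<journal@journalsrv.journaldomain.example>
"""

# Constructed value: the single SMTP proxy address on the journal contact.
JOURNAL_CONTACT = "journal@journalsrv.journaldomain.example"

LINE_RE = re.compile(
    r"^(?P<sid>\S+)\s+(?P<verb>MAIL|RCPT|DATA)\s+(?P<arg>\S+)(?:\s+(?P<code>\d{3}))?$"
)
ADDR_RE = re.compile(r"<([^>]+)>")


@dataclass
class Session:
    sid: str
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    last_verb: Optional[str] = None   # last verb seen in this session
    last_code: Optional[str] = None   # response code on that line, if any


def parse_sessions(log_text: str) -> Dict[str, Session]:
    """Group log lines by session id and record envelope addresses and responses."""
    sessions: Dict[str, Session] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines outside the simplified layout
        s = sessions.setdefault(m["sid"], Session(m["sid"]))
        addr = ADDR_RE.search(m["arg"])
        if m["verb"] == "MAIL" and addr:
            s.mail_from = addr.group(1).lower()
        elif m["verb"] == "RCPT" and addr:
            s.rcpt_to.append(addr.group(1).lower())
        s.last_verb, s.last_code = m["verb"], m["code"]
    return sessions


def split_address(addr: str) -> Tuple[str, str]:
    local, _, domain = addr.rpartition("@")
    return local, domain


def find_rewrites(sessions: Dict[str, Session], expected: str) -> List[Tuple[str, str]]:
    """(session, rcpt) pairs where the local part matches the configured contact
    address but the domain differs, i.e. the transport rewrote the recipient."""
    exp_local, exp_domain = split_address(expected.lower())
    hits = []
    for s in sessions.values():
        for rcpt in s.rcpt_to:
            local, domain = split_address(rcpt)
            if local == exp_local and domain != exp_domain:
                hits.append((s.sid, rcpt))
    return hits


def find_stalled(sessions: Dict[str, Session]) -> List[str]:
    """Sessions whose last logged verb is RCPT with no response recorded."""
    return [s.sid for s in sessions.values()
            if s.last_verb == "RCPT" and s.last_code is None]


def find_rejected(sessions: Dict[str, Session]) -> List[Tuple[str, str]]:
    """Sessions whose RCPT TO drew a permanent (5xx) rejection from the peer."""
    return [(s.sid, s.last_code) for s in sessions.values()
            if s.last_verb == "RCPT" and s.last_code and s.last_code.startswith("5")]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print("rewritten recipients:", find_rewrites(sess, JOURNAL_CONTACT))
    print("rejected after RCPT :", find_rejected(sess))
    print("stalled after RCPT  :", find_stalled(sess))
```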


Re: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Tom Kern
ok, it goes like this-
i work for a financial corp so we have to stay in compliance.
 
i have 2 smtp connectors- one goes to a compliance server, the other to a journal host.
 
for the journal host, all my mail stores point to an external contact(1 smtp proxy addy) for journaling.
this gets routed out a smtp connector going to the journal server.
the addy on the contact is in the form of [EMAIL PROTECTED]. the address space for the smtp connector is *.journaldomain.com. 
when mail gets routed out the smtp connector, the RCPT TO: changes from [EMAIL PROTECTED] to [EMAIL PROTECTED].
i see this in the smtp protocol log on the virtual server of the bridgehead server (i have diag logging turned up to max but the app log shows nothing).
The journal server will not accept mail for that domain. 
mail stays in the queue on the bridgehead.
 
here's where it gets weirder-
when i change the smtp connector addy space to servername.journaldomain.com, mail starts flowing for awhile but then stops as well.
in the log, i just see MAIL FROM: and RCPT TO:, but nothing else.
 
these 2 things might be unrelated but i'd like to know why exchange rewrites the RCPT TO:.
OR
why mail is stuck in the queue in this situation.
 
OR both would be cool too :)
 
SO, Exchange 2k sp3 mixed mode no Exchange 5.5 servers.
 
the contact has 1 smtp proxy addy- [EMAIL PROTECTED]. this is the primary and only smtp addy(1 x.400 addy, of course).
curiously whoever set it up didn't uncheck the "update this addy with recipient policy" checkbox, but the smtp addy isn't overwritten by the RUS.
it still has that addy and not our normal addy set by the RUS.
so as you can see, there are a lot of strange exchange things going on here.
 
i'd like just an answer to any of these questions.
 
thanks for putting up with me and my story(but i'm sticking to it).
 
thanks
 
 
 
 
On 10/10/05, Ed Crowley [MVP] <[EMAIL PROTECTED]> wrote:

Is this address on a contact that has 
[EMAIL PROTECTED] as a reply address?
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)


thats because this addy has special needs.
its a journal contact that needs to be routed out a dedicated connector to a journal server.
 
i still don't understand why exchange rewrites the address to domain.com instead of 
servername.domain.com.
 
thanks 
On 10/10/05, joe <[EMAIL PROTECTED]> wrote:
 

I may regret asking this, but recall I don't know squat about Exchange message routing.
 
Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it. 

 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)
 


I have a contact with the addy of [EMAIL PROTECTED].
 
I created a smtp connector with an address space of *.domain.com. 
 
when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as 
[EMAIL PROTECTED], taking out the servername.
 
i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".
 
Now, my question-
why is exchange rewriting the address just because i'm using a wildcard in the connector address space?
is this by design?
 
What if i wanted a connector going to every domain under domain.com like 
subdomain.domain.com and childdomain.domain.com ?
wouldn't i just create a connector with an address space of *.domain.com?
 
should exchange 2k just forward the email without changing the RCPT TO: headers?
 
am i wrong and clueless as usual?
what am i missing?
 
i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 5.5 servers or ADC).
 
Thanks a lot


RE: [ActiveDir] Schema Updates

2005-10-10 Thread Tim Vander Kooi



The price tag will definitely drop as soon as Microsoft 
releases Exchange 12 with UM built in. But, it's not THAT expensive today, and 
there are some great business pluses to it. We had no problems showing ROI 
on VOIP or UM.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, October 10, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

It's a feature with lots of "gee whiz!" appeal, but once 
people see the price tag, the response is usually "ouch!"
 
We are still waiting for the "year of UM". I'm betting on 
2007. :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley [MVP]
Sent: Monday, October 10, 2005 6:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I think this is definitely a case where Moore's Law hasn't 
been applicable.  It's funny how little this story has changed since I saw 
the first unified messaging demos (then by Octel) about ten years 
ago.
Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Entirely your option. :) Windows 3.11 and Windows NT are 
really not the same product. 
 
Note I am not saying I won't use cisco routers because they 
sucked 12 years ago. As someone else pointed out, software isn't cisco's ball of 
wax. There is obviously a little bit of a scary point there when you consider 
though that the IOS is software... 
 
Also as you mentioned, it wasn't created or even 
modified much by cisco. So I don't expect it is much different now than what I 
saw.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11 just wasn't that 
great at networking. ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and 
doesn't need a lot of work. :o)
 
It just means it is better than the other sucky 
alternatives.
 
I haven't seen unity in years but when I last saw it, it 
had me swearing about how bad it was. I seem to recall saying something along 
the lines of that will never be in any AD I ever manage. 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is right now. Actually has been for over 5 years. I believe that the reason it's as good as it is, is that it was not created or even modified much by Cisco, they simply bought a really good product and left it be for the most part.
As for the schema updates, it didn't work. We made the 
registry change and it did work. I don't see how that would be tied to the app 
as no changes were made there. But who knows.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Hmmm.  I need to think about that again.  I think I only saw this behavior in the lab where all the servers were upgraded instead of wipe and replace.  In production, we upgraded initially then did a replacement effort later.

More to the point, UGH Cisco Unity… I wish to Christ they’d stick to hardware and stop venturing into software… 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Was it maybe the app itself disallowing the update? Did you try to just modify the schema to see if it would work? Say change the rangeupper of cn or something like that and then change it back. Something innocuous. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here.  I think upgraded scenarios have this.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Upgraded.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subje

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Dean Wells



Note also that there is also a significant IO (and therefore performance) benefit in using undoable/differencing disks in this manner across ESX, Virtual Server, Virtual PC and VMware Workstation.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 
 
Well with this, you can use differencing disks. I do it now after Dean talked about it. I build one server and then spin up Differencing disks off of it and it dramatically reduces my disk use. 
 
As for everything else, you are describing running 
everything on a single machine with virtualization up at the subsystem level 
which isn't really virtualization in the same terms of the hardware 
virtualization. You still have a single registry and source for device drivers, 
etc. 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


I’m a bit confused as 
to what she was trying to say… in the quote below, she says four VMs, but she 
doesn’t say four instances of 
Windows… and she says that they’ll only charge for virtual images of Windows 
actually running.  I take that to mean that if I have a box with 10 virtual 
machines defined but only 4 running at a time, that I only have to pay for 
4?  Unless I start a 5th one before I bring one of the others 
down?  Does it mean that currently I’d have to pay for 10?  Or is it 
that if I am only running 4 I can run them on top of one purchased copy of 
Windows Server 2003 R2 EE?
 
One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 

http://www.pcworld.com/news/article/0,aid,122949,00.asp 

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at no extra cost, Kelly said. 
  
 





RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Dean Wells



They're inherently the same ... undoable disks ... they're just easier to work with (as is the whole product in my entirely VMware biased opinion).

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, October 10, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


VMWare Workstation I think starting with 5.0 has a similar concept to differencing disks. Usually these things end up in the GSX platform, it just takes a while. ESX has a differencing disks type story, I forget what it's called, though. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132
 
 





RE: [ActiveDir] Schema Updates

2005-10-10 Thread Michael B. Smith



It's a feature with lots of "gee whiz!" appeal, but once 
people see the price tag, the response is usually "ouch!"
 
We are still waiting for the "year of UM". I'm betting on 
2007. :-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install?
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

I just did this last week to install Cisco Unity and I still had to enable schema updates in Windows 2003 ev

RE: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Ed Crowley [MVP]



Is this address on a contact that has [EMAIL PROTECTED] as a reply address?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)

that's because this addy has special needs.
it's a journal contact that needs to be routed out a dedicated connector to a journal server.

i still don't understand why exchange rewrites the address to domain.com instead of servername.domain.com.

thanks 
On 10/10/05, joe <[EMAIL PROTECTED]> wrote: 

  I may regret asking this, but recall I don't know squat about Exchange message routing.
   
  Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it. 
   
     joe
   
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
  Sent: Monday, October 10, 2005 3:28 PM
  To: activedirectory
  Subject: [ActiveDir] exchange confusion(OT) 
  
  
  I have a contact with the addy of [EMAIL PROTECTED].
   
  I created a smtp connector with an address space of *.domain.com. 
   
  when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername.
   
  i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".
   
  Now, my question-
  why is exchange rewriting the address just because i'm using a wildcard 
  in the connector address space?
  is this by design?
   
  What if i wanted a connector going to every domain under domain.com like subdomain.domain.com and 
  childdomain.domain.com 
  ?
  wouldn't i just create a connector with an address space of 
  *.domain.com?
   
  should exchange 2k just forward the email without changing the RCPT TO: 
  headers?
   
  am i wrong and clueless as usual?
  what am i missing?
   
  i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 5.5 
  servers or ADC).
   
  Thanks a lot


RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Bernard, Aric
Agreed - the legacy APIs pose a serious problem in many cases.  

After noodling over the LDAP issue a little more, and recalling that
ports are specified in the SRV records :), any AD aware or SRV aware
system/application should be able to handle multiple instances of LDAP
on a single server (assuming they are each using a different port or
IP).

The SYSVOL issue is also negligible as, like you said, the file system
hierarchy was clearly designed with the domain name embedded.  The only
issue here that remains (in its current incarnation) is that of data
replication.  Given the advancements shown in DFSR this should be easily
overcome with the only problem being replicating data to places it
should not be (i.e. a legacy DC running some antiquated OS like W2K or
W2K3 pre-R2 ;-).

There are of course other unhandled issues such as which domain should
the IUSR_Machine user object be created in if IIS is installed/running
on a multi-domain capable DC?  (Or better yet, should the IUSR account
exist at all?)  Regardless, there is a substantial trail of legacy
issues that have to be handled before multi-domain DCs can come to
fruition.  Of course we should more properly be talking about
multi-forest DCs as opposed to multi-domain DCs - or does that just blur
the entire security boundary issue a bit too much?

Needless to say, given the current technology, using virtual guest
operating systems atop your favorite virtualization product is a viable
way to generally satisfy the need for running multiple domains on a
single piece of hardware as opposed to the desire of running them all on
a single OS instance albeit at a higher theoretical cost for system
management and other pay for software that is installed in each
instance.


Aric
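Aric's point that the port travels inside the SRV record, so an SRV-aware client can reach more than one LDAP instance on the same host, is easy to see in code. The block below is an added example, not code from the list or from any poster. The `_ldap._tcp.dc._msdcs.joe.com` records are constructed for the illustration (the hosts, weights and ports are made up), and the ordering follows RFC 2782, lowest priority first and weighted random selection within a priority, which goes a little beyond what Aric describes.

```python
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class SrvRecord:
    """One DNS SRV record (RFC 2782): priority, weight, port and target host."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample (not real DNS data): what a resolver might hand back for
# _ldap._tcp.dc._msdcs.joe.com if one server hosted two LDAP instances.
# dc1.joe.com appears twice, distinguished only by port.
SAMPLE_SRV: List[SrvRecord] = [
    SrvRecord(priority=0, weight=100, port=389, target="dc1.joe.com"),
    SrvRecord(priority=0, weight=100, port=3268, target="dc1.joe.com"),
    SrvRecord(priority=0, weight=50, port=389, target="dc2.joe.com"),
    SrvRecord(priority=10, weight=0, port=389, target="dc-backup.joe.com"),
]


def instances_on_host(records: Sequence[SrvRecord], host: str) -> List[int]:
    """Ports advertised for one host; each port is a separate LDAP instance."""
    return sorted({r.port for r in records if r.target == host})


def _pick_weighted(group: List[SrvRecord], rng: random.Random) -> SrvRecord:
    """RFC 2782 weighted selection among records that share one priority.

    Weight-0 records are placed first so they are chosen only when the
    random number is exactly 0 (rarely, but not never, as the RFC intends).
    """
    ordered = sorted(group, key=lambda r: r.weight != 0)  # stable sort: zeros first
    total = sum(r.weight for r in ordered)
    pick = rng.randint(0, total)  # inclusive on both ends, per the RFC
    running = 0
    for r in ordered:
        running += r.weight
        if running >= pick:
            return r
    return ordered[-1]  # not reachable because total >= pick; kept for safety


def order_srv_targets(records: Sequence[SrvRecord],
                      seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Return (target, port) pairs in the order a client should try them.

    Lower priority values are tried first; within a priority, records are
    drawn without replacement using the weighted selection above. The port
    comes from the record itself, so two instances on one host stay distinct.
    """
    rng = random.Random(seed)
    by_priority: Dict[int, List[SrvRecord]] = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    result: List[Tuple[str, int]] = []
    for prio in sorted(by_priority):
        remaining = list(by_priority[prio])
        while remaining:
            chosen = _pick_weighted(remaining, rng)
            remaining.remove(chosen)
            result.append((chosen.target, chosen.port))
    return result


def first_choice_frequency(records: Sequence[SrvRecord], trials: int,
                           seed: int) -> Dict[Tuple[str, int], int]:
    """How often each (target, port) ends up as the client's first choice."""
    rng = random.Random(seed)
    counts: Counter = Counter()
    for _ in range(trials):
        counts[order_srv_targets(records, seed=rng.randrange(1 << 30))[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("LDAP instances on dc1.joe.com:", instances_on_host(SAMPLE_SRV, "dc1.joe.com"))
    print("Try order:", order_srv_targets(SAMPLE_SRV, seed=7))
    print("First-choice frequency:", first_choice_frequency(SAMPLE_SRV, 3000, seed=1))
```

Two things to notice when running it: `dc-backup.joe.com` (priority 10) is never the first choice while any priority-0 record exists, and the two `dc1.joe.com` entries are treated as independent targets because the port is part of the answer. A client that looks only at the target host name, as the NET-style calls joe describes would, throws that distinction away.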

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

I don't think the issue is there. When you make an LDAP call, you specify
where you want to go, the hierarchy is all there and required in the call.
Also I don't believe the issue is in SYSVOL, if you look at the sysvol
structure, it has the domain component in there. In fact when I first saw
that in say Oct 1999 in the gold product I was thinking... H is MS
thinking about supporting multiple domains from a single DC? One of the big
issues is at the level of all of the old NET style calls. You specify a
server, not a domain, then it assumes there is one auth point on that one
server (i.e. one SAM in the old days) and it works it. If a call came in for
user bob on server123 and there were three domains or partitions or x hosted
all of which have bob, which one gets sent back? 

If the old NET functionality got dumped, I would be rewriting quite a bit of
code. The only reason I am not already doing it is that there is no impetus
to, it works, I don't have to worry about it. At the same time, that holds
back from doing newer and cooler things if MS did offer the option to move
on. If that option were there though... I would start rewriting to get to
it. At the present time, there is no sign of the death of the NET API so
there is no reason to rewrite something that works fine using it unless
there is some other reason (like you need something that isn't accessible
through the API). Even on this list which has a lot of the more eager
techofolks, we discuss the WinNT provider and other NET API based methods
quite a bit for accessing AD. How come everyone isn't only using the LDAP
methods? Answer, because the NET API methods still work for many things.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can
act as a routing, queuing, and parsing mechanism to determine which LDAP
namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the
various LDAP namespaces supported should be compatible with today's
implementation and existing client capabilities.  However, some of the other
facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted
for but I suppose similar proxy methods could be developed to support these
subsystems as well...


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have
9 VMs running on one server. It's choking for more RAM, but management won't
foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hd

RE: [ActiveDir] Adding custom fields to AD

2005-10-10 Thread Ed Crowley [MVP]
A lot of things sucked with NT 3.50.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Sunday, October 09, 2005 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

In the NT 3.50 days, WINS was a mess. I'm sorry but no amount of good design
would help it. It just sucked. It got progressively better in NT 4.0 but I
saw lots of corruptions of many kinds in 3.5x and I knew a thing or two
about WINS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 8:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

I would guess that it never got that far. My experience with folks
troubleshooting WINS is that they don't look very deep, someone can't
resolve XYZ server name and they stop the service, delete the DB, and
repopulate and call the DB corrupt. 

I think I said this in another post but I have never seen a corrupt WINS DB
though I have had lots of people tell me that WINS was corrupt. I have seen
lots of dorked up individual entries and simply deleting that entry and
reregistering gets everything working fine again. The worst cases I have
seen have been really poorly configured SAMBA machines stomping on domain
records though I once heard of a really misconfigured Windows machine
knocking a Fortune 50 down for a bit because someone built their own domain
with the same domain name as the corporate domain and registered it in the
production WINS environment. The solution there ended up being shut down
WINS and deleting the WINS DB and letting it rebuild... 
 
  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Sunday, October 09, 2005 8:24 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

Tom, what revision of the server OS was the WINS server?  NT 4.0?  Did you
ever determine if the WINS DB corruptions were being exposed at the app/WINS
level (esentutl /g succeeds) or ESE level (esentutl /g fails)?

esentutl /g (the svc/DB must be offline for this) is the (slightly
simplistic) method for determining if the corruption is exposing itself at
the app logic level or the ESE level.

Was the server being hard powered down (power outage)?

Just curious.

Cheers,
-BrettSh [msft] - ESE Developer


On Sat, 8 Oct 2005, Tom Kern wrote:

> I've had the reverse-
> last place i worked at had corrupted WINS at least once every 2
> months(this could have been due to my lousy admin skills) i've never had
> issues with dns(could be my dumb luck) now i work for a corp that has
> netbios/tcp disabled and relies solely on dns(both MS and BIND) with
> no name resolution issues.
> also wins replication seems much more complex than standard
> primary/secondary dns replication.
> and i'm not one to think i know anything as an admin or would even
> think of getting into such a discussion with someone as experienced
> and knowledgeable as you, but i've always found dns easier than wins and
> netbios names in general.
> my only difficulty came with learning dns on BIND/Linux and just
> wrapping my head around AD integrated dns when i first came to Windows.
> sometimes when you learn something via the command line, using the gui
> just confuses things.
> then again i'm probably one of those guys who "thinks" he knows dns
> but really doesn't know anything and hasn't found out yet :(
> what would you think would be a good replacement for dns/wins?
> thanks
> 
> On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> >
> > I wasn't saying I like WINS better than DNS or vice versa, just said
> > I don't like DNS. I especially dislike the AD/DNS integration. I
> > don't like chicken and egg problems.
> > BTW, as you bring up WINS. 1. I've never had a corrupted WINS Database.
> > 2. Fewer admins had name resolution issues replication based issues
> > with WINS than they do with DNS. 3. The complexity of DNS seems to
> > put many admins off the deep end, interestingly enough, the same
> > admins who said they couldn't figure out WINS say they know all
> > about DNS.
> > But again, my comment wasn't I like WINS more than DNS, or I like
> > any name resolution systems better than DNS, it was simply I don't
> > like DNS.
> >
> > --
> > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Tom Kern
> > *Sent:* Saturday, October 08, 2005 12:42 PM
> > *To:* ActiveDir@mail.activedir.org
> > *Subject:* Re: [ActiveDir] Adding custom fields to AD
> >
> > ok, i'll bite.
> > GPO's, i understand but what's there to hate about DNS?
> > it's better than WINS.
> > I've never had a corrupted dns database.
> > thanks
> >
> > On 10/8/05, joe <[EMAIL PROTECTED]> wrote:
> > >
> >

RE: [ActiveDir] Schema Updates

2005-10-10 Thread Tim Vander Kooi



I understand your point of view completely, I have the same 
hang up about anything made by CA. (Not on my network.)
Unity really depends on your use. The things that Cisco has 
changed make it awesome to use if you have an AD environment and a Cisco VOIP 
system. Pricey to be sure, but IMHO it can't be beat.
YMMV


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Monday, October 10, 2005 3:49 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema 
Updates

Entirely your option. :) Windows 3.11 and Windows NT are 
really not the same product. 
 
Note I am not saying I won't use cisco routers because they 
sucked 12 years ago. As someone else pointed out, software isn't cisco's ball of 
wax. There is obviously a little bit of a scary point there when you consider 
though that the IOS is software... 
 
Also as you mentioned, it wasn't created or even 
modified much by cisco. So I don't expect it is much different now than what I 
saw.  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander 
KooiSent: Monday, October 10, 2005 12:37 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema 
Updates

And I will never run Windows because 3.11 just wasn't that 
great at networking. ;-)


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Monday, October 10, 2005 9:42 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema 
Updates

Being the best available doesn't make something good and 
doesn't need a lot of work. :o)
 
It just means it is better than the other sucky 
alternatives.
 
I haven't seen unity in years but when I last saw it, it 
had me swearing about how bad it was. I seem to recall saying something along 
the lines of that will never be in any AD I ever manage. 
 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander 
KooiSent: Monday, October 10, 2005 10:04 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema 
Updates

Not sure why you don't like Unity, it's the best unified messaging app there is
right now. Actually has been for over 5 years. I believe that the reason it's as
good as it is, is that it was not created or even modified much by Cisco; they
simply bought a really good product and left it be for the most part.

As for the schema updates, it didn't work. We made the registry change and it
did work. I don't see how that would be tied to the app as no changes were made
there. But who knows.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Hmmm. I need to think about that again. I think I only saw this behavior in the
lab where all the servers were upgraded instead of wipe and replace. In
production, we upgraded initially then did a replacement effort later.
 
More to the point, UGH 
Cisco Unity… I wish to Christ they’d stick to hardware and stop venturing into 
software… 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Was it maybe the app 
itself disallowing the update? Did you try to just modify the schema to see if 
it would work? Say change the rangeupper of cn or something like that and then 
change it back. Something innocuous. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Yep, same here. I think upgraded scenarios have this.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Upgraded.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Upgraded to 2003 or fresh install?
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
I just did this last week to install Cisco Unity and I still had to enable
schema updates in Windows 2003 even though the user was in Schema Admins. I was
under the same impression as Travis, but after enabling updating in the registry
it worked fine.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Did you work this out Travis?
 
If not, I would 
reco

RE: [ActiveDir] Schema Updates

2005-10-10 Thread Ed Crowley [MVP]

I think this is definitely a case where Moore's Law hasn't been applicable. It's
funny how little this story has changed since I saw the first unified messaging
demos (then by Octel) about ten years ago.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

RE: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Michael B. Smith



Not enough information.

Is this one of its domains for which the Exchange server has a recipient
policy? That's the most likely reason.

Can you tell us more about the scenario?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 6:33 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] exchange confusion(OT)



RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Gil Kirkpatrick



We usually do a big "State of the AD World" survey at DEC, and certainly will
again in Vegas (assuming there are some people left in the room who haven't
already headed out to the casino. :)

I needed some answers sooner than later for a whitepaper I was working on.

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, October 10, 2005 1:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?


Why not just ask the people at DEC - a captive audience of some of the most
knowledgeable AD people anywhere. Or were you hoping for answers prior to then?
 



RE: [ActiveDir] Interesting Scripting Task.....

2005-10-10 Thread Ed Crowley [MVP]
I've written that, and it's actually rather straightforward if you're
willing to tackle VBScript and ADSI.

Another option you might consider is Microsoft Virtual Server or VMware,
where you can build a VM with your environment, save it as a "golden
master", and use it as the base when you need to rebuild your lab.

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!™

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, October 10, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interesting Scripting Task.

All,

I am pondering the possibility of automating the creation of development
environments. The problem I am hoping to solve is that a lot of our testing
needs to be done in an environment where all our OUs, GPOs, Groups and so
forth are present. Recreating this is a nightmare, so to alleviate this I
want to write an import/export script that dumps all the OUs, Groups, Users
and GPOs (including security) and then restores them in a different target
domain (different forest too). Has anyone attempted/achieved this before?

Brad


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


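Ed's reply names VBScript and ADSI; as an added example (not Ed's or Brad's code), here is one building block of such an export/import written in Python instead: a filter that takes an LDIF dump of OUs, groups and users, drops the attributes the target directory generates itself, and rewrites every DN-valued attribute from the source suffix to the target forest. The suffixes DC=src,DC=example and DC=lab,DC=example, the use of an LDIF export tool such as ldifde, and the sample LDIF are constructed assumptions, not details from the thread.

```python
"""LDIF filter for moving OUs, groups and users into another forest.

Added example, not Ed's or Brad's code. Assumed (not from the thread): the export
came from an LDIF tool such as ldifde, the source suffix is DC=src,DC=example and
the target lab forest is DC=lab,DC=example. The sample LDIF below is constructed.
"""
import base64

# Attributes the target directory generates itself; an import carrying them is
# rejected, so drop them. memberOf is a back-link rebuilt from group members.
OPERATIONAL_ATTRS = {
    "objectguid", "objectsid", "whencreated", "whenchanged", "usncreated",
    "usnchanged", "dscorepropagationdata", "instancetype", "samaccounttype",
    "primarygroupid", "pwdlastset", "lastlogontimestamp", "memberof", "name",
    "distinguishedname",
}
DN_ATTRS = {"dn", "member", "managedby", "objectcategory"}  # DN-valued, retarget

SAMPLE_LDIF = """\
# constructed sample export, not real directory data
dn: OU=Lab Users,DC=src,DC=example
changetype: add
objectClass: organizationalUnit
ou: Lab Users
objectGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=Lab Admins,OU=Lab Users,DC=src,DC=example
changetype: add
objectClass: group
cn: Lab Admins
sAMAccountName: LabAdmins
groupType: -2147483646
member: CN=Lab User 1,OU=Lab Users,DC=src,DC=example
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=src,DC=example

dn: CN=Lab User 1,OU=Lab Users,DC=src,DC=example
changetype: add
objectClass: user
cn: Lab User 1
sAMAccountName: labuser1
description: Lab account for the
  test forest
memberOf: CN=Lab Admins,OU=Lab Users,DC=src,DC=example
"""


def parse_ldif(ldif_text):
    """Return entries as lists of (attribute, value, is_base64) tuples."""
    lines = []
    for raw in ldif_text.splitlines():  # join folded continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            is_b64 = value.startswith(":")  # "attr:: <base64>" form
            current.append((attr, value.lstrip(":").strip(), is_b64))
    return entries


def rewrite_dn(dn, src_suffix, dst_suffix):
    """Swap the forest suffix at the end of a DN; whole RDNs, case-insensitive."""
    cut = len(dn) - len(src_suffix)
    if cut < 0 or dn[cut:].lower() != src_suffix.lower():
        return dn
    if cut > 0 and dn[cut - 1] != ",":
        return dn  # DC=notsrc,... must not match DC=src,...
    return dn[:cut] + dst_suffix


def convert(ldif_text, src_suffix, dst_suffix):
    """Drop operational attributes and retarget every DN-valued attribute."""
    result = []
    for entry in parse_ldif(ldif_text):
        kept = []
        for attr, value, is_b64 in entry:
            if attr.lower() in OPERATIONAL_ATTRS:
                continue
            if attr.lower() in DN_ATTRS:
                if is_b64:  # DNs holding non-ASCII names are base64 in LDIF
                    value, is_b64 = base64.b64decode(value).decode("utf-8"), False
                value = rewrite_dn(value, src_suffix, dst_suffix)
            kept.append((attr, value, is_b64))
        result.append(kept)
    return result


def to_ldif(entries):
    """Serialise entries back to LDIF, base64-encoding values LDIF cannot hold raw."""
    blocks = []
    for entry in entries:
        lines = []
        for attr, value, is_b64 in entry:
            if not is_b64 and value and (value[0] in " :<" or not value.isascii()):
                value, is_b64 = base64.b64encode(value.encode("utf-8")).decode(), True
            lines.append(f"{attr}:: {value}" if is_b64 else f"{attr}: {value}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"
```

`to_ldif(convert(SAMPLE_LDIF, "DC=src,DC=example", "DC=lab,DC=example"))` yields an LDIF file ready for import into the target forest; GPOs and the security descriptors Brad mentions are not covered, since those need a separate export path.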


Re: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread Tom Kern
That's because this addy has special needs.
It's a journal contact that needs to be routed out a dedicated connector to a journal server.

I still don't understand why Exchange rewrites the address to domain.com instead of servername.domain.com.
 
thanks 
On 10/10/05, joe <[EMAIL PROTECTED]> wrote:

I may regret asking this, but recall I don't know squat about Exchange message routing.
 
Why do you need a connector? If the name is resolvable from your server, it doesn't seem like it should need anything special to get to it. 

 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)


I have a contact with the addy of [EMAIL PROTECTED].

I created an SMTP connector with an address space of *.domain.com.

When Exchange 2k sends an email destined for [EMAIL PROTECTED] thru that SMTP connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername.

I see this in the SMTP logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question:
Why is Exchange rewriting the address just because I'm using a wildcard in the connector address space?
Is this by design?

What if I wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com?
Wouldn't I just create a connector with an address space of *.domain.com?

Should Exchange 2k just forward the email without changing the RCPT TO: headers?

Am I wrong and clueless as usual?
What am I missing?

I'm running Exchange 2k post SP3 rollup in mixed mode (but no Exchange 5.5 servers or ADC).

Thanks a lot


RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Brian Desmond

VMWare Workstation I think starting with 5.0 has a similar concept to
differencing disks. Usually these things end up in the GSX platform, it just
takes a while. ESX has a differencing disks type story, I forget what it's
called, though.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.



 

One thing that seems a bit silly to me is if I have my new 64 bit server,
GOLIATH, and he’s running 10 VMs with Windows, then he’s running 10 W2K3
kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of
filled by NTVDM, that you could run something in there and if it crashed it
didn’t take down the OS. What if you could run an instance of Exchange in one
of those? Or a DC? VMs are now sort of like having CD images on the network
were for a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25
copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I
mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX
can mitigate that somewhat… but MS wrote the Windows code, who could do it
better than them? Or maybe I’m way off base here. ??

 

 

Well with this, you can use differencing disks. I do it now after Dean talked
about it. I build one server and then spin up differencing disks off of it and
it dramatically reduces my disk use.

As for everything else, you are describing running everything on a single
machine with virtualization up at the subsystem level which isn't really
virtualization in the same terms of the hardware virtualization. You still have
a single registry and source for device drivers, etc.

 

 

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

I’m a bit confused as to what she was trying to say… in the quote below, she
says four VMs, but she doesn’t say four instances of Windows… and she says that
they’ll only charge for virtual images of Windows actually running. I take that
to mean that if I have a box with 10 virtual machines defined but only 4 running
at a time, that I only have to pay for 4? Unless I start a 5th one before I
bring one of the others down? Does it mean that currently I’d have to pay for
10? Or is it that if I am only running 4 I can run them on top of one purchased
copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server,
GOLIATH, and he’s running 10 VMs with Windows, then he’s running 10 W2K3
kernels, 10 HALs, 10 __ (fill in the blank). There was a concept, sort of
filled by NTVDM, that you could run something in there and if it crashed it
didn’t take down the OS. What if you could run an instance of Exchange in one
of those? Or a DC? VMs are now sort of like having CD images on the network
were for a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25
copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I
mean. Run 10 VMs and you have maybe 15 GB of duplicate info on disk. I hear ESX
can mitigate that somewhat… but MS wrote the Windows code, who could do it
better than them? Or maybe I’m way off base here. ??

 



---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual machines running on
top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn"
Datacenter Edition at no extra cost, Kelly said.

 
 

 












RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Al Mulnick
Hmm... No, I disagree joe.  Microsoft does need to worry about adoption of
their products and any barriers, real or imagined, to that adoption.  *nix
integration is a reality. Get used to it.  Be sure to take it into account
for future releases. Be sure to protect the investment of your developer
followers [1]. Create a framework that developers can develop to and be
somewhat future proof else your customers won't adopt your products.
Remember, customers don't buy operating systems for the sake of the
operating system, they buy them for what they do and what they contribute to
their business. It's the applications that the company wants to run that
cause people to buy a new OS and new hw. 64-bit computing would be a great
example of that. And MS gets it as evidenced by their strategy to embrace
the developers prior to the release.  It's about the applications not the
OS.  It's just that the applications don't exist without a solid foundation
such as a really strong, reliable, and easy to maintain OS running the
hardware. 

It takes time to build the ecosystem, but adoption only happens when there
is a compelling reason.  Apps are that reason.  


[1] Developers! Developers! Developers! ~ SteveB [2]
[2] remember why he said that?  Because they totally dissed the dev
community prior to that.  Badly. And paid the price for it.[3]  
[3] why do people pick Microsoft in the first place?  Because they have the
absolute latest and greatest technology? Nope. Because they have the best
technology? Nope (seen RMS lately? I rest that case)  Because they have the
most applications written for their platform? Yep. Can't swing a dead cat
without hitting a MS application. Even open source writes apps that run on
Windows because they want their apps adopted.  



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode


> - Blackcomb clients would need to be available several years before the
> blackcomb server.

Well no, that is why you have the functional mode associated with it. It
doesn't just happen, the customer chooses to do it. Someone setting up a
brand new environment would be good to go immediately. Someone with legacy
that they are trying to clean up could take as long as they like. The
benefit is that it is a step forward. 

> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix,
> Mac etc]
 
By the vendors who supply those clients and the people who have them
deployed, yes. Not MS. Part of the reason we are stuck with so much legacy
baggage is due to MS worrying so much about the legacy clients that they do
not control. There are some great blogs out there of stuff MS has done to
make it so incorrectly written apps work with their changes and results in
all sorts of special cases in the OS. That is the kind of stuff I would like
to see going away. It makes MS more limber and hopefully less chance for
weird corner cases. 


The new model may not look anything like the current model, the fact that
you have a functional mode to jump to this mode allows the customer to
choose when to go to it. At some point, maybe two revs past Blackcomb, that
new mode is the mode Windows uses and all legacy is gone.

 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

 - Blackcomb clients would need to be available several years before the
blackcomb server.
 - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac
etc]



neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs is affected. I.E. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.E. Complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and
its authentication abilities. IIRC, multiple domains via LDAP only work
just fine. It's called ADAM in its latest incarnation. But for the

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Rich Milburn








Well once upon a time, Operating System was software that handled all the I/O
and hardware… Windows uses how many MB/GB for that now, and there is a crossing
over between kernel mode and app/user mode… if you could really separate off
the kernel mode so you could run multiple things on it independently of each
other and not caring about the kernel parts, then, um, you wouldn’t have to buy
ESX :)

I’ll have to look into the archives on the differencing disks thing!

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 3:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Gil Kirkpatrick



You want something done right, do it yourself :)

-g


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 1:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?


Maybe I shouldn’t be pushing so hard to take over DNS operations for clients
and servers. ;-)

Actually, we manage the SRV records only, and while they are a bit tricky, once
it’s working it just works. But trying to explain what’s going on to a Windows
admin who doesn’t have an AD background is almost a bigger challenge.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies (719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com -- "Cry 'Havoc!' and let slip the dogs of war" - Anthony, in Julius Caesar III i.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?
 
Here's the summary of the results from last week's informal survey. By far the
most popular cause of AD failure is the inadvertent misconfiguration of MSFT
DNS, which is interesting, because that was true 2 years ago as well. I guess
some things never change.
 
(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user
 
I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness, the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS?

A little surprising is that there were two votes for malicious attacks by an internal source.
 
Some of the other failure reasons cited (no overlap, so I must have listed all the important reasons...)

Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC e.g. Antivirus software
Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
Inadvertently double-clicking a vbscript when someone meant to right-click > edit it :)
 
The two winners of the "nothing too 
fancy" prize are Hunter Coleman and Stuart Fuller (wait for applause to die 
down...) Please email your shipping particulars to me at 
mailto:[EMAIL PROTECTED], and I 
will get your gifts sent out ASAP.
 
I only received about 20 
responses... I was expecting maybe 40 or 50. Any suggestions as to how to make 
this more effective (I don't have any money to spend on this, so large 
cash-value prizes are right out :)
 
-gil
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?
Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some swell gifts to give away at random to a couple of lucky respondents (nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active Directory "failure" (where failure is defined as failure to authenticate, authorize, replicate, or apply GPOs as expected). List as many as you care to, in order from most common to least common. Note that I am not considering the consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappr

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Al Mulnick
Well, that's really my point.  You can't really take away some of those
"apps" that exist today.  They're too ingrained in the way people use the
technology.  They really are the value add at the core of the product.
Otherwise, this would be fine by me:
http://directory.fedora.redhat.com/wiki/Main_Page and has a lot less built
in headache to manage.  But it also has a LOT less functionality that I need
which are provided by those apps that will one day be legacy. 

I can be open minded and forward thinking.  Let's just leave it at "provide
same or better functionality" as I get now to provide the push I need to
move to a new paradigm [1]. But if you plan to take that away, then I don't
see the value you provide (at this point). If you do provide a complete
instance for each of those, how does that differ from the VM path? Am I just
missing the concept here? I hate to be so close minded that I miss the
point, but I also don't want to be so open minded my brains fall out. I need
a boundary in an open forum. Just a beer in a closed forum. 

Seriously Joe, I get the concept of wanting this type of functionality.
What I don't get is the value it adds.  It comes across as a lot of trouble
for a gee-whiz feature with no substance that helps me attain my business
goals.  I'm more of the DC in a VM camp because I prefer the isolation.  Is
that old-school?  I don't know.  Does that help others out?  Not sure.
Would putting multiple domains on the same piece of hardware be helpful?
Without a doubt.  Does it need to be in the same instance of the hard.  Yep.
Does that mean that there could be multiple instances that all are
self-contained AD's complete with kerberos, dns, dhcp, wins (collectively
name res because one of those should not be in BC release; I'll let you
decide which one)GPO, etc?  I don't buy into that as having a tremendous
amount of value.  It would be nice to be able to do it for a lot of the
multi-forest models (test forest, production forest, exchange forest, Bob's
spam forest, etc) but I don't know that effort should be spent to do it that
way vs. using virtualization of the entire OS.  I see some stability issues
that could come about that I'm not comfortable with.  I see some
authentication and administration issues I'm not comfortable with.  I don't
see a value in terms of hardware savings.  That's not the issue IMHO. I can
achieve that today and be very happy with it.  

Don't get me wrong, I DO think that a service based AD is certainly needed.
Especially for maintenance and troubleshooting, but that's a different issue
that's much more easily solved.  But putting three, four, five, etc
authentications realms on the same hardware in the same OS instance doesn't
buy me much that I can see.  I don't see a cost savings.  I don't see a
reliability gain.  I don't see it being worth the upgrade PITA. I do see it
would be cool.  I don't see it as being faster to restore thereby achieving
a higher service reliability. 

Not to be long-winded, but I think I may just not be seeing it the right
way.  I may be thinking in terms of today's architecture and that it is
so tied to the registry (For the love of  is
that???) that it would not be truly separated in tomorrow's implementation.
That's likely a wrong assumption and I can easily get over that. But I don't
see the effort paying off if I have to discard 10 years of legacy software
applications and process trash to get to a point where I save a few dollars
on hardware vs. using VM technology (software or hardware based doesn't
matter to me in this conversation although I would prefer hardware to
alleviate any cross-over ties to the OS in case of failure; totally
autonomous and hardware separated [2])




[1] Buzz-word-bingo champ, cubicle farm #3, cubicle cluster #2 - 1998
[2] Right.  So any gains in hardware ability have historically resulted in
higher prices. That would likely negate the savings I might have had if I
had gone with multiple smaller hardware devices or if I had used software VM
[3]
[3] It's almost circular logic at some point 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode


Don't get lost in the details yet. I tried to give a specific example to
help clarify the general concept of "I have a switch labeled Hurray that shuts
off legacy support", it launches Windows into a whole new non-NT compatible
auth/authz system. It seems to me if we keep the legacy stuff in there, it
is never going to go away because there is no impetus for it to go away. 

Then again, maybe ADAM is the new model... Companies switch to using ADAM
for auth/authz entirely and away from AD. However, that means having to
build up the GPO model, etc in ADAM as well as Kerberos and other supporting
pieces. 

 


RE: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread joe



I may regret asking this, but recall I don't know squat 
about Exchange message routing.
 
Why do you need a connector? If the name is resolvable from 
your server, it doesn't seem like it should need anything special to get to it. 

 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Monday, October 10, 2005 3:28 PM
To: activedirectory
Subject: [ActiveDir] exchange confusion(OT)

I have a contact with the addy of [EMAIL PROTECTED].

I created a smtp connector with an address space of *.domain.com.

when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername.

i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question-
why is exchange rewriting the address just because i'm using a wildcard in the connector address space?
is this by design?

What if i wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com ?
wouldn't i just create a connector with an address space of *.domain.com?

should exchange 2k just forward the email without changing the RCPT TO: headers?

am i wrong and clueless as usual?
what am i missing?

i'm running Exchange 2k post sp3 rollup in mixed mode (but no exchange 5.5 servers or ADC).

Thanks a lot


RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread joe
>  - Blackcomb clients would need to be available several years before the
blackcomb server.

Well no, that is why you have the functional mode associated with it. It
doesn't just happen, the customer chooses to do it. Someone setting up a
brand new environment would be good to go immediately. Someone with legacy
that they are trying to clean up could take as long as they like. The
benefit is that it is a step forward. 

>  - Impact on non-Windows clients would need to be assessed. [SAMBA, nix,
Mac etc]
 
By the vendors who supply those clients and the people who have them
deployed, yes. Not MS. Part of the reason we are stuck with so much legacy
baggage is due to MS worrying so much about the legacy clients that they do
not control. There are some great blogs out there of stuff MS has done to
make it so incorrectly written apps work with their changes and results in
all sorts of special cases in the OS. That is the kind of stuff I would like
to see going away. It makes MS more limber and hopefully less chance for
weird corner cases. 


The new model may not look anything like the current model, the fact that
you have a functional mode to jump to this mode allows the customer to
choose when to go to it. At some point, maybe two revs past Blackcomb, that
new mode is the mode Windows uses and all legacy is gone.

 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, October 10, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

2 immediate comments:

 - Blackcomb clients would need to be available several years before the
blackcomb server.
 - Impact on non-Windows clients would need to be assessed. [SAMBA, nix, Mac
etc]



neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs is affected. I.E. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients.
I.E. Complete break with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and 
its authentication abilities.   IIRC, multiple domains via LDAP only work
just fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide
identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
so sure.


I'm curious, Charlie and Neil.  What services do these SMBs offer that
they need multiple instances of DCs? I realize that a best practice is
to have multiple servers that can provide some failure tolerant
behaviors, but I'm wondering what type of work a SMB does that requires
multiple full blown AD domain instances and therefore multiple servers
etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I 
>retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!T
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS 
>installation and segment the directories from each other. That way I 
>don't need to run multiple licenses of the OS, nor do I need hardware 
>that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works but I'd prefer 
>to be able to run AD as a service and have it be smart enough to be 
>able to segment itself without needing a separate 

RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread joe
I don't think the issue is there. When you make an LDAP call, you specify
where you want to go, the hierarchy is all there and required in the call.
Also I don't believe the issue is in SYSVOL, if you look at the sysvol
structure, it has the domain component in there. In fact when I first saw
that in say Oct 1999 in the gold product I was thinking... H is MS
thinking about supporting multiple domains from a single DC? One of the big
issues is at the level of all of the old NET style calls. You specify a
server, not a domain, then it assumes there is one auth point on that one
server (i.e. one SAM in the old days) and it works it. If a call came in for
user bob on server123 and there were three domains or partitions or x hosted
all of which have bob, which one gets sent back? 

If the old NET functionality got dumped, I would be rewriting quite a bit of
code. The only reason I am not already doing it is that there is no impetus
to, it works, I don't have to worry about it. At the same time, that holds
back from doing newer and cooler things if MS did offer the option to move
on. If that option were there though... I would start rewriting to get to
it. At the present time, there is no sign of the death of the NET API so
there is no reason to rewrite something that works fine using it unless
there is some other reason (like you need something that isn't accessible
through the API). Even on this list which has a lot of the more eager
techofolks, we discuss the WinNT provider and other NET API based methods
quite a bit for accessing AD. How come everyone isn't only using the LDAP
methods? Answer, because the NET API methods still work for many things.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it can
act as a routing, queuing, and parsing mechanism to determine which LDAP
namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the
various LDAP namespaces supported should be compatible with today's
implementation and existing client capabilities.  However, some of the other
facets of the NOS implementation (i.e. SYSVOL) would still be unaccounted
for but I suppose similar proxy methods could be developed to support these
subsystems as well...


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I have
9 VMs running on one server. It's choking for more RAM, but management won't
foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hdw to run the
VMs I could use VMs more gracefully.
I've used/use desktop hdw to run testlab machines, but scalability and user
experience testing is indeed a factor for some things.
The underlying "wish" here was to be able to put multiple AD DCs on one
piece of hdw/OS. Instead of having to build 3 VMs or physical machines, be
able to run 3 domains on one, with AD running as a service, kinda like the
way IIS can run multiple websites, or SQL can run multiple DBs (although
it's at a lower level than either of those apps). If I could run 3 domains
on 2 servers instead of 6, I would imagine that I'd save on licensing costs
as well as hdw, since running an AD service would likely be less hdw
intensive than running an OS...
We can dream, can't we? :-)


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for you? I'm 
> trying to understand the difference between that and a multiple domain 
> DC for that scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?) have 
> always worked well for me in the past when doing functionality 
> testing.
> Scalability requires full-blown hardware. But I'm not seeing where VM 
> environments aren't working as well as you'd like a physical 
> environment to work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured to host 
> multiple domains because I could designate one to be the failover for 
> several domains.  Otherwise, I'm not sure I get it. Is this like a 
> LPAR concept you're talking about? Th
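The routing argument running through this thread, as an added example that is not code from the list or from any Microsoft component: an LDAP request carries its naming context in the DN (Aric's LDAP.SYS idea amounts to a longest-suffix match over the hosted partitions), whereas a NET-style call names only a server and an account, which is the ambiguity joe describes. The partitions, the server name "dc1" and the accounts below are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: one server ("dc1") hosting three domain partitions,
# including a child domain whose naming context extends its parent's suffix.
# Account records are minimal (just the DN); config/schema NCs are omitted.
HOSTED_ON = "dc1"
PARTITIONS: Dict[str, Dict[str, dict]] = {
    "DC=joe,DC=com": {
        "bob": {"dn": "CN=bob,CN=Users,DC=joe,DC=com"},
    },
    "DC=corp,DC=example": {
        "bob": {"dn": "CN=bob,CN=Users,DC=corp,DC=example"},
        "alice": {"dn": "CN=alice,OU=Staff,DC=corp,DC=example"},
    },
    "DC=lab,DC=corp,DC=example": {
        "bob": {"dn": "CN=bob,CN=Users,DC=lab,DC=corp,DC=example"},
    },
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf RDN first.
    Commas escaped with a backslash stay inside the value; multi-valued RDNs
    (a+b=...) are not handled. Everything is lowercased because DN matching
    in AD is case-insensitive."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_suffix_matches(dn: str, suffix: str) -> bool:
    """True when `suffix` names the tail of `dn` at an RDN boundary."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def route_ldap(base_dn: str) -> Optional[str]:
    """Pick the hosted naming context for an LDAP request: among matching
    partitions the one with the most RDNs wins, so a child domain's NC beats
    its parent's. None means the object is not hosted here (referral territory)."""
    best = None
    for nc in PARTITIONS:
        if dn_suffix_matches(base_dn, nc):
            if best is None or len(parse_dn(nc)) > len(parse_dn(best)):
                best = nc
    return best


def lookup_ldap(dn: str) -> Optional[dict]:
    """Resolve an account by DN: the DN alone tells the server which partition
    to search, so the answer is unique however many partitions are hosted."""
    nc = route_ldap(dn)
    if nc is None:
        return None
    target = parse_dn(dn)
    for record in PARTITIONS[nc].values():
        if parse_dn(record["dn"]) == target:
            return record
    return None


def lookup_net_style(server: str, account: str) -> List[dict]:
    """NET-API style resolution: the caller names a server and an account and
    assumes one SAM per server. With several partitions on that server every
    partition holding the name is a candidate, and nothing in the call lets
    the server choose between them; the caller gets all of them back here."""
    if server.lower() != HOSTED_ON:
        return []
    return [p[account] for p in PARTITIONS.values() if account in p]


def dn_to_dns(nc: str) -> str:
    """Turn a domain naming context into its DNS name (DC components only)."""
    return ".".join(v for a, v in parse_dn(nc) if a == "dc")


def sysvol_path(server: str, nc: str) -> str:
    """SYSVOL is already keyed by domain name, which is why joe does not see
    it as the obstacle to hosting several domains on one server."""
    return f"\\\\{server}\\sysvol\\{dn_to_dns(nc)}\\Policies"


if __name__ == "__main__":
    print(route_ldap("CN=bob,CN=Users,DC=lab,DC=corp,DC=example"))
    print([r["dn"] for r in lookup_net_style("dc1", "bob")])
```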

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread joe




One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 
 
Well with this, you can use differencing disks. I do it now after Dean talked about it. I build one server and then spin up Differencing disks off of it and it dramatically reduces my disk use. 
 
As for everything else, you are describing running 
everything on a single machine with virtualization up at the subsystem level 
which isn't really virtualization in the same terms of the hardware 
virtualization. You still have a single registry and source for device drivers, 
etc. 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 3:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


I’m a bit confused as 
to what she was trying to say… in the quote below, she says four VMs, but she 
doesn’t say four instances of 
Windows… and she says that they’ll only charge for virtual images of Windows 
actually running.  I take that to mean that if I have a box with 10 virtual 
machines defined but only 4 running at a time, that I only have to pay for 
4?  Unless I start a 5th one before I bring one of the others 
down?  Does it mean that currently I’d have to pay for 10?  Or is it 
that if I am only running 4 I can run them on top of one purchased copy of 
Windows Server 2003 R2 EE?
 
One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 

http://www.pcworld.com/news/article/0,aid,122949,00.asp 

 

Virtual Windows License Simplified

 

 


Microsoft also will 
allow customers to have four virtual machines running on top of Windows Server 
2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at 
no extra cost, Kelly said. 
  
 










RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread joe



I mostly agree.
 
The Data Center Edition, according to some of the other links out there, will allow unlimited instances on it.
 
As for the not running category, I think it means that 
unless the instance is at that moment running, it doesn't need a license. So you 
could have 300 images on an EE box and as long as you only have 4 running at any 
given moment, you only need one license for server. 
 
Someone brought up a good question on the virtual guy's 
blog on whether this just applies when using VS or if it also works with vmware. 
He indicated ESX specifically which I think is right out, but what about 
GSX.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Monday, October 10, 2005 3:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.


My understanding is as follows:

- 1 licensed copy of W2K3R2 or Longhorn (EE/DC) provides the following:
  - 1 physical host running the licensed OS
  - 4 virtual guests running the licensed OS or a lesser version (i.e. Enterprise Edition would allow for Web Edition running in a VM)
- VMs developed and designed for the following purposes (as examples) need not be licensed until which time they no longer fall under the following:
  - Copies of licensed machines (physical or virtual) used for backup purposes only
  - “Template” virtual disks used for deploying new virtual guests
  - Other virtual machines not generally online and not used for production purposes (e.g. an offline CA in a VM would not qualify)
 
 
 
Aric
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 
I’m a bit confused as 
to what she was trying to say… in the quote below, she says four VMs, but she 
doesn’t say four instances of 
Windows… and she says that they’ll only charge for virtual images of Windows 
actually running.  I take that to mean that if I have a box with 10 virtual 
machines defined but only 4 running at a time, that I only have to pay for 
4?  Unless I start a 5th one before I bring one of the others 
down?  Does it mean that currently I’d have to pay for 10?  Or is it 
that if I am only running 4 I can run them on top of one purchased copy of 
Windows Server 2003 R2 EE?
 
One thing that seems a 
bit silly to me is if I have my new 64 bit server, GOLIATH, and he’s running 10 
VMs with Windows, then he’s running 10 W2K3 kernels, 10 HALs, 10 __ 
(fill in the blank).  There was a concept, sort of filled by NTVDM, that 
you could run something in there and if it crashed it didn’t take down the 
OS.  What if you could run an instance of Exchange in one of those?  
Or a DC?  VMs are now sort of like having CD images on the network were for 
a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25 copies of 
Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I mean.  Run 
10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear ESX can 
mitigate that somewhat… but MS wrote the Windows code, who could do it better 
than them?  Or maybe I’m way off base here. ?? 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn how to do it." - Pablo Picasso




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.
 

http://www.pcworld.com/news/article/0,aid,122949,00.asp 

 

Virtual Windows License Simplified

 

 


Microsoft also will 
allow customers to have four virtual machines running on top of Windows Server 
2003 R2 Enterprise Edition and Windows Server "Longhorn" Datacenter Edition at 
no extra cost, Kelly said. 
  
 





RE: [ActiveDir] exchange confusion(OT)

2005-10-10 Thread ActiveDirectory



You should be able to just do domain.com and it will pick up any child domains, unless you have a child that needs special privileges.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Posted At: Monday, October 10, 2005 2:28 PM
Posted To: ActiveDirectory
Conversation: [ActiveDir] exchange confusion(OT)
Subject: [ActiveDir] exchange confusion(OT)
I have a contact with the addy of [EMAIL PROTECTED].

I created a smtp connector with an address space of *.domain.com.

when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as [EMAIL PROTECTED], taking out the servername.

i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".

Now, my question-
why is exchange rewriting the address just because i'm using a wildcard in the connector address space?
is this by design?

What if i wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com ?
wouldn't i just create a connector with an address space of *.domain.com?

should exchange 2k just forward the email without changing the RCPT TO: headers?

am i wrong and clueless as usual?
what am i missing?

i'm running Exchange 2k post sp3 rollup in mixed mode (but no exchange 5.5 servers or ADC).

Thanks a lot


RE: [ActiveDir] Adding custom fields to AD

2005-10-10 Thread joe
Won't work for me. I have about 50,000 users in my home AD on about 3
domains and 8 DCs... Oh I also have trusts to a couple of R2 and NT4
Domains. 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA
aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 10, 2005 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

:-P

I think someone needs to run SBS at home.  See what nice solid DNS/AD is all
about :-)



joe wrote:

> Heck NetBEUI with all broadcasts would work perfect for all internal 
> SBS needs. :o)
>
> --
> --
> *From:* [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] *On Behalf Of *Susan 
> Bradley, CPA aka Ebitz - SBS Rocks [MVP]
> *Sent:* Monday, October 10, 2005 12:33 AM
> *To:* ActiveDir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Adding custom fields to AD
>
> 
>
> I love DNS and AD and argue strongly for the glue all the time.  
> {example answer in SBS newsgroup to person not wanting a 
> domain."why in the WORLD do you want to run as workgroup?  A 
> domain is just a workgroup with more toys!"}
>
> But then again I run insecure SBS where our wizards set up the glue 
> for us and we don't have to worry about it.
>
> 
>
> joe wrote:
>
>> I don't think the rest of the planet loves DNS, I think a lot of 
>> people put up with it as a necessary evil due to exactly the reason 
>> you state. There isn't even a viable option on the table. WINS simply 
>> won't scale due to the lack of hierarchy. I myself also realize that 
>> it is a necessary evil but it doesn't mean I have to necessarily like 
>> it. ;o)  I certainly don't like managing it nor running it as 
>> integrated into the AD itself. The fact that AD is critically 
>> dependent on a service that it itself provides smacks my internal 
>> like it or hate it sensors about. I am very much pro-someone else 
>> running DNS properly and I run AD properly.
>>  
>>  
>>
>> ----
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Rick 
>> Kingslan
>> *Sent:* Sunday, October 09, 2005 11:31 AM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* RE: [ActiveDir] Adding custom fields to AD
>>
>> "what would you think would be a good replacement for dns/wins?"
>>  
>> There currently isn't one.  Not really even a viable option on the 
>> table.  joe doesn't like DNS.  The rest of the planet loves DNS - 
>> including those eggheads (loveable eggheads that they are) at IETF 
>> are the holders of the standards, and they love DNS too.  :-)
>>  
>> Microsoft fought hard to get TO standards cooperation .  Don't look 
>> for anything in the near future to break away from that in regards to 
>> DNS.
>>  
>> Rick
>>
>> --
>> Posting is provided "AS IS", and confers no rights or warranties ...
>>  
>>
>>  
>>
>> ----
>> *From:* [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] *On Behalf Of *Tom Kern
>> *Sent:* Saturday, October 08, 2005 4:44 PM
>> *To:* ActiveDir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Adding custom fields to AD
>>
>> I've had the reverse-
>> last place i worked at had corrupted WINS at least once every 2 
>> months(this could have been due to my lousy admin skills) i've never 
>> had issues with dns(could be my dumb luck) now i work for a corp that 
>> has netbios/tcp disabled and relies solely on dns(both MS and BIND) 
>> with no name resolution issues.
>> also wins replication seems much more complex than standard 
>> primary/secondary dns replication.
>>  
>>  
>> and i'm not one to think i know anything as an admin or would even 
>> think of getting into such a discussion with someone as experienced 
>> and knowledgeable as you, but i've always found dns easier than wins 
>> and netbios names in general.
>>  
>> my only difficulty came with learning dns on BIND/Linux and just 
>> wrapping my head around AD integrated dns when i first came to Windows.
>> sometimes when you learn something via the command line, using the 
>> gui just confuses things.
>>  
>> then again i'm probably one of those guys who "thinks" he knows dns 
>> but really doesn't know anything and hasn't found out yet :(
>>  
>>  
>> what would you think would be a good replacement for dns/wins?
>> thanks
>>
>>  
>> On 10/8/05, *joe* <[EMAIL PROTECTED] 
>> > wrote:
>>
>> I wasn't saying I like WINS better than DNS or vice versa, just
>> said I don't like DNS. I especially dislike the AD/DNS
>> integration. I don't like chicken and egg problems.
>>  
>> BTW, as you bring up WINS. 1. I've never had a corrupted WINS
>> Database. 2. Fewer admins had name resolution issues replication
>> based issues with WINS than they do with DNS. 3. The complexity
>> of DNS seems to put many admins off 

Re: [ActiveDir] TS GPO and Citrix Settings

2005-10-10 Thread support



Hi Ryan,
 
The greying out of the settings is a "good thing". 
Basically any well designed program that provides a user interface to a registry 
setting should grey out settings that are managed via the Policy key. This is 
really saying "This setting is set via policy. Don't fiddle with it". When it 
used to be ungreyed, I would have thought you still would have had problems, 
since next time policies applied it would set it back anyway. 
 
While you could temporarily change it as Derek 
suggests, I presume you want to permanently fix it. As you suggested, you can 
block inheritance for the OU, but this is not nice since it blocks all policies 
(except those with No Override) from flowing to that OU. 
 
Your other options are another policy connected to 
the OU that reverses the policy setting, or create a group of all your CITRIX 
machines and put the group in the DENY list for the policy.
 
Alan Cuthbertson
Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter (Free): http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

----- Original Message ----- 

  From: 
  Derek Harris 
  To: ActiveDir@mail.activedir.org 
  
  Sent: Tuesday, October 11, 2005 6:05 
  AM
  Subject: RE: [ActiveDir] TS GPO and 
  Citrix Settings
  
  If you just want to make a quick change, go into the 
  registry and delete the policy subtrees (from HKCU or HKLM, or both).  
  They'll come back on the next policy refresh, but it'll give you a few 
  minutes.  I can't remember off the top of my head where those settings are 
  stored: [software\policies], [software\microsoft\windows\current 
  version\policies]
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
  Sent: Monday, October 10, 2005 11:17 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] TS GPO and Citrix Settings
  
  
  We are experiencing what appears to be a strange 
  problem (although it’s probably expected for all I know) with Terminal Service 
  settings on W2K3 boxes.  A GPO at our application server container sets 
  various settings (timeout values, encryption, etc…) for all systems 
  (regardless of Admin/Application mode).  The behavior is when any TS 
  setting is set by a GPO the setting is grayed out and even administrators 
  cannot change the settings.
   
  This itself would not be an issue, however, the 
  default behavior of Citrix is to take the RDP settings and therefore we cannot 
  change the ICA 
  settings which presents a problem. So aside from blocking policy inheritance 
  on the OUs where there are terminal servers does anyone know of a way to 
  un-gray the settings for W2K3? This was not an issue in 
  W2K.
   
  Hopefully I’ve explained well enough.  Thanks in 
  advance,
   
  Ryan 



RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread joe



Hmm DNS you say... 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal survey. By far 
the most popular cause of AD failure is the inadvertent misconfiguration of MSFT 
DNS, which is interesting, because that was true 2 years ago as well. I guess 
some things never change.
 

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

 

I ignored anything that was ranked lower than 5th... Also interesting to note that the top three items are human error due to lack of knowledge or carelessness, the next three are physical failures nominally outside of human control. Is this because there are just too many knobs and switches on AD and DNS?
 
A little surprising is that there were two votes for malicious attacks by an internal source.
 
Some of the other failure reasons cited (no overlap, so I must have 
listed all the important reasons...)
 
Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC e.g. Antivirus software
Issues with FW config that hindered replication over tombstone lifetime (may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo, or cleaning up metadata afterwards.
Inadvertently double-clicking a _vbscript_ when someone meant to right-click > edit it :)
 
The two winners of the "nothing too fancy" prize are Hunter Coleman and 
Stuart Fuller (wait for applause to die down...) Please email your shipping 
particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out 
ASAP.
 
I only received about 20 responses... I was expecting maybe 40 or 50. Any suggestions as to how to make this more effective (I don't have any money to spend on this, so large cash-value prizes are right out :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers, 
Here's a quick, informal, non-scientific survey. 
Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some 
swell gifts to give away at random to a couple of lucky respondents (nothing too 
fancy). I'll post the summary in a few days.
Question: *In your experience*, which are the most 
common causes of Active Directory "failure" (where failure is defined as failure 
to authenticate, authorize, replicate, or apply GPOs as expected). List as many 
as you care to, in order from most common to least common. Note that I am not 
considering the consequences of the failure, just how frequent they 
are.
Just send me a response like B, A, F or some such, 
along with any commentary you might have. 
A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)
Thanks for your feedback. 
-gil 
Gil Kirkpatrick CTO, NetPro 
Don''t miss the Directory Experts Conference 2006. 
More information at www.dec2006.com. 


RE: [ActiveDir] Schema Updates

2005-10-10 Thread joe



Entirely your option. :) Windows 3.11 and Windows NT are 
really not the same product. 
 
Note I am not saying I won't use cisco routers because they 
sucked 12 years ago. As someone else pointed out, software isn't cisco's ball of 
wax. There is obviously a little bit of a scary point there when you consider 
though that the IOS is software... 
 
Also as you mentioned, it wasn't created or even 
modified much by cisco. So I don't expect it is much different now than what I 
saw.  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

And I will never run Windows because 3.11 just wasn't that 
great at networking. ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and 
doesn't need a lot of work. :o)
 
It just means it is better than the other sucky 
alternatives.
 
I haven't seen unity in years but when I last saw it, it 
had me swearing about how bad it was. I seem to recall saying something along 
the lines of that will never be in any AD I ever manage. 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified 
messaging app there is right now. Actually has been for over 5 years. I believe 
that the reason it's as good as it is, is that it was not created or even 
modified much by Cisco, they simply bought a really good product and left it be 
for the most part.
As for the schema updates, it didn't work. We made the 
registry change and it did work. I don't see how that would be tied to the app 
as no changes were made there. But who knows.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Hmmm.  I need to 
think about that again.  I think I only saw this behavior in the lab where 
all the servers were upgraded instead of wipe and replace.  In production, 
we upgraded initially then did a replacement effort 
later.
 
More to the point, UGH 
Cisco Unity… I wish to Christ they’d stick to hardware and stop venturing into 
software… 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Was it maybe the app 
itself disallowing the update? Did you try to just modify the schema to see if 
it would work? Say change the rangeupper of cn or something like that and then 
change it back. Something innocuous. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Yep, same here.  I 
think upgraded scenarios have this.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Upgraded.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Upgraded to 2003 or 
fresh install?
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
I just did this last 
week to install Cisco Unity and I still had to enable schema updates in Windows 
2003 even though the user was in Schema Admins. I was under the same impression 
as Travis, but after enabling updating in the registry it worked 
fine.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Did you work this out 
Travis?
 
If not, I would 
recommend pulling up the sysinternal registry and file monitors as well as 
tracing the AD  calls. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates
Hi, 

I 
am having some problems updating the schema for Avaya Unified Messaging. It is 
my thinking that in Windows 2003 the schema is already enabled for updates as 
long as you are in the Schema Admins g

RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread al_maurer








Maybe I shouldn’t be pushing so hard
to take over DNS operations for clients and servers. ;-)

 

Actually, we manage the SRV records only, and
while they are a bit tricky, once it’s working it just works.  But
trying to explain what’s going on to a Windows admin who doesn’t
have an AD background is almost a bigger challenge.



Al Maurer 
Service Manager, Naming and Authentication Services 
IT | Information Technology
Agilent Technologies 
(719) 590-2639; Telnet 590-2639 
http://activedirectory.it.agilent.com 
-- 
"Cry 'Havoc!' and let slip the dogs of war"  - Anthony, in Julius Caesar III i. 











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, October 10, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?



 

Here's the summary of the results from last week's informal
survey. By far the most popular cause of AD failure is the inadvertent
misconfiguration of MSFT DNS, which is interesting, because that was true 2
years ago as well. I guess some things never change.

 

(45 pts) C. Inadvertent misconfiguration of MSFT DNS. 
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a
connection object, or changing the wrong registry setting, or making an
inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user
object or, God-forbid, an OU) 
(22 pts) G. Hardware failure of a networking device (including DNS servers, if
they are not also DCs) 
(15 pts) H. Physical disaster (fire, flood, power failure, etc) 
(14 pts) F. Hardware failure of a DC 
(12 pts) E. Inadvertent misconfiguration of networking devices 
(4 pts) J. Malicious attack by a data admin 
(2 pts) K. Malicious attack by an authenticated user 

 

I ignored anything that was ranked lower than 5th... 

Also interesting to note that the top three items are human error due to lack of
knowledge or carelessness, the next three are physical failures nominally
outside of human control. Is this because there are just too many knobs and
switches on AD and DNS?

 

A little surprising is that there were two votes for
malicious attacks by an internal source.

 

Some of the other failure reasons cited (no overlap, so I
must have listed all the important reasons...)

 

Incomplete load of an IPSec filter list

Impact of a 3rd party agent or application on a
DC e.g. Antivirus software

Issues with FW config that hindered replication over
tombstone lifetime (may belong to E)

Corrupt AD DC database / required metadata cleanup and
repromotion of DC

Misconfiguration by a previous admin, and shutting down a DC
without dcpromo, or cleaning up metadata afterwards.

Inadvertently double-clicking a _vbscript_ when someone meant
to right-click > edit it :)

 

The two winners of the "nothing too fancy" prize
are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please
email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I
will get your gifts sent out ASAP.

 

I only received about 20 responses... I was expecting maybe
40 or 50. Any suggestions as to how to make this more effective (I don't have
any money to spend on this, so large cash-value prizes are right out :)

 

-gil

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers, 

Here's a quick, informal, non-scientific survey. Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam
the list with responses. I've got some swell gifts to give away at random to
a couple of lucky respondents (nothing too fancy). I'll post the summary in a
few days.

Question: *In your experience*, which are the most common causes of Active Directory
"failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care to,
in order from most common to least common. Note that I am not considering the
consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary you might
have. 

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection
object, or changing the wrong registry setting, or making an inappropriate GPO
change)
C. Inadvertent misconfiguration of MSFT DNS. 
D. Inadvertent misconfiguration of non-MSFT DNS. 
E. Inadvertent misconfiguration of networking devices 
F. Hardware failure of a DC 
G. Hardware failure of a networking device (including DNS servers, if they are not
also DCs) 
H. Physical disaster (fire, 

Re: [ActiveDir] single login size in bytes?

2005-10-10 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Totally guessing here from the Dr. J password literature I've read...but 
wouldn't it depend on the auth method involved as to the traffic size? 
Since NTLMv2 is MS specific... you might have to fire up the sniff tools 
on that one.


Chapter 11 in the Riley/Johansson book on passwords

LMhash ... password is padded to 14 characters
lowercase converted to uppercase
split into 7 byte chunks, chunk generates 8 byte odd parity DES key
each 8 byte key used in DES encryption of fixed string
two cipher texts are concatenated and stored

NTLMv2 you are sending challenges back and forth across the wire

Auth req
Server challenge
ntlm2 response
auth result


The Great Debates: Pass Phrases vs. Passwords. Part 1 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint091004.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 2 of 3:
http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint100504.mspx
The Great Debates: Pass Phrases vs. Passwords. Part 3 of 3 -- TechNet 
Column - Security Management - December 2004:

http://www.microsoft.com/technet/community/columns/secmgmt/sm1204.mspx


Rich Milburn wrote:

Does anyone happen to know a rough idea how many bytes are transmitted 
when a single user logs on to an XP box to a W2K3 AD, assuming cached 
credentials aside? I’ve been goog searching and finding a lot of 
detailed info about replication but not much about the size of the 
authentication packets etc. I am digging out net monitor as I type 
(well almost as I type) to see for myself, but anyone who would like 
to comment on the feasibility of having XP machines on the far end of 
a 56K frame circuit actually being members of the domain, please feel 
free to let me know. We’re talking simple logging in, including a 
single GPO or maybe two – but no replication, etc. They do already get 
their email using Outlook to a pst.


And please don’t laugh. This is a very serious issue. ;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may 
learn how to do it." - Pablo Picasso







--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
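The LM hash steps Susan lists from the Riley/Johansson chapter (pad the password to 14 characters, upper-case it, split it into two 7-byte chunks, turn each chunk into an 8-byte odd-parity DES key, DES-encrypt a fixed string under each key, concatenate the two ciphertexts) carried through in working Go, as an added example that is not from the original thread, the book, or any Microsoft code. Two facts the post does not state are used here and are standard LM details: the fixed string is `KGS!@#$%`, and DES of that string under the all-zero key (the hash of an empty, null-padded half) is `AAD3B435B51404EE`. The OEM code page is assumed to be plain ASCII, and `lmHash` and `lmWeakness` are names chosen for this example; `lmWeakness` is a hypothetical audit helper that reads a stored LM hash and reports what the two-halves construction gives away about the password, which is the reason a defender disables LM hash storage.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
	"strings"
)

// lmMagic is the fixed 8-byte plaintext that LM encrypts under each half-key.
var lmMagic = []byte("KGS!@#$%")

// emptyHalf is DES(lmMagic) under the all-zero key, i.e. the hash of a
// null-padded (empty) 7-byte half. It is the second half of the LM hash of
// every password of 7 characters or fewer, and both halves when the password
// is empty or LM storage is disabled (NoLMHash).
const emptyHalf = "aad3b435b51404ee"

// oddParity sets the low bit of b so the byte has an odd number of one bits,
// the conventional DES key parity (DES itself ignores the parity bits).
func oddParity(b byte) byte {
	b &^= 1
	if bits.OnesCount8(b)%2 == 0 {
		b |= 1
	}
	return b
}

// desKeyFrom7 spreads 7 bytes (56 key bits) across 8 bytes, 7 bits per byte,
// and fills the freed low bit of each byte with odd parity.
func desKeyFrom7(s []byte) []byte {
	k := []byte{
		s[0],
		s[0]<<7 | s[1]>>1,
		s[1]<<6 | s[2]>>2,
		s[2]<<5 | s[3]>>3,
		s[3]<<4 | s[4]>>4,
		s[4]<<3 | s[5]>>5,
		s[5]<<2 | s[6]>>6,
		s[6] << 1,
	}
	for i := range k {
		k[i] = oddParity(k[i])
	}
	return k
}

// lmHash computes the LAN Manager hash of password and returns it as 32
// upper-case hex characters. The OEM code page is assumed to be plain ASCII
// (an assumption of this example).
func lmHash(password string) string {
	// Upper-case, then null-pad (or silently truncate) to exactly 14 bytes.
	buf := make([]byte, 14)
	copy(buf, strings.ToUpper(password))

	out := make([]byte, 0, 16)
	// Each 7-byte half keys DES over the fixed string on its own, so the two
	// halves are independent: the effective strength is 2 x 7 characters,
	// not 14, and case has already been thrown away.
	for _, half := range [][]byte{buf[:7], buf[7:]} {
		block, err := des.NewCipher(desKeyFrom7(half))
		if err != nil {
			panic(err) // only possible with a wrong key length
		}
		ct := make([]byte, des.BlockSize)
		block.Encrypt(ct, lmMagic)
		out = append(out, ct...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// lmWeakness classifies a stored LM hash for an audit report (hypothetical
// helper for this example, not part of any Microsoft tool).
func lmWeakness(hash string) string {
	h := strings.ToLower(hash)
	switch {
	case len(h) != 32:
		return "invalid"
	case h == emptyHalf+emptyHalf:
		return "empty password or LM storage disabled"
	case h[16:] == emptyHalf:
		return "password is 7 characters or fewer"
	default:
		return "two independent 7-character halves"
	}
}

func main() {
	for _, pw := range []string{"", "abc", "Password", "password", "longpassword"} {
		h := lmHash(pw)
		fmt.Printf("%-14q %s  %s\n", pw, h, lmWeakness(h))
	}
}
```

Running it with `go run` prints one line per sample password; "Password" and "password" produce the same hash, and every password of seven characters or fewer ends in the constant half, which is exactly what an auditor looks for when deciding whether the NoLMHash setting has actually taken effect on a domain.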


RE: [ActiveDir] Modifying Domain Admins & Administrators Group

2005-10-10 Thread joe
Define within reason. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Monday, October 10, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 

"Is a tool like that something people would be willing to pay for? "

Affirmative Mr. joe. (Within reason of course)

YMYMYM
___


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 


Ah global won't have the issue with primary group since it used the NET*
calls. However, it won't catch nesting that is disallowed in NT, those
entries will be curiously absent because the NET calls don't know anything
about it. If you are simply looking for any change on a group, fire a
notification on the changing of the metadata or the USN or the whenChanged
stamp. 

What would I do? The answer is of course, it depends. :o)  

It depends on what I perceive the risks are and the necessity for protecting
things. It could be very little or it could be a lot with several cross
checks. Generally, monitoring from multiple angles as well as trying to
prevent the possibility of any change is the best solution in my opinion.
Sort of like root kit detection, you won't know when looking at things one
way, you have to look from different angles and check the shadows. 

If I really wanted to be sure I would have a service running on every DC
that made sure the group memberships were exactly what I wanted.
These would be services that had change notifications set up for each
monitored group so AD told me when the group changed versus me looking at it
and seeing if something changed on some x interval. But just the same, that
service would still look at some very regular very short interval just in
case the change notification dorked up and I would do it using multiple
interfaces. If I was REALLY being paranoid I would possibly have the service
shut down the box if it detected a change being originated on it in case
that one box has been somehow compromised. That service might also, for
instance, look for certain known vectors and try to clean those up if
detected as well. There are other things but the more you tell people about
what you are doing to protect a system, the more you tell them on what they
may need to do to compromise a system.

Is a tool like that something people would be willing to pay for? You set it
for how jittery you are about changes to some finite small number of
specific groups and depending on the jittery setting it does anything from
warn to correct to locking the box down dead from any more mods? 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 


I'm just using the (I believe) resource kit tool global.exe to return
samaccountname of users in the group.  A user who has that particular group
as primary still shows up.  At the time my biggest concern was ANY change.
There should not be any changes made to those groups at any time with out my
groups knowledge.  Obviously if a group (nesting) is added I'll know about
it and whip out my ruler to smack someone with.

As far as the restricted groups are concerned; when I first added them to
the policy it worked like a charm.  After some more testing I found it was
taking longer than expected...more than 15 minutes.  After looking at the
policy I saw that I had entered "domain admins" instead of domain\domain
admins.  I changed it and it never worked.  Changed it back to just "domain
admins" and again it usually works but I recently saw a user sit in the
group for an hour or so before I removed it manually.  I was however
notified with in a minute of the change.

Like I said, it's crude but it gets what I need done.  I know that I have
to deal with replication time and I could hit a DC that doesn't know about
the change immediately which could delay my notification by up to a few
minutes, but my biggest concern at this time are certain admins that can add
to the DA's group.  No need to start down that road...I walked into this and
am slowly cleaning up this mess.  Who the hell makes a file server a DC...

Now...I have to ask...how would Joe do it? ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 

What about people who have those groups as a primary group? 30 seconds is a
long time, I could be a domain admin and have it not show in the DA member
attribute in milliseco

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread joe
Don't get lost in the details yet. I tried to give a specific example to
help clarify the general concept of "I have switch labeled Hurray that shuts
off legacy support", it launches Windows into a whole new non-NT compatible
auth/authz system. It seems to me if we keep the legacy stuff in there, it
is never going to go away because there is no impetus for it to go away. 

Then again, maybe ADAM is the new model... Companies switch to using ADAM
for auth/authz entirely and away from AD. However, that means having to
build up the GPO model, etc in ADAM as well as Kerberos and other supporting
pieces. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 12:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Depends on how it's implemented.  If it is really multiple AD
domains/forests (full functionality for all three) then I would be all for
it as it would greatly simplify multi-forest deployments and really be a
cause for celebration for new deployments.  However, it would be interesting
to see how a multi-forest server would register itself and be advertised.  
Same for application of services and applications when they have one IP
address to resolve to.

I see this as a fundamental change that only has the advantage of reducing
OS licensing costs.  I haven't seen specs on BC, but would imagine that
virtualization will eventually be included at some level either in the OS or
in the hardware itself.  At that point, is there a benefit to a multiple
forest or domain on a single DC vs virtualization?

I suspect the differences in cost would not be large. I'm not sure I'd like
the stability issues per se. Hardware is cheap. Dirt cheap and if I can
withstand the risk of multiple forests on a single OS/piece of hardware, I
can probably withstand three low-class servers.  Or one larger with
virtualization because the scenario that I would likely deploy into would
not be a high-availability and high-traffic scenario. It would likely be a
remote site with 200 or less users that needs access to resources in
multiple forests.

As for partition information or ldap identity stores, I already have ADAM
available to me in the OS (R2) and can deploy many instances of that.  It's
not the LDAP abilities I'm after.  It's the other NOS related information
that appeals.  Specifically for me, it would be multi-forest implementations
that would be of interest.

The drawback to me would be flushing my investment in other applications.  
I'm not interested enough in the end result to flush my legacy apps and the
investment I have in them.


My 0.04 anyway.

>From: "joe" <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>Date: Mon, 10 Oct 2005 10:32:26 -0400
>
>To move this in a slightly different direction. How would people feel about
>a BlackComb Super Forest Functional Mode where not only are DCs impacted 
>but
>every machine touching the DCs are affected. I.E. MS allows multiple 
>domains
>on a single DC but not for any pre-BlackComb clients. I.E. Complete break
>with legacy capability?
>
>Personally I wouldn't mind seeing something like that but how do others 
>feel
>about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
>have no clue how to use the domains, etc.
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, October 10, 2005 10:10 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>While I generally agree this would be great, I have to ask about eDir and
>its authentication abilities.   IIRC, multiple domains via LDAP only work
>just fine.  It's called ADAM in its latest incarnation.  But for the
>authentication[1] and other apps that support/work with AD to provide
>identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
>multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
>so sure.
>
>
>I'm curious, Charlie and Neil.  What services do these SMB's offer that 
>they
>need multiple instances of DC's? I realize that a best practice is to have
>multiple servers that can provide some failure tolerant behaviors, but I'm
>wondering what type of work a SMB does that requires multiple full blown AD
>domain instances and therefore multiple servers etc. Can you expand that?
>
>
>[1] LDAP is not an authentication protocol; Kerberos is though.
>
>-ajm
>CCBW
>
> >From: <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: 
> >Subject: RE: [ActiveDir] Active Directory wish list
> >Date: Mon, 10 Oct 2005 08:52:25 +0100
> >
> >Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
> >[MVP]
> >Sent: 06 October

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread joe
Yeah I didn't want to state going away completely from the domain model. My
basic idea is to do something different than is allowed by current legacy
systems and their support. Allowing multiple domains on a single DC sounds
like an easy way for people to visualize it. It could, in fact, be something
more along the partitioning done by Novell or something else entirely
different. Either way, the switch turns off all Legacy to never allow it to
work in that environment again.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 11:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Good suggestion Joe and, in principle, I agree ... but were that to make it
to reality, I'd question why the legacy domain model persists.  Domains are,
IMO, an outdated and overly rigid technology ... obviously, there are many
features that would require significant modification (some of which will
hopefully be covered by Longhorn).  Perhaps flexible partitioning within a
single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs are affected. I.E. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.E. Complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and 
its authentication abilities.   IIRC, multiple domains via LDAP only work 
just fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide
identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
so sure.


I'm curious, Charlie and Neil.  What services do these SMB's offer that they
need multiple instances of DC's? I realize that a best practice is to have
multiple servers that can provide some failure tolerant behaviors, but I'm
wondering what type of work a SMB does that requires multiple full blown AD
domain instances and therefore multiple servers etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I 
>retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!T
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS 
>installation and segment the directories from each other. That way I 
>don't need to run multiple licenses of the OS, nor do I need hardware 
>that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works but I'd prefer 
>to be able to run AD as a service and have it be smart enough to be 
>able to segment itself without needing a separate OS...
>
>**
>Charlie Kaiser
>W2K3 MCSA/MCSE/Security, CCNA
>Systems Engineer
>Essex Credit / Brickwalk
>510 595 5083
>**
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
> > [MVP]
> > Sent: Wednesday, October 05, 2005 10:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > You can.  It's called Microsoft Virtual Server.
> >
> > Ed Crowley MCSE+Internet MVP
> > Freelance E-Mail 

[ActiveDir] exchange confusion(OT)

2005-10-10 Thread Tom Kern
I have a contact with the addy of [EMAIL PROTECTED].
 
I created a smtp connector with an address space of *.domain.com. 
 
when exchange 2k sends an email destined for [EMAIL PROTECTED] thru that smtp connector, it rewrites the addy in the RCPT TO: as 
[EMAIL PROTECTED], taking out the servername.
 
i see this in the smtp logs on the server and the remote server doesn't accept mail to that addy and is saying "relay not allowed".
 
Now, my question-
why is exchange rewriting the address just because i'm using a wildcard in the connector address space?
is this by design?
 
What if i wanted a connector going to every domain under domain.com like subdomain.domain.com and childdomain.domain.com
?
wouldn't i just create a connector with an address space of *.domain.com?
 
should exchange 2k just forward the email without changing the RCPT TO: headers?
 
am i wrong and clueless as usual?
what am i missing?
 
i'm running Exchange 2k post sp3 rollup in mixed mode(but no exchange 5.5 servers or ADC).
 
Thanks a lot


RE: [ActiveDir] TS GPO and Citrix Settings

2005-10-10 Thread Ryan A. Conrad
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.  Already have
tried the deletion but you have to keep on doing it if you want to make changes
to Citrix.  I was hoping there was a “Disable Secure RDP” registry setting that
wouldn’t gray anything out (as in W2K).

-Ryan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Derek Harris
Sent: Monday, October 10, 2005 4:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] TS GPO and Citrix Settings

If you just want to make a quick change,
go into the registry and delete the policy subtrees (from HKCU or HKLM, or
both).  They'll come back on the next policy refresh, but it'll give you a
few minutes.  I can't remember off the top of my head where those setting
are stored: [software\policies], [software\microsoft\windows\current
version\policies]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings

We are experiencing what appears to be a strange problem (although
it’s probably expected for all I know) with Terminal Service settings on
W2K3 boxes.  A GPO at our application server container sets various
settings (timeout values, encryption, etc…) for all systems (regardless
of Admin/Application mode).  The behavior is when any TS setting is set by
a GPO the setting is grayed out and even administrators cannot change the
settings.

 

This itself would not be an issue, however, the default behavior of
Citrix is to take the RDP settings and therefore we cannot change the ICA settings which
presents a problem. So aside from blocking policy inheritance on the OUs where
there are terminal servers does anyone know of a way to un-gray the settings
for W2K3? This was not an issue in W2K.

 

Hopefully I’ve explained well enough.  Thanks in advance,

 

Ryan 
RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Gil Kirkpatrick
Hmmm... maybe I could pull off a DEC pass. "All expenses 
paid" is probably a bit much. People run up a lot of "expenses" in 
Vegas!
 
-g

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, October 10, 2005 12:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Suggestions as to how to make this more effective (I don't have any money to
spend on this, so large cash-value prizes are right out :)
 
How about an all expenses paid trip to DEC in Vegas, entry to the NDA lunch and
of course the obligatory book – Active Directory Programming, ISBN:
0672315874?
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 10 October 2005 19:06
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [Norton AntiSpam] [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?
 
Here's the summary of the results from last week's informal survey. By far the
most popular cause of AD failure is the inadvertent misconfiguration of MSFT
DNS, which is interesting, because that was true 2 years ago as well. I guess
some things never change.
 
(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a
connection object, or changing the wrong registry setting, or making an
inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or,
God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if
they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user
 
I ignored anything that was ranked lower than 5th... Also interesting to note
that the top three items are human error due to lack of knowledge or
carelessness, the next three are physical failures nominally outside of human
control. Is this because there are just too many knobs and switches on AD and
DNS?
 
A little surprising is that there were two votes for malicious attacks by an
internal source.
 
Some of the other failure reasons cited (no overlap, so I must have listed all
the important reasons...)
 
Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC e.g. Antivirus software
Issues with FW config that hindered replication over tombstone lifetime (may
belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion of DC
Misconfiguration by a previous admin, and shutting down a DC without dcpromo,
or cleaning up metadata afterwards.
Inadvertently double-clicking a VBScript when someone meant to right-click >
edit it :)
 
The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart
Fuller (wait for applause to die down...) Please email your shipping
particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent
out ASAP.
 
I only received about 20 responses... I was expecting maybe 40 or 50. Any
suggestions as to how to make this more effective (I don't have any money to
spend on this, so large cash-value prizes are right out :)
 
-gil
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly
at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got
some swell gifts to give away at random to a couple of lucky respondents
(nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active
Directory "failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care to,
in order from most common to least common. Note that I am not considering the
consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary
you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an
OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection
object, or changing the wrong registry setting, or making an inappropriate GPO
change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if t

RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Creamer, Mark
Why not just ask the people at DEC - a
captive audience of some of the most knowledgeable AD people anywhere. Or were
you hoping for answers prior to then?

RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Al Mulnick
And I wholeheartedly applaud dreaming.  Without it we'd still be in a dark
wet cave, chewing on roots and hoping to keep warm ;-)

It's just that I don't think the licensing case is the big issue.  I would
guess that Microsoft licensing would find another way to get the pound of
flesh. I don't think for a minute that they shouldn't either. Because of
that market force, I tend to disassociate the licensing from the solution
altogether. Take that away, and I'm not sure that you have solved your
technical problem by avoiding the hardware purchase.  I have to admit, it
sounds cliche but the hardware is cheap.  Very cheap and you'd likely have
to include bigger hardware to get multiple domains installed anyway.  The OS
is not taking copious amounts of memory last I checked (128 is fine for just
the OS). It's those silly apps that require so much. And if you have to load
test, then you're deeper in the water because you'll take the rest of the
domains down to their knees while you use one of the others.  Virtualization
offers a better technical solution in that you can keep them totally
separate from each other.  They rely on a common OS, so the only real
difference is the memory overhead and some of the OS overhead you otherwise
might not have.  The tradeoff is the stability that comes with the
separation and a higher maintenance cost while you rev the OS across 9
instances of the OS. I see that. But there's also some flexibility in that
approach because I am not required to upgrade all 9 instances at once.  I
can create a test environment that works with multiple versions at a time
vs. all upgrade at once, like IIS requires (that's a shared code issue, not
to pick on IIS). 

I have to say I think it's a great idea to dream Charlie, but I don't get
the advantage of multiple domains (as they exist today) over virtualization.
Thanks for clarifying though. We'll have to wait and see how it pans out I
suppose. 

Cheers,

Al


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 3:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list


The limitations of the VMs are the underlying hardware, in our case. I have
9 VMs running on one server. It's choking for more RAM, but management won't
foot the bill for the additional riser card and ram. Otherwise, no
limitations in functionality. If I had adequate hdw to run the VMs I could
use VMs more gracefully. I've used/use desktop hdw to run testlab machines,
but scalability and user experience testing is indeed a factor for some
things. The underlying "wish" here was to be able to put multiple AD DCs on
one piece of hdw/OS. Instead of having to build 3 VMs or physical machines,
be able to run 3 domains on one, with AD running as a service, kinda like
the way IIS can run multiple websites, or SQL can run multiple DBs (although
it's at a lower level than either of those apps). If I could run 3 domains
on 2 servers instead of 6, I would imagine that I'd save on licensing costs
as well as hdw, since running an AD service would likely be less hdw
intensive than running an OS... We can dream, can't we? :-)


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for
> you? I'm trying 
> to understand the difference between that and a multiple 
> domain DC for that 
> scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?)
> have always 
> worked well for me in the past when doing functionality testing. 
> Scalability requires full-blown hardware. But I'm not seeing where VM 
> environments aren't working as well as you'd like a physical 
> environment to 
> work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured
> to host multiple 
> domains because I could designate one to be the failover for several 
> domains.  Otherwise, I'm not sure I get it. Is this like a 
> LPAR concept 
> you're talking about? That would be more helpful to you in 
> these situations? 
> If so, how is that different than VM's?
> 
> Test environments are notoriously able to take down servers
> without warning. 
> I would often prefer to use a VM to decrease that risk of 
> consuming all 
> resources to destruction. That provides some isolation while 
> not requiring 
> extra hardware.
> 
> VM's require licenses (the OS and apps do) FWIW. You're only
> saving on the 
> hardware and environmentals that I can see, but I'm trying to 
> understand 
> what I'm missing.
> 
> 
> - Ori

RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Rich Milburn
you forgot to mention the amount USD in
casino chips you would like to find in your complimentary hotel room upon
arrival ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Monday, October 10, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Suggestions as to how to make this more effective (I don't
have any money to spend on this, so large cash-value prizes are right out
:)

 

How about an all expenses paid trip to DEC
in Vegas, entry to the NDA lunch and of course the obligatory book –
Active Directory Programming, ISBN: 0672315874?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 10 October 2005 19:06
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [Norton AntiSpam] [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal survey. By far the
most popular cause of AD failure is the inadvertent misconfiguration of MSFT
DNS, which is interesting, because that was true 2 years ago as well. I guess
some things never change.

 

(45 pts) C. Inadvertent misconfiguration of MSFT DNS. 
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a
connection object, or changing the wrong registry setting, or making an
inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or,
God-forbid, an OU) 
(22 pts) G. Hardware failure of a networking device (including DNS servers, if
they are not also DCs) 
(15 pts) H. Physical disaster (fire, flood, power failure, etc) 
(14 pts) F. Hardware failure of a DC 
(12 pts) E. Inadvertent misconfiguration of networking devices 
(4 pts) J. Malicious attack by a data admin 
(2 pts) K. Malicious attack by an authenticated user 

 

I ignored anything that was ranked lower than 5th... 

Also
interesting to note that the top three items are human error due to lack of
knowledge or carelessness, the next three are physical failures nominally
outside of human control. Is this because there are just too many knobs and
switches on AD and DNS?

 

A little surprising is that there were two votes for malicious attacks by an
internal source.

 

Some of the other failure reasons cited (no overlap, so I
must have listed all the important reasons...)

 

Incomplete load of an IPSec filter list

Impact of a 3rd party agent or application on a DC e.g. Antivirus software

Issues with FW config that hindered replication over tombstone lifetime (may
belong to E)

Corrupt AD DC database / required metadata cleanup and repromotion of DC

Misconfiguration by a previous admin, and shutting down a DC without dcpromo,
or cleaning up metadata afterwards.

Inadvertently double-clicking a VBScript when someone meant to right-click >
edit it :)

 

The two winners of the "nothing too fancy" prize
are Hunter Coleman and Stuart Fuller (wait for applause to die down...) Please
email your shipping particulars to me at mailto:[EMAIL PROTECTED], and I
will get your gifts sent out ASAP.

 

I only received about 20 responses... I was expecting maybe
40 or 50. Any suggestions as to how to make this more effective (I don't have
any money to spend on this, so large cash-value prizes are right out :)

 

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers, 

Here's a quick, informal, non-scientific survey. Please reply to me directly
at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got
some swell gifts to give away at random to a couple of lucky respondents
(nothing too fancy). I'll post the summary in a few days.

Question:
*In your experience*, which are the most common causes of Active Directory
"failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care to,
in order from most common to least common. Note that I am not considering the
consequences of the failure, just how frequent they are.

Just
send me a response like B, A, F or some such, along with any commentary you
might have. 

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)

B. Inadvertent misconfiguration of AD (for instance screwing up a connection
object, or changing the wrong registry setting, or making an inappropriate GPO
change)

C. Inadvertent misconfiguration of MSFT DNS. 
D. Inadvertent misconfiguration of non-MSFT DNS. 
E. Inadvertent misconfiguration of networking devices 
F. Hardware failure of a DC 
G. Hardware failure of a networking device (including DNS servers, if they 

RE: [ActiveDir] TS GPO and Citrix Settings

2005-10-10 Thread Derek Harris
If you just want to make a quick change, go into the 
registry and delete the policy subtrees (from HKCU or HKLM, or both).  
They'll come back on the next policy refresh, but it'll give you a few 
minutes.  I can't remember off the top of my head where those setting are 
stored: [software\policies], [software\microsoft\windows\current 
version\policies]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ryan A. Conrad
Sent: Monday, October 10, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] TS GPO and Citrix Settings


We are experiencing what appears to be a strange problem 
(although it’s probably expected for all I know) with Terminal Service settings 
on W2K3 boxes.  A GPO at our application server container sets various 
settings (timeout values, encryption, etc…) for all systems (regardless of 
Admin/Application mode).  The behavior is when any TS setting is set by a 
GPO the setting is grayed out and even administrators cannot change the 
settings.
 
This itself would not be an issue, however, the default 
behavior of Citrix is to take the RDP settings and therefore we cannot change 
the ICA settings 
which presents a problem. So aside from blocking policy inheritance on the OUs 
where there are terminal servers does anyone know of a way to un-gray the 
settings for W2K3? This was not an issue in W2K.
 
Hopefully I’ve explained well enough.  Thanks in 
advance,
 
Ryan 
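An added example, not code from either of the TS GPO posts above: a read-only PowerShell audit of the policy key Ryan names, listing every Terminal Services value a GPO has written under HKLM (computer policy) and HKCU (user policy), which are exactly the settings the TS configuration UI shows grayed out. It assumes only the built-in Registry provider; the function name and its `$PolicyPath` parameter are this example's own.

```powershell
# Added example (not from the thread). Lists, without changing anything, every
# value Group Policy has written under the Terminal Services policy key, so an
# admin can see which TS settings are policy-enforced. Deleting these values,
# as suggested in the thread, only lasts until the next policy refresh, which
# is why this script reports rather than edits.
function Get-EnforcedTsPolicy {
    [CmdletBinding()]
    param(
        # Default is the key named in the thread; pass other keys to audit them.
        [string[]]$PolicyPath = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        )
    )

    foreach ($path in $PolicyPath) {
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Verbose "No policy key at $path (no GPO has set TS settings there)"
            continue
        }
        # The key itself plus every subkey beneath it.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive  = $path.Split(':')[0]      # HKLM or HKCU
                    Key   = $key.Name
                    Value = $name
                    Kind  = $key.GetValueKind($name)
                    Data  = $key.GetValue($name)
                }
            }
        }
    }
}

# Run the audit; an empty result means no TS setting is currently policy-locked.
$enforced = @(Get-EnforcedTsPolicy -Verbose)
if ($enforced.Count -eq 0) {
    Write-Host 'No Terminal Services settings are currently enforced by policy.'
} else {
    $enforced | Sort-Object Hive, Key, Value | Format-Table -AutoSize
}
```

Running it again after `gpupdate /force` shows which values the GPO re-applies, which is what makes the manual registry deletion only a temporary workaround.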


RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Bernard, Aric
Sounds like we need an LDAP.SYS that is similar to HTTP.SYS in that it
can act as a routing, queuing, and parsing mechanism to determine which
LDAP namespace/partition or domain an inbound request is destined for.

With such a mechanism in place registration/advertisement (DNS) of the
various LDAP namespaces supported should be compatible with today's
implementation and existing client capabilities.  However, some of the
other facets of the NOS implementation (i.e. SYSVOL) would still be
unaccounted for but I suppose similar proxy methods could be developed
to support these subsystems as well...


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Monday, October 10, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

The limitations of the VMs are the underlying hardware, in our case. I
have 9 VMs running on one server. It's choking for more RAM, but
management won't foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hdw to run
the VMs I could use VMs more gracefully.
I've used/use desktop hdw to run testlab machines, but scalability and
user experience testing is indeed a factor for some things.
The underlying "wish" here was to be able to put multiple AD DCs on one
piece of hdw/OS. Instead of having to build 3 VMs or physical machines,
be able to run 3 domains on one, with AD running as a service, kinda
like the way IIS can run multiple websites, or SQL can run multiple DBs
(although it's at a lower level than either of those apps). If I could
run 3 domains on 2 servers instead of 6, I would imagine that I'd save
on licensing costs as well as hdw, since running an AD service would
likely be less hdw intensive than running an OS...
We can dream, can't we? :-)


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for 
> you? I'm trying 
> to understand the difference between that and a multiple 
> domain DC for that 
> scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?) 
> have always 
> worked well for me in the past when doing functionality testing. 
> Scalability requires full-blown hardware. But I'm not seeing where VM 
> environments aren't working as well as you'd like a physical 
> environment to 
> work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured 
> to host mulitple 
> domains because I could designate one to be the failover for several 
> domains.  Otherwise, I'm not sure I get it. Is this like a 
> LPAR concept 
> you're talking about? That would be more helpful to you in 
> these situations? 
> If so, how is that different than VM's?
> 
> Test environments are notoriously able to take down servers 
> without warning. 
> I would often prefer to use a VM to decrease that risk of 
> consuming all 
> resources to destruction. That provides some isolation while 
> not requiring 
> extra hardware.
> 
> VM's require licenses (the OS and apps do) FWIW. You're only 
> saving on the 
> hardware and environmentals that I can see, but I'm trying to 
> understand 
> what I'm missing.
> 
> 
> - Original Message - 
> From: "Charlie Kaiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, October 10, 2005 11:05 AM
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> 
> For us, it's the ability to run parallel domains for test/development
> purposes. We have our production domain, my IT test domain, 
> and our LOB
> application test domain. I'd have another IT test domain if I had the
> available hardware right now.
> We are required to test and document all changes to the LOB app and a
> significant number of people work in that test domain. 
> Running it on VMs
> or old hardware doesn't cut it gracefully, although that's what I do.
> Since management won't write the check for additional 
> hardware/licenses,
> we do what we can.
> But if we had one beefy server to replace 3, and one server license to
> replace 3, it would be much more cost effective to do, and would
> increase performance for the user community.
> In my last gig, we had multiple domains that were used for development
> and customer support departments. The support kids especially needed
> multiple domains to recreate customer environments and 
> various software
> versions.
> I can think of a lot of reasons to need multiple domains/forests in an
> SMB environment. Regulatory compliance, 24x7 availability 
> that mandates
> full testing 

RE: [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Mark Parris
> Suggestions as to how to make this more effective (I don't
> have any money to spend on this, so large cash-value prizes are right out
> :)

How about an all expenses paid trip to DEC in Vegas, entry to the NDA lunch
and of course the obligatory book – Active Directory Programming,
ISBN: 0672315874?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: 10 October 2005 19:06
To: ActiveDir@mail.activedir.org
Cc: Christine McDermott
Subject: [Norton AntiSpam] [ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

Here's the summary of the results from last week's informal
survey. By far the most popular cause of AD failure is the inadvertent
misconfiguration of MSFT DNS, which is interesting, because that was true 2
years ago as well. I guess some things never change.

(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a
connection object, or changing the wrong registry setting, or making an
inappropriate GPO change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or,
God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device (including DNS servers, if
they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

I ignored anything that was ranked lower than 5th...

Also interesting to note that the top three items are human error due to lack
of knowledge or carelessness, the next three are physical failures nominally
outside of human control. Is this because there are just too many knobs and
switches on AD and DNS?

A little surprising is that there were two votes for malicious attacks by an
internal source.

Some of the other failure reasons cited (no overlap, so I must have listed all
the important reasons...)

Incomplete load of an IPSec filter list

Impact of a 3rd party agent or application on a DC e.g. Antivirus software

Issues with FW config that hindered replication over tombstone lifetime (may
belong to E)

Corrupt AD DC database / required metadata cleanup and repromotion of DC

Misconfiguration by a previous admin, and shutting down a DC without dcpromo,
or cleaning up metadata afterwards.

Inadvertently double-clicking a vbscript when someone meant to right-click >
edit it :)

The two winners of the "nothing too fancy" prize are Hunter Coleman and Stuart
Fuller (wait for applause to die down...) Please email your shipping
particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent
out ASAP.

I only received about 20 responses... I was expecting maybe 40 or 50. Any
suggestions as to how to make this more effective (I don't have any money to
spend on this, so large cash-value prizes are right out :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers,

Here's a quick, informal, non-scientific survey. Please reply to me directly at
mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got
some swell gifts to give away at random to a couple of lucky respondents
(nothing too fancy). I'll post the summary in a few days.

Question: *In your experience*, which are the most common causes of Active
Directory "failure" (where failure is defined as failure to authenticate,
authorize, replicate, or apply GPOs as expected). List as many as you care to,
in order from most common to least common. Note that I am not considering the
consequences of the failure, just how frequent they are.

Just send me a response like B, A, F or some such, along with any commentary
you might have.

A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection
   object, or changing the wrong registry setting, or making an inappropriate
   GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are
   not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)

Thanks for your feedback.

-gil

Gil Kirkpatrick
CTO, NetPro

Don't miss the Directory Experts Conference 2

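The top three causes in Gil's tally are DNS and AD misconfiguration, and several of the write-in reasons (a DC shut down without dcpromo, metadata never cleaned up) also surface as wrong or stale records in DNS. The concrete thing to check after any DNS change is the set of SRV records each DC registers (what `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>` returns, and what a DC writes to %SystemRoot%\System32\config\netlogon.dns), plus the DSA-GUID CNAME under _msdcs that replication partners resolve. The following is an added example, not code from the list or from any of the posters: an offline audit of a constructed zone for a hypothetical contoso.com forest with two DCs and one demoted DC. The domain, host names, GUIDs and zone contents are all made up, and the expected-record list is the commonly needed subset of netlogon.dns rather than the full set.

```python
"""Offline sanity check of the DNS records a domain controller must register:
the SRV records the DC locator queries and the DSA-GUID CNAME that replication
partners resolve. Zone contents and DC names below are a constructed sample."""
from dataclasses import dataclass

DOMAIN = "contoso.com"  # assumed domain; the forest root is the same here
FOREST = "contoso.com"


@dataclass(frozen=True)
class DomainController:
    fqdn: str
    site: str
    dsa_guid: str      # objectGUID of the DC's NTDS Settings object
    is_gc: bool = False
    is_pdc: bool = False


def srv_rdata(port, *targets):
    """SRV rdata tuples (priority, weight, port, target) for each target."""
    return [(0, 100, port, t) for t in targets]


# Constructed zone. Deliberate defects: dc2 is a GC but registered no GC
# records and has no DSA-GUID CNAME; "olddc" was shut down without dcpromo and
# its _ldap/_kerberos records were never cleaned up.
SAMPLE_SRV = {
    "_ldap._tcp.contoso.com": srv_rdata(389, "dc1.contoso.com", "dc2.contoso.com", "olddc.contoso.com"),
    "_kerberos._tcp.contoso.com": srv_rdata(88, "dc1.contoso.com", "dc2.contoso.com", "olddc.contoso.com"),
    "_ldap._tcp.dc._msdcs.contoso.com": srv_rdata(389, "dc1.contoso.com", "dc2.contoso.com"),
    "_kerberos._tcp.dc._msdcs.contoso.com": srv_rdata(88, "dc1.contoso.com", "dc2.contoso.com"),
    "_ldap._tcp.pdc._msdcs.contoso.com": srv_rdata(389, "dc1.contoso.com"),
    "_ldap._tcp.HQ._sites.contoso.com": srv_rdata(389, "dc1.contoso.com"),
    "_ldap._tcp.HQ._sites.dc._msdcs.contoso.com": srv_rdata(389, "dc1.contoso.com"),
    "_ldap._tcp.Branch._sites.contoso.com": srv_rdata(389, "dc2.contoso.com"),
    "_ldap._tcp.Branch._sites.dc._msdcs.contoso.com": srv_rdata(389, "dc2.contoso.com"),
    "_gc._tcp.contoso.com": srv_rdata(3268, "dc1.contoso.com"),
    "_ldap._tcp.gc._msdcs.contoso.com": srv_rdata(3268, "dc1.contoso.com"),
}
SAMPLE_CNAME = {
    "3a7c1e0c-1111-4e2b-9c3d-aaaaaaaaaaaa._msdcs.contoso.com": "dc1.contoso.com",
}
DCS = [
    DomainController("dc1.contoso.com", "HQ", "3a7c1e0c-1111-4e2b-9c3d-aaaaaaaaaaaa",
                     is_gc=True, is_pdc=True),
    DomainController("dc2.contoso.com", "Branch", "5b8d2f1d-2222-4f3c-8d4e-bbbbbbbbbbbb",
                     is_gc=True),
]


def expected_srv(dc, domain=DOMAIN, forest=FOREST):
    """SRV names DC must own, with the port each must carry (the subset of
    netlogon.dns that clients and replication depend on most)."""
    exp = {
        f"_ldap._tcp.{domain}": 389,
        f"_kerberos._tcp.{domain}": 88,
        f"_ldap._tcp.dc._msdcs.{domain}": 389,
        f"_kerberos._tcp.dc._msdcs.{domain}": 88,
        f"_ldap._tcp.{dc.site}._sites.{domain}": 389,
        f"_ldap._tcp.{dc.site}._sites.dc._msdcs.{domain}": 389,
    }
    if dc.is_pdc:
        exp[f"_ldap._tcp.pdc._msdcs.{domain}"] = 389
    if dc.is_gc:
        exp[f"_gc._tcp.{forest}"] = 3268
        exp[f"_ldap._tcp.gc._msdcs.{forest}"] = 3268
    return exp


def missing_records(dc, srv, cname, domain=DOMAIN, forest=FOREST):
    """Records DC should own that are absent, or present with the wrong port."""
    problems = []
    for name, port in expected_srv(dc, domain, forest).items():
        mine = [r for r in srv.get(name, []) if r[3].lower() == dc.fqdn.lower()]
        if not mine:
            problems.append(f"missing SRV {name} -> {dc.fqdn}")
        elif any(r[2] != port for r in mine):
            problems.append(f"wrong port in SRV {name} -> {dc.fqdn}")
    guid_name = f"{dc.dsa_guid}._msdcs.{forest}"
    if cname.get(guid_name, "").lower() != dc.fqdn.lower():
        problems.append(f"missing CNAME {guid_name} -> {dc.fqdn}")
    return problems


def stale_targets(dcs, srv):
    """SRV targets that are not a known DC: what a DC removed without dcpromo
    (and without metadata cleanup) leaves behind for clients to try first."""
    known = {dc.fqdn.lower() for dc in dcs}
    return sorted({(name, r[3]) for name, rs in srv.items()
                   for r in rs if r[3].lower() not in known})


def audit(dcs, srv, cname, domain=DOMAIN, forest=FOREST):
    """Per-DC problem lists plus the stale-record list; all empty means sane."""
    per_dc = {dc.fqdn: missing_records(dc, srv, cname, domain, forest) for dc in dcs}
    return per_dc, stale_targets(dcs, srv)


if __name__ == "__main__":
    per_dc, stale = audit(DCS, SAMPLE_SRV, SAMPLE_CNAME)
    for host, probs in per_dc.items():
        print(host, "OK" if not probs else "\n    " + "\n    ".join(probs))
    for name, target in stale:
        print("stale:", name, "->", target)
```

Against a real zone, SAMPLE_SRV and SAMPLE_CNAME would be filled from a zone transfer or nslookup output rather than typed in; dcdiag's DNS test does a fuller version of the same registration check on the DC itself. The stale-target list is the part worth running after every demotion, because clients pick SRV targets without knowing which ones are dead.
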
RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Bernard, Aric

My understanding is as follows:

1 licensed copy of W2K3R2 or Longhorn (EE/DC) provides the following:
  - 1 physical host running the licensed OS
  - 4 virtual guests running the licensed OS or a lesser version (i.e. Enterprise
    Edition would allow for Web Edition running in a VM)

VMs developed and designed for the following purposes (as examples) need not be
licensed until which time they no longer fall under the following:
  - Copies of licensed machines (physical or virtual) used for backup purposes only
  - “Template” virtual disks used for deploying new virtual guests
  - Other virtual machines not generally online and not used for production
    purposes (e.g. an offline CA in a VM would not qualify)

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

I’m a bit confused as to what she was trying to say… in the quote below, she
says four VMs, but she doesn’t say four instances of Windows… and she says
that they’ll only charge for virtual images of Windows actually running.  I
take that to mean that if I have a box with 10 virtual machines defined but
only 4 running at a time, that I only have to pay for 4?  Unless I start a 5th
one before I bring one of the others down?  Does it mean that currently I’d
have to pay for 10?  Or is it that if I am only running 4 I can run them on top
of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server,
GOLIATH, and he’s running 10 VMs with Windows, then he’s running 10 W2K3
kernels, 10 HALs, 10 __ (fill in the blank).  There was a concept, sort of
filled by NTVDM, that you could run something in there and if it crashed it
didn’t take down the OS.  What if you could run an instance of Exchange in one
of those?  Or a DC?  VMs are now sort of like having CD images on the network
were for a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25
copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I
mean.  Run 10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear
ESX can mitigate that somewhat… but MS wrote the Windows code, who could do it
better than them?  Or maybe I’m way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual machines running on
top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn"
Datacenter Edition at no extra cost, Kelly said.

---APPLEBEE'S
INTERNATIONAL, INC. CONFIDENTIALITY NOTICE--- 
PRIVILEGED /
CONFIDENTIAL INFORMATION may be contained in this message or any attachments.
This information is strictly confidential and may be subject to attorney-client
privilege. This message is intended only for the use of the named addressee. If
you are not the intended recipient of this message, unauthorized forwarding,
printing, copying, distribution, or using such information is strictly
prohibited and may be unlawful. If you have received this in error, you should
kindly notify the sender by reply e-mail and immediately destroy this message.
Unauthorized interception of this e-mail is a violation of federal criminal
law. Applebee's International, Inc. reserves the right to monitor and review
the content of all messages sent to and from this e-mail address. Messages sent
to or from this e-mail address may be stored on the Applebee's International,
Inc. e-mail system.

RE: [ActiveDir] single login size in bytes?

2005-10-10 Thread Rich Milburn
Thanks Bob... I actually used that article too, once upon a time, though
it's way more detail than I was looking for.  There's another one more
recent, it goes into server authentication details - way TMI.  You know,
we're not even talking multiple machines, just one. The serious thing is
that we can't impact cc transactions.  But even so... I tested it and
with a first-time user log on, it spiked the graph to just over 50 kbps.
Subsequent logons were in the 40 kbps range, and only briefly.  No one
here at the technical level is worried about it - note how I was asking
about how much bandwidth it uses, not how much of a noticeable delay
might there be :)

Rich

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Monday, October 10, 2005 2:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] single login size in bytes?

Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles
apply. I found this paper very illuminating in its day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?

Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.

And please don't laugh.  This is a very serious issue. ;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Charlie Kaiser
The limitations of the VMs are the underlying hardware, in our case. I
have 9 VMs running on one server. It's choking for more RAM, but
management won't foot the bill for the additional riser card and ram.
Otherwise, no limitations in functionality. If I had adequate hdw to run
the VMs I could use VMs more gracefully.
I've used/use desktop hdw to run testlab machines, but scalability and
user experience testing is indeed a factor for some things.
The underlying "wish" here was to be able to put multiple AD DCs on one
piece of hdw/OS. Instead of having to build 3 VMs or physical machines,
be able to run 3 domains on one, with AD running as a service, kinda
like the way IIS can run multiple websites, or SQL can run multiple DBs
(although it's at a lower level than either of those apps). If I could
run 3 domains on 2 servers instead of 6, I would imagine that I'd save
on licensing costs as well as hdw, since running an AD service would
likely be less hdw intensive than running an OS...
We can dream, can't we? :-)


**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Active Directory wish list
> 
> I agree.  SMB business can be very complex.
> 
> Can you expand on the idea that VM's aren't working well for 
> you? I'm trying 
> to understand the difference between that and a multiple 
> domain DC for that 
> scenario.
> 
> I'd have to say that smaller, cheaper dc's (desktop class?) 
> have always 
> worked well for me in the past when doing functionality testing. 
> Scalability requires full-blown hardware. But I'm not seeing where VM 
> environments aren't working as well as you'd like a physical 
> environment to 
> work?  What's the difference in this situation?
> 
> For availability, I could see some value in a DC configured 
> to host mulitple 
> domains because I could designate one to be the failover for several 
> domains.  Otherwise, I'm not sure I get it. Is this like a 
> LPAR concept 
> you're talking about? That would be more helpful to you in 
> these situations? 
> If so, how is that different than VM's?
> 
> Test environments are notoriously able to take down servers 
> without warning. 
> I would often prefer to use a VM to decrease that risk of 
> consuming all 
> resources to destruction. That provides some isolation while 
> not requiring 
> extra hardware.
> 
> VM's require licenses (the OS and apps do) FWIW. You're only 
> saving on the 
> hardware and environmentals that I can see, but I'm trying to 
> understand 
> what I'm missing.
> 
> 
> - Original Message - 
> From: "Charlie Kaiser" <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, October 10, 2005 11:05 AM
> Subject: RE: [ActiveDir] Active Directory wish list
> 
> 
> For us, it's the ability to run parallel domains for test/development
> purposes. We have our production domain, my IT test domain, 
> and our LOB
> application test domain. I'd have another IT test domain if I had the
> available hardware right now.
> We are required to test and document all changes to the LOB app and a
> significant number of people work in that test domain. 
> Running it on VMs
> or old hardware doesn't cut it gracefully, although that's what I do.
> Since management won't write the check for additional 
> hardware/licenses,
> we do what we can.
> But if we had one beefy server to replace 3, and one server license to
> replace 3, it would be much more cost effective to do, and would
> increase performance for the user community.
> In my last gig, we had multiple domains that were used for development
> and customer support departments. The support kids especially needed
> multiple domains to recreate customer environments and 
> various software
> versions.
> I can think of a lot of reasons to need multiple domains/forests in an
> SMB environment. Regulatory compliance, 24x7 availability 
> that mandates
> full testing prior to implementation in production, customer support
> domains, etc. Just because a business is small doesn't mean it can't
> have complex requirements...
> 
> **
> Charlie Kaiser
> W2K3 MCSA/MCSE/Security, CCNA
> Systems Engineer
> Essex Credit / Brickwalk
> 510 595 5083
> **
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> > Sent: Monday, October 10, 2005 7:10 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> > I'm curious, Charlie and Neil.  What services do these SMB's
> > offer that they
> > need multiple instances of DC's? I realize that a best
> > practice is to have
> > multiple servers that can provide some failure tolerant
> > behaviors, but I'm
> > wondering w

RE: [ActiveDir] single login size in bytes?

2005-10-10 Thread Free, Bob
Rich- 

This paper isn't XP/2003 but essentially a lot of the same principles
apply. I found this paper very illuminating in its day so maybe it will
be of some use to you. As far as the feasibility, I spent a lot of time
at the wrong end of an ISDN line and it wasn't that bad but I never had
more than 2 machines connected concurrently.

Windows 2000 Startup and Logon Traffic Analysis:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/w2kstart.mspx

HTH

Bob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 10, 2005 9:01 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] single login size in bytes?

Does anyone happen to know a rough idea how many bytes are transmitted
when a single user logs on to an XP box to a W2K3 AD, assuming cached
credentials aside?  I've been goog searching and finding a lot of
detailed info about replication but not much about the size of the
authentication packets etc.  I am digging out net monitor as I type
(well almost as I type) to see for myself, but anyone who would like to
comment on the feasibility of having XP machines on the far end of a 56K
frame circuit actually being members of the domain, please feel free to
let me know.  We're talking simple logging in, including a single GPO or
maybe two - but no replication, etc.  They do already get their email
using Outlook to a pst.

And please don't laugh.  This is a very serious issue. ;-)

Rich

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread Rich Milburn

I’m a bit confused as to what she was trying to say… in the quote below, she
says four VMs, but she doesn’t say four instances of Windows… and she says
that they’ll only charge for virtual images of Windows actually running.  I
take that to mean that if I have a box with 10 virtual machines defined but
only 4 running at a time, that I only have to pay for 4?  Unless I start a 5th
one before I bring one of the others down?  Does it mean that currently I’d
have to pay for 10?  Or is it that if I am only running 4 I can run them on top
of one purchased copy of Windows Server 2003 R2 EE?

One thing that seems a bit silly to me is if I have my new 64 bit server,
GOLIATH, and he’s running 10 VMs with Windows, then he’s running 10 W2K3
kernels, 10 HALs, 10 __ (fill in the blank).  There was a concept, sort of
filled by NTVDM, that you could run something in there and if it crashed it
didn’t take down the OS.  What if you could run an instance of Exchange in one
of those?  Or a DC?  VMs are now sort of like having CD images on the network
were for a while – 15 copies of NT4 SP6a, 12 copies of NT4 Option Pack, 25
copies of Adobe Reader, 20 copies of IE5, 15 copies of IE4… you see what I
mean.  Run 10 VMs and you have maybe 15 GB of duplicate info on disk.  I hear
ESX can mitigate that somewhat… but MS wrote the Windows code, who could do it
better than them?  Or maybe I’m way off base here. ??

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual machines running on
top of Windows Server 2003 R2 Enterprise Edition and Windows Server "Longhorn"
Datacenter Edition at no extra cost, Kelly said.


Re: [ActiveDir] Adding custom fields to AD

2005-10-10 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

:-P

I think someone needs to run SBS at home.  See what nice solid DNS/AD is 
all about :-)

joe wrote:

Heck NetBEUI with all broadcasts would work perfect for all internal 
SBS needs. :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Monday, October 10, 2005 12:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I love DNS and AD and argue strongly for the glue all the time.
{example answer in SBS newsgroup to person not wanting a
domain. "why in the WORLD do you want to run as workgroup?  A
domain is just a workgroup with more toys!"}

But then again I run insecure SBS where our wizards set up the glue
for us and we don't have to worry about it.




joe wrote:

I don't think the rest of the planet loves DNS, I think a lot of 
people put up with it as a necessary evil due to exactly the reason 
you state. There isn't even a viable option on the table. WINS simply 
won't scale due to the lack of hierarchy. I myself also realize that 
it is a necessary evil but it doesn't mean I have to necessarily like 
it. ;o)  I certainly don't like managing it nor running it as 
integrated into the AD itself. The fact that AD is critically 
dependent on a service that it itself provides smacks my internal 
like it or hate it sensors about. I am very much pro-someone else 
running DNS properly and I run AD properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, October 09, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

"what would you think would be a good replacement for dns/wins?"

There currently isn't one.  Not really even a viable option on the
table.  joe doesn't like DNS.  The rest of the planet loves DNS -
including those eggheads (loveable eggheads that they are) at IETF
who are the holders of the standards, and they love DNS too.  :-)

Microsoft fought hard to get to standards cooperation.  Don't look
for anything in the near future to break away from that in regards to
DNS.

Rick

--
Posting is provided "AS IS", and confers no rights or warranties ...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, October 08, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Adding custom fields to AD

I've had the reverse-
last place I worked at had corrupted WINS at least once every 2
months (this could have been due to my lousy admin skills)

I've never had issues with dns (could be my dumb luck)
now I work for a corp that has netbios/tcp disabled and relies solely
on dns (both MS and BIND) with no name resolution issues.
also wins replication seems much more complex than standard
primary/secondary dns replication.

and I'm not one to think I know anything as an admin or would even
think of getting into such a discussion with someone as experienced
and knowledgeable as you, but I've always found dns easier than wins
and netbios names in general.

my only difficulty came with learning dns on BIND/Linux and just
wrapping my head around AD integrated dns when I first came to Windows.
sometimes when you learn something via the command line, using the
gui just confuses things.

then again I'm probably one of those guys who "thinks" he knows dns
but really doesn't know anything and hasn't found out yet :(

what would you think would be a good replacement for dns/wins?

thanks

On 10/8/05, joe <[EMAIL PROTECTED]> wrote:


I wasn't saying I like WINS better than DNS or vice versa, just
said I don't like DNS. I especially dislike the AD/DNS
integration. I don't like chicken and egg problems.
 
BTW, as you bring up WINS. 1. I've never had a corrupted WINS
Database. 2. Fewer admins had name resolution issues replication
based issues with WINS than they do with DNS. 3. The complexity
of DNS seems to put many admins off the deep end, interestingly
enough, the same admins who said they couldn't figure out WINS
say they know all about DNS.
 
But again, my comment wasn't I like WINS more than DNS, or I like
any name resolution systems better than DNS, it was simply I
don't like DNS. 
 



*From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] *On Behalf Of *Tom Kern
*Sent:* Saturday, October 08, 2005 12:42 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Adding custom fi

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Rich Milburn
> or an entirely new model not yet conceived ...
Perhaps something that doesn't require NT4 to W2K style migration
headaches to keep people from moving to it the way that migration did...
I'd hate to see a show of hands for who here is still trying to
determine if they should "make that leap" off NT4... IMHO, at the rate
the server infrastructure field is evolving, if Blackcomb looks like W2K
under the covers with a lot of enhancements, MS is going to have a hard
time getting people to move to it.  Look at the heavy trends towards
virtualization in only the past couple of years, and at the new face the
Internet has with spam, viruses, and exploits in the past few years.
Blackcomb is due in, what, 7 years?  A lot can happen in 7 years.  Maybe
I'm alone in this opinion, but with as far as things have come, things
like AD replication are too hard (for what they should be).  And it's
too easy to back yourself into a corner when designing your
infrastructure, because to some extent you still have to design to the
limitations and nuances of the OS (at least with Windows).  I think Dean
may have something here... perhaps us saying how AD domains should work
is too short-sighted?  How should it work?  Either the guys at Microsoft
are going to come up with something, or just modify the same old stuff,
or maybe this list and forums like it with the brain trust that exists
here can help suggest the directions. ??  just a few p for thought...

Rich


---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819

---
"I am always doing that which I can not do, in order that I may learn
how to do it." - Pablo Picasso

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, October 10, 2005 10:59 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

Good suggestion Joe and, in principle, I agree ... but were that to make it
to reality, I'd question why the legacy domain model persists.  Domains are,
IMO, an outdated and overly rigid technology ... obviously, there are many
features that would require significant modification (some of which will
hopefully be covered by Longhorn).  Perhaps flexible partitioning within a
single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs is affected. I.E. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.E. Complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and
its authentication abilities.   IIRC, multiple domains via LDAP only work
just fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide
identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
so sure.


I'm curious, Charlie and Neil.  What services do these SMBs offer that they
need multiple instances of DCs? I realize that a best practice is to have
multiple servers that can provide some failure tolerant behaviors, but I'm
wondering what type of work a SMB does that requires multiple full blown AD
domain instances and therefore multiple servers etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory 

RE: [ActiveDir] LDAP Query Fails

2005-10-10 Thread Eric Fleischman
Sudhir, do you have a network sniff of the original problem? I think
that's likely the easiest way to diagnose this. That way we see the
problem itself.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails

Outlook Express (OE) and Search for People use the same WAB provider IIRC.
When you open ldap://servername you're really making a call to use WAB.EXE,
which is the same address book that OE uses to search for users.  I notice,
though, that if you specify a server to contact, you get that pre-filled in
vs. if you open it in search or via OE. Interesting.

IE uses the following key to control what it uses for the ldap url: 
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address Book\Protocols\ldap\shell\open\command

So my thinking was that you needed to properly specify the directory on the
client.  It may just be permissions related however, as utilizing the ldap
url to open a DC for search provides null credentials by default.  Check
your security logs (if auditing) to see if this is the case.

Note: I notice as I looked at this in my test environment that I had no
notification in the event logs.  I didn't look at it long enough to see if I
had the audit settings perfected, so it's possible I missed something.
However, a network trace shows the attempt and an error indicating that I
need to first bind.  That's not really correct, because I do bind, but I
bind anonymously.  It should be telling me to allow anonymous bind in order
to search etc.

If it helps, ldap url syntax is defined in RFC 2255.

Al


>From: Sudhir Kaushal <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] LDAP Query Fails
>Date: Mon, 10 Oct 2005 10:07:57 -0400
>
>Hi Mulnick,
>
>I get the same error when I give ldap://domainname. Yes I am using IE.
>Sorry I didn't get what you mean to ask by "How are your directory
>settings in OE configured exactly?"
>
>Regards,
>Sudhir
>
>
>----
>This is a PRIVATE message. If you are not the intended recipient, please
>delete without copying and kindly advise us by e-mail of the mistake in
>delivery. NOTE: Regardless of content, this e-mail shall not operate to
>bind CSC to any order or other contract unless pursuant to explicit
>written agreement or government initiative expressly permitting the use of
>e-mail for such purpose.
>----
>
>
>
>
>
>"Al Mulnick" @hotmail.com>
>Sent by: ActiveDir-owner
>10/10/2005 10:01 AM
>Please respond to ActiveDir
>
> To: ActiveDir@mail.activedir.org
> cc:
> Subject:RE: [ActiveDir] LDAP Query Fails
>
>
>What happens if you specify ldap://domainname ? Just out of curiosity.
>
>Using IE or some other browser?
>
>IE relies on OE IIRC to handle LDAP searches.  How are your directory
>settings in OE configured exactly?
>
>
>
>
>
> >From: Sudhir Kaushal <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: ActiveDir@mail.activedir.org
> >Subject: [ActiveDir] LDAP Query Fails
> >Date: Mon, 10 Oct 2005 07:37:57 -0400
> >
> >Hi All,
> >
> >Whenever I do LDAP search for any user in AD through browser, (ldap://DC
> >server IP ) it gives me error " An error accured while performing the
> >search. Your computer, ISP or the specified directory services may be
> >disconnected. Check ur connections and try again. Operations Error "
> >
> >I have tried this even locally on the DC, still it gives the same error.
> >Though it is working very well with LDAP browser ( Softerra ) and using
> >the Search -> Find ppl from Start Menu.
> >
> >Any Help!!
> >
> >Regards,
> >Sudhir
> >
> >
> >
> >
>
>
>
>List info   : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
>
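Al's point above, that an ldap:// URL carries no credentials, so the client binds anonymously and the DC answers with an operations error, can be read straight off the URL grammar. The parser below for RFC 2255 LDAP URLs is an added example, not code from this thread or from WAB/IE; the host names, DNs and the diagnostic string in it are constructed, and the result-code names are the ones RFC 2251 defines.

```python
"""Parse RFC 2255 LDAP URLs and read off what matters for access control.

Added example, not from the thread. Grammar:
    ldap://host:port/dn?attributes?scope?filter?extensions
Nothing in that grammar is a password: a client that opens such a URL binds
anonymously unless it prompts the user. The "bindname" extension names a DN
to bind as, still without a secret. Hosts and DNs below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

VALID_SCOPES = {"base", "one", "sub"}

# LDAP result codes, RFC 2251 section 4.1.10 (subset)
RESULT_CODES = {0: "success", 1: "operationsError", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}


@dataclass
class LdapUrl:
    scheme: str
    host: Optional[str]        # None: the URL left the host empty, client picks one
    port: int
    dn: str                    # search base; "" means the root DSE
    attributes: List[str]      # [] means "return all user attributes"
    scope: str
    filter: str
    extensions: List[str]      # critical extensions start with "!"


def _split_hostport(hostport: str, default_port: int):
    """Split 'host:port' or '[v6]:port'; a missing port means the scheme default."""
    if not hostport:
        return None, default_port
    if hostport.startswith("["):                       # IPv6 literal
        end = hostport.index("]")
        host, rest = hostport[1:end], hostport[end + 1:]
        port_text = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port_text = hostport.partition(":")
    if not port_text:
        return host, default_port
    if not port_text.isdigit():
        raise ValueError("bad port in %r" % hostport)
    return host, int(port_text)


def parse_ldap_url(url: str) -> LdapUrl:
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    default_port = 636 if scheme == "ldaps" else 389
    hostport, _, tail = rest.partition("/")
    host, port = _split_hostport(hostport, default_port)
    # RFC 2255 requires a literal "?" or "," inside a component to be
    # %-encoded, so split on the separators first and decode afterwards.
    parts = tail.split("?")
    if len(parts) > 5:
        raise ValueError("too many '?' components in %r" % url)
    dn, attrs, scope, filt, exts = parts + [""] * (5 - len(parts))
    scope = scope.lower() or "base"
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope %r" % scope)
    return LdapUrl(scheme, host, port, unquote(dn),
                   [unquote(a) for a in attrs.split(",") if a],
                   scope, unquote(filt) or "(objectClass=*)",
                   [unquote(e) for e in exts.split(",") if e])


def bind_identity(url: LdapUrl) -> Optional[str]:
    """DN named by a 'bindname' extension, or None: the client binds anonymously."""
    for ext in url.extensions:
        name, sep, value = ext.lstrip("!").partition("=")
        if sep and name.lower() == "bindname":
            return value
    return None


def explain_result(code: int, diagnostic: str = "") -> str:
    """One-line reading of an LDAP result code plus the server's diagnostic text."""
    name = RESULT_CODES.get(code, "resultCode %d" % code)
    if code == 1 and "bind" in diagnostic.lower():
        # The DC is refusing the unauthenticated session, not the query itself.
        return name + ": server requires an authenticated bind before searching"
    return name


if __name__ == "__main__":
    u = parse_ldap_url("ldap://dc01.example.com/DC=example,DC=com??sub?(sAMAccountName=jdoe)")
    print(u)
    print("bind as:", bind_identity(u) or "anonymous")
    # constructed diagnostic, modelled on the "need to first bind" error Al describes
    print(explain_result(1, "a successful bind must be completed before this operation"))
```

Run against the thread's own case, `ldap://servername` parses to an empty base DN, scope `base` and no extensions, so `bind_identity` returns `None`: the search goes out anonymously, which is why the trace shows the bind error rather than a permissions error on the objects.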



[ActiveDir] Results of survey - Most common cause of Active Directory "failures"?

2005-10-10 Thread Gil Kirkpatrick
Here's the summary of the results from last week's informal survey. By far 
the most popular cause of AD failure is the inadvertent misconfiguration of MSFT 
DNS, which is interesting, because that was true 2 years ago as well. I guess 
some things never change.
 
(45 pts) C. Inadvertent misconfiguration of MSFT DNS.
(30 pts) B. Inadvertent misconfiguration of AD (for instance screwing up a connection 
object, or changing the wrong registry setting, or making an inappropriate GPO 
change)
(28 pts) A. Inadvertent data deletion (fat-fingering a user object or, 
God-forbid, an OU)
(22 pts) G. Hardware failure of a networking device 
(including DNS servers, if they are not also DCs)
(15 pts) H. Physical disaster (fire, flood, power failure, etc)
(14 pts) F. Hardware failure of a DC
(12 pts) E. Inadvertent misconfiguration of networking devices
(4 pts) J. Malicious attack by a data admin
(2 pts) K. Malicious attack by an authenticated user

 

I ignored anything that was ranked lower than 5th... Also interesting to note 
that the top three items are human error due to lack of knowledge or 
carelessness, the next three are physical failures nominally outside of human 
control. Is this because there are just too many knobs and switches on AD and DNS?
 
A little surprising is that there were two votes for malicious attacks by an 
internal source.
 
Some of the other failure reasons cited (no overlap, so I must have 
listed all the important reasons...)
 
Incomplete load of an IPSec filter list
Impact of a 3rd party agent or application on a DC e.g. 
Antivirus software
Issues with FW config that hindered replication over tombstone lifetime 
(may belong to E)
Corrupt AD DC database / required metadata cleanup and repromotion 
of DC
Misconfiguration by a previous admin, and 
shutting down a DC without dcpromo, or cleaning up metadata 
afterwards.
Inadvertently double-clicking a VBScript when someone meant to right-click > edit it 
:)
 
The two winners of the "nothing too fancy" prize are Hunter Coleman and 
Stuart Fuller (wait for applause to die down...) Please email your shipping 
particulars to me at mailto:[EMAIL PROTECTED], and I will get your gifts sent out 
ASAP.
 
I only received about 20 responses... I was expecting maybe 40 or 50. Any 
suggestions as to how to make this more effective (I don't have any money to 
spend on this, so large cash-value prizes are right out 
:)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, October 05, 2005 4:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most common cause of Active Directory "failures"?

Greetings fellow travellers, 
Here's a quick, informal, non-scientific survey. 
Please reply to me directly at mailto:[EMAIL PROTECTED] so we don't spam the list with responses. I've got some 
swell gifts to give away at random to a couple of lucky respondents (nothing too 
fancy). I'll post the summary in a few days.
Question: *In your experience*, which are the most 
common causes of Active Directory "failure" (where failure is defined as failure 
to authenticate, authorize, replicate, or apply GPOs as expected). List as many 
as you care to, in order from most common to least common. Note that I am not 
considering the consequences of the failure, just how frequent they 
are.
Just send me a response like B, A, F or some such, 
along with any commentary you might have. 
A. Inadvertent data deletion (fat-fingering a user object or, God-forbid, an OU)
B. Inadvertent misconfiguration of AD (for instance screwing up a connection object, or changing the wrong registry setting, or making an inappropriate GPO change)
C. Inadvertent misconfiguration of MSFT DNS.
D. Inadvertent misconfiguration of non-MSFT DNS.
E. Inadvertent misconfiguration of networking devices
F. Hardware failure of a DC
G. Hardware failure of a networking device (including DNS servers, if they are not also DCs)
H. Physical disaster (fire, flood, power failure, etc)
I. Malicious attack by a service admin
J. Malicious attack by a data admin
K. Malicious attack by an authenticated user
L. Malicious attack by an unauthenticated user
M. Other (please specify)
Thanks for your feedback. 
-gil 
Gil Kirkpatrick CTO, NetPro 
Don't miss the Directory Experts Conference 2006. 
More information at www.dec2006.com. 


Re: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread ASB
Sweet!!

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 10/10/05, joe <[EMAIL PROTECTED]> wrote:
> http://www.pcworld.com/news/article/0,aid,122949,00.asp
>
> Virtual Windows License Simplified
>
>
> 
>
>
> Microsoft also will allow customers to have four virtual machines running on
> top of Windows Server 2003 R2 Enterprise Edition and Windows Server
> "Longhorn" Datacenter Edition at no extra cost, Kelly said.
>
> 
>


RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread joe



http://blogs.msdn.com/virtual_pc_guy/archive/2005/10/10/479186.aspx
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 11:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

http://www.pcworld.com/news/article/0,aid,122949,00.asp 
 
Virtual Windows License Simplified
 
Microsoft also will allow customers to have four virtual 
machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows 
Server "Longhorn" Datacenter Edition at no extra cost, Kelly said. 
  
 


Re: [ActiveDir] Active Directory wish list

2005-10-10 Thread Al Mulnick

I agree.  SMB business can be very complex.

Can you expand on the idea that VMs aren't working well for you? I'm trying 
to understand the difference between that and a multiple domain DC for that 
scenario.


I'd have to say that smaller, cheaper DCs (desktop class?) have always 
worked well for me in the past when doing functionality testing. 
Scalability requires full-blown hardware. But I'm not seeing where VM 
environments aren't working as well as you'd like a physical environment to 
work?  What's the difference in this situation?


For availability, I could see some value in a DC configured to host multiple 
domains because I could designate one to be the failover for several 
domains.  Otherwise, I'm not sure I get it. Is this like an LPAR concept 
you're talking about? That would be more helpful to you in these situations? 
If so, how is that different than VMs?


Test environments are notoriously able to take down servers without warning. 
I would often prefer to use a VM to decrease that risk of consuming all 
resources to destruction. That provides some isolation while not requiring 
extra hardware.


VMs require licenses (the OS and apps do) FWIW. You're only saving on the 
hardware and environmentals that I can see, but I'm trying to understand 
what I'm missing.



- Original Message - 
From: "Charlie Kaiser" <[EMAIL PROTECTED]>

To: 
Sent: Monday, October 10, 2005 11:05 AM
Subject: RE: [ActiveDir] Active Directory wish list


For us, it's the ability to run parallel domains for test/development
purposes. We have our production domain, my IT test domain, and our LOB
application test domain. I'd have another IT test domain if I had the
available hardware right now.
We are required to test and document all changes to the LOB app and a
significant number of people work in that test domain. Running it on VMs
or old hardware doesn't cut it gracefully, although that's what I do.
Since management won't write the check for additional hardware/licenses,
we do what we can.
But if we had one beefy server to replace 3, and one server license to
replace 3, it would be much more cost effective to do, and would
increase performance for the user community.
In my last gig, we had multiple domains that were used for development
and customer support departments. The support kids especially needed
multiple domains to recreate customer environments and various software
versions.
I can think of a lot of reasons to need multiple domains/forests in an
SMB environment. Regulatory compliance, 24x7 availability that mandates
full testing prior to implementation in production, customer support
domains, etc. Just because a business is small doesn't mean it can't
have complex requirements...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 7:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list
I'm curious, Charlie and Neil.  What services do these SMBs offer that they
need multiple instances of DCs? I realize that a best practice is to have
multiple servers that can provide some failure tolerant behaviors, but I'm
wondering what type of work a SMB does that requires multiple full blown AD
domain instances and therefore multiple servers etc. Can you expand that?



RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Martin Tuip
Why would you want to have them available several years earlier?  I don't see 
this feature (although major) as anything different than the 'native mode' switch 
you have in AD and Exchange.

Once you have upgraded everything to BlackComb you could make the switch.  
Might even help moving people to the new OS quicker.  :)


Martin Tuip
MVP Exchange

-- Original Message --
From: <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Date:  Mon, 10 Oct 2005 16:45:03 +0100

>2 immediate comments:
>
> - Blackcomb clients would need to be available several years before the
>blackcomb server.
> - Impact on non-Windows clients would need to be assessed. [SAMBA, nix,
>Mac etc]
>
>
>
>neil
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of joe
>Sent: 10 October 2005 15:32
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
>
>To move this in a slightly different direction. How would people feel
>about a BlackComb Super Forest Functional Mode where not only are DCs
>impacted but every machine touching the DCs are affected. I.E. MS allows
>multiple domains on a single DC but not for any pre-BlackComb clients.
>I.E. Complete break with legacy capability?
>
>Personally I wouldn't mind seeing something like that but how do others
>feel about it. Once in this mode, no going back. Legacy clients
>pre-Blackcomb have no clue how to use the domains, etc. 
>
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
>Sent: Monday, October 10, 2005 10:10 AM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>While I generally agree this would be great, I have to ask about eDir and
>its authentication abilities.   IIRC, multiple domains via LDAP only work
>just fine.  It's called ADAM in its latest incarnation.  But for the
>authentication[1] and other apps that support/work with AD to provide
>identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
>multi-instance/single-server deployment. LDAP sure. The other apps, I'm
>not so sure.
>
>
>I'm curious, Charlie and Neil.  What services do these SMBs offer that
>they need multiple instances of DCs? I realize that a best practice is
>to have multiple servers that can provide some failure tolerant
>behaviors, but I'm wondering what type of work a SMB does that requires
>multiple full blown AD domain instances and therefore multiple servers
>etc. Can you expand that?
>
>
>[1] LDAP is not an authentication protocol; Kerberos is though.
>
>-ajm
>CCBW
>
>>From: <[EMAIL PROTECTED]>
>>Reply-To: ActiveDir@mail.activedir.org
>>To: 
>>Subject: RE: [ActiveDir] Active Directory wish list
>>Date: Mon, 10 Oct 2005 08:52:25 +0100
>>
>>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>>
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>>[MVP]
>>Sent: 06 October 2005 01:51
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>I'd be surprised if we see this in my lifetime, or at least before I 
>>retire.
>>
>>Ed Crowley MCSE+Internet MVP
>>Freelance E-Mail Philosopher
>>Protecting the world from PSTs and Bricked Backups!T
>>
>>-Original Message-
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>>Sent: Wednesday, October 05, 2005 2:34 PM
>>To: ActiveDir@mail.activedir.org
>>Subject: RE: [ActiveDir] Active Directory wish list
>>
>>What I want is to be able to run multiple domains on one OS 
>>installation and segment the directories from each other. That way I 
>>don't need to run multiple licenses of the OS, nor do I need hardware 
>>that can power 4 VMs.
>>I already run VMs using VMWare in my test lab; it works but I'd prefer 
>>to be able to run AD as a service and have it be smart enough to be 
>>able to segment itself without needing a separate OS...
>>
>>**
>>Charlie Kaiser
>>W2K3 MCSA/MCSE/Security, CCNA
>>Systems Engineer
>>Essex Credit / Brickwalk
>>510 595 5083
>>**
>>
>>
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>> > [MVP]
>> > Sent: Wednesday, October 05, 2005 10:07 AM
>> > To: ActiveDir@mail.activedir.org
>> > Subject: RE: [ActiveDir] Active Directory wish list
>> >
>> > You can.  It's called Microsoft Virtual Server.
>> >
>> > Ed Crowley MCSE+Internet MVP
>> > Freelance E-Mail Philosopher
>> > Protecting the world from PSTs and Bricked Backups!T
>> >
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
>> > Kaiser
>> > Sent: Tuesday, October 04, 2005 6:37 PM
>> > To: ActiveDir@mail.activedir.org
>> > Subject: RE: [ActiveDir] Active Directory wish list
>> >
>> > I'd also like to see the ability to run DCs for mu

[ActiveDir] TS GPO and Citrix Settings

2005-10-10 Thread Ryan A. Conrad








We are experiencing what appears to be a strange problem (although it’s
probably expected for all I know) with Terminal Service settings on W2K3 boxes.
 A GPO at our application server container sets various settings (timeout
values, encryption, etc…) for all systems (regardless of
Admin/Application mode).  The behavior is when any TS setting is set by a
GPO the setting is grayed out and even administrators cannot change the
settings.

 

This itself would not be an issue, however, the default behavior of
Citrix is to take the RDP settings and therefore we cannot change the ICA settings which
presents a problem. So aside from blocking policy inheritance on the OUs where there
are terminal servers does anyone know of a way to un-gray the settings for
W2K3? This was not an issue in W2K.

 

Hopefully I’ve explained well enough.  Thanks in advance,

 

Ryan 








Re: [ActiveDir] Interesting Scripting Task.....

2005-10-10 Thread Kamlesh Parmar
I am copying the exact post from Tiro Yann,

Hi  Activedir List :)

A new free tool is now available here
http://www.yside.com/projects/tools.htm
which is named XSync v0.2

It duplicates your real AD Domain in a test lab with no SID issues.

Thanks a lot to Chris Wall ([EMAIL PROTECTED]) who made the
information available on the ExchangeList with the same thread
"Duplicate your AD domain with this new (free) tool".

Cheers,

Yann
On 10/10/05, Smith, Brad <[EMAIL PROTECTED]> wrote:

All,

I am pondering the possibility of automating the creation of development
environments.  The problem I am hoping to solve is that a lot of our testing
needs to be done in an environment where all our OUs, GPOs, Groups and so
forth are present.  Recreating this is a nightmare, so to alleviate this I
want to write an import/export script that dumps all the OUs, Groups, Users
and GPOs (including security) and then restores them in a different target
domain (different forest too).  Has anyone attempted/achieved this before?

Brad

-- ~~~"Fortune and Love befriend the bold"~~~


Re: [ActiveDir] Interesting Scripting Task.....

2005-10-10 Thread Al Mulnick
Exporting users, groups etc and then recreating them in a new environment is 
not terribly difficult.  Getting the security settings and the GPO 
information recreated is a bit more difficult. This is not an export and 
copy, it's an export and create new that looks like the old situation if you 
do it that way.


What do you have to work with?  Is it too much to recreate the environments 
by overlaying the production, cleaning up the metadata and letting it loose? 
Or do you have workstations and servers in the environment to be concerned 
about?


Al



- Original Message - 
From: "Smith, Brad" <[EMAIL PROTECTED]>

To: 
Sent: Monday, October 10, 2005 11:07 AM
Subject: [ActiveDir] Interesting Scripting Task.



All,

I am pondering the possibility of automating the creation of development
environments.  The problem I am hoping to solve is that a lot of our testing
needs to be done in an environment where all our OUs, GPOs, Groups and so
forth are present.  Recreating this is a nightmare, so to alleviate this I
want to write an import/export script that dumps all the OUs, Groups, Users
and GPOs (including security) and then restores them in a different target
domain (different forest too).  Has anyone attempted/achieved this before?

Brad




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
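Al's "export and create new" description above, applied to Brad's task of moving OUs, groups and users into a different forest, can be made concrete. The script below is an added example, not a tool from this thread and not XSync: it rewrites an LDIF export (the format ldifde produces) so every object is re-created under a new suffix without carrying the source forest's SIDs. The source and target suffixes, the DROP_ATTRS set and the sample export are assumptions and constructed data; GPOs and ACLs (the "including security" part of Brad's question) are not handled here.

```python
"""Rewrite an AD LDIF export for import into a separate test forest.

Added example, not a tool from the thread. Objects are re-created under a new
DN suffix, attributes the DC owns itself (SIDs, GUIDs, USNs, timestamps,
back-links) are dropped so the lab domain mints its own, and group members
are added in a second 'changetype: modify' pass so no add fails because a
member object does not exist yet. Suffixes, DROP_ATTRS and the sample export
are assumptions / constructed data.
"""
import base64
import re

SOURCE_SUFFIX = "DC=corp,DC=example,DC=com"   # assumed production domain
TARGET_SUFFIX = "DC=lab,DC=example,DC=test"   # assumed test domain

# System-owned or back-link attributes the target DC regenerates (assumed list).
DROP_ATTRS = {"objectsid", "objectguid", "sidhistory", "usncreated", "usnchanged",
              "whencreated", "whenchanged", "dscorepropagationdata", "memberof",
              "distinguishedname", "samaccounttype", "primarygroupid", "pwdlastset",
              "lastlogon", "lastlogontimestamp", "logoncount", "badpwdcount"}
DN_VALUED = {"managedby", "manager"}          # DN attributes rewritten in place

SAMPLE_LDIF = """\
dn: OU=Sales,DC=corp,DC=example,DC=com
objectClass: organizationalUnit
ou: Sales
whenCreated: 20050805040803.0Z

dn: CN=Sales Staff,OU=Sales,DC=corp,DC=example,DC=com
objectClass: group
cn: Sales Staff
sAMAccountName: SalesStaff
groupType: -2147483646
member: CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com
member: CN=Partner,DC=other,DC=example,DC=com
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==

dn: CN=Jane Doe,OU=Sales,DC=corp,DC=example,DC=com
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
description: Regional sales lead for the
  west coast territory
memberOf: CN=Sales Staff,OU=Sales,DC=corp,DC=example,DC=com
"""


def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; handles folded lines and '::' base64."""
    unfolded = re.sub(r"\n ", "", text)        # a line starting with a space continues
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # base64, possibly binary (objectSid)
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "surrogateescape")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def rewrite_dn(dn):
    """Swap the suffix; DNs outside the source domain return None (dropped)."""
    if dn.lower().endswith(SOURCE_SUFFIX.lower()):
        return dn[:len(dn) - len(SOURCE_SUFFIX)] + TARGET_SUFFIX
    return None


def _fmt(attr, value):
    """Emit 'attr: value', base64-encoding where LDIF (RFC 2849) requires it."""
    raw = value.encode("utf-8", "surrogateescape")
    if raw and (raw[0] in b" :<" or not raw.isascii() or raw[-1] == 0x20):
        return "%s:: %s" % (attr, base64.b64encode(raw).decode())
    return "%s: %s" % (attr, value)


def clone_ldif(text):
    entries = parse_ldif(text)
    # Parents before children: ldifde/ldapadd create objects in file order.
    entries.sort(key=lambda e: len(re.split(r"(?<!\\),", e[0])))
    adds, mods = [], []
    for dn, attrs in entries:
        new_dn = rewrite_dn(dn)
        if new_dn is None:
            continue
        lines = ["dn: " + new_dn, "changetype: add"]
        members = []
        for name, values in attrs.items():
            lname = name.lower()
            if lname in DROP_ATTRS:
                continue
            if lname == "member":              # deferred to the modify pass
                members = [m for m in map(rewrite_dn, values) if m]
                continue
            for value in values:
                if lname in DN_VALUED:
                    value = rewrite_dn(value)
                    if value is None:
                        continue
                lines.append(_fmt(name, value))
        adds.append("\n".join(lines))
        if members:
            mods.append("\n".join(["dn: " + new_dn, "changetype: modify", "add: member"]
                                  + ["member: " + m for m in members] + ["-"]))
    return "\n\n".join(adds + mods) + "\n"


if __name__ == "__main__":
    print(clone_ldif(SAMPLE_LDIF))
```

Two design points worth noting. A member DN that does not end in the source suffix (the `CN=Partner,DC=other,...` entry in the sample) is dropped rather than rewritten, because a foreign-domain reference has no meaning in an isolated lab forest. And `memberOf` is dropped on purpose: it is a back-link the DC maintains from the group's `member` attribute, so importing it would be rejected anyway.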


Re: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Laura E. Hunter
I think that's something that needs to happen eventually; if exciting
innovations are going to continue to occur, then they really can't be
hamstrung by legacy support requirements.

joe's suggestion of a "functional level"-type mechanism for this is
quite a useful one: for those orgs that still need to support legacy
functionality on their servers and clients, here you go, you've got
that support. For those who are willing to make the break and cut all
ties to legacy in order to get otherwise unavailable whizz-bang
features, then good on you: make the choice and flip the switch.

- Laura

On 10/10/05, joe <[EMAIL PROTECTED]> wrote:
> To move this in a slightly different direction. How would people feel about
> a BlackComb Super Forest Functional Mode where not only are DCs impacted but
> every machine touching the DCs are affected. I.E. MS allows multiple domains
> on a single DC but not for any pre-BlackComb clients. I.E. Complete break
> with legacy capability?
>
> Personally I wouldn't mind seeing something like that but how do others feel
> about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
> have no clue how to use the domains, etc.
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 10:10 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
>
> While I generally agree this would be great, I have to ask about eDir and
> its authentication abilities.   IIRC, multiple domains via LDAP only work
> just fine.  It's called ADAM in its latest incarnation.  But for the
> authentication[1] and other apps that support/work with AD to provide
> identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
> multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
> so sure.
>
>
> I'm curious, Charlie and Neil.  What services do these SMBs offer that they
> need multiple instances of DCs? I realize that a best practice is to have
> multiple servers that can provide some failure tolerant behaviors, but I'm
> wondering what type of work a SMB does that requires multiple full blown AD
> domain instances and therefore multiple servers etc. Can you expand that?
>
>
> [1] LDAP is not an authentication protocol; Kerberos is though.
>
> -ajm
> CCBW
>
> >From: <[EMAIL PROTECTED]>
> >Reply-To: ActiveDir@mail.activedir.org
> >To: 
> >Subject: RE: [ActiveDir] Active Directory wish list
> >Date: Mon, 10 Oct 2005 08:52:25 +0100
> >
> >Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
> >
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
> >[MVP]
> >Sent: 06 October 2005 01:51
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >I'd be surprised if we see this in my lifetime, or at least before I
> >retire.
> >
> >Ed Crowley MCSE+Internet MVP
> >Freelance E-Mail Philosopher
> >Protecting the world from PSTs and Bricked Backups!T
> >
> >-Original Message-
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
> >Sent: Wednesday, October 05, 2005 2:34 PM
> >To: ActiveDir@mail.activedir.org
> >Subject: RE: [ActiveDir] Active Directory wish list
> >
> >What I want is to be able to run multiple domains on one OS
> >installation and segment the directories from each other. That way I
> >don't need to run multiple licenses of the OS, nor do I need hardware
> >that can power 4 VMs.
> >I already run VMs using VMWare in my test lab; it works but I'd prefer
> >to be able to run AD as a service and have it be smart enough to be
> >able to segment itself without needing a separate OS...
> >
> >**
> >Charlie Kaiser
> >W2K3 MCSA/MCSE/Security, CCNA
> >Systems Engineer
> >Essex Credit / Brickwalk
> >510 595 5083
> >**
> >
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
> > > [MVP]
> > > Sent: Wednesday, October 05, 2005 10:07 AM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > You can.  It's called Microsoft Virtual Server.
> > >
> > > Ed Crowley MCSE+Internet MVP
> > > Freelance E-Mail Philosopher
> > > Protecting the world from PSTs and Bricked Backups!T
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie
> > > Kaiser
> > > Sent: Tuesday, October 04, 2005 6:37 PM
> > > To: ActiveDir@mail.activedir.org
> > > Subject: RE: [ActiveDir] Active Directory wish list
> > >
> > > I'd also like to see the ability to run DCs for multiple domains on
> > > the same server. SMBs with limited resources balk at having to buy
> > > additional server hardware for redundancy on multiple domains,
> > > especially when the AD load on the DCs is minimal. This feature
> > > s

Re: [ActiveDir] AD Migration Question

2005-10-10 Thread Kamlesh Parmar
How to upgrade Windows 2000 domain controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379

Just follow the steps for forestprep & domainprep and then introduce the win2003 DC. It will be in the same domain. This also covers some checks for Exchange too.

Of all the services, DHCP can become risky to move without adequate safeguards; take a look at this article.
How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;325473

--
Kamlesh
On 10/10/05, Alborzfard, Alex <[EMAIL PROTECTED]> wrote:

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in what sequence did you do the upgrade?

Thanks

--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up a new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc to the new server and then DCPROMO, one at a time, your other servers out. Reinstall them with W2K3 and dcpromo them back in. Did this with a 700 user network with no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and then upgrading the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS server. If I go the second route do I need to set up a DNS server or can I use the existing ones?

Thanks

--Alex

-- ~~~"Fortune and Love befriend the bold"~~~


RE: [ActiveDir] Interesting Scripting Task.....

2005-10-10 Thread Darren Mar-Elia
Yes, Microsoft has attempted it. Check out the scripts directory under
the GPMC install. It has two scripts:

CreateXMLFromEnvironment.wsf and 
CreateEnvironmentFromXML.wsf

That do pretty much everything that you've described below.

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Smith, Brad
Sent: Monday, October 10, 2005 8:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Interesting Scripting Task.

All,

I am pondering the possibility of automating the creation of development
environments.  The problem I am hoping to solve is that a lot of our
testing needs to be done in an environment where all our Ous, GPOs,
Groups and so forth are present.  Recreating this is a nightmare,  so to
alleviate this I want to write an import/export script that dumps all
the OU's, Groups, Users and GPO's (including security) and then restores
them in a different target domain (different forest too).  Has anyone
attempted/achieved this before?

Brad


This email and any attached files are confidential and copyright
protected. If you are not the addressee, any dissemination of this
communication is strictly prohibited. Unless otherwise expressly agreed
in writing, nothing stated in this communication shall be legally
binding.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Schema Updates

2005-10-10 Thread Tim Vander Kooi
And I will never run Windows because 3.11 just wasn't that 
great at networking. ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Being the best available doesn't make something good and 
doesn't need a lot of work. :o)
 
It just means it is better than the other sucky 
alternatives.
 
I haven't seen unity in years but when I last saw it, it 
had me swearing about how bad it was. I seem to recall saying something along 
the lines of that will never be in any AD I ever manage. 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified 
messaging app there is right now. Actually has been for over 5 years. I believe 
that the reason it's as good as it is, is that it was not created or even 
modified much by Cisco, they simply bought a really good product and left it be 
for the most part.
As for the schema updates, it didn't work. We made the 
registry change and it did work. I don't see how that would be tied to the app 
as no changes were made there. But who knows.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Hmmm.  I need to 
think about that again.  I think I only saw this behavior in the lab where 
all the servers were upgraded instead of wipe and replace.  In production, 
we upgraded initially then did a replacement effort 
later.
 
More to the point, UGH 
Cisco Unity… I wish to Christ they’d stick to hardware and stop venturing into 
software… 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Was it maybe the app 
itself disallowing the update? Did you try to just modify the schema to see if 
it would work? Say change the rangeupper of cn or something like that and then 
change it back. Something innocuous. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Yep, same here.  I 
think upgraded scenarios have this.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Upgraded.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Upgraded to 2003 or 
fresh install?
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
I just did this last 
week to install Cisco Unity and I still had to enable schema updates in Windows 
2003 even though the user was in Schema Admins. I was under the same impression 
as Travis, but after enabling updating in the registry it worked 
fine.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Did you work this out 
Travis?
 
If not, I would 
recommend pulling up the sysinternal registry and file monitors as well as 
tracing the AD  calls. 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates
Hi, 

I 
am having some problems updating the schema for Avaya Unified Messaging. It is 
my thinking that in Windows 2003 the schema is already enabled for updates as 
long as you are in the Schema Admins group. In Windows 2000 you had to enable 
the Schema to be updated. Am I correct or 
misguided?
Thanks! 

Travis 
Abrams 
 


RE: [ActiveDir] Modifying Domain Admins & Administrators Group

2005-10-10 Thread Rocky Habeeb
"Is a tool like that something people would be willing to pay for? "

Affirmative Mr. joe. (Within reason of course)

YMYMYM
___


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, October 09, 2005 11:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 


Ah global won't have the issue with primary group since it used the NET*
calls. However, it won't catch nesting that is disallowed in NT, those
entries will be curiously absent because the NET calls don't know
anything about it. If you are simply looking for any change on a group,
fire a notification on the changing of the metadata or the USN or the
whenChanged stamp. 

What would I do? The answer is of course, it depends. :o)  

It depends on what I perceive the risks are and the necessity for
protecting things. It could be very little or it could be a lot with
several cross checks. Generally, monitoring from multiple angles as well
as trying to prevent the possibility of any change is the best solution
in my opinion. Sort of like root kit detection, you won't know when
looking at things one way, you have to look from different angles and
check the shadows. 

If I really wanted to be sure I would have a service running on every DC
that made sure the group memberships were exactly what I wanted.
These would be services that had change notifications set up for each
monitored group so AD told me when the group changed versus me looking
at it and seeing if something changed on some x interval. But just the
same, that service would still look at some very regular very short
interval just in case the change notification dorked up and I would do
it using multiple interfaces. If I was REALLY being paranoid I would
possibly have the service shut down the box if it detected a change
being originated on it in case that one box has been somehow
compromised. That service might also, for instance, look for certain
known vectors and try to clean those up if detected as well. There are
other things but the more you tell people about what you are doing to
protect a system, the more you tell them on what they may need to do to
compromise a system.

Is a tool like that something people would be willing to pay for? You
set it for how jittery you are about changes to some finite small number
of specific groups and depending on the jittery setting it does anything
from warn to correct to locking the box down dead from any more mods? 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Saturday, October 08, 2005 6:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 


I'm just using the (I believe) resource kit tool global.exe to return
samaccountname of users in the group.  A user who has that particular
group as primary still shows up.  At the time my biggest concern was ANY
change. There should not be any changes made to those groups at any time
without my group's knowledge.  Obviously if a group (nesting) is added
I'll know about it and whip out my ruler to smack someone with.

As far as the restricted groups are concerned; when I first added them
to the policy it worked like a charm.  After some more testing I found
it was taking longer than expected...more than 15 minutes.  After
looking at the policy I saw that I had entered "domain admins" instead
of domain\domain admins.  I changed it and it never worked.  Changed it
back to just "domain admins" and again it usually works but I recently
saw a user sit in the group for an hour or so before I removed it
manually.  I was however notified within a minute of the change.

Like I said, it's crude but it gets what I need done.  I know that I
have to deal with replication time and I could hit a DC that doesn't
know about the change immediately which could delay my notification by
up to a few minutes, but my biggest concern at this time are certain
admins that can add to the DA's group.  No need to start down that
road...I walked into this and am slowly cleaning up this mess.  Who the
hell makes a file server a DC...

Now...I have to ask...how would Joe do it? ;-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, October 08, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Modifying Domain Admins & Administrators Group 

What about people who have those groups as a primary group? 30 seconds
is a long time, I could be a domain admin and have it not show in the DA
member attribute in milliseconds. Also do you chase all nesting? If so
how? What do you key your hash/map/associative array/dictionary on so
you don't get stuck in a recursive nesting? Name? SamAccountName? Should
be using DN if you aren't. When building the list of current unique
members do you key of
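
The two checks joe presses Alex on above (a user whose primary group is the protected group never appears in its member attribute, and nesting has to be chased keyed on DN so a cycle terminates), plus the short-interval poll behind his proposed per-DC watcher, worked through as an added example; this is not code from the thread or from any joeware tool. It assumes the group and user objects have already been pulled from a DC into the constructed snapshot below; every DN, SID and USN value in it is made up.

```python
"""Effective-membership audit for a protected group, after joe's notes in the thread.

Added example; not code from the thread or from any joeware tool. A real service
would pull these attributes from a DC (over LDAP and, as joe suggests, through a
second interface such as the NET* calls); here a constructed snapshot stands in.
"""

# Constructed snapshot: DN -> attributes, as an LDAP search would return them.
# 'member' lists DNs. A user's primaryGroupID holds the RID of a group the user
# belongs to WITHOUT appearing in that group's member attribute.
DOMAIN_SID = "S-1-5-21-1000-2000-3000"                       # constructed
DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=joe,DC=com"  # constructed
OPS_LEADS_DN = "CN=Ops Leads,OU=Groups,DC=joe,DC=com"
ADMIN_DN = "CN=Administrator,CN=Users,DC=joe,DC=com"
ALICE_DN = "CN=alice,OU=Staff,DC=joe,DC=com"
BOB_DN = "CN=bob,OU=Staff,DC=joe,DC=com"

SNAPSHOT = {
    DOMAIN_ADMINS_DN: {"objectClass": "group", "objectSid": DOMAIN_SID + "-512",
                       "uSNChanged": 4200, "member": [ADMIN_DN, OPS_LEADS_DN]},
    # Ops Leads nests Domain Admins back into itself: a cycle the walk must survive.
    OPS_LEADS_DN: {"objectClass": "group", "objectSid": DOMAIN_SID + "-1105",
                   "uSNChanged": 4150, "member": [ALICE_DN, DOMAIN_ADMINS_DN]},
    ADMIN_DN: {"objectClass": "user", "primaryGroupID": 513},
    ALICE_DN: {"objectClass": "user", "primaryGroupID": 513},
    # bob's primary group IS Domain Admins (RID 512): invisible to a member-attribute dump.
    BOB_DN: {"objectClass": "user", "primaryGroupID": 512},
}

BASELINE = {ADMIN_DN}   # the only user agreed to be a Domain Admin


def rid(sid):
    """Relative identifier: the last sub-authority of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def direct_members(snapshot, group_dn):
    """What a plain dump of the member attribute (global.exe style) shows."""
    return list(snapshot[group_dn].get("member", []))


def effective_members(snapshot, group_dn):
    """Every user DN that ends up in group_dn, mapped to the path that got it there.

    Groups are tracked by DN (not name or sAMAccountName) in a visited set, so a
    nesting loop is walked once and then dropped. Users whose primaryGroupID is the
    group's RID are added too, since they never show in 'member'.
    """
    paths = {}
    visited = set()
    queue = [(group_dn, (group_dn,))]
    while queue:
        dn, path = queue.pop(0)
        if dn in visited:
            continue
        visited.add(dn)
        obj = snapshot.get(dn)
        if obj is None:              # dangling link; nothing to expand
            continue
        for member_dn in obj.get("member", []):
            if snapshot.get(member_dn, {}).get("objectClass") == "group":
                queue.append((member_dn, path + (member_dn,)))
            else:                    # user, or an object we cannot resolve: report it
                paths.setdefault(member_dn, path + ("member",))
        group_rid = rid(obj["objectSid"])
        for other_dn, other in snapshot.items():
            if other.get("objectClass") == "user" and other.get("primaryGroupID") == group_rid:
                paths.setdefault(other_dn, path + ("primaryGroupID",))
    return paths


def audit_group(snapshot, group_dn, baseline):
    """Diff effective membership against the agreed baseline, with provenance."""
    current = effective_members(snapshot, group_dn)
    return {
        "unexpected": {dn: " -> ".join(p) for dn, p in current.items() if dn not in baseline},
        "missing": sorted(set(baseline) - set(current)),
    }


def poll(snapshot, group_dn, baseline, last_usn, full_pass=False):
    """One pass of joe's short-interval poll that backs up the change notification.

    Returns (audit or None, usn to remember). Cheap path: skip when the group
    object's uSNChanged has not moved. Caveat: a primaryGroupID change is written
    to the USER object and leaves the group's USN alone, so the service must still
    run full_pass=True sweeps on its regular short interval.
    """
    usn = snapshot[group_dn]["uSNChanged"]
    if usn <= last_usn and not full_pass:
        return None, last_usn
    return audit_group(snapshot, group_dn, baseline), max(usn, last_usn)


if __name__ == "__main__":
    print("member attribute only:", direct_members(SNAPSHOT, DOMAIN_ADMINS_DN))
    for dn, how in audit_group(SNAPSHOT, DOMAIN_ADMINS_DN, BASELINE)["unexpected"].items():
        print("UNEXPECTED", dn, "via", how)
```

Run against the constructed snapshot, the member-attribute dump lists only Administrator and Ops Leads, while the audit reports alice (via the nested group) and bob (via primaryGroupID) as unexpected.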

Re: [ActiveDir] Adding local admin rights to non english native o s?

2005-10-10 Thread Kamlesh Parmar
I assume copying it locally on first run will make the subsequent run a bit faster.
Do correct me if I am mistaken...

On 10/10/05, joe <[EMAIL PROTECTED]> wrote:

Can't you run sid2user from the netlogon share?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddy HARTONO
Sent: Monday, October 10, 2005 4:08 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Thanks for the replies guys

Joe, converting the administrator well-known SID to user seems like a great idea - but then involves copying the .exe into the local machines first and executing it?
Haven't worked out how to do it without copying the SID converter program... if so would have to copy it from the netlogon? For some reason I've done like below but it just ain't working out :( perhaps some variables like set L are not avail yet on startup?

for /F "tokens=2 delims==" %%i IN ('set l') do set gpodcname=%%i
if not exist %systemroot%\system32\sid2user.exe copy \\%gpodcname%\netlogon\sid2user.exe %systemroot%\system32\sid2user.exe
for /F "tokens=3" %%i IN ('sid2user 5 32 544 ^|qgrep Name') do set gpoadminvar=%%i
net localgroup %gpoadminvar% /add "domain\OUAdmins"

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

-Original Message-
From: Brian Desmond [mailto:[EMAIL PROTECTED]]
Sent: Saturday, October 08, 2005 9:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

In 9 years of Spanish, I didn't learn Administrator in Spanish.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, October 07, 2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

Better make that "Powerum Tripum Maximum" or else Laura might get on you about only representing the masculine gender. :o)

I knew 3 years of Latin would eventually come in useful.  ;o)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia
Sent: Friday, October 07, 2005 5:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

"Powerus Tripus Maximus" ?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ed Crowley [MVP]
Sent: Friday, October 07, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

What is "Administrators" in Latin?

Ed Crowley MCSE+Internet MVP
Freelance E-Mail Philosopher
Protecting the world from PSTs and Bricked Backups!(tm)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 11:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding local admin rights to non english native os?

This is when your high school language classes come in handy. You will need to know what "administrators" translates to in the target language. For example, in German, it's "administratoren", so your code will look like this:

net localgroup administratoren blah blah blah

HTH

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Freddy HARTONO
Sent: Fri 10/7/2005 8:51 AM
To: 'activedir@mail.activedir.org'
Subject: [ActiveDir] Adding local admin rights to non english native os?

Hi all,

Usually net localgroup administrators xxx /add would work fine on computer startup gpo - but how about on non english native oses? Would this work as well?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Group Support Engineer
InternationalSOS Pte Ltd
mail: [EMAIL PROTECTED]
phone: (+65) 6330-9740 - temp

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Al Mulnick
Depends on how it's implemented.  If it is really multiple AD 
domains/forests (full functionality for all three) then I would be all for 
it as it would greatly simplify multi-forest deployments and really be a 
cause for celebration for new deployments.  However, it would be interesting 
to see how a multi-forest server would register itself and be advertised.  
Same for application of services and applications when they have one IP 
address to resolve to.


I see this as a fundamental change that only has the advantage of reducing 
OS licensing costs.  I haven't seen specs on BC, but would imagine that 
virtualization will eventually be included at some level either in the OS or 
in the hardware itself.  At that point, is there a benefit to a multiple 
forest or domain on a single DC vs virtualization?


I suspect the differences in cost would not be large. I'm not sure I'd like 
the stability issues per se. Hardware is cheap. Dirt cheap and if I can 
withstand the risk of multiple forests on a single OS/piece of hardware, I 
can probably withstand three low-class servers.  Or one larger with 
virtualization because the scenario that I would likely deploy into would 
not be a high-availability and high-traffic scenario. It would likely be a 
remote site with 200 or less users that needs access to resources in 
multiple forests.


As for partition information or ldap identity stores, I already have ADAM 
available to me in the OS (R2) and can deploy many instances of that.  It's 
not the LDAP abilities I'm after.  It's the other NOS related information 
that appeals.  Specifically for me, it would be multi-forest implementations 
that would be of interest.


The drawback to me would be flushing my investment in other applications.  
I'm not interested enough in the end result to flush my legacy apps and the 
investment I have in them.



My 0.04 anyway.


From: "joe" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode
Date: Mon, 10 Oct 2005 10:32:26 -0400

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs are affected. I.E. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.E. Complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and
its authentication abilities.   IIRC, multiple domains via LDAP only work
just fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide
identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
so sure.


I'm curious, Charlie and Neil.  What services do these SMB's offer that they
need multiple instances of DC's? I realize that a best practice is to have
multiple servers that can provide some failure tolerant behaviors, but I'm
wondering what type of work a SMB does that requires multiple full blown AD
domain instances and therefore multiple servers etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I
>retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!T
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS
>installation and segment the directories from each other. That way I
>don't need to run multiple licenses of the OS, nor do I need hardware
>that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works but I'd prefer
>to be able to run AD as a service and have it be smart enough t

Re: [ActiveDir] GPO Permissions with .vbs

2005-10-10 Thread Kamlesh Parmar
my BAD :)   yes, AT /interactive works with GUI apps.

Joe> Every method you list below messes with changing user context and IMO added complexity in a case where it isn't necessary.

As I mentioned earlier and you confirmed, running under SYSTEM context is very bad, so if I want to use Task Scheduler then I have to change the context to a normal user. I know this is added complexity for a one-off job, but if I can create a small infrastructure to leverage the scheduling capability of Task Scheduler, then it would be quite helpful when I have more tasks with complex schedules.

While in the case of VBScript or Perl, I will have to code the scheduling logic every time there is a different need. What would be easier for my replacement: 1) to decode my scripts and documentation and learn from it and create future schedules, or 2) to leverage the infrastructure where the scheduling logic is very simple and the delivery part is automated[1]?

joe> But the fun thing is that for such a simple script as that (and actually even much more complex scripts), you only need two files from the Perl distribution,

I am a very, very novice Perl user, so I assumed it would require me to install the whole 14 MB ActiveState Perl MSI on each machine.
That's why I said it MIGHT be overkill, which is not the case, as you mentioned. And thank you for that info.

joe> running a batch file from one machine against others for this 
would be simple only for a small number of machines, probably such a small 
amount that you could just stand up and yell across the room what people should 
do.

I also mentioned there that it is only suitable for a small number of machines.
Tell me, what if the machines you want to schedule the task on are not on the same floor, will you still shout? ;-)

joe> As you start to scale you need far more error checking, 
is the machine up? 

Use GP Based deployment.
Is the scheduler even running? 
Use GP to make sure it is.

So if scalability is the priority, I would use GP to deploy.


[1] : I am referring to GP based deployment and not batch file.

--
Kamlesh
On 10/8/05, joe <[EMAIL PROTECTED]> wrote:

> Interactive doesn't help in LOCALSYSTEM context for 
GUI apps, only CMD.EXE can pop in LOCALSYSTEM context.
 
Not 
sure where you picked this up, but it is incorrect. I have been doing this for a 
loong time. Try this if you have SOON loaded
 
soon 60 /interactive "C:\PROGRA~1\INTERN~1\iexplore.exe -new 
http://www.joeware.net"
 
If 
not, just create the appropriate AT command.
 
I just 
did it on an XP SP2 with all of the latest patches and within a minute I had an 
IE window up and running focused on my web site.
 
However, just because it can be done, isn't a recommendation to do it. In 
fact, for this particular task, I would recommend against using the scheduler, 
it is added complexity that isn't needed. 
 
 

> I like to as far as possible, use the tools 
which come with os itself, so using Perl for this stuff might be 
overkill.
 
I like 
to think of overkill as when you go overboard to accomplish something simple. 
Either in terms of permissions or actions. Every method you list below 
messes with changing user context and IMO added complexity in a case where it 
isn't necessary.
 
As for tools in the OS itself, the work done in my other post with the perl script 
coupled with quiet could be done in two VBScript files. There is a WMI 
piece that will allow you to launch additional processes including hidden 
processes. It will just be longer than what I put in that post. For 
instance the string comparison I did for the current to desired date would 
need to be done a different way or would probably take considerably more 
VBScript. But the fun thing is that for such a simple script as that (and 
actually even much more complex scripts), you only need two files from the perl 
distribution, perl.exe and perl58.dll (for the current dist, older dists may 
need a different dll). Both of which could be in the same folder where you have 
the script and quiet.exe. I have had very complex share/printer reconnection 
perl scripts and software delivery scripts running as logon scripts for 
thousands of users where perl is never loaded on the clients, the two binaries 
are simply in the netlogon share. I have also had entire server build 
scripts done this way that take a server from nothing to fully loaded with all 
apps and tools in place. As long as you aren't using modules you have to 
import you are fine and it is very rare I use modules for that exact 
reason.
 
Further, running a batch file from one machine against others for this 
would be simple only for a small number of machines, probably such a small 
amount that you could just stand up and yell across the room what people should 
do. As you start to scale you need far more error checking, is the machine up? 
Is the scheduler even running? Did the job schedule properly? All of those then 
require either error reporting or a loop back to hit them again. Plus it 

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Almeida Pinto, Jorge de
Upgrade KBs:
 
See: 
MS-KBQ314649_W2K3 ADPREP Command Causes Mangled Attributes in W2K Forests That 
Contain E2K Servers 
MS-KBQ325379_How to Upgrade Windows 2000 Domain Controllers to Windows Server 
2003 
MS-KBQ555040_Common Mistakes When Upgrade Windows 2000 Domain To Windows 2003
MS-KBQ324392_Enhancements to Adprep.exe in Windows Server 2003 Service Pack 1 
and in hotfix 324392
Also see: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/bc5ebbdb-a8d7-4761-b38a-e207baa73419.mspx
http://www.petri.co.il/windows_2003_adprep.htm
MS-KBQ555038_How to enable Windows 98-ME-NT clients to logon to Windows 2003 
based Domains
MS-KBQ887426_Incorrect Schema extension for OS X prevents ForestPrep from 
completing in Windows 2000
MS-KBQ555262_Common Mistakes When Upgrading Exchange 5.5-2000 To a Exchange 2003
MS-KBQ822942_Considerations When You Upgrade to Exchange Server 2003
 
Cheers
Jorge



From: [EMAIL PROTECTED] on behalf of Peter Johnson
Sent: Mon 10/10/2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question



Hi Alex

 

Get hold of the MS article on upgrading Windows 2000 Ad to 2003. Basically you 
will need to do the schema extensions on your current Schema master. Once the 
changes have replicated to your other DC's then bring up your first W2K3 DC and 
move the FSMO roles, taking into account DC/GC placements etc and then carry on 
as in my first mail.

 

Regards

Peter 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

 

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema, 
while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while 
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant Just installing them on the new 
server, right?

 

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in 
what sequence did you do the upgrade?

 

Thanks

 

--Alex

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

 

I would, if budget allows, go the second route. Do the schema upgrade, bring up a 
new Windows 2003 server. Migrate FSMO roles to it. Move DNS, WINS etc to the new 
server and then DCPROMO, one at a time, your other servers out. Reinstall them 
with W2K3 and dcpromo them back in. Did this with a 700 user network with no 
downtime. 

 

Regards

Peter Johnson

 

P.S

 

Look out for the article on migrating your DHCP database.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

 

 

 

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option: 
in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and 
then upgrading the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS 
server. If I go the second route do I need to set up a DNS server or can I use 
the existing ones?

 

Thanks

 

--Alex



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP Query Fails

2005-10-10 Thread Al Mulnick
Outlook Express (OE) and Search for People use the same WAB provider IIRC.  
When you open ldap://servername you're really making a call to use WAB.EXE 
which is the same address book that OE uses to search for users.  I notice 
though, that if you specify a server to contact, that you get that 
pre-filled in vs. if you open it in search or via OE. Interesting.


IE uses the following key to control what it uses for the ldap url: 
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Contacts\Address 
Book\Protocols\ldap\shell\open\command


So my thinking was that you needed to properly specify the directory on the 
client.  It may just be permissions related however, as utilizing the ldap 
url to open a DC for search provides null credentials by default.  Check 
your security logs (if auditing) to see if this is the case.


Note: I notice as I looked at this in my test environment that I had no 
notification in the event logs.  I didn't look at it long enough to see if I 
had the audit settings perfected, so it's possible I missed something.  
However, a network trace shows the attempt and an error indicating that I 
need to first bind.  That's not really correct, because I do bind, but I 
bind anonymously.  It should be telling me to allow anonymous bind in order 
to search etc.


If it helps, ldap url syntax is defined in RFC 2255.

Al



From: Sudhir Kaushal <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP Query Fails
Date: Mon, 10 Oct 2005 10:07:57 -0400

Hi Mulnick,

I get the same error when I give ldap://domainname. Yes, I am using IE.
Sorry, I didn't get what you mean to ask by "How are your directory
settings in OE configured exactly?"

Regards,
Sudhir



"Al Mulnick" 
Sent by: ActiveDir-owner
10/10/2005 10:01 AM
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc:
Subject:RE: [ActiveDir] LDAP Query Fails


What happens if you specify ldap://domainname ? Just out of curiosity.

Using IE or some other browser?

IE relies on OE IIRC to handle LDAP searches.  How are your directory
settings in OE configured exactly?





>From: Sudhir Kaushal <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: ActiveDir@mail.activedir.org
>Subject: [ActiveDir] LDAP Query Fails
>Date: Mon, 10 Oct 2005 07:37:57 -0400
>
>Hi All,
>
>Whenever I do an LDAP search for any user in AD through a browser (ldap://DC
>server IP) it gives me the error "An error occurred while performing the
>search. Your computer, ISP or the specified directory services may be
>disconnected. Check your connections and try again. Operations Error".
>
>I have tried this even locally on the DC; still it gives the same error.
>Though it is working very well with an LDAP browser (Softerra) and using
>Search -> Find People from the Start Menu.
>
>Any help!!
>
>Regards,
>Sudhir



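Al's pointer to RFC 2255 (since replaced by RFC 4516, which keeps the same grammar and adds bracketed IPv6 hosts) is worth turning into code, because it shows what the URL in the original question actually asks for: ldap://<DC IP> has no DN, attribute list, scope or filter, and each of those has an RFC default (the server root, all user attributes, base scope, (objectClass=*)). The parser below is an added example written for this page; it is not code from the thread, from WAB.EXE or from any other tool mentioned, and the hosts and DNs in the usage lines are constructed. Note what is absent from the parsed result: a URL carries no credentials, so a client that follows it searches on an anonymous bind, and a Windows Server 2003 DC with the default dSHeuristics setting permits anonymous access only to rootDSE and answers any other anonymous search with operationsError (result code 1) plus a comment that a successful bind is required. That is the "Operations Error" Sudhir quotes and the "need to bind first" Al saw in his trace.

```python
"""RFC 2255 LDAP URL parser: scheme://hostport/dn?attributes?scope?filter?extensions.

Added example for this thread; not code from WAB.EXE, IE, or any list member.
Hosts and DNs in the usage lines at the bottom are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
SCOPES = {"base", "one", "sub"}


@dataclass
class LdapUrl:
    scheme: str
    host: str                           # "" means a locally configured default server
    port: int
    dn: str = ""                        # "" means the server root
    attributes: list = field(default_factory=list)   # [] means all user attributes
    scope: str = "base"                 # RFC 2255 default when the field is empty
    filter: str = "(objectClass=*)"     # RFC 2255 default when the field is empty
    extensions: dict = field(default_factory=dict)   # name -> value (None if bare)
    critical: list = field(default_factory=list)     # extension names flagged with "!"


def _split_hostport(hostport, scheme):
    """host, host:port, or [ipv6]:port (the bracket form is RFC 4516's addition)."""
    if hostport.startswith("["):
        host, _, tail = hostport[1:].partition("]")
        port_s = tail[1:] if tail.startswith(":") else ""
    else:
        host, _, port_s = hostport.partition(":")
    if port_s and not port_s.isdigit():
        raise ValueError(f"bad port in {hostport!r}")
    return host, int(port_s) if port_s else DEFAULT_PORTS[scheme]


def parse_ldap_url(url):
    """Split the URL into its fields and apply the RFC's defaults for empty ones.

    '?' separates fields and ',' separates list items, so a literal '?' or ','
    inside a field must arrive percent-encoded: split first, decode afterwards.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, rest = rest.partition("/")
    host, port = _split_hostport(hostport, scheme)

    dn, attrs, scope, filt, exts = (rest.split("?", 4) + [""] * 5)[:5]

    scope = unquote(scope).lower() or "base"
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")

    extensions, critical = {}, []
    for ext in [e for e in exts.split(",") if e]:
        name, has_value, value = ext.lstrip("!").partition("=")
        name = unquote(name).lower()
        extensions[name] = unquote(value) if has_value else None
        if ext.startswith("!"):           # critical: a client that cannot honour it must not proceed
            critical.append(name)

    return LdapUrl(
        scheme=scheme, host=host, port=port, dn=unquote(dn),
        attributes=[unquote(a) for a in attrs.split(",") if a],
        scope=scope, filter=unquote(filt) or "(objectClass=*)",
        extensions=extensions, critical=critical,
    )


if __name__ == "__main__":
    # The browser URL from the original question: no DN, no filter, base scope,
    # and nothing in it that could carry credentials.
    print(parse_ldap_url("ldap://192.0.2.10"))
    print(parse_ldap_url("ldap://dc1.joe.com/CN=Users,DC=joe,DC=com?cn,mail?sub?(objectClass=user)"))
```

Fields are split before they are percent-decoded, which is the order the RFC requires; decoding first would let an encoded '?' inside a filter shift every later field.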

[ActiveDir] single login size in bytes?

2005-10-10 Thread Rich Milburn
Does anyone happen to know a rough idea
how many bytes are transmitted when a single user logs on to an XP box to a
W2K3 AD, assuming cached credentials aside?  I’ve been Google
searching and finding a lot of detailed info about replication but not much
about the size of the authentication packets etc.  I am digging out net
monitor as I type (well almost as I type) to see for myself, but anyone who would
like to comment on the feasibility of having XP machines on the far end of a
56K frame circuit actually being members of the domain, please feel free to let
me know.  We’re talking simple logging in, including a single GPO or
maybe two – but no replication, etc.  They do already get their
email using Outlook to a pst.  

 

And please don’t laugh.  This
is a very serious issue. ;-)

 

Rich

 

 

 

---
Rich Milburn
MCSE, Microsoft MVP - Directory
Services
Sr Network Analyst, Field
Platform Development
Applebee's International,
Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
---
"I am always doing that
which I can not do, in order that I may learn how to do it." - Pablo
Picasso

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Dean Wells
Good suggestion Joe and, in principle, I agree ... but were that to make it
to reality, I'd question why the legacy domain model persists.  Domains are,
IMO, an outdated and overly rigid technology ... obviously, there are many
features that would require significant modification (some of which will
hopefully be covered by Longhorn).  Perhaps flexible partitioning within a
single tree or an entirely new model not yet conceived ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, October 10, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs is affected. I.e. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.e. complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 10:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and 
its authentication abilities.   IIRC, multiple domains via LDAP only work 
just fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide
identity services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not
so sure.


I'm curious, Charlie and Neil.  What services do these SMB's offer that they
need multiple instances of DC's? I realize that a best practice is to have
multiple servers that can provide some failure tolerant behaviors, but I'm
wondering what type of work a SMB does that requires multiple full blown AD
domain instances and therefore multiple servers etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I 
>retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!T
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS 
>installation and segment the directories from each other. That way I 
>don't need to run multiple licenses of the OS, nor do I need hardware 
>that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works but I'd prefer 
>to be able to run AD as a service and have it be smart enough to be 
>able to segment itself without needing a separate OS...
>
>**
>Charlie Kaiser
>W2K3 MCSA/MCSE/Security, CCNA
>Systems Engineer
>Essex Credit / Brickwalk
>510 595 5083
>**
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
> > [MVP]
> > Sent: Wednesday, October 05, 2005 10:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > You can.  It's called Microsoft Virtual Server.
> >
> > Ed Crowley MCSE+Internet MVP
> > Freelance E-Mail Philosopher
> > Protecting the world from PSTs and Bricked Backups!T
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> > Kaiser
> > Sent: Tuesday, October 04, 2005 6:37 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > I'd also like to see the ability to run DCs for multiple domains on 
> > the same server. SMBs with limited resources balk at having to buy 
> > additional server hardware for redundancy on multiple domains, 
> > especially when the AD load on the DCs is minimal. This feature 
> > sounds
>
> > like an offshoot of your list below.
> > If you can run AD as a service, it might not b

RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread neil.ruston
2 immediate comments:

 - Blackcomb clients would need to be available several years before the
blackcomb server.
 - Impact on non-Windows clients would need to be assessed. [SAMBA, nix,
Mac etc]



neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 10 October 2005 15:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel
about a BlackComb Super Forest Functional Mode where not only are DCs
impacted but every machine touching the DCs is affected. I.e. MS allows
multiple domains on a single DC but not for any pre-BlackComb clients.
I.e. complete break with legacy capability?

Personally I wouldn't mind seeing something like that but how do others
feel about it. Once in this mode, no going back. Legacy clients
pre-Blackcomb have no clue how to use the domains, etc. 




RE: [ActiveDir] BlackComb Super Forest Functional Mode

2005-10-10 Thread Grillenmeier, Guido
it would certainly be a good way to promote the sales for client
inventory tools ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Montag, 10. Oktober 2005 16:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] BlackComb Super Forest Functional Mode

To move this in a slightly different direction. How would people feel about
a BlackComb Super Forest Functional Mode where not only are DCs impacted but
every machine touching the DCs is affected. I.e. MS allows multiple domains
on a single DC but not for any pre-BlackComb clients. I.e. complete break
with legacy capability?

Personally I wouldn't mind seeing something like that but how do others feel
about it. Once in this mode, no going back. Legacy clients pre-Blackcomb
have no clue how to use the domains, etc. 




RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Brian Desmond
You need to upgrade the schema first (before you install the first 2k3
DC). Do an adprep /forestprep from the 2003 CD on the 2000 box. 

 



Thanks,
Brian Desmond

[EMAIL PROTECTED]

 

c -
312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: Monday, October 10, 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema,
while I’m installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so,
in what sequence did you do the upgrade?

Thanks

--Alex

[ActiveDir] Interesting Scripting Task.....

2005-10-10 Thread Smith, Brad
All,

I am pondering the possibility of automating the creation of development
environments.  The problem I am hoping to solve is that a lot of our testing
needs to be done in an environment where all our OUs, GPOs, Groups and so
forth are present.  Recreating this is a nightmare, so to alleviate this I
want to write an import/export script that dumps all the OUs, Groups, Users
and GPOs (including security) and then restores them in a different target
domain (different forest too).  Has anyone attempted/achieved this before?

Brad



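Part of what Brad describes is pure text work on an LDIF export, and that part is shown below as an added example written for this page, not code from the thread or from ldifde. It assumes the export is RFC 2849 LDIF as ldifde writes it; SAMPLE_EXPORT is a constructed stand-in. The script rewrites the DN suffix, drops the attributes the target DC generates itself or would reject, holds group membership back into a second changetype: modify pass so that members exist before a group references them, and orders the adds so parents precede children. Two things it refuses to copy, by design: nTSecurityDescriptor, because its ACEs name source-forest SIDs, so "including security" has to mean re-applying ACLs in the target rather than copying them; and gPLink, because GPOs move by GPMC backup and import and receive a new GUID there, so the links are reported for re-linking afterwards.

```python
"""Rebase an ldifde export (OUs, groups, users) onto another domain's DN suffix.

Added example for the question above, not code from the list or from ldifde.
SAMPLE_EXPORT is constructed; the attribute sets are the editor's working list.
"""
import re

# Values the source DC generated, back-links, and the ACL (whose ACEs name
# source-forest SIDs). The target DC makes its own; ldifde -m drops a similar set.
SYSTEM_ATTRS = {"objectguid", "objectsid", "usncreated", "usnchanged", "whencreated",
                "whenchanged", "dscorepropagationdata", "samaccounttype", "instancetype",
                "distinguishedname", "name", "objectcategory", "primarygroupid", "pwdlastset",
                "lastlogon", "lastlogontimestamp", "badpwdcount", "memberof", "ntsecuritydescriptor"}
DN_ATTRS = {"member", "managedby"}   # forward links whose values are DNs of other objects
_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Minimal RFC 2849 reader: a list of records, each a list of (attr, value, is_base64)."""
    records, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:   # unfold continuation lines
        if not line.strip():
            if current:
                records.append(current)
            current = []
        elif not line.startswith("#"):
            m = _LINE.match(line)
            if not m:
                raise ValueError(f"bad LDIF line: {line!r}")
            current.append((m[1], m[3], m[2] == "::"))
    return records


def rebase(records, old_suffix, new_suffix):
    """Rewrite DNs, drop SYSTEM_ATTRS, and hold 'member' back for a second pass."""
    pat = re.compile(re.escape(old_suffix) + r"$", re.IGNORECASE)

    def rebase_dn(dn):
        return pat.sub(lambda _: new_suffix, dn) if pat.search(dn) else None

    adds, mods, warnings = [], [], []
    for rec in records:
        dn = next((v for a, v, _ in rec if a.lower() == "dn"), "")
        new_dn = rebase_dn(dn)
        if new_dn is None:
            raise ValueError(f"entry {dn!r} is not under {old_suffix!r}")
        attrs, deferred = [], []
        for attr, value, b64 in rec:
            a = attr.lower()
            if a == "dn" or a in SYSTEM_ATTRS:
                continue
            if a == "gplink":   # GPOs travel by GPMC backup/import and get a new GUID there
                warnings.append(f"{new_dn}: re-link GPO after GPMC import (was {value})")
                continue
            if a in DN_ATTRS and not b64:
                moved = rebase_dn(value)
                if moved is None:   # e.g. a foreign security principal from another domain
                    warnings.append(f"{new_dn}: dropped {attr} {value} (outside {old_suffix})")
                    continue
                value = moved
            (deferred if a == "member" else attrs).append((attr, value, b64))
        adds.append((new_dn, attrs))
        if deferred:   # members must exist before the group references them
            mods.append((new_dn, deferred))
    adds.sort(key=lambda r: len(re.split(r"(?<!\\),", r[0])))   # parents before children
    return adds, mods, warnings


def to_ldif(adds, mods):
    """Emit 'changetype: add' records, then 'changetype: modify' records for the links."""
    fmt = lambda a, v, b64: f"{a}:: {v}" if b64 else f"{a}: {v}"
    out = []
    for dn, attrs in adds:
        out += [f"dn: {dn}", "changetype: add", *[fmt(*t) for t in attrs], ""]
    for dn, attrs in mods:
        out += [f"dn: {dn}", "changetype: modify"]
        for name in dict.fromkeys(t[0] for t in attrs):   # one add block per attribute
            out += [f"add: {name}", *[fmt(*t) for t in attrs if t[0] == name], "-"]
        out.append("")
    return "\n".join(out)


def rebase_export(text, old_suffix, new_suffix):
    adds, mods, warnings = rebase(parse_ldif(text), old_suffix, new_suffix)
    return to_ldif(adds, mods), warnings


# Constructed stand-in for an ldifde export (a real one carries far more attributes).
SAMPLE_EXPORT = """\
dn: CN=Joe Smith,OU=Staff,DC=joe,DC=com
objectClass: user
cn: Joe Smith
sAMAccountName: jsmith
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
memberOf: CN=Admins,OU=Staff,DC=joe,DC=com

dn: OU=Staff,DC=joe,DC=com
objectClass: organizationalUnit
ou: Staff
gPLink: [LDAP://CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=joe,DC=com;0]

dn: CN=Admins,OU=Staff,DC=joe,DC=com
objectClass: group
member: CN=Joe Smith,OU=Staff,DC=joe,DC=com
member: CN=S-1-5-21-1-2-3-500,CN=ForeignSecurityPrincipals,DC=other,DC=com
"""

if __name__ == "__main__":
    ldif, warnings = rebase_export(SAMPLE_EXPORT, "DC=joe,DC=com", "DC=lab,DC=test")
    print(ldif + "\n".join(warnings))
```

Feed the first output to ldifde -i in the target domain as the add pass, then the modify records; anything in the warning list is manual work (GPMC import and re-link, foreign principals, ACLs) that no text rewrite can do for you.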

RE: [ActiveDir] [OT] Movement in licensing over Virtual Instances at MS.

2005-10-10 Thread joe



http://www.pcworld.com/news/article/0,aid,122949,00.asp

Virtual Windows License Simplified

Microsoft also will allow customers to have four virtual 
machines running on top of Windows Server 2003 R2 Enterprise Edition and Windows 
Server "Longhorn" Datacenter Edition at no extra cost, Kelly said. 



RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread Charlie Kaiser
For us, it's the ability to run parallel domains for test/development
purposes. We have our production domain, my IT test domain, and our LOB
application test domain. I'd have another IT test domain if I had the
available hardware right now. 
We are required to test and document all changes to the LOB app and a
significant number of people work in that test domain. Running it on VMs
or old hardware doesn't cut it gracefully, although that's what I do.
Since management won't write the check for additional hardware/licenses,
we do what we can.
But if we had one beefy server to replace 3, and one server license to
replace 3, it would be much more cost effective to do, and would
increase performance for the user community.
In my last gig, we had multiple domains that were used for development
and customer support departments. The support kids especially needed
multiple domains to recreate customer environments and various software
versions.
I can think of a lot of reasons to need multiple domains/forests in an
SMB environment. Regulatory compliance, 24x7 availability that mandates
full testing prior to implementation in production, customer support
domains, etc. Just because a business is small doesn't mean it can't
have complex requirements...

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
> Sent: Monday, October 10, 2005 7:10 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Active Directory wish list
> I'm curious, Charlie and Neil.  What services do these SMB's 
> offer that they 
> need multiple instances of DC's? I realize that a best 
> practice is to have 
> multiple servers that can provide some failure tolerant 
> behaviors, but I'm 
> wondering what type of work a SMB does that requires multiple 
> full blown AD 
> domain instances and therefore multiple servers etc. Can you 
> expand that?



RE: [ActiveDir] Schema Updates

2005-10-10 Thread joe
Being the best available doesn't make something good and doesn't need a lot of
work. :o)

It just means it is better than the other sucky alternatives.

I haven't seen Unity in years but when I last saw it, it had me swearing about
how bad it was. I seem to recall saying something along the lines of that will
never be in any AD I ever manage.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Monday, October 10, 2005 10:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates

Not sure why you don't like Unity, it's the best unified messaging app there is
right now. Actually has been for over 5 years. I believe that the reason it's as
good as it is, is that it was not created or even modified much by Cisco; they
simply bought a really good product and left it be for the most part.

As for the schema updates, it didn't work. We made the registry change and it
did work. I don't see how that would be tied to the app as no changes were made
there. But who knows.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, October 09, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates


Hmmm. I need to think about that again. I think I only saw this behavior in the
lab where all the servers were upgraded instead of wipe and replace. In
production, we upgraded initially then did a replacement effort later.

More to the point, UGH Cisco Unity… I wish to Christ they'd stick to hardware
and stop venturing into software…

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, October 07, 2005 9:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Was it maybe the app itself disallowing the update? Did you try to just modify
the schema to see if it would work? Say change the rangeUpper of cn or something
like that and then change it back. Something innocuous.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Yep, same here. I think upgraded scenarios have this.
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
Upgraded.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 07, 2005 9:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Upgraded to 2003 or fresh install?
 

:m:dsm:cci:mvp 
marcusoh.blogspot.com




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Vander Kooi
Sent: Friday, October 07, 2005 10:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
 
I just did this last week to install Cisco Unity and I still had to enable
schema updates in Windows 2003 even though the user was in Schema Admins. I was
under the same impression as Travis, but after enabling updating in the registry
it worked fine.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, October 06, 2005 10:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Updates
Did you work this out Travis?

If not, I would recommend pulling up the Sysinternals registry and file monitors
as well as tracing the AD calls.
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, August 11, 2005 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Updates
Hi,

I am having some problems updating the schema for Avaya Unified Messaging. It is
my thinking that in Windows 2003 the schema is already enabled for updates as
long as you are in the Schema Admins group. In Windows 2000 you had to enable
the Schema to be updated. Am I correct or misguided?

Thanks!

Travis Abrams
 


RE: [ActiveDir] Adding custom fields to AD

2005-10-10 Thread joe
http://blogs.msdn.com/brettsh/

I would post a comment to the blog, but it requires a post first. :)
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, October 10, 2005 10:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Your blog link being what?  :)

:m:dsm:cci:mvp  marcusoh.blogspot.com
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, October 10, 2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Adding custom fields to AD

Yes, I was hoping you wouldn't take it as a who-has-a-bigger-database
contest, that was not my intent.  Besides it was really who has seen the
bigger database, and who wants to admit that, you want to HAVE the bigger
database.  My databases aren't really that big, usually a smidgen over the
default 10 MB size for testing, really quite small actually.

As for the wondering what kind of crap is stuffed into the AD DB, I'd agree
with you to some degree ... for corp / NOS type AD DBs ... but the ones I'm
thinking of are almost always internet auth DBs, and have millions to 10s of
millions of identities stored.  Then the size starts to make sense.  So you
can imagine why they get big.

And finally about the size limit on AD objects, how many attrs,
multi-values, link values, etc, and such, I have a blog post planned about
that ... actually 3 posts ...

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights.


On Sun, 9 Oct 2005, joe wrote:

> Ah Brett, you incorrigible one, you misunderstand my point of posting those
> numbers. It wasn't to say, look how big I have seen, but instead, look how
> big these companies are and they still have small DBs. When I hear of some
> giant DB I don't think wow, what a big DB, I think, what kind of sh*t is
> being thrown into that AD to bloat it to that extent[1]?  I especially love
> hearing about companies that jam huge binaries into the directory like
> images that get replicated to the four corners of the earth and are only
> read by one program, a web app, in one or two of the company's datacenters.
> Great use of bandwidth. I also especially love seeing a crap load of data
> going into the directory for Exchange when Exchange is centralized, also
> great use of bandwidth. That site in South America or in Kuala Lumpur with
> 10 people and a GC because they have crappy connectivity certainly needs to
> have every object and the entire Exchange selection of data for the other
> 200,000 users. No possible issues in data theft there... 
> 
> I think after we get past the training of everyone to only grant
> permissions to those that really need the permissions and just those
> specific permissions to just those specific people, we will start training
> everyone to only put the data where it is really needed. Anyone with a
> really large DIT should sit down and look at what is in it and say, is it
> really necessary for all of this data to go where it goes? Is there
> additional exposure that I have for putting it there that isn't necessary? 
> 
> Brett, while we have your attention if we do... How about some training on
> max data stored per object. What are the limits that we will hit as we
> stuff more and more data into say every user object? I know I have found
> the magic admin limit exceeded when punching a bunch of data into a
> non-linked multivalue attribute and it causing me to not be able to add any
> new attributes to the same user object. What other limits are we going to
> see? Also, why do I see that admin limit on new attributes when the one
> single multivalue attribute gets filled up?
> 
>   joe
> 
> 
> [1] I really am not an entirely negative person. I am best described as an
> optimistic pessimist. Hope for the best of all worlds but plan for the 
> worst. I have also been called a Socialist because I am willing to buy a
> burger for a friend and a good conversation. ;o)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Sunday, October 09, 2005 11:29 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Adding custom fields to AD
> 
> Mylo, from the way you speak of JET, I suspect you might not know of the
> two JETs, and be thinking that JET = Access ... make sure you're
> "edJETicated" (man, I slay me! ;), see Notes at bottom of this:
>  
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ese/ese/portal.asp
> 
> This frequent confusion is the reason we use the more desired term, ESE.  
> The two JETs, once compatible at the top level API, have not even had to
> maintain API compatibility for nearly 10 years, so they are quite
> different.
> 
> If the _active amount of data_ (and the active amount of data can be 
> grossly enlarged by bad queries) exceeds memory, some operati

RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Peter Johnson
Hi Alex

Get hold of the MS article on upgrading Windows 2000 AD to 2003. Basically you
will need to do the schema extensions on your current Schema master. Once the
changes have replicated to your other DCs then bring up your first W2K3 DC and
move the FSMO roles, taking into account DC/GC placements etc and then carry on
as in my first mail.

Regards

Peter

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 16:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema
while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in
what sequence did you do the upgrade?

Thanks

--Alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up
a new Windows 2003 server, migrate FSMO roles to it, move DNS, WINS etc to the
new server and then DCPROMO, one at a time, your other servers out. Reinstall
them with W2K3 and dcpromo them back in. Did this with a 700 user network with
no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option:
in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and
then upgrade the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS
server. If I go the second route do I need to set up a DNS server or can I use
the existing ones?

Thanks

--Alex


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread ActiveDirectory



Just bring up a new 2k3 server, DCPromo it and it will do the rest as the first
2k3 DC. Once it is successfully promoted, transfer all roles. Once you are sure
everything is transferred and working correctly you can DCPromo to demote the
old server, wipe, reinstall, whatever. There is no coexistence other than
working in Hybrid mode, and you can switch it to native once all of your 2K DCs
are upgraded to 2K3.

As to moving DNS, WINS, DHCP: if your DC is serving all those functions then
yes, activate them on the new server, and make sure you have updated the
required clients to point at the new server for those services. If those
services are working on a separate stand-alone server then don't worry about
them other than to make sure any static entries are updated.

If you are planning to bring in Exchange 2k3 I believe it is best to get your
2k3 domain stable first. I don't think it is required though, but I'm not
positive.

Just like anything else though it is best to finish one project before starting
the next; that way you aren't caught trying to troubleshoot conflicting issues.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Posted At: Monday, October 10, 2005 9:16 AM
Posted To: ActiveDirectory
Conversation: [ActiveDir] AD Migration Question
Subject: RE: [ActiveDir] AD Migration Question

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema
while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in
what sequence did you do the upgrade?

Thanks

--Alex


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up
a new Windows 2003 server, migrate FSMO roles to it, move DNS, WINS etc to the
new server and then DCPROMO, one at a time, your other servers out. Reinstall
them with W2K3 and dcpromo them back in. Did this with a 700 user network with
no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option:
in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and
then upgrade the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS
server. If I go the second route do I need to set up a DNS server or can I use
the existing ones?

Thanks

--Alex


RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Al Mulnick
Check out the upgrade docs at http://www.microsoft.com/ad and the readme that
comes with your 2003 server media for more specifics.

You won't coexist, you'll insert a 2K3 DC into your 2K domain/forest. As for
DNS, DHCP, and WINS, the migration is a little different.

DNS - If AD integrated, install on the new DC at installation. Let replicate.
    - If not AD integrated, then you'll have to replicate the zone to the new
      server.
    - Recommended to AD-integrate if that works for the domain you have.

WINS - WINS replicates. Replicate it to the new instance. Change the client
settings before sunsetting the old WINS replica. Be sure the clients have
started using the new instance.

DHCP - No replication :( you'll have to migrate it. There are tools to help,
but it takes some time while you update the client settings. It's not overnight
necessarily.


-ajm







From: "Alborzfard, Alex" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
To: 
Subject: RE: [ActiveDir] AD Migration Question
Date: Mon, 10 Oct 2005 10:16:10 -0400

Thanks for the advice! Excuse my ignorance, but how do I upgrade the schema
while I'm installing the WIN2K3 server? Ditto for migrating FSMOs.

Does it mean that I would have a 2K and 2K3 AD domain coexisting for a while
until I remove 2K AD?

When you said move DNS, WINS, DHCP, you meant just installing them on the new
server, right?

Did you also have to migrate Exchange (from 2K to 2K3) by any chance? If so, in
what sequence did you do the upgrade?

Thanks

--Alex


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, October 10, 2005 9:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

I would, if budget allows, go the second route. Do the schema upgrade, bring up
a new Windows 2003 server, migrate FSMO roles to it, move DNS, WINS etc to the
new server and then DCPROMO, one at a time, your other servers out. Reinstall
them with W2K3 and dcpromo them back in. Did this with a 700 user network with
no downtime.

Regards

Peter Johnson

P.S.

Look out for the article on migrating your DHCP database.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
Sent: 10 October 2005 15:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Migration Question

I have a W2K AD that I want to migrate to W2K3 AD. What's the best option:
in-place upgrade of the W2K DC, or standing up a brand new W2K3 DC server and
then upgrade the W2K DC to W2K3?

By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more DNS
server. If I go the second route do I need to set up a DNS server or can I use
the existing ones?

Thanks

--Alex



RE: [ActiveDir] AD Migration Question

2005-10-10 Thread Alborzfard, Alex
I have also W2K DCs in other remote sites. Are there any gotchas with
migrating them? None of them are GCs.

Thanks

--Alex

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, October 10, 2005 9:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Migration Question

Agreed, although you should be careful to note (and take appropriate actions
for) any apps that utilize hard coded DNS server entries prior to sunsetting
the original 2K DC.

It's always been a best practice to stand up a new DC vs. upgrade in place.
Not a hard and fast rule, but a best practice.

If your DNS is integrated, and since WINS is replicable (word?) as well, then
DHCP is the only animal left to contend with really.  You'll want to pay some
attention to how you approach that so that you work with the lease times,
option settings, networks, etc.


-ajm


>From: "ActiveDirectory" <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] AD Migration Question
>Date: Mon, 10 Oct 2005 08:44:10 -0500
>
>My personal opinion is that you carry less crap over if you bring up a
>new 2k3 DC (even if only temporarily).  You can always reformat and
>reuse the original server then move it back if you need to.
>
>Bob
>
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Alborzfard, Alex
>Posted At: Monday, October 10, 2005 8:26 AM
>Posted To: ActiveDirectory
>Conversation: AD Migration Question
>Subject: [ActiveDir] AD Migration Question
>
>I have a W2K AD that I want to migrate to W2K3 AD. What's the best
>option: in-place upgrade of the W2K DC, or standing up a brand new W2K3
>DC server and then upgrade the W2K DC to W2K3?
>
>By the way the W2K DC is also running DNS, DHCP, & WINS. I have one more
>DNS server. If I go the second route do I need to set up a DNS server or
>can I use the existing ones?
>
>Thanks
>
>--Alex
>



RE: [ActiveDir] Active Directory wish list

2005-10-10 Thread neil.ruston
In order to understand what Novell did/does we need to stop using terms
like "DC" and "domain" and instead think of "partitions" within the
"directory".

Novell allowed the directory to be carved up into manageable chunks
(partitions) and then for these partitions to be replicated as read only
or read write to one or more servers. I could for example, slice the
directory into 3 partitions and then replicate a read write copy of all
3 partitions to the same server. [On its own this is pointless, but it
serves its purpose as an illustration]. 

Note: partitions could be contiguous or overlapping. Each 'part' of the
directory must be represented within at least one partition, however.

These partitions are analogous to domains and so I merely stated that
Novell offered us a way to expose multiple partitions/domains via the
same server/DC way back when NDS hit the streets in 93.

That said, NDS/eDIR and AD are very different beasts at the fundamental
level, but as time goes on, we seem to be looking for features which
were available in Novell offerings, but which cannot easily be exposed
in AD due to its very different architecture. [I do not cite this as a
flaw but merely as an observation].

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: 10 October 2005 15:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory wish list

While I generally agree this would be great, I have to ask about eDir and its
authentication abilities.   IIRC, multiple domains via LDAP only work just
fine.  It's called ADAM in its latest incarnation.  But for the
authentication[1] and other apps that support/work with AD to provide identity
services (Kerb, DNS, GPOs, etc) might not be a good fit for a
multi-instance/single-server deployment. LDAP sure. The other apps, I'm not so
sure.


I'm curious, Charlie and Neil.  What services do these SMB's offer that
they need multiple instances of DC's? I realize that a best practice is
to have multiple servers that can provide some failure tolerant
behaviors, but I'm wondering what type of work a SMB does that requires
multiple full blown AD domain instances and therefore multiple servers
etc. Can you expand that?


[1] LDAP is not an authentication protocol; Kerberos is though.

-ajm
CCBW

>From: <[EMAIL PROTECTED]>
>Reply-To: ActiveDir@mail.activedir.org
>To: 
>Subject: RE: [ActiveDir] Active Directory wish list
>Date: Mon, 10 Oct 2005 08:52:25 +0100
>
>Maybe you should read about eDIR/NDS... :) Novell did this back in '93.
>
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
>[MVP]
>Sent: 06 October 2005 01:51
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>I'd be surprised if we see this in my lifetime, or at least before I 
>retire.
>
>Ed Crowley MCSE+Internet MVP
>Freelance E-Mail Philosopher
>Protecting the world from PSTs and Bricked Backups!™
>
>-Original Message-
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
>Sent: Wednesday, October 05, 2005 2:34 PM
>To: ActiveDir@mail.activedir.org
>Subject: RE: [ActiveDir] Active Directory wish list
>
>What I want is to be able to run multiple domains on one OS 
>installation and segment the directories from each other. That way I 
>don't need to run multiple licenses of the OS, nor do I need hardware 
>that can power 4 VMs.
>I already run VMs using VMWare in my test lab; it works but I'd prefer 
>to be able to run AD as a service and have it be smart enough to be 
>able to segment itself without needing a separate OS...
>
>**
>Charlie Kaiser
>W2K3 MCSA/MCSE/Security, CCNA
>Systems Engineer
>Essex Credit / Brickwalk
>510 595 5083
>**
>
>
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Ed Crowley 
> > [MVP]
> > Sent: Wednesday, October 05, 2005 10:07 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > You can.  It's called Microsoft Virtual Server.
> >
> > Ed Crowley MCSE+Internet MVP
> > Freelance E-Mail Philosopher
> > Protecting the world from PSTs and Bricked Backups!™
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Charlie 
> > Kaiser
> > Sent: Tuesday, October 04, 2005 6:37 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Active Directory wish list
> >
> > I'd also like to see the ability to run DCs for multiple domains on 
> > the same server. SMBs with limited resources balk at having to buy 
> > additional server hardware for redundancy on multiple domains, 
> > especially when the AD load on the DCs is minimal. This feature 
> > sounds like an offshoot of your list below.
> > If you can run AD as a service, it might not be that hard to allow 
> > multiple domains similar to multiple website

RE: [ActiveDir] GPO Permissions with .vbs

2005-10-10 Thread joe
Cute script. Forgot all about datediff.

It doesn't create a window but will it hold up logon script flow? If not, cool.

Website is working fine... must be a DNS issue of some sort. Go figure. ;o)

Pinging joeware.net [66.152.98.204] with 32 bytes of data:

Obviously you won't be able to connect with IP, it used host headers for the
redirect.

  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Rochford
Sent: Monday, October 10, 2005 4:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO Permissions with .vbs

VBScript version below. If you launch this with:

wscript .vbs

then it won't create a window (so you don't need quiet). I've added an initial
check so the program just terminates if the needed time has passed.

Joe - I can't get to your web site today; nslookup doesn't give me an IP
address. Not sure if that's a problem with your site or our DNS ...

Steve

Set oShell = CreateObject("WScript.Shell")
sTime = "10 oct 2005 09:09"
' VBScript strings have no escape character, so the path uses single backslashes
sCmd = "c:\progra~1\intern~1\iexplore.exe -new www.joeware.net"
' Initial check: do nothing at all if the target time has already passed
If DateDiff("s", Now, sTime) > 0 Then
  Do While DateDiff("s", Now, sTime) > 0
    WScript.Sleep 6   ' WScript.Sleep takes milliseconds
  Loop
  oShell.Run sCmd
End If
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: 08 October 2005 04:21
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] GPO Permissions with .vbs
  
  Now that I have a nice steak from Texas Roadhouse in my belly I can think
  straight. :o)

  Assuming the perl script is called timedfire.pl

  use strict;
  use warnings;

  my $d1  = "10/7/2005";
  my $t1  = "23:04";
  my $cmd = "c:\\progra~1\\intern~1\\iexplore.exe -new www.joeware.net";

  my ($mon, $day, $year) = split(/\//, $d1);
  my ($hour, $min)       = split(/:/, $t1);
  # Both values are zero-padded YYYYMMDDHHMM strings, so a numeric compare works
  my $cmp  = GetCmpVal($year, $mon, $day, $hour, $min);
  my $curr = GetCurrentTime();
  while ($cmp > $curr) {
    sleep 60;
    $curr = GetCurrentTime();
  }
  exec $cmd;

  sub GetCmpVal {
    return sprintf("%04s%02s%02s%02s%02s", @_);
  }

  sub GetCurrentTime {
    my @lt = localtime();
    return GetCmpVal($lt[5] + 1900, $lt[4] + 1, $lt[3], $lt[2], $lt[1]);
  }

  You should be able to put in the logon script

  quiet timedfire.pl

  And you can get quiet from http://www.joeware.net/win/free/tools/quiet.htm

  That can be further reduced but I wanted it to be readable. If someone wants
  to convert to VBScript, that might be fun for people who don't do perl.

     joe

  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Friday, October 07, 2005 9:15 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] GPO Permissions with .vbs
  
  This should be a piece of cake to do with a .NET app. It's got an easy option
  to hide from the taskbar, so you don't have to call the Win32 API to do that
  (not that it's hard...), it has a couple of timer classes, and it has a
  Process class you can use to kick off a process. Sounds like a compelling
  reason to learn C# or VB.Net to me. ;)

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]

  c - 312.731.3132

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, October 07, 2005 9:02 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] GPO Permissions with .vbs
  
  Oh I just chased back through this thread... You want to fire up IE, I didn't
  catch that before, I didn't look that close at the specific process you
  wanted to fire, just that you wanted to fire a process. You should still be
  able to do this with a startup script with AT as long as you specify
  interactive; it should pop in the current interactive session but I would be
  concerned about the security context it runs in, which would be LocalSystem.
  In order to schedule something in the security context of another ID you will
  need to be able to specify userid/password, which isn't fun either since
  someone will probably be able to see it if they are bright.

  What you want is something that opens an IE window in the context of the
  current user at a specified time. I am not aware of anything that will do
  that. You almost need a special app that can be launched by the user in the
  logon script in their security context that will sleep until the specified
  time and then fire the app. Here is a point where being an admin with
  programming skills is nice, though you may be able to do this with a script.
  Have the script fire another process that hides itself from the task bar and
  pops into the screen at the designated time.

  I will think about this. There might be a way to pull this off with a perl
  script.

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
  Sent: Friday, October 07, 2005 4:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] GPO Permissions with .vbs
  
  
  How would I use schtask to assign to more than one computer.  It seems like that may be

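The same user-context delayed-launch approach as joe's Perl and Steve's VBScript in the thread above, written here in Python as an added example (not code from the thread's authors): the logon script starts it as the user, it waits, then starts the program as that same user, so no LocalSystem scheduled task and no stored userid/password are involved. The sample times and the IE command are the thread's; the function names and the timedfire.py file name are assumed.

```python
"""Delayed launch from a logon script, in the logged-on user's own context.

Added example for the timed-launch idea in this thread; it is not code from
the thread's authors. Function names and the file name are assumed.
"""
import subprocess
import sys
import time
from datetime import datetime
from typing import Callable, List, Optional

# Constructed sample values, in the two shapes the thread's scripts use:
# joe's "10/7/2005" + "23:04" and Steve's "10 oct 2005 09:09".
SAMPLE_US_DATE = "10/7/2005"
SAMPLE_US_TIME = "23:04"
SAMPLE_LONG = "10 oct 2005 09:09"

# The thread's command, as an argument list rather than one shell string,
# so nothing in the URL is ever interpreted by cmd.exe.
DEFAULT_CMD = [r"c:\progra~1\intern~1\iexplore.exe", "-new", "www.joeware.net"]


def parse_target(date_part: str, time_part: Optional[str] = None) -> datetime:
    """Return the launch time as a naive local datetime.

    Two arguments: 'M/D/YYYY' and 'HH:MM' (joe's format).
    One argument:  'D mon YYYY HH:MM' (Steve's format).
    """
    if time_part is not None:
        return datetime.strptime(f"{date_part} {time_part}", "%m/%d/%Y %H:%M")
    return datetime.strptime(date_part, "%d %b %Y %H:%M")


def seconds_until(target: datetime, now: datetime) -> Optional[float]:
    """Seconds to wait, or None when the time has already passed.

    None is Steve's initial check: a logon after the target time must not
    start the program at all.
    """
    delta = (target - now).total_seconds()
    return delta if delta > 0 else None


def wait_and_launch(
    target: datetime,
    cmd: List[str],
    now: Optional[datetime] = None,
    sleeper: Callable[[float], None] = time.sleep,
    runner: Callable[[List[str]], object] = subprocess.Popen,
) -> bool:
    """Sleep until target, then start cmd as the current user.

    Returns True if the program was started, False if the time had passed.
    sleeper and runner are injectable so the logic can be tested without
    sleeping or starting anything.
    """
    now = now if now is not None else datetime.now()
    wait = seconds_until(target, now)
    if wait is None:
        return False
    # One computed sleep instead of polling in a loop.
    sleeper(wait)
    # Popen returns immediately, so the logon script is not held up.
    runner(cmd)
    return True


if __name__ == "__main__":
    # Logon-script usage:  python timedfire.py "10 oct 2005 09:09"
    #                 or:  python timedfire.py 10/7/2005 23:04
    # (timedfire.py is an assumed file name.) A past time exits quietly.
    args = sys.argv[1:3]
    target = parse_target(*args) if args else parse_target(SAMPLE_LONG)
    wait_and_launch(target, DEFAULT_CMD)
```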