[ActiveDir] User Security Problem
After searching further into an NDR 5.3.5 issue I was having with Exchange 2000 last week, it looks like the user with the issue has incorrect security settings in Active Directory. When I go to the Security tab of the user properties, the check mark is missing from the "Allow Inheritable Permissions from Parent" box. I then click to put the check mark back in. A while later, when going back in to check the security again, the check mark is gone, and any changes that I made to make this user's security match other users are gone. I am logged on with an Enterprise Admin account while trying to make these changes.

Any ideas as to what is happening, and how I can get this security setting corrected?

Thanks for your assistance.

Tim Care
System Administrator
Electro Chemical Finishing
616-531-0670 x 102

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] User Security Problem
Tim, the user is most likely a member of a protected group. See this article:

Delegated Permissions Are Not Available and Inheritance Is Automatically Disabled
http://support.microsoft.com/?kbid=817433

For a sample of how to manipulate the permissions on this object (since the GUI doesn't really work that well), take a look at:
http://support.microsoft.com/?kbid=232199

I hope this helps...

- Dave

-----Original Message-----
From: Tim Care [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Jun 2003 08:52:38 -0400
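An added check for the symptom Tim describes and the cause Dave names (this is editor-supplied example code, not something posted to the thread). It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined admin session; the group names are the standard protected groups from KB 817433, and the cleanup at the end runs with -WhatIf so it changes nothing until that switch is removed.

```powershell
# Why the "Allow Inheritable Permissions" box keeps clearing itself: every member
# (direct or nested) of a protected group gets its DACL re-stamped from
# CN=AdminSDHolder,CN=System by the SDProp thread, with inheritance blocked, and
# the account is marked with adminCount=1. Manual changes on the Security tab are
# therefore undone again within about an hour.
Import-Module ActiveDirectory

# Protected groups as listed in KB 817433 (Windows 2000 / 2003 era set).
$protectedGroups = 'Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers'

# Every user reachable through a protected group, nested membership included.
$protectedUsers = @{}
foreach ($g in $protectedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { $protectedUsers[$_.distinguishedName] = $g }
}

# Users SDProp has already touched carry adminCount=1.
$stamped = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor

$report = foreach ($u in $stamped) {
    [pscustomobject]@{
        User               = $u.SamAccountName
        DistinguishedName  = $u.DistinguishedName
        InheritanceBlocked = $u.nTSecurityDescriptor.AreAccessRulesProtected  # $true = box unticked
        ProtectedVia       = $protectedUsers[$u.DistinguishedName]            # $null = no longer a member
    }
}
$report | Format-Table User, InheritanceBlocked, ProtectedVia -AutoSize

# Current members: the blocked inheritance is by design. Either accept it, or take
# the person's everyday account out of the group and give them a separate admin account.
# Former members are different: they keep adminCount=1 and the blocked DACL until
# cleaned up, and only for them will a re-ticked box stay ticked.
$orphans = $report | Where-Object { -not $_.ProtectedVia }
foreach ($o in $orphans) {
    Set-ADUser -Identity $o.DistinguishedName -Clear adminCount -WhatIf   # drop -WhatIf to apply
    $acl = Get-Acl -Path "AD:\$($o.DistinguishedName)"
    $acl.SetAccessRuleProtection($false, $true)   # re-enable inheritance from the parent container
    Set-Acl -Path "AD:\$($o.DistinguishedName)" -AclObject $acl -WhatIf
}
```

The first table is the answer to Tim's question: a user listed with a ProtectedVia value will lose the check mark again no matter who re-ticks it.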
RE: [ActiveDir] Replication Problems...
It would entirely depend on if there is an underlying IP addressing scheme that would lend itself to being subnetted - in this case there appears to be one, as it used to be subnetted. So, in this case, you just create subnets in AD that reflect the local group of IPs in each office.

You are correct, however, that if it's a truly bridged network (like the one I mentioned) and there is no localized IP scheme, it can't be done.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 4:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication Problems...

If it's really bridged, as in one big, happy IP subnet, how would you create sites? Maybe I'm just confused... happens a lot lately.

Dave

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 3:03 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication Problems...

I *think* the default is 300 minutes, but can be configured down as low as 15 minutes.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication Problems...

Raymond,

If you can set up meaningful sites (which I guess you can), then a potential strategy would be to disable the ISTG at each site and set up manual connections between the remote sites and one or more DCs at HQ. Ideally you would run DNS on each of the DCs as well so that clients would keep DC location traffic local. The only trick then would be to make sure that when a DC fails at a remote site that the clients would select a DC at HQ for authentication, instead of any random DC on the network.

I wrote an article for Windows .NET Magazine a few months ago about this topic; it was in the March issue I think. There's a copy you can D/L from our website: http://www.netpro.com/forum/files/authentication_topology.pdf.

The replication schedule between sites is by default every 15 minutes; not quite immediate, but good enough for most purposes. It's configurable by defining the schedule on the connection object in AD Sites and Services.

HTH,
-gil

-----Original Message-----
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication Problems...

Gil,

That's kind of what I was asking. I was thinking I could just have all of the remote DCs pull from the DCs here at HQ, I just wasn't sure what problems I might run into. MS recommends using a site for each remote which makes sense, but I wasn't clear on the time periods that sync would occur during, or whether immediate changes would indeed be immediate.

Thanks,
Raymond

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gil Kirkpatrick
Sent: Wednesday, June 04, 2003 10:59 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication Problems...

Raymond, Roger,

Perhaps I'm missing the significance of a bridged WAN, but why not disable the KCC and create your own connection objects to control which DCs replicate with each other?

-gil

-----Original Message-----
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 9:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication Problems...

We do, at least, have each of our remote sites with a different IP range since the network USED to be routed (long story short, our core processor uses a serial printing protocol that was not routable at the time). We are redesigning the network this year so that we can unf#$%^ ourselves. But in the meantime changes we make don't replicate, or un-replicate.

On a side note, our network has broken even the most confident of men; the consultant that just left was on top of his game before he worked on our network. But he left a broken and battered man with a lot of self-doubt (and as a good friend). And if the guy who 'designed' this network were still here Roger, having what you mentioned happen to him would be the LEAST of his worries :-).

Thanks again,
Raymond McClinnis
Network Administrator
Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Wednesday, June 04, 2003 8:15 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Replication Problems...
RE: [ActiveDir] Replication Problems...
I'd agree with you on the consultant.

I'm guessing that what you're seeing is the result of an inconsistent replication topology. I'd even be willing to bet that what's happening is the KCC is constantly modifying the topology, and it's never fully acquiesced.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication Problems...

Bob,

There have been some other weird issues, for instance it took TWO days for a computer to finally be deleted in Active Directory, DNS disappearing off of a couple domain controllers after that and some name resolution problems which may or may not be related. I'm really beginning to think the consultant that came out here didn't plan us out very well... -=groan=-

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bobel, Robert
Sent: Wednesday, June 04, 2003 1:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication Problems...

Is the returning group membership issue the only problem you're seeing?

Thanks
Bob

-----Original Message-----
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:06 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Replication Problems...

Hello all,

Does anyone know a good topology for a bridged WAN? Once everyone picks up their jaws, I'll continue. We have approximately 18 DCs at remote sites on various low bandwidth lines (from 384K to T-1). By default all the servers are trying to talk to each other and there have been instances of us removing users from groups and the user returning to the group. I had thought of pointing all the remote controllers to the DCs here at HQ and having the ones here at HQ talk amongst themselves. Is this a good idea, or is there a better solution?

I appreciate any input y'all can give me.

Thanks in Advance,
Raymond McClinnis
Network Administrator
Provident Credit Union
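An added audit for the topology problem Raymond describes (every DC talking to every other) and the fix Gil suggests (sites with subnets, hub-and-spoke connection objects, KCC/ISTG off). This is editor-supplied example code, not from the thread; it assumes the ActiveDirectory module (RSAT) with read access to the Configuration partition, and 'HQ' is a placeholder for the hub site name.

```powershell
# Read-only check of the AD replication topology: which subnets map to which
# site, and which connection objects exist, so branch-to-branch replication paths
# (the ones the KCC builds by default) can be spotted before they are replaced by
# manually created hub-and-spoke connections.
Import-Module ActiveDirectory

$HubSite = 'HQ'   # placeholder: the site whose DCs every remote site should pull from

# Pull the site name out of an NTDS Settings or server DN such as
# CN=NTDS Settings,CN=DC01,CN=Servers,CN=Branch7,CN=Sites,CN=Configuration,DC=example,DC=com
function Get-SiteFromServerDn([string]$Dn) {
    if ($Dn -match 'CN=Servers,CN=([^,]+),CN=Sites') { return $Matches[1] }
    return $null
}

# 1. Subnet-to-site mapping. A remote office with no subnet object is treated as
#    part of whatever site its DC was promoted in, and its clients can pick any
#    DC on the network for authentication.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = {
        if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(unassigned)' } } } |
    Sort-Object Site, Name | Format-Table -AutoSize

# 2. Connection objects, with source and destination reduced to site names.
$conns = Get-ADReplicationConnection -Filter * | ForEach-Object {
    [pscustomobject]@{
        Connection    = $_.Name
        AutoGenerated = $_.AutoGenerated   # $true = built by the KCC/ISTG, not by hand
        FromSite      = Get-SiteFromServerDn $_.ReplicateFromDirectoryServer
        ToSite        = Get-SiteFromServerDn $_.ReplicateToDirectoryServer
    }
}
$conns | Sort-Object ToSite, FromSite | Format-Table -AutoSize

# 3. Anything inter-site that does not touch the hub is a branch-to-branch path
#    crossing the low-bandwidth lines; if it is also AutoGenerated, the KCC/ISTG
#    is still in charge of the topology.
$branchToBranch = $conns | Where-Object {
    $_.FromSite -and $_.ToSite -and
    $_.FromSite -ne $_.ToSite -and
    $_.FromSite -ne $HubSite -and
    $_.ToSite   -ne $HubSite
}
if ($branchToBranch) {
    Write-Warning "Branch-to-branch replication connections found:"
    $branchToBranch | Format-Table -AutoSize
} else {
    Write-Host "All inter-site connections go through site '$HubSite'."
}
```

Run it again after the manual connection objects are in place; the expected end state is no warning and every inter-site row showing 'HQ' on one side.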
RE: [ActiveDir] Single sign-on
Is MMS3 general availability yet?

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

ADAM is intended, AFAIK, to be free. MMS 3.0 Standard is free, too - but it will only synch MS data, e.g. Forest GAL to Forest GAL. If you want to bring other directories into the mix (iPlanet, NDS, etc.) you will need MMS 3.0 Enterprise. That one is gonna cost ya. ;-)

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharma, Shshank
Sent: Wednesday, June 04, 2003 7:49 PM
To: '[EMAIL PROTECTED]'

Thanks Justin, for the useful pointer. I was reading through the March '03 issue (http://www.fawcette.com/dotnetmag/2003_03/magazine/features/nruest/page3.asp) and it refers to MMS. Will check it out in more detail.

Also, are MMS and ADAM (Active Directory in Application Mode) shipped as _free_ add-ons with Server 2003, or do they have separate licensing, anyone?

./Shshank

-----Original Message-----
From: Jb Leney [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Shshank,

MMS (Microsoft Metadirectory Services) seems to be a nice solution.
http://www.microsoft.com/windows2000/technologies/directory/MMS/default.asp

The May 2003 issue of Windows .NET Magazine has a 4-page infomercial about MMS.

I can tell you from experience; one organization I am familiar with was quoted millions of dollars to set up a UNIX-based single sign-on. I can't imagine MMS costing that much, however.

Hope this helps and good luck.

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 4:08 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Single sign-on

Hi everybody,

I am new to the Active Directory realm. Am looking for help on implementing single sign-on for multiple web-based applications using Microsoft's Active Directory. Any and all pointers to how-tos et al. will be thankfully received.

-Shshank Sharma
RE: [ActiveDir] Single sign-on
Are there any other products out there similar to MMS? When you say clunky to set up and configure, are we talking months?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Corbett
Sent: Thursday, June 05, 2003 3:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single sign-on

That used to be the case, not sure if MMS 2003 has the same sort of requirements. The main reason they had consulting attached was that MMS was fairly clunky to set up and configure, and unless you knew what you were doing, could tie yourself up in knots fairly quickly. Obviously not something MS wanted to let into the wild, as customers who had problems with it invariably came away with a bad impression (through their lack of knowledge of the product).

...and it wasn't just MCS, any of the major certified partners could assist you with MMS design / implementation / deployment (did some consulting on MMS while @ Compaq/HP).

Glenn

----- Original Message -----
From: Mayet, Yusuf Y
To: '[EMAIL PROTECTED]'
Sent: Thursday, June 05, 2003 4:40 PM
Subject: RE: [ActiveDir] Single sign-on

Rick, correct me if I am wrong but as far as I know if one is considering MMS Enterprise then you are bound by MCS to assist you in the QA and Design. (and they don't come cheap)

Yusuf

snip
RE: [ActiveDir] WinPE and RIS
That sounds suspiciously like XP Home...

WinPE is designed as a CLI environment to replace DOS.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe L. Casale [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WinPE and RIS

Hey Roger, what ya mean no GUI? I have it from my OEM pack, and use it many a time, it has a GUI. It's a "light" version of Windows, that's all...

jlc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2003 7:25 AM
To: '[EMAIL PROTECTED]'

WinPE is a full 32-bit command line based OS - meaning that in a nutshell, it's XP without a GUI. The upshot is that you no longer need DOS drivers for anything - NIC, CDROM, etc. You can use the same drivers that the final OS will use, which is a HUGE deal because of the increasing lack of support for DOS drivers from NIC vendors.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 31, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] WinPE and RIS

Hey all,

This may not be a question for this group, but I don't know where I can ask this question. My question is: Why use RIS for installing WinPE? Either I don't see what WinPE is used for, or I'm missing something here...

This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and is intended for the sole use of the addressees. Any use of the information contained herein (including but not limited to total or partial reproduction or distribution in any form) by other persons than the addressees is prohibited. If you have received this e-mail in error, please notify the sender and delete its contents.
Re: [ActiveDir] Single sign-on
MMS 3.0 is a lot easier than the old 2.2 version. 3.0 will be available this summer and can be configured by the customer. It's not that clunky and now comes with a nice wizard that helps you through the process. You still need to know what you are doing because it's not really easy. The biggest thing missing I think is a preview to see how the changes are going to look. I guess that's just another reason to force us to test this in a test environment :-)

Fred

-----Original Message-----
From: Chris Flesher [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Sent: Thu Jun 05 10:25:54 2003
Subject: RE: [ActiveDir] Single sign-on
[ActiveDir] Force Logoff
Hello,

I'm having a problem with the force logoff (Automatically log off users when time expires) in my GPO. I have all the users' logon hours from 10 pm on into the morning set to deny. This is supposed to log them off of their machine, correct? Well, it doesn't. All the client machines are XP Pro.

All of this is a problem because periodically during the night I get security events that the user is trying to log on during the night after their logon time has expired, giving a false impression that someone is trying to hack in.

Any ideas?

Thanks,
Ryan
Re: [ActiveDir] Single sign-on
MMS 3.0 definitely does not have a consulting requirement; its licensing was brought out before. The enterprise version is 25k per processor, I believe.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 06/05/2003 04:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single sign-on
Re: [ActiveDir] WinPE and RIS
I have the Select version and it runs the standard XP graphical background with its only interface being a command prompt window. Not much of a GUI.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 06/05/2003 03:01 AM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WinPE and RIS

I think there is a difference between the OEM version and the version you get from the SELECT agreement.

Marc

-----Original Message-----
From: Joe L. Casale [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 5 June 2003 5:44
To: [EMAIL PROTECTED]
RE: [ActiveDir] WinPE and RIS
The one that I have from my MCS folks is CLI only - no GUI. FWIW.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:14 AM
To: [EMAIL PROTECTED]
RE: [ActiveDir] Single sign-on
Best low cost alternative is called Simple Sync from CPS Systems. It also doesn't come with the Microsoft-only limitations of the free version of MMS 2003.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on
RE: [ActiveDir] WinPE and RIS
We have a copy of it from our Select agreement. It has the default WinXP background but only the command prompt can be used. Maybe the background is what he is referring to as the GUI?

Mike

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 11:18 AM
To: [EMAIL PROTECTED]

The one that I have from my MCS folks is CLI only - no GUI. FWIW.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 9:14 AM
To: [EMAIL PROTECTED]

I have the Select version and it runs the standard XP graphical background with its only interface being a command prompt window. Not much of a GUI.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 06/05/2003 03:01 AM
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WinPE and RIS

I think there is a difference between the OEM version and the version you get from the SELECT agreement.

Marc

-----Original Message-----
From: Joe L. Casale [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 5 June 2003 5:44
To: [EMAIL PROTECTED]

Hey Roger, what ya mean no GUI? I have it from my OEM pack, and use it many a time, it has a GUI. It's a "light" version of Windows, that's all...

jlc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2003 7:25 AM
To: '[EMAIL PROTECTED]'

WinPE is a full 32-bit command line based OS - meaning that in a nutshell, it's XP without a GUI. The upshot is that you no longer need DOS drivers for anything - NIC, CDROM, etc. You can use the same drivers that the final OS will use, which is a HUGE deal because of the increasing lack of support for DOS drivers from NIC vendors.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 31, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] WinPE and RIS

Hey all,

This may not be a question for this group, but I don't know where I can ask this question. My question is: why use RIS for installing WinPE? Either I don't see what WinPE is used for, or I'm missing something here...

* This e-mail and any attachment thereto may contain information which is confidential and/or protected by intellectual property rights and is intended for the sole use of the addressees. Any use of the information contained herein (including but not limited to total or partial reproduction or distribution in any form) by other persons than the addressees is prohibited. If you have received this e-mail in error, please notify the sender and delete its contents. *
RE: [ActiveDir] WinPE and RIS
So, it's a pretty CLI then.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 10:14 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] WinPE and RIS

I have the Select version and it runs the standard XP graphical background with its only interface being a command prompt window. Not much of a GUI.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 06/05/2003 03:01 AM
To: "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WinPE and RIS

I think there is a difference between the OEM version and the version you get from the SELECT agreement.

Marc

-----Original Message-----
From: Joe L. Casale [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 5 June 2003 5:44
To: [EMAIL PROTECTED]

Hey Roger, what ya mean no GUI? I have it from my OEM pack, and use it many a time, it has a GUI. It's a "light" version of Windows, that's all...

jlc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 02, 2003 7:25 AM
To: '[EMAIL PROTECTED]'

WinPE is a full 32-bit command line based OS - meaning that in a nutshell, it's XP without a GUI. The upshot is that you no longer need DOS drivers for anything - NIC, CDROM, etc. You can use the same drivers that the final OS will use, which is a HUGE deal because of the increasing lack of support for DOS drivers from NIC vendors.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: De Schepper Marc [mailto:[EMAIL PROTECTED]]
Sent: Saturday, May 31, 2003 5:59 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] WinPE and RIS

Hey all,

This may not be a question for this group, but I don't know where I can ask this question. My question is: why use RIS for installing WinPE? Either I don't see what WinPE is used for, or I'm missing something here...
[ActiveDir] Remote Office Domain Controllers
We have several (6) remote offices, each with 5-10 users, that are connected via 256K FR circuits back here to the corporate office. At the present time, they are used for FP services, WINS, and DHCP. We do have plans to implement SMS in the future for software rollout and desktop management. All desktop clients are W2K as well as most roving laptop users (the few remaining W9x laptops are being retired if they can't be upgraded).

I am in the process of replacing their older W2K server with a new one that has sufficient disk space, processor power and a larger tape backup. The question comes up as to whether to make them domain controllers or not. If I want to control replication, I need to set up a site, which requires a DC. OTOH, having a DC out there in the first place increases traffic too. Almost all useful information for the remote users exists at the corporate site (Exchange, AS400, corporate shared data, etc.) so they are pretty much dead in the water if the line is down anyway.

I asked this question at last fall's TechEd and got a majority of opinions that making the servers DCs would probably not be an advantage to such a small group of users that are depending on the central system anyway to offset the DC traffic. Is this still the consensus? Although I could promote them later in the field, it certainly would be easier to dcpromo them here before sending them out.

Pete Carstensen, MCSE
Senior LAN Engineer
CSK Auto, Inc.
Phoenix, AZ

Computers are not intelligent. They only think they are.
RE: [ActiveDir] Single sign-on
RC1 is on MSDN Universal subscriptions. It was supposed to be available to the general public in gold release 90 days after the Windows Server 2003 launch.

Roger Seielstad [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/05/2003 10:21 AM
Please respond to ActiveDir

To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Single sign-on

Is MMS3 general availability yet?

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

ADAM is intended, AFAIK, to be free. MMS 3.0 Standard is free, too - but it will only synch MS data. E.g. Forest GAL to Forest GAL. If you want to bring other directories into the mix (iPlanet, NDS, etc) you will need MMS 3.0 Enterprise. That one is gonna cost ya. ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharma, Shshank
Sent: Wednesday, June 04, 2003 7:49 PM
To: '[EMAIL PROTECTED]'

Thanks Justin, for the useful pointer. I was reading through the March '03 issue (http://www.fawcette.com/dotnetmag/2003_03/magazine/features/nruest/page3.asp) and it refers to MMS. Will check it out in more detail. Also, are MMS and ADAM (Active Directory in Application Mode) shipped as _free_ add-ons with Server 2003, or do they have separate licensing, anyone?

./Shshank

-----Original Message-----
From: Jb Leney [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Shshank,

MMS (Microsoft Metadirectory Services) seems to be a nice solution.
http://www.microsoft.com/windows2000/technologies/directory/MMS/default.asp

The May 2003 issue of Windows .NET Magazine has a 4 page infomercial about MMS. I can tell you from experience; one organization I am familiar with was quoted millions of dollars to set up a UNIX-based single sign on. I can't imagine MMS costing that much, however.

Hope this helps and good luck.

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 4:08 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Single sign-on

Hi everybody,

I am new to the Active Directory realm. Am looking for help on implementing single sign-on for multiple web-based applications using Microsoft's Active Directory. Any and all pointers to how-to's et al will be thankfully received.

-Shshank Sharma
RE: [ActiveDir] Single sign-on
And is it good for single sign-on implementations for apps having disparate databases, Oracle, SQL Server et al? Any used-it-and-this-is-what-we-ran-into kind of stories, anyone?

./Shshank

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Best low cost alternative is called Simple Sync from CPS Systems. It also doesn't come with the Microsoft-only limitations of the free version of MMS2003.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

Are there any other products out there similar to MMS? When you say clunky to set up and configure, are we talking months?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Corbett
Sent: Thursday, June 05, 2003 3:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single sign-on

That used to be the case, not sure if MMS 2003 has the same sort of requirements. The main reason they had consulting attached was that MMS was fairly clunky to set up and configure, and unless you knew what you were doing, could tie yourself up in knots fairly quickly. Obviously not something MS wanted to let into the wild, as customers who had problems with it invariably came away with a bad impression (through their lack of knowledge of the product). ...and it wasn't just MCS, any of the major certified partners could assist you with MMS design / implementation / deployment (did some consulting on MMS while @ Compaq/HP).

Glenn

----- Original Message -----
From: Mayet, Yusuf Y
To: '[EMAIL PROTECTED]'
Sent: Thursday, June 05, 2003 4:40 PM
Subject: RE: [ActiveDir] Single sign-on

Rick, correct me if I am wrong but as far as I know if one is considering MMS Enterprise then you are bound by MCS to assist you in the QA and Design. (and they don't come cheap)

Yusuf

<snip>
RE: [ActiveDir] Single sign-on
Right, sure that's the context I was thinking about. So, what are people typically doing, getting some stuff like this, and then cobbling together a single sign-on solution unique to themselves? Or are there more generic tools out there, of course ones which cost more and make life easier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

BTW MMS does not strictly enable single sign-ons. It is a meta directory and it can enable the synchronization of directory information across different systems, including in most cases usernames and passwords. However even with the same username and password on different systems a user may very well be required to sign on multiple times (using the same credentials). True single sign-on can be very complex (not that a meta-directory with provisioning isn't!)
RE: [ActiveDir] AD DNS: CNAME/Alias
It is a known issue, but if you are running SP3 then you can set the reg key described in this article to resolve the issue:
http://support.microsoft.com/?scid=kb;en-us;281308

- Dave

-- Original Message --
From: Roger Seielstad [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Jun 2003 12:26:26 -0400

I think that's a known issue with CNAME FQDNs in UNC paths, but I can't remember for sure. I've seen it before though.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Pelle, Joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 11:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD DNS: CNAME/Alias

Hello!

You all have been very helpful in the past and I want to thank you for your time in helping me with various issues! Please advise:

I'm in the middle of migrating from NT to W2K and have a DNS issue: I want to create a CNAME record in my AD integrated DNS that points to a server that still resides in NT. After I create the CNAME record I click on Start | Run and type:

\\testcname.FQDN

and get this in response:

A duplicate name exists on the network.

Has anyone encountered this scenario? Any help is greatly appreciated.

Thanks!

Joe Pelle
Systems Administrator
Information Technology
Valassis / Targeted Print Media Solutions
35955 Schoolcraft Rd.
Livonia, MI 48150
Tel 734.632.3753
Fax 734.632.6240
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information. This message and the information contained herein are not to be further communicated without my express written consent.
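A check for the two things Dave's reply points at, written as an added example rather than code from the thread or from Microsoft: whether the alias really is a CNAME in DNS, and whether the LanmanServer registry value that KB 281308 describes is set on the file server. I am taking that value to be DisableStrictNameChecking (REG_DWORD, 1 = alias names accepted) under HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters; the alias and server names are constructed placeholders, and Resolve-DnsName and Invoke-Command are current PowerShell cmdlets rather than anything available on the 2003-era systems in the thread.

```powershell
<#
  Added example, not part of the ActiveDir thread.
  Explains why "\\alias" to a file server fails with
  "A duplicate name exists on the network" and reports the
  server-side setting from KB 281308 on the target host.
  Assumptions: the value is DisableStrictNameChecking under the
  LanmanServer Parameters key; host names below are constructed.
#>
param(
    [string]$Alias      = 'testcname.corp.example',   # constructed alias name
    [string]$FileServer = 'ntsrv01.corp.example',     # constructed share host
    [switch]$Fix                                      # apply the change when asked
)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableStrictNameChecking'

# 1. DNS: confirm the alias is a CNAME and where it points. The client
#    connects to the canonical host's address but presents the alias in
#    the SMB session setup; by default the Server service only accepts
#    its own computer name, which is what the "duplicate name" error means.
$answers = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue
$cname   = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if ($cname) {
    "DNS: $Alias is a CNAME for $($cname.NameHost)"
} else {
    "DNS: $Alias is not a CNAME (check whether an A record was created instead)"
}

# 2. Registry on the file server: read the strict-name-checking switch.
$current = Invoke-Command -ComputerName $FileServer -ScriptBlock {
    param($Path, $Name)
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { $null } else { $p.$Name }
} -ArgumentList $KeyPath, $ValueName

if ($null -eq $current) {
    "$FileServer`: $ValueName not set (default: strict, alias names rejected)"
} elseif ($current -eq 1) {
    "$FileServer`: $ValueName = 1 (alias names accepted)"
} else {
    "$FileServer`: $ValueName = $current (strict, alias names rejected)"
}

# 3. Remediation only when explicitly requested. The value is server-wide:
#    it relaxes name checking for every share on that host, so set it only
#    on the server that has to answer to the alias. The Server service has
#    to be restarted before the change takes effect.
if ($Fix -and $current -ne 1) {
    Invoke-Command -ComputerName $FileServer -ScriptBlock {
        param($Path, $Name)
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Restart-Service -Name LanmanServer -Force
    } -ArgumentList $KeyPath, $ValueName
    "$FileServer`: $ValueName set to 1 and Server service restarted"
}
```

Run it read-only first (without -Fix) from a workstation that can reach the file server over PowerShell remoting; the DNS step runs locally, so it also shows whether the alias was mistakenly created as an A record, which the registry change alone does not help with.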
[ActiveDir] Exchange 5.5 and active directory connector errors
While trying to install Exchange 2000 where the Active Directory is installed, I keep getting the following error:

Setup has detected that the Exchange 5.5 site your server belongs to has not replicated to the Active Directory yet. You can either wait for replication to complete and try the upgrade again or upgrade a server from a site that has already been replicated to the AD.

I have tried all that I can find on the Microsoft knowledge base, and am trying here before I spend the money to call Microsoft.
RE: [ActiveDir] Single sign-on
RSN*

-gil

*real soon now

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:21 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Is MMS3 general availability yet?

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 11:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

ADAM is intended, AFAIK, to be free. MMS 3.0 Standard is free, too - but it will only synch MS data. E.g. Forest GAL to Forest GAL. If you want to bring other directories into the mix (iPlanet, NDS, etc) you will need MMS 3.0 Enterprise. That one is gonna cost ya. ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sharma, Shshank
Sent: Wednesday, June 04, 2003 7:49 PM
To: '[EMAIL PROTECTED]'

Thanks Justin, for the useful pointer. I was reading through the March '03 issue (http://www.fawcette.com/dotnetmag/2003_03/magazine/features/nruest/page3.asp) and it refers to MMS. Will check it out in more detail. Also, are MMS and ADAM (Active Directory in Application Mode) shipped as _free_ add-ons with Server 2003, or do they have separate licensing, anyone?

./Shshank

-----Original Message-----
From: Jb Leney [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Shshank,

MMS (Microsoft Metadirectory Services) seems to be a nice solution.
http://www.microsoft.com/windows2000/technologies/directory/MMS/default.asp

The May 2003 issue of Windows .NET Magazine has a 4 page infomercial about MMS. I can tell you from experience; one organization I am familiar with was quoted millions of dollars to set up a UNIX-based single sign on. I can't imagine MMS costing that much, however.

Hope this helps and good luck.

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 04, 2003 4:08 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Single sign-on

Hi everybody,

I am new to the Active Directory realm. Am looking for help on implementing single sign-on for multiple web-based applications using Microsoft's Active Directory. Any and all pointers to how-to's et al will be thankfully received.

-Shshank Sharma
RE: [ActiveDir] Remote Office Domain Controllers
From a network traffic point of view, it doesn't it makes sense to put DCs at the remote sites. The concern I would have is the reliability of the links... No linky, no login.

-gil

-----Original Message-----
From: Carstensen, Pete [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 8:41 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Remote Office Domain Controllers

We have several (6) remote offices, each with 5-10 users, that are connected via 256K FR circuits back here to the corporate office. At the present time, they are used for FP services, WINS, and DHCP. We do have plans to implement SMS in the future for software rollout and desktop management. All desktop clients are W2K as well as most roving laptop users (the few remaining W9x laptops are being retired if they can't be upgraded).

I am in the process of replacing their older W2K server with a new one that has sufficient disk space, processor power and a larger tape backup. The question comes up as to whether to make them domain controllers or not. If I want to control replication, I need to set up a site, which requires a DC. OTOH, having a DC out there in the first place increases traffic too. Almost all useful information for the remote users exists at the corporate site (Exchange, AS400, corporate shared data, etc.) so they are pretty much dead in the water if the line is down anyway.

I asked this question at last fall's TechEd and got a majority of opinions that making the servers DCs would probably not be an advantage to such a small group of users that are depending on the central system anyway to offset the DC traffic. Is this still the consensus? Although I could promote them later in the field, it certainly would be easier to dcpromo them here before sending them out.

Pete Carstensen, MCSE
Senior LAN Engineer
CSK Auto, Inc.
Phoenix, AZ

Computers are not intelligent. They only think they are.
RE: [ActiveDir] Single sign-on
From what I've heard (no personal experience), MMS 2.x was a pain, MMS 2003 is quite easy for common scenarios. There are other metadirectories (Novell, CriticalPath, Siemens, IBM, etc.). They are industrial strength metadirectories but are time consuming (read: expensive) to implement. There are some basic sync products available too... HP has one from the Compaq merger called LDSU. There is one called SimpleSync I think as well.

-gil

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

Are there any other products out there similar to MMS? When you say clunky to set up and configure, are we talking months?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Corbett
Sent: Thursday, June 05, 2003 3:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single sign-on

That used to be the case, not sure if MMS 2003 has the same sort of requirements. The main reason they had consulting attached was that MMS was fairly clunky to set up and configure, and unless you knew what you were doing, could tie yourself up in knots fairly quickly. Obviously not something MS wanted to let into the wild, as customers who had problems with it invariably came away with a bad impression (through their lack of knowledge of the product). ...and it wasn't just MCS, any of the major certified partners could assist you with MMS design / implementation / deployment (did some consulting on MMS while @ Compaq/HP).

Glenn

----- Original Message -----
From: Mayet, Yusuf Y
To: '[EMAIL PROTECTED]'
Sent: Thursday, June 05, 2003 4:40 PM
Subject: RE: [ActiveDir] Single sign-on

Rick, correct me if I am wrong but as far as I know if one is considering MMS Enterprise then you are bound by MCS to assist you in the QA and Design. (and they don't come cheap)

Yusuf

<snip>
RE: [ActiveDir] Exchange 5.5 and active directory connector errors
That message comes up if the install account does not have the proper privileges. I used the Exchange 5.5 service account, which is a domain administrator, to install.

Ken

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 2:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange 5.5 and active directory connector errors

Have you set up all your connection agreements correctly to replicate two-way from Exchange 5.5 to AD? Have you set up a Public Folder Connection Agreement?

-----Original Message-----
From: Rick Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 5.5 and active directory connector errors

While trying to install Exchange 2000 where the Active Directory is installed, I keep getting the following error:

Setup has detected that the Exchange 5.5 site your server belongs to has not replicated to the Active Directory yet. You can either wait for replication to complete and try the upgrade again or upgrade a server from a site that has already been replicated to the AD.

I have tried all that I can find on the Microsoft knowledge base, and am trying here before I spend the money to call Microsoft.
RE: [ActiveDir] Exchange 5.5 and active directory connector errors
Have you set up all your connection agreements correctly to replicate two-way from Exchange 5.5 to AD? Have you set up a Public Folder Connection Agreement?

-----Original Message-----
From: Rick Reynolds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 2:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange 5.5 and active directory connector errors

While trying to install Exchange 2000 where the Active Directory is installed, I keep getting the following error:

Setup has detected that the Exchange 5.5 site your server belongs to has not replicated to the Active Directory yet. You can either wait for replication to complete and try the upgrade again or upgrade a server from a site that has already been replicated to the AD.

I have tried all that I can find on the Microsoft knowledge base, and am trying here before I spend the money to call Microsoft.
Re: [ActiveDir] Single sign-on
Typically, there are very expensive packages that are difficult to maintain which set up a wrapper around each application to handle authentication. Some of these actually reduce security. If you want to build a single sign-on solution you have to get pretty deep into delegation and Kerberos realms. It completely depends on the applications and their methods of authentication and authorization.

--
Sent from my BlackBerry Wireless Handheld

----- Original Message -----
From: ActiveDir-owner
Sent: 06/05/2003 01:29 PM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

And is it good for single sign-on implementations for apps having disparate databases, Oracle, SQL Server et al? Any used-it-and-this-is-what-we-ran-into kind of stories, anyone?

./Shshank

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:30 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Best low cost alternative is called Simple Sync from CPS Systems. It also doesn't come with the Microsoft-only limitations of the free version of MMS2003.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Chris Flesher [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 10:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

Are there any other products out there similar to MMS? When you say clunky to set up and configure, are we talking months?

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Glenn Corbett
Sent: Thursday, June 05, 2003 3:10 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Single sign-on

That used to be the case, not sure if MMS 2003 has the same sort of requirements. The main reason they had consulting attached was that MMS was fairly clunky to set up and configure, and unless you knew what you were doing, could tie yourself up in knots fairly quickly. Obviously not something MS wanted to let into the wild, as customers who had problems with it invariably came away with a bad impression (through their lack of knowledge of the product). ...and it wasn't just MCS, any of the major certified partners could assist you with MMS design / implementation / deployment (did some consulting on MMS while @ Compaq/HP).

Glenn

----- Original Message -----
From: Mayet, Yusuf Y
To: '[EMAIL PROTECTED]'
Sent: Thursday, June 05, 2003 4:40 PM
Subject: RE: [ActiveDir] Single sign-on

Rick, correct me if I am wrong but as far as I know if one is considering MMS Enterprise then you are bound by MCS to assist you in the QA and Design. (and they don't come cheap)

Yusuf

<snip>
[ActiveDir] Please Help
Hello to all,

I have the following problem. I have a user in a remote office that somehow managed to screw up his system running Windows 2000. What I did was configure a new HD and ship it out to him. I was able to log on to the NT domain as him, configure his email and load other applications. I do this all the time and never have a problem! I also added his NT user account to the local Administrators group.

When he received the HD and replaced it in his computer, he is not able to log on as himself to the domain. We have a BDC in his remote office. I asked him to, and gave him permissions to, remove the machine from the domain and re-add it. It will not work! He can't log in as himself; however, using his NT credentials he is able to join the computer to the domain, which proves that his credentials are correct.

I have never seen this problem and can't figure out the reason for this behavior. Can you please help ASAP?

Thanks in advance,
Juan
RE: [ActiveDir] Please Help
Have you synchronized the BDC with the PDC?

Anwer Abbas, MCSE, CNA, MCP, CCNA, A+
IT Manager
Interactive Network for Continuing Education
Phone: (609) 819-4152
Fax: (609) 409-5965
www.ince.com

-----Original Message-----
From: Juan Ibarra [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 5:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Please Help

<snip>
RE: [ActiveDir] Please Help
I think that Anwer is correct. He was able to add the computer account to the domain using his credentials because that action has to go to the PDC, which obviously has the account. His local BDC cannot do that and can't authenticate him because it doesn't know about him yet. I am guessing that this is an NT 4 domain or a mixed-mode AD domain.

Kevin

-----Original Message-----
From: Juan Ibarra [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 5:05 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Please Help

<snip>
[ActiveDir] No logon servers available
Hi,

We've just upgraded our NT domain to Windows 2000 Active Directory. The upgrade went very smoothly with few issues. The problem that we're having is with VPN users. When working from home, users can access email and other applications but they are unable to access network shares. They get the following error message:

"There are currently no logon servers available to service the logon request."

The only way users are able to access the shares is by going to Tools | Map Network Drive or using the 'net use' command. Either way the user has to provide login credentials. Has anyone encountered this issue before? If so, is there a fix? Any help is greatly appreciated.

Thanks,
Demetria Camper
Technical Project Manager, IT Operations
Takeda Pharmaceuticals North America, Inc.

This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
RE: [ActiveDir] No logon servers available
Windows VPN or RAS? What are the clients running?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 9:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] No logon servers available

<snip>
RE: [ActiveDir] Single sign-on
Just a FYI - on a MS-sponsored Windows Server 2003 Readiness course last week our guys were told that MMS 3.0 would cost £25,000 (may have been $s) per processor. Which is a stunning amount of money - in either currency.

Stephen Wilkinson
Tel: +44(0)207 4759276
Mobile: +44(0)7973 143970
E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2003 21:14
To: [EMAIL PROTECTED]

<snip>
RE: [ActiveDir] Single sign-on
That is correct, for the Enterprise version. It's roughly $25,000 per processor. Interesting, that seems to be the per-processor cost of most of the MS Enterprise apps.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 06, 2003 5:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

<snip>
RE: [ActiveDir] No logon servers available
All clients are running Windows 2000 Pro with SecuRemote v4.1.

-----Original Message-----
From: rick reynolds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 11:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] No logon servers available

What OS on the clients?

----- Original Message -----
From: Bryan Schlegel
To: [EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 7:25 PM
Subject: RE: [ActiveDir] No logon servers available

<snip>
RE: [ActiveDir] Single sign-on
To provide the web-based stuff you're looking for, we're in the middle of implementing Novell iChain - we run both NDS and AD, but I'm told it can be installed against either (or any LDAP v3 directory). Basically it's a reverse proxy that sits between you and the web server; when it sees the web server requesting authentication it can fill in the dialogs/forms and return them to the server without the client ever seeing them. You'd probably need MMS (or similar) as well though to get the usernames and passwords synced.

cheers
dave

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2003 18:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Right, sure that's the context I was thinking about. So, what are people typically doing, getting some stuff like this, and then cobbling together a single sign-on solution unique to themselves? Or are there more generic tools out there, of course ones which cost more and make life easier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

BTW MMS does not strictly enable single sign-on. It is a meta-directory and it can enable the synchronization of directory information across different systems, including in most cases usernames and passwords. However even with the same username and password on different systems a user may very well be required to sign on multiple times (using the same credentials). True single sign-on can be very complex (not that a meta-directory with provisioning isn't!)
[ActiveDir] sidhistory of well known groups
Dear all,

I have posted quite recently with no feedback, so I am hoping this time round to get a bit more info. I am still looking at a strategy for migration of the well-known accounts - Domain Admins / Domain Users - on which a lot of domain security is based.

I thought this was where the Group Mapping and Merging wizard gave us some help: using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the "migrate group SIDs" option enabled, I assumed this would populate the sIDHistory of the target-domain group object with the source-domain SID, and in doing so create an entry in the ADMT database that will be read by the security translation / user migration wizards. Ditto for Domain Users.

However this ADMT process is failing with the following error codes:

ERR2: 7085 Replace failed rc=1371 Cannot perform this operation on builtin accounts

For me, am I not right to say that the above groups are not in fact built-in accounts but well-known accounts??

I saw one post back that documented the use of a manual process (ClonePrincipal) to achieve the population of the sIDHistory, but this will not allow us to achieve the requirement of security translation. Any clues??

GT
RE: [ActiveDir] sidhistory of well known groups
Graham,

You cannot migrate the well-known groups from one domain (or forest) to another. The SIDs are universally the same. ADMT will attempt it, however the well-known group already exists, and you cannot migrate it.

Our solution was to take an inventory of who / what was a member of the groups (or included membership of) and recreate that via scripting, manual methods, what have you. If someone else has a solution, great - I hope that they do for the sake of your time in collecting the data. Otherwise, you do have a task - not monumental, but not small either.

BTW, our environment - 15k desktops, 25k users. Lots of groups.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 7:44 AM
To: [EMAIL PROTECTED]

<snip>
RE: [ActiveDir] No logon servers available
All I can think of is to check the WINS settings on the client and make sure the clients have the correct DNS servers when trying to log in, and that you can resolve server names to IP addresses when logging into your VPN solution. I would also check with your VPN solution provider or someone who uses SecuRemote; sorry, I am not familiar with that product.

Another thing I've discovered with remote users is that everyone has a different setup at home. Is it working for anyone? Maybe there is some type of firewall preventing Windows authentication on their home routers. I think Active Directory uses some different ports to do Kerberos authentication.

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q289/2/41.ASPNoWebContent=1NoWebContent=1

Strange that it would be working before and now it isn't, though. Sorry I couldn't be more help.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 06, 2003 7:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] No logon servers available

<snip>
RE: [ActiveDir] No logon servers available
In the past I've had users check off the Dial-Up Networking box as soon as the logon screen appears. Then the user selects a VPN session to dial/connect to. Give that a shot in a test environment.

[EMAIL PROTECTED] wrote:

<snip>
RE: [ActiveDir] sidhistory of well known groups
Rick, thanks for the reply post.

Membership of these groups is not the issue - I take your point though. It is more to do with the ability to translate the security of the resources, which as I understand it won't happen without an entry in the ADMT database. But thinking about it, I don't need to do security translation as long as I populate the sIDHistory of the target Domain Admins / Domain Users group objects using alternative tools such as ClonePrincipal?? Although, that said, this loses some of the genericness of a security translation. I assume the manual hack of the sIDHistory to be a supported operation?

As an aside, I picked up from netiq.com a technote that suggests that it does support the migration of sIDHistory for these well-known objects - here's an extract - and by corollary thought that this would be supported under ADMT2:

"The API used to migrate SID History for Well-Known objects will only migrate to a target domain object with the same RID. This has been implemented by Microsoft for security reasons. For example, you can only migrate the SID of the source domain's Well-Known Domain Admins group to the SID History of the target domain's Well-Known Domain Admins group. You could not apply it to any other group."

GT

On Fri, 6 Jun 2003 07:57:07 -0500, Rick Kingslan wrote:

<snip>
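The same-RID rule in the NetIQ extract above, and the built-in versus well-known distinction Graham asks about, can be checked before a migration run. The Python below is an added example, not ADMT, ClonePrincipal or NetIQ code; the domain SIDs are constructed, the helper names are mine, and the "RID below 1000 is well-known" threshold is the standard reservation of those RIDs.

```python
"""Pre-flight check for sIDHistory mappings between a source and a target domain.

Added example (not ADMT/NetIQ code). A mapping is refused when the source is a
BUILTIN alias, when both SIDs belong to the same domain, or when a well-known
group (RID below 1000, e.g. 512 Domain Admins / 513 Domain Users) is mapped to
a target object whose RID differs, which is the rule the NetIQ note describes.
"""
import re

# RIDs below 1000 are reserved for well-known accounts and groups and are the
# same in every domain; the two the thread cares about are named here.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users"}
FIRST_NORMAL_RID = 1000

DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")   # domain account/group
BUILTIN_SID_RE = re.compile(r"^S-1-5-32-\d+$")                # BUILTIN\... aliases


def split_sid(sid: str) -> tuple[str, int]:
    """Return (domain_sid, rid) for an S-1-5-21-x-y-z-RID SID."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return sid[: sid.rfind("-")], int(m.group(1))


def check_sidhistory_pair(source_sid: str, target_sid: str) -> dict:
    """Decide whether source_sid may be written into target_sid's sIDHistory."""
    verdict = {"source": source_sid, "target": target_sid,
               "allowed": False, "well_known": None, "reason": ""}

    # BUILTIN aliases (e.g. S-1-5-32-544 Administrators) are local to every
    # domain and are never carried across via sIDHistory.
    if BUILTIN_SID_RE.match(source_sid) or BUILTIN_SID_RE.match(target_sid):
        verdict["reason"] = "BUILTIN (S-1-5-32) aliases are not migrated"
        return verdict

    try:
        src_dom, src_rid = split_sid(source_sid)
        dst_dom, dst_rid = split_sid(target_sid)
    except ValueError as err:
        verdict["reason"] = str(err)
        return verdict

    # sIDHistory holds SIDs from a *different* domain; a same-domain entry is refused.
    if src_dom == dst_dom:
        verdict["reason"] = "source and target SIDs belong to the same domain"
        return verdict

    # Well-known source group: the target must be the well-known object with the same RID.
    if src_rid < FIRST_NORMAL_RID:
        name = WELL_KNOWN_RIDS.get(src_rid, f"well-known RID {src_rid}")
        verdict["well_known"] = name
        if src_rid != dst_rid:
            verdict["reason"] = (f"{name} may only map to the target object "
                                 f"with RID {src_rid}, not RID {dst_rid}")
            return verdict

    verdict["allowed"] = True
    verdict["reason"] = "ok"
    return verdict


def audit(pairs):
    """Evaluate every (source_sid, target_sid) pair; returns the list of verdicts."""
    return [check_sidhistory_pair(s, t) for s, t in pairs]


if __name__ == "__main__":
    # Constructed sample: sourcedom -> targetdom mappings like those in the thread.
    SOURCEDOM = "S-1-5-21-1111111111-2222222222-3333333333"
    TARGETDOM = "S-1-5-21-4444444444-5555555555-6666666666"
    sample = [
        (f"{SOURCEDOM}-512", f"{TARGETDOM}-512"),   # Domain Admins -> Domain Admins: allowed
        (f"{SOURCEDOM}-512", f"{TARGETDOM}-1105"),  # Domain Admins -> ordinary group: refused
        ("S-1-5-32-544", f"{TARGETDOM}-544"),       # BUILTIN\Administrators: refused
        (f"{SOURCEDOM}-1105", f"{TARGETDOM}-2001"), # ordinary group, any RID: allowed
    ]
    for v in audit(sample):
        print("ALLOW " if v["allowed"] else "REFUSE", v["source"], "->",
              v["target"], ":", v["reason"])
```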
Re: [ActiveDir] Single sign-on
Since you are using AD, if you are using IIS you can use integrated authentication in many circumstances for single sign-on.
--Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: ActiveDir-owner
Sent: 06/06/2003 07:53 AM
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

To provide the web-based stuff you're looking for, we're in the middle of implementing Novell iChain - we run both NDS and AD, but I'm told it can be installed against either (or any LDAP v3 directory). Basically it's a reverse proxy that sits between you and the web server; when it sees the web server requesting authentication it can fill in the dialogs/forms and return them to the server without the client ever seeing them. You'd probably need MMS (or similar) as well, though, to get the usernames and passwords synced.

cheers
dave

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2003 18:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Right, sure, that's the context I was thinking about. So, what are people typically doing: getting some stuff like this and then cobbling together a single sign-on solution unique to themselves? Or are there more generic tools out there, of course ones which cost more and make life easier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

BTW, MMS does not strictly enable single sign-on. It is a meta-directory and it can enable the synchronization of directory information across different systems, including in most cases usernames and passwords. However, even with the same username and password on different systems, a user may very well be required to sign on multiple times (using the same credentials). True single sign-on can be very complex (not that a meta-directory with provisioning isn't!).
[ActiveDir] FSMO roles issue
Hello AD Folks,

I've got a problem configuring my firewall. I need to know which FSMO role holders (PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master, Schema Master) must be contacted by every DC of the forest. I heard this same problem reported at some point. The people said that DCs were still trying to connect to some of the FSMOs, but I don't remember which of the 5. And what are the reasons for permanent connectivity to those FSMOs?

Thanks for your interest.

--
Best regards,
Alex Kulev (mailto:[EMAIL PROTECTED])
06.06.2003, 19:38
Re: [ActiveDir] No logon servers available
Did you renew the certs on the server? Each client needs to request one as well.

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 4:51 AM
Subject: RE: [ActiveDir] No logon servers available

All clients are running Windows 2000 Pro with SecuRemote v4.1.

-----Original Message-----
From: rick reynolds [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 11:55 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] No logon servers available

What OS on the clients??

-----Original Message-----
From: Bryan Schlegel
To: [EMAIL PROTECTED]
Sent: Thursday, June 05, 2003 7:25 PM
Subject: RE: [ActiveDir] No logon servers available

Windows VPN or RAS? What are the clients running?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 9:42 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] No logon servers available

Hi,

We've just upgraded our NT domain to Windows 2000 Active Directory. The upgrade went very smoothly with few issues. The problem that we're having is with VPN users. When working from home, users can access email and other applications, but they are unable to access network shares. They get the following error message:

There are currently no logon servers available to service the logon request.

The only way users are able to access the shares is by going to Tools | Map Network Drive or using the 'net use' command. Either way the user has to provide login credentials. Has anyone encountered this issue before? If so, is there a fix? Any help is greatly appreciated.

Thanks,
Demetria Camper
Technical Project Manager, IT Operations
Takeda Pharmaceuticals North America, Inc.

This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
Re: [ActiveDir] FSMO roles issue
I would highly recommend making sure that your FSMO role holders are fully connected. But if for some reason this is not possible, below is the answer to your question.

Schema Master - Only needs connectivity if you are updating the schema.

Domain Naming Master - Needs full connectivity. If it doesn't have it, then adding/removing domains will fail.

RID Master - Needs full connectivity. RID allocation and cross-domain moves will break without this. If RID allocation fails, then you will not be able to create security-enabled objects on other domain controllers.

PDC Emulator - Needs full connectivity, especially if it is the PDC emulator for the first domain installed in the forest. In addition to effectively being the PDC for older clients, it is also used for keeping time in sync, ensuring that when a user changes their password they can use it across all domain controllers almost immediately, and is also involved in keeping account lockout functioning correctly.

Infrastructure Master - Probably doesn't need full connectivity, but I haven't ever tested it.

There's more information on what all the roles do and the effect of their being unreachable at:

Windows 2000 Active Directory FSMO Roles
http://support.microsoft.com/?scid=kb;EN-US;197132

Active Directory Disaster Recovery
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/ad/windows2000/support/adrecov.asp

I hope this helps
- Dave

-----Original Message-----
From: Alex Kulev [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 10:38 AM
Subject: [ActiveDir] FSMO roles issue

Hello AD Folks,

I've got a problem configuring my firewall. I need to know which FSMO role holders (PDC Emulator, RID Master, Infrastructure Master, Domain Naming Master, Schema Master) must be contacted by every DC of the forest. I heard this same problem reported at some point. The people said that DCs were still trying to connect to some of the FSMOs, but I don't remember which of the 5. And what are the reasons for permanent connectivity to those FSMOs?

Thanks for your interest.

--
Best regards,
Alex Kulev (mailto:[EMAIL PROTECTED])
06.06.2003, 19:38
RE: [ActiveDir] Single sign-on
> To provide the web-based stuff you're looking for, we're in the middle of implementing Novell iChain - we run both NDS and AD, but I'm told it can be installed against either (or any LDAP v3 directory).

Web-based stuff, yes. But I am looking at apps that don't necessarily use a directory service (such as NDS or AD). The apps typically have their own databases (Oracle, SQL Server et al.), and they manage authentication and authorization individually. The goal of doing all that in a single entity is claimed to be simplified using tools such as P-Synch and Simple Synch, though I would love to hear from someone who has used something like that.

BTW, this group looks a great place to be. Kudos, all!

./Shshank

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2003 18:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Right, sure, that's the context I was thinking about. So, what are people typically doing: getting some stuff like this and then cobbling together a single sign-on solution unique to themselves? Or are there more generic tools out there, of course ones which cost more and make life easier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

BTW, MMS does not strictly enable single sign-on. It is a meta-directory and it can enable the synchronization of directory information across different systems, including in most cases usernames and passwords. However, even with the same username and password on different systems, a user may very well be required to sign on multiple times (using the same credentials). True single sign-on can be very complex (not that a meta-directory with provisioning isn't!).
Re: [ActiveDir] EXMERGE
You need to get the Microsoft BackOffice Resource Kit, Second Edition in order to use ExMerge.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;174197

Rob Freeman
Fleetone

-----Original Message-----
From: Salandra, Justin A. [EMAIL PROTECTED]
To: ActiveDir (E-mail) [EMAIL PROTECTED]
Sent: Friday, June 06, 2003 1:08 PM
Subject: [ActiveDir] EXMERGE

I need a copy of EXMERGE for Exchange 5.5. Does anyone have one?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 primary office
917.455.0110 cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] Single sign-on
SQL Server has an option to use integrated authentication; it works well in most situations. Extranets or public internet sites would be one area where you would probably not want to use that option.

Sharma, Shshank [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/06/2003 01:15 PM
Please respond to ActiveDir
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] Single sign-on

> To provide the web-based stuff you're looking for, we're in the middle of implementing Novell iChain - we run both NDS and AD, but I'm told it can be installed against either (or any LDAP v3 directory).

Web-based stuff, yes. But I am looking at apps that don't necessarily use a directory service (such as NDS or AD). The apps typically have their own databases (Oracle, SQL Server et al.), and they manage authentication and authorization individually. The goal of doing all that in a single entity is claimed to be simplified using tools such as P-Synch and Simple Synch, though I would love to hear from someone who has used something like that.

BTW, this group looks a great place to be. Kudos, all!

./Shshank

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]]
Sent: 05 June 2003 18:32
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Single sign-on

Right, sure, that's the context I was thinking about. So, what are people typically doing: getting some stuff like this and then cobbling together a single sign-on solution unique to themselves? Or are there more generic tools out there, of course ones which cost more and make life easier?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 05, 2003 7:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Single sign-on

BTW, MMS does not strictly enable single sign-on. It is a meta-directory and it can enable the synchronization of directory information across different systems, including in most cases usernames and passwords. However, even with the same username and password on different systems, a user may very well be required to sign on multiple times (using the same credentials). True single sign-on can be very complex (not that a meta-directory with provisioning isn't!).
RE: [ActiveDir] sidhistory of well known groups
Graham,

The solution that Rick describes in his post is similar to the one that we used when faced with this challenge. Solving the Domain Admins issue was rather easy because not many users were domain admins and file shares were not ACL'd using the Domain Admins group. What you want to watch out for are situations where you have granted access to resources via the Domain Users group or added local administrative rights to a workstation via Domain Users. One way we solved certain issues was to create an NT4 group, populate it, grant it access to resources and then migrate the group.

--
Robert Contreras, MCSE/MCT
INS - International Network Services
[EMAIL PROTECTED]
C: 908-208-4580

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Friday, June 06, 2003 8:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] sidhistory of well known groups

Graham,
You cannot migrate the well-known groups from one domain (or forest) to another. The SIDs are universally the same. ADMT will attempt, however the well-known already exists, and you cannot migrate it. Our solution was to take an inventory of who / what was a member of the groups (or included membership of) and recreate that via scripting, manual methods, what have you. If someone else has a solution, great - I hope that they do for the sake of your time in collecting the data. Otherwise, you do have a task - not monumental, but not small either. BTW, our environment - 15k desktops, 25k users. Lots of groups.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 7:44 AM
To: [EMAIL PROTECTED]

Dear all, I have posted quite recently with no feedback, so I am hoping this time round to get a bit more info. I am still looking at a strategy for migration of the well-known accounts - Domain Admins / Domain Users - on which a lot of domain security is based. I thought this was where the Group Mapping and Merging wizard gave us some help: using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the "migrate group SIDs" option enabled, I assumed this would populate the sIDHistory of the target domain group object with that of the source domain SID and, in doing so, create an entry in the ADMT database that will be read by the security translation / user migration wizards. Ditto for Domain Users. However, this ADMT process is failing with the following error codes:

ERR2: 7085 Replace failed rc=1371 Cannot perform this operation on builtin accounts

For me, am I not right to say that the above groups are not in fact builtin accounts but well-known accounts?? I saw one post back that documented the use of a manual process (ClonePrincipal) to achieve the population of the sIDHistory, but this will not allow us to achieve the requirement of security translation. Any clues??

GT
RE: [ActiveDir] sidhistory of well known groups
Correct - and I support what is being said by MS - that it will only migrate to the exact SID on the receiving end. However, maybe someone else can shed some light - I'm not sure what the setting is to allow it in ADMT at the moment.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 8:43 AM
To: [EMAIL PROTECTED]

Rick, thanks for the reply post. Membership of these groups is not the issue - I take your point, though. It is more to do with the ability to translate the security of the resources, which as I understand it won't happen without an entry in the ADMT database. But thinking about it, I don't need to do security translation as long as I populate the sIDHistory of the target Domain Admins / Domain Users group objects using alternative tools such as ClonePrincipal?? Although, that said, this loses some of the genericness of a security translation. I assume the manual hack of the sIDHistory to be a supported operation?

As an aside, I picked up from netiq.com a technote that suggests that it does support the migration of sIDHistory for these well-known objects - here's an extract - and by corollary thought that this would be supported under ADMT2:

"The API used to migrate SID History for Well-Known objects will only migrate to a target domain object with the same RID. This has been implemented by Microsoft for security reasons. For example, you can only migrate the SID of the source domain's Well-Known Domain Admins group to the SID History of the target domain's Well-Known Domain Admins group. You could not apply it to any other group."

GT

On Fri, 6 Jun 2003 07:57:07 -0500, Rick Kingslan wrote:

Graham,
You cannot migrate the well-known groups from one domain (or forest) to another. The SIDs are universally the same. ADMT will attempt, however the well-known already exists, and you cannot migrate it. Our solution was to take an inventory of who / what was a member of the groups (or included membership of) and recreate that via scripting, manual methods, what have you. If someone else has a solution, great - I hope that they do for the sake of your time in collecting the data. Otherwise, you do have a task - not monumental, but not small either. BTW, our environment - 15k desktops, 25k users. Lots of groups.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Graham Turner
Sent: Friday, June 06, 2003 7:44 AM
To: [EMAIL PROTECTED]

Dear all, I have posted quite recently with no feedback, so I am hoping this time round to get a bit more info. I am still looking at a strategy for migration of the well-known accounts - Domain Admins / Domain Users - on which a lot of domain security is based. I thought this was where the Group Mapping and Merging wizard gave us some help: using it to map sourcedom\Domain Admins to targetdom\Domain Admins with the "migrate group SIDs" option enabled, I assumed this would populate the sIDHistory of the target domain group object with that of the source domain SID and, in doing so, create an entry in the ADMT database that will be read by the security translation / user migration wizards. Ditto for Domain Users. However, this ADMT process is failing with the following error codes:

ERR2: 7085 Replace failed rc=1371 Cannot perform this operation on builtin accounts

For me, am I not right to say that the above groups are not in fact builtin accounts but well-known accounts?? I saw one post back that documented the use of a manual process (ClonePrincipal) to achieve the population of the sIDHistory, but this will not allow us to achieve the requirement of security translation. Any clues??

GT
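The same-RID rule quoted in this thread (the NetIQ extract in Graham's message, which Rick confirms above) can be checked before any manual sIDHistory work, and the check also answers Graham's builtin-versus-well-known question, since BUILTIN principals live under S-1-5-32-* while Domain Admins (RID 512) and Domain Users (RID 513) are domain-relative S-1-5-21-<domain>-<RID> SIDs. This is an added example, not code from the list, from ADMT, NetIQ or Microsoft: it parses SID strings, classifies them, and accepts a source-to-target mapping only when the domains differ and, for a well-known group, the RIDs match. The sample SIDs are constructed, and requiring matching RIDs when only the target side is well-known is my extension of the quoted rule.

```python
"""Classify Windows SIDs and validate a proposed sIDHistory mapping (added example)."""
import re

# Well-known RIDs of domain-relative principals: S-1-5-21-<domain>-<RID>.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
# The BUILTIN domain uses the fixed sub-authority 32: S-1-5-32-<RID>.
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests"}

_SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str):
    """Return (identifier_authority, [sub_authorities]); raise ValueError otherwise."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    return authority, subs


def classify(sid: str) -> str:
    """'builtin', 'well-known domain', 'domain' or 'other'."""
    authority, subs = parse_sid(sid)
    if authority != 5:
        return "other"
    if subs[:1] == [32]:
        return "builtin"                      # e.g. BUILTIN\Administrators, 544
    if subs[:1] == [21] and len(subs) == 5:   # 21 + three domain IDs + RID
        return "well-known domain" if subs[-1] in WELL_KNOWN_DOMAIN_RIDS else "domain"
    return "other"


def domain_id(sid: str):
    """The three domain sub-authorities; identical for every principal in a domain."""
    return tuple(parse_sid(sid)[1][1:4])


def rid(sid: str) -> int:
    return parse_sid(sid)[1][-1]


def sidhistory_mapping_ok(source_sid: str, target_sid: str):
    """Return (ok, reason) for writing source_sid into target_sid's sIDHistory."""
    src_kind, dst_kind = classify(source_sid), classify(target_sid)
    if "builtin" in (src_kind, dst_kind):
        return False, "builtin (S-1-5-32-*) principals cannot be migrated"
    if "other" in (src_kind, dst_kind):
        return False, "not a domain SID"
    if domain_id(source_sid) == domain_id(target_sid):
        return False, "source and target are in the same domain"
    if "well-known domain" in (src_kind, dst_kind):
        if rid(source_sid) != rid(target_sid):
            return False, "well-known group: RIDs must match"
        return True, f"well-known {WELL_KNOWN_DOMAIN_RIDS[rid(source_sid)]} -> same RID"
    return True, "ordinary principal"


if __name__ == "__main__":
    # Constructed sample: source domain 1111-2222-3333, target domain 4444-5555-6666.
    plan = [
        ("S-1-5-21-1111-2222-3333-512", "S-1-5-21-4444-5555-6666-512"),   # DA -> DA
        ("S-1-5-21-1111-2222-3333-512", "S-1-5-21-4444-5555-6666-1105"),  # DA -> custom group
        ("S-1-5-32-544", "S-1-5-21-4444-5555-6666-544"),                  # BUILTIN\Administrators
        ("S-1-5-21-1111-2222-3333-1105", "S-1-5-21-4444-5555-6666-1200"), # ordinary group
    ]
    for src, dst in plan:
        ok, why = sidhistory_mapping_ok(src, dst)
        print(f"{classify(src):18} {src} -> {dst}: {'OK ' if ok else 'NO '} {why}")
```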
[ActiveDir] Authentication Problems.
Hello to all,

I am experiencing the following problem at a client. We forced all employees to change their password by going to AD Users and Computers and checking the box "User must change password at next logon". It appeared that everything worked fine until we started noticing that, while working at a computer and trying to access a share, an error message popped up: "Your password is incorrect", and it wouldn't take the new password. We forced a sync with all the DCs and are still getting the same errors.

Please help.

Juan
[ActiveDir] FW: Authentication Problems.
Hello to all,

I am experiencing the following problem at a client. We forced all employees to change their password by going to AD Users and Computers and checking the box "User must change password at next logon". It appeared that everything worked fine until we started noticing that, while working at a computer and trying to access a share, an error message popped up: "Your password is incorrect", and it wouldn't take the new password. We forced a sync with all the DCs and are still getting the same errors.

Please help.

Juan
RE: [ActiveDir] FW: Authentication Problems.
Tried that many times and it didn't work.

Juan

-----Original Message-----
From: David Precht [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 06, 2003 9:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] FW: Authentication Problems.

Reboot, logoff/logon - tried that?

--- Juan Ibarra [EMAIL PROTECTED] wrote:

Hello to all,

I am experiencing the following problem at a client. We forced all employees to change their password by going to AD Users and Computers and checking the box "User must change password at next logon". It appeared that everything worked fine until we started noticing that, while working at a computer and trying to access a share, an error message popped up: "Your password is incorrect", and it wouldn't take the new password. We forced a sync with all the DCs and are still getting the same errors.

Please help.

Juan