RE: [ActiveDir] Simultaneous password change on multiple DCs
I guess I'm trying to figure out why replication would be limited to just the connected partners. Wouldn't the change on each DC cause the USN to be incremented for that DC's replica? In that case, every other DC would see it as a change which needs to be acquired during replication?

I guess there would be some consolidation at the site bridgeheads, but even then, there should still be 1 change per DC being replicated to N-1 domain controllers.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 10:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Roger,
>
> Apparently, I need to clarify what I meant. In relation to the product that was proposed, the normal password replication would be minimized to immediate connected partners - so, IMHO, this wouldn't be a storm but a bit of a burst (squall???)
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, July 31, 2003 5:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Actually, why would it be minimized? The password change is happening on every domain controller, and as such looks like a discrete change to the PDCE - meaning it's gonna kill the PDCE.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 10:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > Gil,
> >
> > > Making the same change on multiple DCs is bone-headed
> >
> > As anyone who has had to clean up or troubleshoot the appearance of CNF: objects can attest to
> >
> > And, yes - I concur that the password changes are all propagated via the PDCE and the replication traffic would be minimized because of such.
> >
> > Rick Kingslan MCSE, MCSA, MCT
> > Microsoft MVP - Active Directory
> > Associate Expert
> > Expert Zone - www.microsoft.com/windowsxp/expertzone
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> > Sent: Wednesday, July 30, 2003 8:43 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > Making the same change on multiple DCs is bone-headed, but I don't think it will generate much additional replication traffic. Aren't the password changes forwarded to the PDC FSMO role owner for the domain and then replicated from there? If that's true, then the redundant changes coming into the PDCE should be dropped (generally, changing an attribute to its current value has no effect). So the additional password changes will each generate a message to the PDCE, but otherwise not much else.
> >
> > Or am I missing something?
> >
> > -gil
> >
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 1:22 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DC's, and this app changes the password on all 10 dc's. That's at least 81 different replication messages, since each DC will recognize that as a different change.
> >
> > Seems to me to be both overkill and unnecessary.
> >
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -Original Message-
> > > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, July 30, 2003 3:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> > >
> > > We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
> > >
> > > One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site.
RE: [ActiveDir] Simultaneous password change on multiple DCs
That makes sense - but does it do that only for local changes or does it do it for changes replicated from other DC's?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 11:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Yes replication is USN based. However if you make a change to an attribute normally that is the same exact value, AD tricks you and responds to the request like it made the change but doesn't really update anything. I haven't tested that with the password fields but would expect that it works the same.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, July 31, 2003 6:38 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Isn't replication USN based only - meaning that the value of the attribute isn't relevant, just the fact that it was changed, as indicated by the USN incrementing?
>
> I have to go back and look up the password propagation pattern (PPP?) again. For some reason, I recall it being standard replication with the exception of the nearly instantaneous replication to the PDCE.
>
> Now that I think about it, this product is going to tax the heck out of the PDCE...
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 9:43 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > Making the same change on multiple DCs is bone-headed, but I don't think it will generate much additional replication traffic. Aren't the password changes forwarded to the PDC FSMO role owner for the domain and then replicated from there? If that's true, then the redundant changes coming into the PDCE should be dropped (generally, changing an attribute to its current value has no effect). So the additional password changes will each generate a message to the PDCE, but otherwise not much else.
> >
> > Or am I missing something?
> >
> > -gil
> >
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 1:22 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DC's, and this app changes the password on all 10 dc's. That's at least 81 different replication messages, since each DC will recognize that as a different change.
> >
> > Seems to me to be both overkill and unnecessary.
> >
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -Original Message-
> > > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, July 30, 2003 3:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> > >
> > > We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
> > >
> > > One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good. Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate.
> > >
> > > Net result is that the same password change is applied directly at multiple DCs in different sites at the same time. My question is, what is the impact on the DCs and replication traffic? What are the caveats of such a scenario?
> > >
> > > One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service. In that case, the helpdesk can see a list of all DCs and
RE: [ActiveDir] Simultaneous password change on multiple DCs
Ahh - I see it now. I was forgetting the last-change-wins part, so convergence would happen at the bridgeheads.

Rick's squall terminology is most likely the most accurate. Although I'd hate to be the PDCE in a big domain running that app

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 10:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> The changes are all passed immediately to the PDC FSMO holder (assuming the mastering DC can reach it) and then the changes replicate out from both places slowly converging around the domain. If you change on multiple domain controllers all of those would be passed to the PDC FSMO and then the last one written (as Gil says an update that is the same doesn't update) would be passed out from the PDC and the rest of the DCs would send out the changes that they have going through the standard conflict resolution actions. Depending on how your topology is laid out (star versus some form of spanning tree) you could have different amounts of replication generated based on which DC's got hit and what their partners are and which DC's would handle the conflict resolution actions prior to sending out a single change for the several password attributes.
>
> I completely agree with the boneheaded comment. No point.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
> Sent: Wednesday, July 30, 2003 9:43 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Making the same change on multiple DCs is bone-headed, but I don't think it will generate much additional replication traffic. Aren't the password changes forwarded to the PDC FSMO role owner for the domain and then replicated from there? If that's true, then the redundant changes coming into the PDCE should be dropped (generally, changing an attribute to its current value has no effect). So the additional password changes will each generate a message to the PDCE, but otherwise not much else.
>
> Or am I missing something?
>
> -gil
>
> -Original Message-
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 1:22 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DC's, and this app changes the password on all 10 dc's. That's at least 81 different replication messages, since each DC will recognize that as a different change.
>
> Seems to me to be both overkill and unnecessary.
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 3:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
> >
> > One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good. Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ensure that people can access the resources immediately rather than waiting for the new password to replicate.
> >
> > Net result is that the same password change is applied directly at multiple DCs in different sites at the same time. My question is, what is the impact on the DCs and replication traffic? What are the caveats of such a scenario?
> >
> > One other thing - the helpdesk can use the web interface to assist callers who choose not to use self-service. In that case, the helpdesk can see a list of all DCs and select the one(s) they wish to send the change to. This can be disabled, but is the default if you enable 'site-awareness'. This bothers me a bit, since there's nothing to prevent a helpdesk person from selecting 'em all. Your thoughts?
> >
> > Dave
RE: [ActiveDir] GP overridden
Well, something was over-riding the policy on the workstations. At the closest workstation, I logged in and disabled the GPO on the PC, rebooted, and let a user sign on. So far, nothing in the Default Domain Policy has been over-ridden (almost 20 hours now). I'm still confused as to why the GPO would be over-ridden at the workstation level.

Thanks for all the help though. As long as nothing is overridden at the workstation, I will make the same changes on the remaining PC's.

Charles

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 31, 2003 22:46
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP overridden

Charles,

I'd suggest strongly not to conclude that there's a problem simply because of this output. If you aren't seeing errors, there are no problems on the system (i.e. incorrect behavior, crashing, improper application of GPO or missing / incorrect settings) and the Application and System Event logs are not showing anything other than the successful SceCli messages - I'd not get too worried.

Now, Tony mentioned that it's not a good idea to mess with the Default policies in Windows 2000. He's right, but I'm going to contradict my good friend Mr. Murray. I don't know of anything that READS the NAME of the policy. Much like a user, group or computer being identified by SID rather than display name, the Default policies are identified by GUID. You cannot delete the Default policies and recreate them by simply creating a new policy and naming them Default Domain Policy or Default Domain Controller Policy and expect them to work. The GUID must be exact.

So, IMHO, if you want to rename it - you can. However, I'd leave it alone lest you forget what it really is and delete it - which, sadly, would be much worse than the report of duplicate objects in GPRESULT

===

Wait - I just thought of a situation where I have seen duplicate GPO names in GPRESULT. This was caused by a conflict resolved object that was visible via GPRESULT. I found it by using ADSIEdit and drilling into the Domain NC/System/Policies node. Here I found an object prefixed with a CNF: that needed to be removed.

Caveat - this IS NOT an operation to be taken lightly! AND! In my case it was NOT the Default Domain Policy.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Simultaneous password change on multiple DCs
Roger,

If each DC is connected to a given DC, and the topology is laid out even remotely properly, the max hops that a replication is going to take is 3. The connected partners are going to replicate, and then the event is going to be done. There is not going to be any need to replicate changes to a DC that already has seen it - as the USNs should certainly accommodate, and prevent.

Consider this from Q225511:

By default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.

If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. However, it is notified of the change through normal Active Directory replication, which in turn replicates it to down-level domain controllers (if the domain is in mixed mode). If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.

---

The default clearly states that the local DC receives the change, and then the PDC-E is immediately notified via RPC - Not normal replication. Then, the PDC-E changes the rest of the DC's via the normal replication cycle. This will, in effect, reduce the overall impact of replication to some degree, but again, to directly connected partners (max of three hops).

Now, if AvoidPdcOnWan is modified to be TRUE, then normal replication is the mechanism of change, but from the site DC if the PDCE is not in the same site. But, it's still going to be a max of three hop replication to directly connected partners.

In no way am I saying that each DC doesn't need the update - they do. I just suggest that it would not necessarily be a storm of updates. In a 10 DC structure, the local is going to be changed. The PDCE is going to be notified and is going to change itself with a call via RPC from the changed local DC - not replication. The PDCE is then going to send change notification to its directly connected partners, which could be done, theoretically, in two replication notices from the PDCE, with two other DCs being responsible for two partners. Each of the others would only have one. In 3 hops maximum, you would have all 10 DCs changed - 2 of those almost immediately and not participating in replication at all.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 01, 2003 6:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

I guess I'm trying to figure out why replication would be limited to just the connected partners. Wouldn't the change on each DC cause the USN to be incremented for that DC's replica? In that case, every other DC would see it as a change which needs to be acquired during replication?

I guess there would be some consolidation at the site bridgeheads, but even then, there should still be 1 change per DC being replicated to N-1 domain controllers.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 10:10 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Roger,
>
> Apparently, I need to clarify what I meant. In relation to the product that was proposed, the normal password replication would be minimized to immediate connected partners - so, IMHO, this wouldn't be a storm but a bit of a burst (squall???)
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, July 31, 2003 5:59 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Si
[ActiveDir] E2k3 Planning guides
Just found out over night that the Exchange 2003 Planning and Deployment guides have been released, for those that are interested. RSS is such a cool thing

Enjoy! (Watch for URL wrap.)

http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4567-bb71-908b8f2b980d&displaylang=en

http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-42d1-8fbb-fe6339ffa1ed&displaylang=en

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
[ActiveDir] NETBIOS names with underscores
Hi guys,

I need to upgrade our domain from NT4.0. Our domain is called RES_DOM1. Will the underscore be compatible with ADS, i.e. will NetBios be okay. I'm going to have the DNS names space to something like res.local.

What do you think?

Thanks in advance

Lou
RE: [ActiveDir] Simultaneous password change on multiple DCs
I'm starting to see where you're coming from - in the end, it's still a bad idea, at least from a replication standpoint. At the very least, you'll get n-1 DC's worth of updates to the PDCE - as I said, I'd hate to be the PDCE in that environment

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 9:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Roger,
>
> If each DC is connected to a given DC, and the topology is laid out even remotely properly, the max hops that a replication is going to take is 3. The connected partners are going to replicate, and then the event is going to be done. There is not going to be any need to replicate changes to a DC that already has seen it - as the USNs should certainly accommodate, and prevent.
>
> Consider this from Q225511:
>
> By default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.
>
> If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. However, it is notified of the change through normal Active Directory replication, which in turn replicates it to down-level domain controllers (if the domain is in mixed mode). If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.
>
> ---
>
> The default clearly states that the local DC receives the change, and then the PDC-E is immediately notified via RPC - Not normal replication. Then, the PDC-E changes the rest of the DC's via the normal replication cycle. This will, in effect, reduce the overall impact of replication to some degree, but again, to directly connected partners (max of three hops).
>
> Now, if AvoidPdcOnWan is modified to be TRUE, then normal replication is the mechanism of change, but from the site DC if the PDCE is not in the same site. But, it's still going to be a max of three hop replication to directly connected partners.
>
> In no way am I saying that each DC doesn't need the update - they do. I just suggest that it would not necessarily be a storm of updates. In a 10 DC structure, the local is going to be changed. The PDCE is going to be notified and is going to change itself with a call via RPC from the changed local DC - not replication. The PDCE is then going to send change notification to its directly connected partners, which could be done, theoretically, in two replication notices from the PDCE, with two other DCs being responsible for two partners. Each of the others would only have one. In 3 hops maximum, you would have all 10 DCs changed - 2 of those almost immediately and not participating in replication at all.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, August 01, 2003 6:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> I guess I'm trying to figure out why replication would be limited to just the connected partners. Wouldn't the change on each DC cause the USN to be incremented for that DC's replica? In that case, every other DC would see it as a change which needs to be acquired during replication?
>
> I guess there would be some consolidation at the site bridgeheads, but even then, there should still be 1 change per DC being replicated to N-1 domain controllers.
>
> --
> Roger D. Seielstad - MTS MCSE MS
RE: [ActiveDir] Simultaneous password change on multiple DCs
Good explanation but I want to modify a bit. Note I am not talking about downlevel replication at all, that is simple, it replicates out from the PDC once the BDC receives the UAS_CHANGE packet, have a nice day. :o)

Note that the mastering DC will still send the changes out as normal replication. The straight out of band shot to the PDC will occur (unless specified flag is set or the PDC is out of contact) which will then start its replication but then the mastering DC will replicate to its direct partners as well.

So say you have a single site with say 10 DC's with DC1 as PDC this is what I would expect would happen. You make change on DC10. It sends the change to DC1 immediately as a normal change (i.e. like it was change requested from any client for instance) and then you now have 8 DC's with the old password and 2 with the new password. The PDC having the change with the latest time stamp or if everything was really fast, the time stamp being the same as on the other DC. Now it is a race, they both send out the change notifications and the partners will start the pull. These changes will replicate around and depending on how the ring is set up (are DC10 and DC1 direct partners for instance or three hops from each other) varying amounts of replication will occur until the changes collide and have to go through conflict resolution. If the PDC has the later change, it wins. If they are at the same time you go through the rest of the resolution process probably falling to whomever has lowest GUID wins.

Now expand to two sites (very simple spanning tree if you can even call it that). The mastering DC is in site 2 and the PDC is in site 1. Change occurs on the mastering DC, it fires it to the PDC. The master then replicates it around site 2 and the PDC replicates it around site 1 both following normal site replication rules. The changes hit the bridgeheads and both changes get passed both ways. Now the bridgeheads need to look at the change and say, hmm is this newer? If so, apply it, otherwise toss it. If changes at the same time, go through the rest of the conflict process. Most likely the PDC change will overwrite the change of the local mastering DC in site 2. So Site 2 will have gone through replication for the changes from mastering DC and then for the change that went to the PDC. Obviously this can be modified by timing and cross site replication schedules and how fast the changes made it to a bridgehead. For instance if the change was mastered on a bridgehead in site 2 and the rep schedule was in progress already the change from mastering DC could get to site 1 and start replicating there as well as in site 2 prior to the PDC change sweeping through and overwriting due to last change.

Now expand to more than two sites. If you have a hub and spoke changes mastered on site 2 will most likely get no farther than site 1 (hub) assuming they even get out of site 2. If you have a spanning tree with multiple site hops along the tree between the mastering DC/Site and the PDC/PDC Site then the changes will meet somewhere in the middle and you have even more wasted replication.

Now start making these changes on multiple domain controllers in the same site, how does that affect things. First off every change gets back to the PDC so if you have 10 DC's you hit with a change, 10 changes hit the PDC via direct calls. Now things start replicating and last change wins in all of the conflict resolution and there would be conflict resolution until the changes all converged to the last written change.

Expand to multiple sites... Oy. You figure it out. :oP You have 50 DC's you make the change on in 50 sites and the PDC gets hit with 50 direct changes and in the meanwhile has probably started replicating the change from the first couple of change calls (depending on how fast all the initiating changes went through) and you get to figure out where all of the DC's would have collisions with each other (most likely on bridgeheads) and various amounts of changes will get so far until you get convergence to, most likely again, the last change the PDC saw which would then replicate out over top of all the other changes that had replicated around including over top of the DC's that had the change mastered on it.

Does that make sense? This is based on reading and things I have seen through the years. If not or this is wrong, please speak up. I would really like to hear if Stuart Kwan agrees or if Trulli watches this list it would be good to hear from Dave again as well.

Thanks.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 01, 2003 9:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

Roger,

If each DC is connected to a given DC, and the topology is laid out even remotely properly, the max hops that a replication are going to take is 3. The connected partners are going to r
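The single-site race walked through in the message above can be put into numbers with a small model. This is an added example, not code from any poster or from Microsoft: it assumes a bidirectional ring of 10 DCs with DC1 as PDC (so DC10 and DC1 are direct partners), synchronous replication rounds, and conflicts settled by comparing version, then timestamp, then originating DC; the names and tick values are constructed.

```python
"""Toy model of the password-change race described in the post above.
Added illustration: topology, tick values and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    # Field order is the conflict-resolution order; the higher tuple wins.
    version: int     # bumped by every originating write to the attribute
    timestamp: int   # tick of the originating write
    origin: str      # stand-in for the originating DC's GUID (exact ties only)


def simulate(n_dcs, writers, pdc=0):
    """Change the password on each DC index in `writers`, then replicate
    around a bidirectional ring until every DC holds the same stamp."""
    names = [f"DC{i + 1}" for i in range(n_dcs)]
    state = [Stamp(1, 0, names[pdc])] * n_dcs        # everyone has the old password
    clock, pdc_calls = 100, 0

    for w in writers:
        clock += 1
        state[w] = Stamp(state[w].version + 1, clock, names[w])   # mastered locally
        if w != pdc:
            # Assumption taken from the post: the out-of-band push lands on the
            # PDC as a normal originating write, so it gets its own, later stamp.
            clock += 1
            state[pdc] = Stamp(state[pdc].version + 1, clock, names[pdc])
            pdc_calls += 1

    dirty = set(writers)
    if pdc_calls:
        dirty.add(pdc)
    applied = []                                     # every inbound update a DC accepted
    while dirty:
        snapshot = list(state)                       # what each DC offers this round
        changed = set()
        for src in sorted(dirty):
            for dst in ((src - 1) % n_dcs, (src + 1) % n_dcs):
                if snapshot[src] > state[dst]:       # newer stamp: apply, then notify on
                    state[dst] = snapshot[src]
                    applied.append(snapshot[src])
                    changed.add(dst)
                # otherwise the partner already holds a winning stamp and tosses it
        dirty = changed

    final = state[pdc]
    assert all(s == final for s in state), "ring did not converge"
    return {
        "winner": final.origin,
        "pdc_calls": pdc_calls,
        "applied": len(applied),
        "wasted": sum(1 for s in applied if s != final),  # accepted, later overwritten
    }


if __name__ == "__main__":
    for label, writers in [("PDC only", [0]), ("DC10 only", [9]),
                           ("DC4 + DC7 + DC10", [3, 6, 9])]:
        print(f"{label:18} {simulate(10, writers)}")
```

In this model a change made only on the PDC costs 9 accepted updates, the same change made on DC10 costs 13 (4 of them later overwritten), and changing DC4, DC7 and DC10 together costs 18 with 9 overwritten plus 3 direct calls to the PDC.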
RE: [ActiveDir] Simultaneous password change on multiple DCs
It only works for mastering changes. It does not do replication matching to see if something changed as any change once accepted is a USN change. But if you get 30 changes to an attribute replicated into a DC the USN will get updated 30 times and then it will only send out the last change it has (or the one winning after the other conflict resolution mechanisms).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 01, 2003 7:07 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

That makes sense - but does it do that only for local changes or does it do it for changes replicated from other DC's?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Thursday, July 31, 2003 11:11 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Yes replication is USN based. However if you make a change to an attribute normally that is the same exact value, AD tricks you and responds to the request like it made the change but doesn't really update anything. I haven't tested that with the password fields but would expect that it works the same.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Thursday, July 31, 2003 6:38 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Isn't replication USN based only - meaning that the value of the attribute isn't relevant, just the fact that it was changed, as indicated by the USN incrementing?
>
> I have to go back and look up the password propagation pattern (PPP?) again. For some reason, I recall it being standard replication with the exception of the nearly instantaneous replication to the PDCE.
>
> Now that I think about it, this product is going to tax the heck out of the PDCE...
>
> --
> Roger D. Seielstad - MTS MCSE MS-MVP
> Sr. Systems Administrator
> Inovis Inc.
>
> > -Original Message-
> > From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 9:43 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > Making the same change on multiple DCs is bone-headed, but I don't think it will generate much additional replication traffic. Aren't the password changes forwarded to the PDC FSMO role owner for the domain and then replicated from there? If that's true, then the redundant changes coming into the PDCE should be dropped (generally, changing an attribute to its current value has no effect). So the additional password changes will each generate a message to the PDCE, but otherwise not much else.
> >
> > Or am I missing something?
> >
> > -gil
> >
> > -Original Message-
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 1:22 PM
> > To: '[EMAIL PROTECTED]'
> > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
> >
> > That strikes me as a way to cause replication storms in a flash, depending on how the application is written. Say you have 10 DC's, and this app changes the password on all 10 dc's. That's at least 81 different replication messages, since each DC will recognize that as a different change.
> >
> > Seems to me to be both overkill and unnecessary.
> >
> > --
> > Roger D. Seielstad - MTS MCSE MS-MVP
> > Sr. Systems Administrator
> > Inovis Inc.
> >
> > > -Original Message-
> > > From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, July 30, 2003 3:23 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: [ActiveDir] Simultaneous password change on multiple DCs
> > >
> > > We're looking at a product to manage passwords - it enforces common password policy and keeps passwords in sync across multiple platforms (mainframe, AD, NDS, Unix, etc.), as well as provides self-service password change/reset via a browser interface.
> > >
> > > One of its features on AD is that it's nominally site-aware - it can determine a browser's location based on IP address and change the AD password on a DC in that site. So far, so good. Now the tricky part - it can also be configured to ALWAYS change the password on one or more DCs that you specify on the config, in addition to the one it selects. The idea is to specify DCs near resources at headquarters that people access from branch offices. This is supposed to ens
RE: [ActiveDir] NETBIOS names with underscores
We had the same situation - we elected to just have the dns name and the NetBIOS name of the domain be different (i.e., NetBIOS name was xxx_yyy, DNS name of the domain is zzz.company.com). Have had no problems with having the two different names for the same domain, and we've been in production since December of 2000.

I know there's been discussion on this list about this topic before - I have not yet heard of a scenario where this causes problems, but I suppose one exists someplace :( If so, I'd love to hear about it.

Users will see the 'old' name in the drop-down box when they log in to the domain, and can continue to use it wherever they need to specify the domain (like xxx_yyy\username in the NET USE command, etc.). When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.

Dave

-Original Message-
From: Louise Martin [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NETBIOS names with underscores

Hi guys,

I need to upgrade our domain from NT4.0. Our domain is called RES_DOM1. Will the underscore be compatible with ADS, i.e. will NetBios be okay. I'm going to have the DNS names space to something like res.local. What do you think?

Thanks in advance

Lou
RE: [ActiveDir] Simultaneous password change on multiple DCs
That nicely sums up what I've been trying to say - it would be a discrete change done on each DC, rather than one change done on multiple DC's.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Joe [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 10:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Good explanation but I want to modify a bit. Note I am not talking about downlevel replication at all, that is simple, it replicates out from the PDC once the BDC receives the UAS_CHANGE packet, have a nice day. :o)
>
> Note that the mastering DC will still send the changes out as normal replication. The straight out of band shot to the PDC will occur (unless specified flag is set or the PDC is out of contact) which will then start its replication but then the mastering DC will replicate to its direct partners as well.
>
> So say you have a single site with say 10 DC's with DC1 as PDC this is what I would expect would happen. You make change on DC10. It sends the change to DC1 immediately as a normal change (i.e. like it was change requested from any client for instance) and then you now have 8 DC's with the old password and 2 with the new password. The PDC having the change with the latest time stamp or if everything was really fast, the time stamp being the same as on the other DC. Now it is a race, they both send out the change notifications and the partners will start the pull. These changes will replicate around and depending on how the ring is set up (are DC10 and DC1 direct partners for instance or three hops from each other) varying amounts of replication will occur until the changes collide and have to go through conflict resolution. If the PDC has the later change, it wins. If they are at the same time you go through the rest of the resolution process probably falling to whomever has lowest GUID wins.
>
> Now expand to two sites (very simple spanning tree if you can even call it that). The mastering DC is in site 2 and the PDC is in site 1. Change occurs on the mastering DC, it fires it to the PDC. The master then replicates it around site 2 and the PDC replicates it around site 1 both following normal site replication rules. The changes hit the bridgeheads and both changes get passed both ways. Now the bridgeheads need to look at the change and say, hmm is this newer? If so, apply it, otherwise toss it. If changes at the same time, go through the rest of the conflict process. Most likely the PDC change will overwrite the change of the local mastering DC in site 2. So Site 2 will have gone through replication for the changes from mastering DC and then for the change that went to the PDC. Obviously this can be modified by timing and cross site replication schedules and how fast the changes made it to a bridgehead. For instance if the change was mastered on a bridgehead in site 2 and the rep schedule was in progress already the change from mastering DC could get to site 1 and start replicating there as well as in site 2 prior to the PDC change sweeping through and overwriting due to last change.
>
> Now expand to more than two sites. If you have a hub and spoke changes mastered on site 2 will most likely get no farther than site 1 (hub) assuming they even get out of site 2. If you have a spanning tree with multiple site hops along the tree between the mastering DC/Site and the PDC/PDC Site then the changes will meet somewhere in the middle and you have even more wasted replication.
>
> Now start making these changes on multiple domain controllers in the same site, how does that affect things. First off every change gets back to the PDC so if you have 10 DC's you hit with a change, 10 changes hit the PDC via direct calls. Now things start replicating and last change wins in all of the conflict resolution and there would be conflict resolution until the changes all converged to the last written change.
>
> Expand to multiple sites... Oy. You figure it out. :oP You have 50 DC's you make the change on in 50 sites and the PDC gets hit with 50 direct changes and in the meanwhile has probably started replicating the change from the first couple of change calls (depending on how fast all the initiating changes went through) and you get to figure out where all of the DC's would have collisions with each other (most likely on bridgeheads) and various amounts of changes will get so far until you get convergence to, most likely again, the last change the PDC saw which would then replicate out over top of all the other changes that had replicated around including over top of the DC's that had the change mastered on it.
>
> Does
RE: [ActiveDir] Planning the migration from NT4 to AD
Sounds like you've got it covered. No problem with bringing in the other domain later - my comment about 'works well for a single domain' was *as opposed to* a situation with lots of domains that you might want to restructure and collapse - in that case, many folks opt for a brand new AD and migrations into it, instead of in-place upgrades.

Re DNS, there are lots of ways to approach that. In a single domain, and with the way AD-integrated DNS works in Win2000, it made sense to us to make every DC a DNS server. They all had the complete DNS zone information anyhow, and this allowed us to make use of the local DNS services in each site with a DC. I can only dream about the size of pipes to each location that Rick has :) Now, if you're using W2K3 servers for AD, you can specify which servers get the application partition that DNS uses, so you might be more selective on which DCs get DNS servers. As always, a tradeoff between administrative concerns, bandwidth, client usage patterns, etc. The beauty is that you have the flexibility to adjust those kinds of things as you go.

My original comment with DNS was more related to making sure you know your "going-in" strategy so there's no surprises on Upgrade Day. That's NOT the time to be deciding what to use for a DNS name, fighting with the existing UNIX DNS team about who handles DNS, figuring out where to point the DNS resolver of the next DC, etc. I don't know about you, but I like to have those things decided and documented BEFORE starting to play with servers that cause Very Visible Bad Things to happen worldwide if I screw them up !

Again, with proper planning and the confidence that comes from repeated, consistent success in the lab, your upgrade should be very uneventful.

Dave

-Original Message-
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 2003 4:29 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Planning the migration from NT4 to AD

> This works well for a single domain.

Dave, Any caveats for the multiple NT 4.0 domains ? We do have another, smaller, not-so-AD-hungry-as-yet NT 4.0 domain that we might consider merging into AD realm in the future. Would that be a problem ?

> Some things to watch:
> - make sure you know how you're going to handle DNS - whether you're going to use existing DNS servers, which servers will use Microsoft's DNS, whether you want AD-integrated DNS or not (you do!), etc.

I was thinking of having one DC at each site run a DNS server locally. So, the root domain DC DNS server doesn't get overwhelmed. Sounds good ?

> - if you'll have NT4 BDCs for awhile, have a plan on how to keep the Netlogon replication in sync between the W2K DC environment (which uses FRS), and the NT4 BDC environment (which uses LMRepl)

Yes, http://download.microsoft.com/download/5/2/f/52f23d76-7d56-44d6-ad25-a95bf0be5516/11_CHAPTER_8_Upgrading_Windows_NT_4.0_Domains_to_Windows_Server_2003_Active_Directory.doc {link may wrap} has a nicely documented procedure on this. I plan to follow it.

Shshank

> -Original Message-
> From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, July 30, 2003 11:37 AM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Planning the migration from NT4 to AD
>
> Am planning the migration from NT 4.0 domain to AD domain. We have a single NT domain presently.
> Wondering if the following is a possible migration path, and solicit feedback on it
>
> 1. Phase A: Do an in-place upgrade for the NT domain controllers to AD Domain Controllers. No restructuring and no reorganization involved. Objective is to keep disruption as minimal as possible.
> 2. Phase B: Introduce restructuring, by moving users into respective OUs, delegations etc.
>
> Is there something obviously wrong that I am doing here ?
>
> Shshank Sharma
> QTC

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] windows 2000 (domain) licensing
this could possibly be taken as OT - so apologies if this is the case - if so not sure of the newsgroup to post to.

am considering issues of licencing in the context of a domain upgrade

it has been raised as a potential issue that client access licences procured to support connection to NT4 domain are not valid for connection to a Windows 2000 active directory domain ??

any views ?

GT
[ActiveDir] Pretty interesting site.
http://www.idefense.com

Figured that I would share the information.

Todd
RE: [ActiveDir] NETBIOS names with underscores
When and how can a company move away from the NetBIOS name? My company's domain name is location specific, but now we've grown large and the domain name doesn't make much sense to employees in other parts of the world. ( We're running W2K native mode with a mix of Win9x-XP clients. )

Does it depend on client OSes? Something else?

Dave K.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NETBIOS names with underscores

We had the same situation - we elected to just have the dns name and the NetBIOS name of the domain be different (i.e., NetBIOS name was xxx_yyy, DNS name of the domain is zzz.company.com). Have had no problems with having the two different names for the same domain, and we've been in production since December of 2000.

I know there's been discussion on this list about this topic before - I have not yet heard of a scenario where this causes problems, but I suppose one exists someplace :( If so, I'd love to hear about it.

Users will see the 'old' name in the drop-down box when they log in to the domain, and can continue to use it wherever they need to specify the domain (like xxx_yyy\username in the NET USE command, etc.). When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.

Dave

-Original Message-
From: Louise Martin [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NETBIOS names with underscores

Hi guys,

I need to upgrade our domain from NT4.0. Our domain is called RES_DOM1. Will the underscore be compatible with ADS, i.e. will NetBios be okay. I'm going to have the DNS names space to something like res.local. What do you think?

Thanks in advance

Lou
RE: [ActiveDir] NETBIOS names with underscores
That's great.

Thanks,

Louise

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: 01 August 2003 15:34
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NETBIOS names with underscores

We had the same situation - we elected to just have the dns name and the NetBIOS name of the domain be different (i.e., NetBIOS name was xxx_yyy, DNS name of the domain is zzz.company.com). Have had no problems with having the two different names for the same domain, and we've been in production since December of 2000.

I know there's been discussion on this list about this topic before - I have not yet heard of a scenario where this causes problems, but I suppose one exists someplace :( If so, I'd love to hear about it.

Users will see the 'old' name in the drop-down box when they log in to the domain, and can continue to use it wherever they need to specify the domain (like xxx_yyy\username in the NET USE command, etc.). When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.

Dave

-Original Message-
From: Louise Martin [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NETBIOS names with underscores

Hi guys,

I need to upgrade our domain from NT4.0. Our domain is called RES_DOM1. Will the underscore be compatible with ADS, i.e. will NetBios be okay. I'm going to have the DNS names space to something like res.local. What do you think?

Thanks in advance

Lou
RE: [ActiveDir] windows 2000 (domain) licensing
Server CALs have "versions". These are printed on the paper documentation that accompanied them when you purchased them (and if they are Open Licenses, at eopen.microsoft.com).

Downlevel is OK. Going up a level requires either repurchase or Software Assurance.

These comments don't apply if you have a Select, Enterprise, Service Provider, ASP, etc. license agreement with Microsoft.

-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 11:13 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] windows 2000 (domain) licensing

this could possibly be taken as OT - so apologies if this is the case - if so not sure of the newsgroup to post to.

am considering issues of licencing in the context of a domain upgrade

it has been raised as a potential issue that client access licences procured to support connection to NT4 domain are not valid for connection to a Windows 2000 active directory domain ??

any views ?

GT
RE: [ActiveDir] Object Attribute replication priority
There is no way to prioritize attribute changes, and other than password changes (and a couple of other actions I think), all attribute changes are replicated in the same way with the same priority.

The only thing I can think of that would account for the wide difference in replication time is that the changes are being made to different DCs, and the replication latency between the DCs originating the change and the DC where you are looking for the change are different.

-gil

-Original Message-
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 31, 2003 2:13 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Object Attribute replication priority

Does anyone know if it is possible (and if so how and where) to change the priority with which object attribute data is replicated throughout an AD ?

For example, when we create new users and include a profile path for Terminal Services it can take 20 minutes longer to replicate than other data associated with the same object. This is not only annoying but creates an unnecessary delay in providing users with access to resources.

Any clues ?

Many thanks

Mark Abbiss
RE: [ActiveDir] NETBIOS names with underscores
Actually, I think it depends on very little - the only thing that comes to mind is something that is licensed to a particular domain name, but I'm not aware of any software which meets that limitation.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Dave Kinnamon [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 12:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NETBIOS names with underscores

When and how can a company move away from the NetBIOS name? My company's domain name is location specific, but now we've grown large and the domain name doesn't make much sense to employees in other parts of the world. ( We're running W2K native mode with a mix of Win9x-XP clients. )

Does it depend on client OSes? Something else?

Dave K.

-Original Message-
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NETBIOS names with underscores

We had the same situation - we elected to just have the dns name and the NetBIOS name of the domain be different (i.e., NetBIOS name was xxx_yyy, DNS name of the domain is zzz.company.com). Have had no problems with having the two different names for the same domain, and we've been in production since December of 2000.

I know there's been discussion on this list about this topic before - I have not yet heard of a scenario where this causes problems, but I suppose one exists someplace :( If so, I'd love to hear about it.

Users will see the 'old' name in the drop-down box when they log in to the domain, and can continue to use it wherever they need to specify the domain (like xxx_yyy\username in the NET USE command, etc.). When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.

Dave

-Original Message-
From: Louise Martin [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 8:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] NETBIOS names with underscores

Hi guys,

I need to upgrade our domain from NT4.0. Our domain is called RES_DOM1. Will the underscore be compatible with ADS, i.e. will NetBios be okay. I'm going to have the DNS names space to something like res.local. What do you think?

Thanks in advance

Lou
RE: [ActiveDir] NETBIOS names with underscores
> Users will see the 'old' name in the drop-down box when they log in to the domain, and can continue to use it wherever they need to specify the domain (like xxx_yyy\username in the NET USE command, etc.).
> When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.
> Dave

And what happens when you decommission the old, NT domain (the xxx_yyy). You need to touch all the clients then ?

Shshank
RE: [ActiveDir] Windows NT clients
Can NT servers and workstations participate in Active Directory (mixed mode) by default? I know there’s an add in, but that’s only for extra functionality…right?

Can they participate without the add in to Active Directory in native mode? I would think it’s required?

Thanks in advance for your assistance!

Cliff Airhart
Answer Financial Inc.
Senior Systems Administrator - Server Support / eBusiness
[EMAIL PROTECTED]
818.644.4225
We answer to you.

-Original Message-
From: Crenshaw, Jason [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 7:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 98 clients

You don't need the AD add-on extension for 9X clients unless you need the extra functionality such as DFS failover, same site login, and etc.

Jason

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

I am almost sure you don't need the add in but it adds functionality...here is the MS page about the addin

http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

Are these machines 98 second edition? I believe you need the AD client for 9x machines. It is located on the Win2k server CD.

John Hicks | KEMET Electronics Corporation | Network Engineer
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: ipaq1978
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]

"David Devlin" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/14/2003 08:03 AM
Please respond to [EMAIL PROTECTED]
To <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc
Subject RE: [ActiveDir] Windows 98 clients

For only 3 systems you can put a LMHOST file on each to take care of the name resolution. The LMHOST needs a line like:

192.168.10.50 hostnameOfDomainController #PRE #DOM:DomainName

You also need to run dsclient.exe on each 9x system.

David D

>>> [EMAIL PROTECTED] 01/13/03 09:50PM >>>
Yes, this is a NT domain that was just upgraded to windows 2000, all the win2k machines login fine, however we have three 98 machines left that just can't seem to work...i haven't tried the WINS entries so I'll give those a go.

Thanks!

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, January 13, 2003 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

You also have to make sure that MS networking is installed and you click logon to Windows NT domain.

-Original Message-
From: Tim Hines [mailto:[EMAIL PROTECTED]
Sent: Monday, January 13, 2003 8:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Windows 98 clients

Windows 98 clients do not have computer accounts in the domain. If you are unable to join the domain then you may have a name resolution problem. Make sure that your win 98 clients are pointing to a valid WINS server. They need to be able to query wins to locate the domain controllers for your domain.

Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory

- Original Message -
From: "Brady" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 8:31 PM
Subject: [ActiveDir] Windows 98 clients

What are the steps necessary to get a windows 98 machine to 'join' a AD/2000 domain. Do I need to add the win98 computer into the 'computers' OU or do I just need to add a user in? I can't seem to get the win98 machines to see the domain.
RE: [ActiveDir] Local Admin
As I’ve been reading this something else came to mind, is there any way to do the opposite… A majority of newly deployed computers (100 or so) were deployed with DOMAIN USERS in the Local Admins group (Don’t ask, I’m not sure) and now I need to remove them. Any thought on how I can do this without going to every desktop. As I don’t want to Hijack this thread, I’ll be happy to take this off line.

Thanks in advance for any help

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 31, 2003 8:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

By default, the Domain Administrator is a recovery agent, not the local admin. However, even the Domain Administrator can be removed as a recovery agent.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Not up on EFS as I use PGP but can't the local admin recover the data if he/she/it wants to? And if so, it isn't really very safe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, July 30, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

> Means anyone who gets their hands on the machine is pretty much golden.

Yeah, I think I'd subscribe a HEAVY dose of EFS for that company critical data because it's a minute away from being 'not yours anymore'. :-/

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 30, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Local Admin

Means anyone who gets their hands on the machine is pretty much golden.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

What about adding the NT Authority\Interactive account to the local Administrators group? That should give the currently logged-on user administrator privileges without having to explicitly name the user in the Administrators group.

Malcolm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)

The idea of the startup script was exhaustively investigated and abandoned due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place.

Finally found an interesting puzzle that will likely stump Joe :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Restricted groups can be great, say you want to keep schema admins empty all of the time, you set the policy with no one in it and wham it is empty, then someone has to know to add themselves to the policy and to the group, not many hackers would think of that. Ditto but for setting specific members for enterprise admins, domain admins, domain controller admins, etc or if you want very specific admins for all machines on the network.

Your particular issue is an interesting one. Assuming only the user him/herself would use the machine the first thing off the top of my head would be to have a startup script for the machine that did a net localgroup int
RE: [ActiveDir]
Argh! Turn off your read receipt please.

Thanks,
Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 9:45 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Return Receipt

Your document: [ActiveDir]
was received by: James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV
at: 08/01/2003 09:44:33 AM

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
RE: [ActiveDir] Local Admin
You know, I have not been following this thread, but I just had to add a domain group to the local admin group on all of our workstations (NT, 2000). I came up with this method below, which is a bit flakey, but it worked.

file: addhelp.bat ---
@echo off
if {%1}=={} goto Syntax
echo.
echo Attempting update on %1
echo Resolving computer
REM Normalize the argument so compName always starts with \\
Set compName=%1
Set firstTwo=%compname:~0,2%
if {%compName%}=={\\} goto Syntax
if {%compName%}=={\} goto Syntax
if {%firstTwo%} NEQ {\\} set compName=\\%compName%
echo Determining operating system version
utility\gettype %compname%
REM That's the gettype.exe utility from the W2K Resource Kit
REM IF ERRORLEVEL n is true for any exit code >= n, so test highest first
if ERRORLEVEL 8 goto EIGHT
if ERRORLEVEL 7 goto SEVEN
if ERRORLEVEL 6 goto SIX
if ERRORLEVEL 5 goto FIVE
if ERRORLEVEL 4 goto FOUR
if ERRORLEVEL 3 goto THREE
if ERRORLEVEL 2 goto TWO
if ERRORLEVEL 1 goto ONE
goto END

:EIGHT
REM Windows NT Enterprise/Terminal Server Non-Domain Controller
echo %COMPNAME% is a Windows NT Enterprise or Terminal Server. It will not be updated.
goto END

:SEVEN
REM Windows NT Enterprise/Terminal Server Domain Controller
echo %COMPNAME% is a Windows NT Enterprise or Terminal Server and also a domain controller. It will not be updated.
goto END

:SIX
REM Windows 2000 Server Domain Controller
echo %COMPNAME% is a Windows 2000 domain controller. It will not be updated.
goto END

:FIVE
REM Windows NT Server Domain Controller
echo %COMPNAME% is a Windows NT domain controller and should be updated manually. Ray will not allow this update.
goto END

:FOUR
REM Windows 2000 Server Non-Domain Controller
echo %COMPNAME% is a Windows 2000 Server. It will not be updated.
goto END

:THREE
REM Windows NT Server Non-Domain Controller
echo %COMPNAME% is a Windows NT Server. It will not be updated.
echo.
goto END

:TWO
REM Windows 2000 Professional installation
echo Scheduling update
REM Use the normalized name so a bare computer name also works
echo net localgroup administrators "ourdomain\helpdesk users" /add>%compName%\C$\at.bat
at %compName% 12:30 C:\at.bat
echo fine
echo.
goto END

:ONE
REM Windows NT Workstation
echo Scheduling update
echo net localgroup administrators "harleysville\helpdesk users" /add>%compName%\C$\at.bat
at %compName% 12:30 C:\at.bat
echo fine
echo.
goto END

:Syntax
echo.
echo Will schedule an update on the remote machine for adding the Helpdesk Users group to the local administrators group
echo ---
echo Usage:
echo addhelp \\computername
echo.

:END
echo.
END OF THAT FILE---

file: setall.bat:
For /f "Skip=3 Tokens=1" %%j in ('net view') do call addHelp %%j
END OF THAT FILE---

Then I ran the update on all computers by executing:

setall.bat>addhelp.log

Like I said, it's a bit flakey, but it'll at least hit the majority of our workstations (about 800) and limit the need for manual updating. And my disclaimer is that I am not a network administrator. I'm an ASP programmer/DBA, and I'm not the best batch-scripter around...

Ray at work

-Original Message-
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]

As I've been reading this something else came to mind, is there any way to do the opposite... A majority of newly deployed computers (100 or so) were deployed with DOMAIN USERS in the Local Admins group (Don't ask, I'm not sure) and now I need to remove them. Any thought on how I can do this without going to every desktop. As I don't want to Hijack this thread, I'll be happy to take this off line.

Thanks in advance for any help

Thanks,

**
The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. Distribution, publication, or retransmission of this message is strictly prohibited. This message may be a bank to client communication and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. The sender of this e-mail specifically "opts-out" of the Electronic Signatures and Global and National Commerce Act (E-Sign) and any and all similar state and federal acts. Accordingly, but without limitation, any and all documents, contracts, and agreements must contain a handwritten signature of the sender to be legal, valid, and enforceable.
**
RE: [ActiveDir] Windows NT clients
NT servers and clients without add-ins can authenticate to AD DCs in mixed or native mode, but there is a minimum SP level I believe. NT BDCs can replicate with AD DCs only in mixed mode. AFAIK, mixed/native mode only affects DC-to-DC interactions, not client to DC interactions.

-g

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Clifford Airhart [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 9:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows NT clients

Can NT servers and workstations participate in Active Directory (mixed mode) by default? I know there's an add in, but that's only for extra functionality...right? Can they participate without the add in to Active Directory in native mode? I would think it's required?

Thanks in advance for your assistance!

Cliff Airhart
Answer Financial Inc.
Senior Systems Administrator - Server Support / eBusiness
[EMAIL PROTECTED]
818.644.4225
We answer to you.

-Original Message-
From: Crenshaw, Jason [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 7:18 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 98 clients

You don't need the AD add-on extension for 9X clients unless you need the extra functionality such as DFS failover, same site login, and etc.

Jason

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

I am almost sure you don't need the add in but it adds functionality...here is the MS page about the addin
http://www.microsoft.com/windows2000/server/evaluation/news/bulletins/adextension.asp

-Original Message-
From: John Hicks/MIS/HQ/KEMET/US [mailto:[EMAIL PROTECTED]
Sent: Tuesday, January 14, 2003 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

Are these machines 98 second edition? I believe you need the AD client for 9x machines. It is located on the Win2k server CD.

John Hicks | KEMET Electronics Corporation | Network Engineer
Phone: 864-228-4473 | E-mail: [EMAIL PROTECTED] | AOL IM: ipaq1978
[ Mailing: 2835 KEMET Way Simpsonville, SC 29681 USA ]

"David Devlin" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/14/2003 08:03 AM
Please respond to [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc:
Subject: RE: [ActiveDir] Windows 98 clients

For only 3 systems you can put a LMHOST file on each to take care of the name resolution. The LMHOST needs a line like:

192.168.10.50 hostmaneOfDomainController #PRE #DOM:DomainName

You also need to run dsclient.exe on each 9x system.

David D

>>> [EMAIL PROTECTED] 01/13/03 09:50PM >>>
Yes, this is a NT domain that was just upgraded to windows 2000, all the win2k machines login fine, however we have three 98 machines left that just can't seem to work...i haven't tried the WINS entries so I'll give those a go.

Thanks!

-Original Message-
From: Bryan Schlegel [mailto:[EMAIL PROTECTED]
Sent: Monday, January 13, 2003 5:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 98 clients

You also have to make sure that MS networking is installed and you click logon to Windows NT domain.

-Original Message-
From: Tim Hines [mailto:[EMAIL PROTECTED]
Sent: Monday, January 13, 2003 8:37 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Windows 98 clients

Windows 98 clients do not have computer accounts in the domain. If you are unable to join the domain then you may have a name resolution problem. Make sure that your win 98 clients are pointing to a valid WINS server. They need to be able to query wins to locate the domain controllers for your domain.

Tim Hines, MCSA, MCSE (2000 & NT4)
MVP - Active Directory

- Original Message -
From: "Brady" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 13, 2003 8:31 PM
Subject: [ActiveDir] Windows 98 clients

What are the steps necessary to get a windows 98 machine to 'join' a AD/2000 domain.
Do I need to add the win98 computer into the 'computers' OU or do I just need to add a user in?
I can't seem to get the win98 mac
[ActiveDir] OT: Way OT and thread hijacking to boot
I've heard about RSS but have paid Zero attention. How does it help to find this information? What type of client would I need? What are the best sources for Active Directory type information? My ignorance is showing --- I hope folks don't mind that I'm looking for the light here... Cheers -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, August 01, 2003 6:26 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] E2k3 Planning guides Just found out over night that the Exchange 2003 Planning and Deployment guides have been released, for those that are interested. RSS is such a cool thing Enjoy! (Watch for URL wrap.) http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4 567- bb71-908b8f2b980d&displaylang=en http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-4 2d1- 8fbb-fe6339ffa1ed&displaylang=en Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Simultaneous password change on multiple DCs
I must say I've enjoyed this thread immensely - I think it's generated more discussion than any other innocent queries I've posted to the list :) In our case, Joe, it's a hub-and-spoke branch-office kind of model, single domain. As Roger said, I'd hate to be the PDCE back here at headquarters - if the same change happened at all 50+ remote DCs at the same time, they'd all hit the PDCE with an RPC update at (roughly) the same time. That fact alone is enough to discourage it, as far as I'm concerned. Since we're rolling out SP4 right now, I think I'll pass on that feature. Thanks for all the comments ! Dave -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Friday, August 01, 2003 9:48 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs That nicely sums up what I've been trying to say - it would be a discrete change done on each DC, rather than one change done on multiple DC's. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -Original Message- > From: Joe [mailto:[EMAIL PROTECTED] > Sent: Friday, August 01, 2003 10:29 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs > > > Good explanation but I want to modify a bit. Note I am not > talking about > downlevel replication at all, that is simple, it replicates > out from the > PDC once the BDC receives the UAS_CHANGE packet, have a nice day. :o) > > Note that the mastering DC will still send the changes out as normal > replication. The straight out of band shot to the PDC will > occur (unless > specified flag is set or the PDC is out of contact) which will then > start its replication but then the mastering DC will replicate to its > direct partners as well. > > So say you have a single site with say 10 DC's with DC1 as PDC this is > what I would expect would happen. You make change on DC10. It > sends the > change to DC1 immediately as a normal change (i.e. 
like it was change > requested from any client for instance) and then you now have 8 DC's > with the old password and 2 with the new password. The PDC having the > change with the latest time stamp or if everything was really > fast, the > time stamp being the same as on the other DC. Now it is a race, they > both send out the change notifications and the partners will start the > pull. These changes will replicate around and depending on > how the ring > is set up (are DC10 and DC1 direct partners for instance or three hops > from each other) varying amounts of replication will occur until the > changes collide and have to go through conflict resolution. If the PDC > has the later change, it wins. If they are at the same time you go > through the rest of the resolution process probably falling > to whomever > has lowest GUID wins. > > Now expand to two sites (very simple spanning tree if you can > even call > it that). The mastering DC is in site 2 and the PDC is in > site 1. Change > occurs on the masterering DC, it fires it to the PDC. The master then > replicates it around site 2 and the PDC replicates it around > site 1 both > following normal site replication rules. The changes hit the > bridgeheads > and both changes get passed both ways. Now the bridgeheads > need to look > at the change and say, hmm is this newer? If so, apply it, otherwise > toss it. If changes at the same time, go through the rest of the > conflict process. Most likely the PDC change will overwrite the change > of the local mastering DC in site 2. So Site 2 will have gone through > replication for the changes from mastering DC and then for the change > that went to the PDC. Obviously this can be modified by > timing and cross > site replication schedules and how fast the changes made it to a > bridgehead. 
For instance if the change was mastered on a bridgehead in > site 2 and the rep schedule was in progress already the change from > mastering DC could get to site 1 and start replicating there > as well as > in site 2 prior to the PDC change sweeping through and overwriting due > to last change. > > Now expand to more than two sites. If you have a hub and spoke changes > mastered on site 2 will most likely get no farther than site 1 (hub) > assuming they even get out of site 2. If you have a spanning tree with > multiple site hops along the tree between the mastering > DC/Site and the > PDC/PDC Site then the changes will meet somewhere in the > middle and you > have even more wasted replication. > > Now start making these changes on multiple domain controllers in the > same site, how does that affect things. First off every > change gets back > to the PDC so if you have 10 DC's you hit with a change, 10 > changes hit > the PDC via direct calls. Now things start replicating and last change > wins in all of the conflict resolution and there would be conflict > resolut
RE: [ActiveDir] Simultaneous password change on multiple DCs
LOL, glad to be of assistance, thought I might have been a little long winded which tends to happen (often) but sounds like I wasn't too bad this time. I think Gil said it most succinctly with his statement of doing that would be boneheaded. :o) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Friday, August 01, 2003 1:44 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs I must say I've enjoyed this thread immensely - I think it's generated more discussion than any other innocent queries I've posted to the list :) In our case, Joe, it's a hub-and-spoke branch-office kind of model, single domain. As Roger said, I'd hate to be the PDCE back here at headquarters - if the same change happened at all 50+ remote DCs at the same time, they'd all hit the PDCE with an RPC update at (roughly) the same time. That fact alone is enough to discourage it, as far as I'm concerned. Since we're rolling out SP4 right now, I think I'll pass on that feature. Thanks for all the comments ! Dave -Original Message- From: Roger Seielstad [mailto:[EMAIL PROTECTED] Sent: Friday, August 01, 2003 9:48 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs That nicely sums up what I've been trying to say - it would be a discrete change done on each DC, rather than one change done on multiple DC's. -- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -Original Message- > From: Joe [mailto:[EMAIL PROTECTED] > Sent: Friday, August 01, 2003 10:29 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs > > > Good explanation but I want to modify a bit. Note I am not > talking about > downlevel replication at all, that is simple, it replicates > out from the > PDC once the BDC receives the UAS_CHANGE packet, have a nice day. 
:o) > > Note that the mastering DC will still send the changes out as normal > replication. The straight out of band shot to the PDC will occur > (unless specified flag is set or the PDC is out of contact) which will > then start its replication but then the mastering DC will replicate to > its direct partners as well. > > So say you have a single site with say 10 DC's with DC1 as PDC this is > what I would expect would happen. You make change on DC10. It sends > the change to DC1 immediately as a normal change (i.e. like it was > change requested from any client for instance) and then you now have 8 > DC's with the old password and 2 with the new password. The PDC having > the change with the latest time stamp or if everything was really > fast, the > time stamp being the same as on the other DC. Now it is a race, they > both send out the change notifications and the partners will start the > pull. These changes will replicate around and depending on > how the ring > is set up (are DC10 and DC1 direct partners for instance or three hops > from each other) varying amounts of replication will occur until the > changes collide and have to go through conflict resolution. If the PDC > has the later change, it wins. If they are at the same time you go > through the rest of the resolution process probably falling > to whomever > has lowest GUID wins. > > Now expand to two sites (very simple spanning tree if you can > even call > it that). The mastering DC is in site 2 and the PDC is in > site 1. Change > occurs on the masterering DC, it fires it to the PDC. The master then > replicates it around site 2 and the PDC replicates it around > site 1 both > following normal site replication rules. The changes hit the > bridgeheads > and both changes get passed both ways. Now the bridgeheads > need to look > at the change and say, hmm is this newer? If so, apply it, otherwise > toss it. If changes at the same time, go through the rest of the > conflict process. 
Most likely the PDC change will overwrite the change > of the local mastering DC in site 2. So Site 2 will have gone through > replication for the changes from mastering DC and then for the change > that went to the PDC. Obviously this can be modified by > timing and cross > site replication schedules and how fast the changes made it to a > bridgehead. For instance if the change was mastered on a bridgehead in > site 2 and the rep schedule was in progress already the change from > mastering DC could get to site 1 and start replicating there > as well as > in site 2 prior to the PDC change sweeping through and overwriting due > to last change. > > Now expand to more than two sites. If you have a hub and spoke changes > mastered on site 2 will most likely get no farther than site 1 (hub) > assuming they even get out of site 2. If you have a spanning tree with > multiple site hops along the tree between the mastering DC/Site and > the PDC/PDC S
[ActiveDir] Weblogs or Blogs
I personally use Radio and FM for my Blog (Weblog) that is hosting on Userland. I plan to move to my own hosted URL soon. Radio is a personal content management client tool, that has themes that can be used to construct a weblog. It is the one most pro's like because the content can be FTPed to a webserver and it looks professional. It formats all its information in XML syle sheets, and comes with a built-in News Aggregator. News Aggregator use URL's to pull in XML formatted data and make them look like post. Sites like Active win, and Neowin are supporting RSS 2.0 feeds. Basically it is a new way to format and share your news or personal web log with others. Here is a good book on RSS 2.0 format http://www.oreilly.com/catalog/consynrss/ Here is the link to Radio and FM. http://www.userland.com I personally want all the vendors to support RSS 2.0 news feeds about product releases, and build releases, bugs, etc. I am currently building a AD Blog for our Operations Group, This blog will link our Aelita Data Administration tools with our NETPRO data administrator tools. I am also encouraging all the vendors that support AD and Exchange 2000 Infrastructure and Data admin tools to support N-tier architecture designs, and reporting via CDO EMAIL and RSS News feeds. We currently don't hook up our stuff to Tivoli, CA, or HP Openview. These tools are too expensive, and a simple tool is much more flexible. I encourage more of you to setup a blog, and what is interesting is that if you were to use Gator (A Outlook news aggregator plug-in) you could send format email from this list into a RSS Newsfeed. BLOGS and XML are the future! Hehe Todd Myrick -Original Message- From: Bell, Stephen [mailto:[EMAIL PROTECTED] Sent: Friday, August 01, 2003 1:00 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] OT: Way OT and thread hijacking to boot I've heard about RSS but have paid Zero attention. How does it help to find this information? What type of client would I need? 
What are the best sources for Active Directory type information? My ignorance is showing --- I hope folks don't mind that I'm looking for the light here... Cheers -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, August 01, 2003 6:26 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] E2k3 Planning guides Just found out over night that the Exchange 2003 Planning and Deployment guides have been released, for those that are interested. RSS is such a cool thing Enjoy! (Watch for URL wrap.) http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4 567- bb71-908b8f2b980d&displaylang=en http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-4 2d1- 8fbb-fe6339ffa1ed&displaylang=en Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] NETBIOS names with underscores
> I'm not sure what you mean. There's no 'old' domain to
> decommission. There is only one domain, it just has two
> distinct names (xxx_yyy and zzz.company.com). The only way
> this domain will go away is if I built a new forest and
> migrated everything over to it. At that point, the original
> domain would be useless and I could retire it.
> The reason I did an in-place upgrade in the first place was
> to avoid that process - not that it's a bad thing, just that
> it was not necessary .. I started with one NT domain with a
> NetBIOS name, and ended with the same domain upgraded to AD
> with two names.
> Dave

Ah, that's exactly the way I am planning it, and for the same reason. What I meant was moving from the interim mode to the native AD mode. Once in native AD mode, do the clients still log in using xxx_yyy\username ?

> -Original Message-
> From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 12:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] NETBIOS names with underscores
>
> > Users will see the 'old' name in the drop-down box when they log in
> > to the domain, and can continue to use it wherever they need to
> > specify the domain (like xxx_yyy\username in the NET USE command, etc.).
> > When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.
> > Dave
>
> And what happens when you decommission the old, NT domain (the xxx_yyy).
> You need to touch all the clients then ?
>
> Shshank
RE: [ActiveDir] Local Admin
This is if the user has admin rights, which is where the challenge comes in.

Ray at work

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]

You can use either a computer startup script or a logon script. Simply have in the script:

net localgroup administrators "domain users" /delete >nul
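The cleanup Raymond asks about and Joe's one-line `net localgroup ... /delete` answer, generalized as an added example (not code from any poster in this thread): a computer startup script, which runs as SYSTEM so the logged-on user's rights do not matter, that removes over-broad principals from the local Administrators group by SID and reports what it did. It assumes Windows PowerShell 5.1 or later; the function names, the set of SIDs treated as too broad, and the log path are choices made for this example.

```powershell
# Added example, not from the thread. Intended to run as a computer startup
# script (SYSTEM context). Uses the Microsoft.PowerShell.LocalAccounts module
# that ships with Windows PowerShell 5.1.

# Well-known SID of BUILTIN\Administrators; the SID is the same on every
# language version of Windows, the group name is not.
$AdministratorsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'

# Principals that cover every user and therefore should not be local
# administrators (list chosen for this example).
$BroadSidPatterns = [ordered]@{
    'Domain Users'        = '^S-1-5-21-\d+-\d+-\d+-513$'   # RID 513 in any domain
    'INTERACTIVE'         = '^S-1-5-4$'
    'Authenticated Users' = '^S-1-5-11$'
    'Everyone'            = '^S-1-1-0$'
}

function Get-BroadPrincipalLabel {
    # Returns the label of the matching broad principal, or $null.
    param([Parameter(Mandatory)][string]$Sid)
    foreach ($entry in $BroadSidPatterns.GetEnumerator()) {
        if ($Sid -match $entry.Value) { return $entry.Key }
    }
    return $null
}

function Remove-BroadLocalAdmin {
    # Emits one record per member of local Administrators and removes the
    # members that match $BroadSidPatterns. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    try {
        # Collect the membership first so the group is not modified while
        # it is being enumerated.
        $members = @(Get-LocalGroupMember -SID $AdministratorsSid -ErrorAction Stop)
    } catch {
        Write-Error "Could not enumerate local Administrators: $($_.Exception.Message)"
        return
    }

    foreach ($member in $members) {
        $sid    = $member.SID.Value
        $label  = Get-BroadPrincipalLabel -Sid $sid
        $action = 'kept'

        if ($label) {
            $action = 'not removed (dry run or declined)'
            $target = "$($member.Name) ($sid)"
            if ($PSCmdlet.ShouldProcess($target, 'Remove from local Administrators')) {
                try {
                    Remove-LocalGroupMember -SID $AdministratorsSid -Member $member -ErrorAction Stop
                    $action = 'removed'
                } catch {
                    $action = "failed: $($_.Exception.Message)"
                }
            }
        }

        [pscustomobject]@{
            Time     = (Get-Date).ToString('s')
            Computer = $env:COMPUTERNAME
            Member   = $member.Name
            Sid      = $sid
            Matched  = $label
            Action   = $action
        }
    }
}

# Dry run from an elevated prompt:  Remove-BroadLocalAdmin -WhatIf
# As a startup script: remove and keep a per-machine record
# (log path is a placeholder chosen for this example).
Remove-BroadLocalAdmin |
    Export-Csv -Path "$env:ProgramData\LocalAdminCleanup.csv" -Append -NoTypeInformation
```

Matching on SIDs rather than names also catches NT AUTHORITY\INTERACTIVE, the membership suggested and then warned against earlier in this thread.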
RE: [ActiveDir] OT: Way OT and thread hijacking to boot
http://radio.weblogs.com/0001011/stories/2003/07/09/microsoftRssResources.html has a decent introduction. For some reason, I can't get to the referenced thundermain feed right now. I'm running SharpReader (http://www.sharpreader.net/) for an aggregator and like it.

Http://www.kbalertz.com is also providing RSS feeds for updates to MS's Knowledge Base.

Hunter

-Original Message-
From: Bell, Stephen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Way OT and thread hijacking to boot

I've heard about RSS but have paid Zero attention. How does it help to find this information? What type of client would I need? What are the best sources for Active Directory type information? My ignorance is showing --- I hope folks don't mind that I'm looking for the light here...

Cheers

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 6:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] E2k3 Planning guides

Just found out overnight that the Exchange 2003 Planning and Deployment guides have been released, for those that are interested. RSS is such a cool thing

Enjoy! (Watch for URL wrap.)

http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4567-bb71-908b8f2b980d&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-42d1-8fbb-fe6339ffa1ed&displaylang=en

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
[ActiveDir] I sent a virus on accident...
There is a virus I sent on accident that has an attachment called message.zip
Erase that email and DO NOT open the attachment. Sorry about this.

Chris J. Popp
RE: [ActiveDir] OT: Way OT and thread hijacking to boot
There's a lot of folks that rave about NewsGator because it runs within MS Outlook (http://www.newsgator.com/). But, I've been running FeedDemon for a couple weeks, and love it. Best one I've found so far: http://www.bradsoft.com/feeddemon/index.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Friday, August 01, 2003 4:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: Way OT and thread hijacking to boot

http://radio.weblogs.com/0001011/stories/2003/07/09/microsoftRssResources.html has a decent introduction. For some reason, I can't get to the referenced thundermain feed right now. I'm running SharpReader (http://www.sharpreader.net/) for an aggregator and like it.

Http://www.kbalertz.com is also providing RSS feeds for updates to MS's Knowledge Base.

Hunter

-Original Message-
From: Bell, Stephen [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 11:00 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Way OT and thread hijacking to boot

I've heard about RSS but have paid Zero attention. How does it help to find this information? What type of client would I need? What are the best sources for Active Directory type information? My ignorance is showing --- I hope folks don't mind that I'm looking for the light here...

Cheers

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 6:26 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] E2k3 Planning guides

Just found out overnight that the Exchange 2003 Planning and Deployment guides have been released, for those that are interested. RSS is such a cool thing

Enjoy! (Watch for URL wrap.)

http://www.microsoft.com/downloads/details.aspx?familyid=9fc3260f-787c-4567-bb71-908b8f2b980d&displaylang=en
http://www.microsoft.com/downloads/details.aspx?familyid=77b6d819-c7b3-42d1-8fbb-fe6339ffa1ed&displaylang=en

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
RE: [ActiveDir] NETBIOS names with underscores
Even in native mode, the domain still has both names. Anyplace where you would use the notation domain\user, you would still use the NetBIOS name, and that's still what shows up in the dropdown box when you do a ctrl-alt-del to log in. Even on Win2K workstations.

There really aren't too many places where a typical user will encounter the DNS name of the domain anyhow; one would be if they use the UPN to log in and you use the default UPN suffix. Another would be if they go to My Network Places...Entire Network..Entire Contents to search for something.

Best thing to tell you is to try it in the lab - Make a test NT4 domain with (at least) a PDC and a workstation, and name it TEST_DOM. Upgrade the PDC and call the AD domain lab.local. Poke around and see what things look like. Have fun !

Dave

-Original Message-
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
Sent: Friday, August 01, 2003 3:46 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] NETBIOS names with underscores

> I'm not sure what you mean. There's no 'old' domain to
> decommission. There is only one domain, it just has two
> distinct names (xxx_yyy and zzz.company.com). The only way
> this domain will go away is if I built a new forest and
> migrated everything over to it. At that point, the original
> domain would be useless and I could retire it.
> The reason I did an in-place upgrade in the first place was
> to avoid that process - not that it's a bad thing, just that
> it was not necessary .. I started with one NT domain with a
> NetBIOS name, and ended with the same domain upgraded to AD
> with two names.
> Dave

Ah, that's exactly the way I am planning it, and for the same reason. What I meant was moving from the interim mode to the native AD mode. Once in native AD mode, do the clients still log in using xxx_yyy\username ?

> -Original Message-
> From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 12:15 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] NETBIOS names with underscores
>
> > Users will see the 'old' name in the drop-down box when they log in
> > to the domain, and can continue to use it wherever they need to
> > specify the domain (like xxx_yyy\username in the NET USE command, etc.).
> > When you use AD tools like ADU&C, you'll deal with the 'new' DNS name.
> > Dave
>
> And what happens when you decommission the old, NT domain (the xxx_yyy).
> You need to touch all the clients then ?
>
> Shshank
RE: [ActiveDir] I sent a virus on accident...
No problem here, you probably want to update your virus scanner on your SMTP gateway though.

Oh and next time you send a message this big, about something like this, you might want to consider adding the e-mail address you wish to send to, to the BCC portion of your mail client. That way people can't see how many people you sent this to, and it protects those people's e-mail addresses from any e-mail address harvester we may have on this mailing list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris J. Popp
Sent: Friday, August 01, 2003 2:21 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
RE: [ActiveDir] Simultaneous password change on multiple DCs
Yep - I won't disagree on the PDCE needing to be in good health and quite ready for some reasonable update traffic - local or cross-site.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, August 01, 2003 8:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs

I'm starting to see where you're coming from - in the end, it's still a bad idea, at least from a replication standpoint. At the very least, you'll get n-1 DC's worth of updates to the PDCE - as I said, I'd hate to be the PDCE in that environment

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -Original Message-
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, August 01, 2003 9:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> Roger,
>
> If each DC is connected to a given DC, and the topology is laid out even remotely properly, the max hops that a replication are going to take is 3. The connected partners are going to replicate, and then the event is going to be done. There is not going to be any need to replicate changes to a DC that already has seen it - as the USNs should certainly accommodate, and prevent.
>
> Consider this from Q225511:
>
> By default, machine account password and user password changes are sent immediately to the PDC FSMO. In a mixed-mode domain, if a Microsoft Windows NT 4.0 domain controller receives the request, the client is sent to the PDC FSMO role owner (which must be a Windows 2000-based computer) to make the password change. This change is then replicated to other Windows 2000 domain controllers using Active Directory replication, and to down-level domain controllers through the down-level replication process. If a Windows 2000 domain controller receives the request (either in mixed or native mode), the password change is made locally, sent immediately to the PDC FSMO role owner using the Netlogon service in the form of a Remote Procedure Call (RPC), and the password change is then replicated to its partners using the Active Directory replication process. Down-level domain controllers replicate the change directly from the PDC FSMO role owner.
>
> If the AvoidPdcOnWan value is set to TRUE and the PDC FSMO is located at another site, the password change is not sent immediately to the PDC. However, it is notified of the change through normal Active Directory replication, which in turn replicates it to down-level domain controllers (if the domain is in mixed mode). If the PDC FSMO is at the same site, the AvoidPdcOnWan value is disregarded and the password change is immediately communicated to the PDC.
>
> ---
>
> The default clearly states that the local DC receives the change, and then the PDC-E is immediately notified via RPC - Not normal replication. Then, the PDC-E changes the rest of the DC's via the normal replication cycle. This will, in effect, reduce the overall impact of replication to some degree, but again, to directly connected partners (max of three hops).
>
> Now, if AvoidPdcOnWan is modified to be TRUE, then normal replication is the mechanism of change, but from the site DC if the PDCE is not in the same site. But, it's still going to be a max of three hop replication to directly connected partners.
>
> In no way am I saying that each DC doesn't need the update - they do. I just suggest that it would not necessarily be a storm of updates. In a 10 DC structure, the local is going to be changed. The PDCE is going to be notified and is going to change itself with a call via RPC from the changed local DC - not replication. The PDCE is then going to send change notification to its directly connected partners, which could be done, theoretically, in two replication notices from the PDCE, with two other DCs being responsible for two partners. Each of the others would only have one. In 3 hops maximum, you would have all 10 DC changed - 2 of those almost immediately and not participating in replication at all.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Friday, August 01, 2003 6:04 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Simultaneous password change on multiple DCs
>
> I guess I'm trying to figure out why replication would be limited to just the connected partners. Wouldn't the
RE: [ActiveDir] Local Admin
Thank You Joe! Although that seems FAR too easy :)

Thanks,
Raymond McClinnis - MCSE
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, August 01, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

You can use either a computer startup script or a logon script. Simply have in the script:

net localgroup administrators "domain users" /delete >nul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Friday, August 01, 2003 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

As I’ve been reading this something else came to mind, is there any way to do the opposite… A majority of newly deployed computers (100 or so) were deployed with DOMAIN USERS in the Local Admins group (Don’t ask, I’m not sure) and now I need to remove them. Any thought on how I can do this without going to every desktop. As I don’t want to Hijack this thread, I’ll be happy to take this off line.

Thanks in advance for any help

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 31, 2003 8:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

By default, the Domain Administrator is a recovery agent, not the local admin. However, even the Domain Administrator can be removed as a recovery agent.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Not up on EFS as I use PGP but can't the local admin recover the data if he/she/it wants to? And if so, it isn't really very safe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, July 30, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

> Means anyone who gets their hands on the machine is pretty much golden.

Yeah, I think I'd subscribe a HEAVY dose of EFS for that company critical data because it's a minute away from being 'not yours anymore'. :-/

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 30, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Local Admin

Means anyone who gets their hands on the machine is pretty much golden.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

What about adding the NT Authority\Interactive account to the local Administrators group? That should give the currently logged-on user administrator privileges without having to explicitly name the user in the Administrators group.

Malcolm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)

The idea of the startup script was exhaustively investigated and abandoned due to the fact that the name of the Laptop owner is unknown, so you don't know whom exactly you will be adding to the group. So, I could script a query for the currently logged-on user and try to pass that as a parameter to the main script, but of course that won't work because IF the user already logs in, then the script won't be a startup script anymore, and the script would then be executing in the context of the currently logged-on user, who does not have the privilege to add him/herself to the admin group - otherwise there would be no need for a script in the first place.

Finally found an interesting puzzle that will likely stump Joe :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Joe
Sent: Wed 7/30/2003 4:47 AM
T
[ActiveDir] ADAM Doc
http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en
[ActiveDir] OT (sort of) Determining if Group membership is set by policy
All, (sorry about the OT post) We are currently redoing some of the group membership management on machines in the organisation, and have done up a tool to set the local admin membership on some of our machines. Problem I have is that a number of these have the local admin membership set by AD group policy. Is there a way through code to determine if the local admin group membership is set by policy so I can inform the user and deny any changes to the group through the tool we have done ? I'm not really concerned specifically what the policy is doing, merely if there is one. Problem we are having is that local admin membership to workstations is set via GPO's on each container, but due to the OU breakdown of machines, users are getting local admin to more machines than we want. We have come up with a way to enforce a specific local admin membership (and will automatically fix it if they change it), but need to know if there is already a policy for that machine which is setting the local admin membership. If anyone has another way of doing this, thoughts would be appreciated. And no, one container per computer and using GPO's isn't going to cut it, nor will letting them have a free-for-all to local admin group membership...sorry *grin* TIA Glenn
Re: [ActiveDir] OT (sort of) Determining if Group membership is set by policy
sorry about recovering this, just noticed there is an active thread on the subject. in that case, don't worry about other ways to do this (i'll work my way through the other thread), but would still like to know if I can determine whether a policy is setting local admin membership.

Cheers.
Glenn

- Original Message -
From: Glenn Corbett
To: [EMAIL PROTECTED]
Sent: Saturday, August 02, 2003 1:23 PM
Subject: [ActiveDir] OT (sort of) Determining if Group membership is set by policy

All, (sorry about the OT post)

We are currently redoing some of the group membership management on machines in the organisation, and have done up a tool to set the local admin membership on some of our machines. Problem I have is that a number of these have the local admin membership set by AD group policy. Is there a way through code to determine if the local admin group membership is set by policy so I can inform the user and deny any changes to the group through the tool we have done ? I'm not really concerned specifically what the policy is doing, merely if there is one.

Problem we are having is that local admin membership to workstations is set via GPO's on each container, but due to the OU breakdown of machines, users are getting local admin to more machines than we want. We have come up with a way to enforce a specific local admin membership (and will automatically fix it if they change it), but need to know if there is already a policy for that machine which is setting the local admin membership.

If anyone has another way of doing this, thoughts would be appreciated. And no, one container per computer and using GPO's isn't going to cut it, nor will letting them have a free-for-all to local admin group membership...sorry *grin*

TIA
Glenn
RE: [ActiveDir] I sent a virus on accident...
Yeah, Chris good point. One that you might consider the next time you hit reply to a message that has the same information still contained in the header! Knowing it or not - it was sent out again. ;o)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hummert
Sent: Friday, August 01, 2003 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I sent a virus on accident...

No problem here, you probably want to update your virus scanner on your SMTP gateway though.

Oh and next time you send a message this big, about something like this, you might want to consider adding the e-mail address you wish to send to, to the BCC portion of your mail client. That way people can't see how many people you sent this to, and it protects those people's e-mail addresses from any e-mail address harvester we may have on this mailing list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris J. Popp
Sent: Friday, August 01, 2003 2:21 PM
To: (all the e-mail addresses repeated again)
Subject: [ActiveDir] I sent a virus on accident...

There is a virus I sent on accident that has an attachment called message.zip
Erase that email and DO NOT open the attachment. Sorry about this.

Chris J. Popp
RE: [ActiveDir] Local Admin
Raymond,

Make no mistake - it works quite well. I have it implemented in a number of GPO based scripts for managing such issues as removing users from local groups.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Friday, August 01, 2003 4:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Thank You Joe! Although that seems FAR too easy :)

Thanks,
Raymond McClinnis - MCSE
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Friday, August 01, 2003 12:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

You can use either a computer startup script or a logon script. Simply have in the script:

net localgroup administrators "domain users" /delete >nul

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Friday, August 01, 2003 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

As I’ve been reading this something else came to mind, is there any way to do the opposite… A majority of newly deployed computers (100 or so) were deployed with DOMAIN USERS in the Local Admins group (Don’t ask, I’m not sure) and now I need to remove them. Any thought on how I can do this without going to every desktop. As I don’t want to Hijack this thread, I’ll be happy to take this off line.

Thanks in advance for any help

Thanks,
Raymond McClinnis
Network Administrator
Provident Credit Union

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 31, 2003 8:07 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

By default, the Domain Administrator is a recovery agent, not the local admin. However, even the Domain Administrator can be removed as a recovery agent.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, July 31, 2003 9:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Not up on EFS as I use PGP but can't the local admin recover the data if he/she/it wants to? And if so, it isn't really very safe.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, July 30, 2003 7:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

> Means anyone who gets their hands on the machine is pretty much golden.

Yeah, I think I'd subscribe a HEAVY dose of EFS for that company critical data because it's a minute away from being 'not yours anymore'. :-/

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, July 30, 2003 3:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Local Admin

Means anyone who gets their hands on the machine is pretty much golden.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Malcolm Reitz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 3:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

What about adding the NT Authority\Interactive account to the local Administrators group? That should give the currently logged-on user administrator privileges without having to explicitly name the user in the Administrators group.

Malcolm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 30, 2003 12:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Local Admin

Making users admins on their "personal" computers is not at all appealing. But beauty and appeals were not of great importance at the time. Remember, it was a Management top-down mandate that had to be met as long as you want the paychecks to keep coming :)
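A more defensive form of the `net localgroup administrators "domain users" /delete` one-liner discussed in this thread, written as a PowerShell computer startup script so that it runs as SYSTEM. This is an added example, not code posted by any list member; it assumes Windows PowerShell 5.1, the function names are made up for the sketch, and it matches Domain Users by its well-known RID (513) in any domain instead of by name.

```powershell
# Added example, not from the thread. Deploy as a GPO computer startup script
# so it runs as SYSTEM and does not depend on the logged-on user's rights.
# Needs Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts cmdlets).

$AdministratorsSid = 'S-1-5-32-544'              # BUILTIN\Administrators on every locale
$DomainUsersSid    = '^S-1-5-21-(\d+-){3}513$'   # <domain SID>-513 = "Domain Users"

# Hypothetical helper: true when a SID string is some domain's Domain Users group.
function Test-IsDomainUsersSid {
    param([Parameter(Mandatory)][string]$Sid)
    $Sid -match $DomainUsersSid
}

# Hypothetical helper: removes Domain Users from the local Administrators group
# and returns the names it removed. Supports -WhatIf for a dry run.
function Remove-DomainUsersFromLocalAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $removed = @()
    # Look the group up by SID: its display name is localized, the SID is not.
    foreach ($member in Get-LocalGroupMember -SID $AdministratorsSid -ErrorAction Stop) {
        if (-not (Test-IsDomainUsersSid $member.SID.Value)) { continue }
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $AdministratorsSid -Member $member -ErrorAction Stop
            $removed += $member.Name
        }
    }
    $removed
}

# Idempotent: on a machine that is already clean this removes nothing.
$removed = @(Remove-DomainUsersFromLocalAdmins)
$stamp   = Get-Date -Format s
if ($removed.Count -gt 0) {
    "$stamp removed from local Administrators: $($removed -join ', ')"
} else {
    "$stamp nothing to remove"
}
```

Calling `Remove-DomainUsersFromLocalAdmins -WhatIf` on a test machine lists what would be removed without changing the group.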
RE: [ActiveDir] ADAM Doc
Todd and all -

This is more than just the Docs - this is the release of AD/AM and the included materials - a walkthrough (lab type material) and demo setup files. This is the same material that we were presented with for beta and is really quite good for getting your hands dirty.

Enjoy!

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Friday, August 01, 2003 7:39 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] ADAM Doc

http://www.microsoft.com/downloads/details.aspx?FamilyID=9688f8b9-1034-4ef6-a3e5-2a2a57b5c8e4&DisplayLang=en
RE: [ActiveDir] I sent a virus on accident...
I know I meant to delete that myself but someone walked into my office and distracted me. When I saw it pop up on the list I slapped myself upside the head

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 01, 2003 9:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I sent a virus on accident...

Yeah, Chris good point. One that you might consider the next time you hit reply to a message that has the same information still contained in the header! Knowing it or not - it was sent out again. ;o)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hummert
Sent: Friday, August 01, 2003 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I sent a virus on accident...

No problem here, you probably want to update your virus scanner on your SMTP gateway though.

Oh and next time you send a message this big, about something like this, you might want to consider adding the e-mail address you wish to send to, to the BCC portion of your mail client. That way people can't see how many people you sent this to, and it protects those people's e-mail addresses from any e-mail address harvester we may have on this mailing list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris J. Popp
Sent: Friday, August 01, 2003 2:21 PM
To: (all the e-mail addresses repeated again)
Subject: [ActiveDir] I sent a virus on accident...

There is a virus I sent on accident that has an attachment called message.zip
Erase that email and DO NOT open the attachment. Sorry about this.

Chris J. Popp
Re: [ActiveDir] I sent a virus on accident...
hehe, I'm sure you got a few hundred virtual slaps upside the head too :P

G.

- Original Message -
From: Christopher Hummert
To: [EMAIL PROTECTED]
Sent: Saturday, August 02, 2003 3:50 PM
Subject: RE: [ActiveDir] I sent a virus on accident...

I know, I meant to delete that myself but someone walked into my office and distracted me. When I saw it pop up on the list I slapped myself upside the head.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 01, 2003 9:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I sent a virus on accident...

Yeah, Chris, good point. One that you might consider the next time you hit reply to a message that has the same information still contained in the header! Knowing it or not - it was sent out again. ;o)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Hummert
Sent: Friday, August 01, 2003 4:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] I sent a virus on accident...

No problem here, you probably want to update your virus scanner on your SMTP gateway though. Oh, and next time you send a message this big, about something like this, you might want to consider adding the e-mail addresses you wish to send to, to the BCC portion of your mail client. That way people can't see how many people you sent this to, and it protects those people's e-mail addresses from any e-mail address harvester we may have on this mailing list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris J. Popp
Sent: Friday, August 01, 2003 2:21 PM
To: (all the e-mail addresses repeated again)
Subject: [ActiveDir] I sent a virus on accident...

There is a virus I sent on accident that has an attachment called message.zip. Erase that email and DO NOT open the attachment. Sorry about this.

Chris J. Popp