RE: [ActiveDir] LDAP'ing a computer object in AD
OK, I figured it out using your tip on the SAM account:

Dim compname
Dim domname
compname = "MYHOSTNAME"
domname = "MYDOMAIN"
Set oTrans = CreateObject("NameTranslate")
' 1 = ADS_NAME_INITTYPE_DOMAIN: bind to the domain named in domname
oTrans.Init 1, domname
' 3 = ADS_NAME_TYPE_NT4: a computer account's NT4 name is DOMAIN\hostname$
oTrans.Set 3, domname & "\" & compname & "$"
' 1 = ADS_NAME_TYPE_1779: the object's distinguished name, wherever it sits in the OU tree
sAdsPath = oTrans.Get(1)
Set oTrans = Nothing
wscript.echo "LDAP path: " & sAdsPath

Thanks, greetings,
Frederic Allaert
System Engineer
Johnson Pump AB

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 3:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

I think this is what you want. Search for samaccountname=computername$ (append a "$" to the computer name).

-Original Message-
From: Frederic Allaert [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 8:50 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDAP'ing a computer object in AD

Hello all, I have been searching for some good, clear examples of how to determine the LDAP path for a computer object (without knowing the "location" in AD), with the only input being the hostname of the computer and the DNS name for the domain. All this using a .VBS script... Can someone produce such an example, or direct me to some good resource websites on this topic? Greetings, Frederic Allaert
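The two name forms behind the answers above, as an added example that is not code from the thread: built from nothing but a hostname and the domain's DNS name, it produces the NT4 form DOMAIN\hostname$ that NameTranslate wants and the base DN plus sAMAccountName filter a plain LDAP subtree search wants. Because the follow-up takes both inputs from an InputBox, the values are escaped (RFC 4515 for the filter, RFC 4514 for DN components) so a malformed name cannot change the query's structure. Nothing here talks to a directory; the domain and host names are placeholders.

```python
# Added example, not code from the thread: the two name forms behind the answers
# above, built from nothing but a hostname and the domain's DNS name. NameTranslate
# wants the NT4 form DOMAIN\hostname$; a plain LDAP search wants a base DN derived
# from the DNS name and a filter on sAMAccountName=hostname$. Because the follow-up
# takes both inputs from an InputBox, the values are escaped (RFC 4515 for the
# filter, RFC 4514 for DN components) so a malformed name cannot change the query's
# structure. Nothing here talks to a directory; it only builds what you would send.
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515: escape the characters that would otherwise alter a search filter."""
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append(f"\\{ord(ch):02x}")
        elif ord(ch) > 0x7F:                      # non-ASCII goes in as escaped UTF-8 bytes
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def escape_rdn_value(value: str) -> str:
    """RFC 4514: escape an attribute value for use inside a DN."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in ',+"\\<>;=' or (ch == "#" and i == 0) or (ch == " " and i in (0, len(value) - 1)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def dns_domain_to_base_dn(dns_domain: str) -> str:
    """'corp.example.com' -> 'DC=corp,DC=example,DC=com'."""
    labels = dns_domain.strip().strip(".").split(".")
    if not all(re.fullmatch(r"[A-Za-z0-9-]{1,63}", label) for label in labels):
        raise ValueError(f"not a DNS domain name: {dns_domain!r}")
    return ",".join("DC=" + escape_rdn_value(label) for label in labels)


def computer_sam_account_name(hostname: str) -> str:
    """Computer accounts are stored as HOSTNAME$ (Ken's tip); a trailing $ the user
    typed is dropped first so it is never doubled."""
    name = hostname.strip().rstrip("$").upper()
    if not 1 <= len(name) <= 15:                 # NetBIOS name length limit
        raise ValueError(f"not a computer name: {hostname!r}")
    return name + "$"


def nt4_name(netbios_domain: str, hostname: str) -> str:
    """The string the VBScript hands to NameTranslate.Set(ADS_NAME_TYPE_NT4, ...)."""
    return f"{netbios_domain.strip().upper()}\\{computer_sam_account_name(hostname)}"


def computer_search(dns_domain: str, hostname: str):
    """(base DN, filter) for a subtree search that finds the computer object
    whatever OU it sits in. objectCategory=computer is indexed and excludes
    user objects, which also carry objectClass=user."""
    sam = computer_sam_account_name(hostname)
    flt = f"(&(objectCategory=computer)(sAMAccountName={escape_filter_value(sam)}))"
    return dns_domain_to_base_dn(dns_domain), flt


if __name__ == "__main__":
    # Constructed input: names are placeholders, not a real domain.
    print(nt4_name("MYDOMAIN", "myhostname"))
    print(computer_search("corp.example.com", "myhostname"))
    print(computer_search("corp.example.com", "ws*)(cn="))   # escaped, not injected
```

The last call shows why the escaping matters when the hostname comes from a dialog box: a value like `ws*)(cn=` stays inside the sAMAccountName term instead of becoming extra filter clauses, so the search can fail to match but cannot be turned into a different query.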
RE: [ActiveDir] OT? - LEGACY EXCHANGE DN
Al, sorry about the delay in responding; minor incident here at the house! FIRE!!! All resolved and back up and running.

Thank you for the very good tutorial and I must agree with Joe that MS has snookered us in their handling of this product. Having said that, I have a pretty good understanding of the workings. Obviously I need to bump up the schedule of the E2K migration effort, although I do not control the funding, just make recommendations.

I did find one problem with my methodology. In using ADSI Edit to change the user attribute, I was just copying and pasting, then editing. That does not work; it looks like it does, but goes right back after you exit. Tried hitting the Clear button; that cleared the attribute and copied it to the edit line. I then edited the attribute, hit Set and Apply, and exited. Worked fine. Went back after a couple of reps and it was staying as put. Deleted the user, forced a replication, saw that it was gone from the domain B GAL. Turned off the ADC Service, created a new user with mailbox, edited the attribute to show the proper container (ou), turned on the ADC Service, and the user shows up in the correct container of the domain B GAL. If only MS allowed the AD to pick up on the value of the container that a user resides in...

Again, thanks for your assistance!
R/Bill

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 7:36 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - LEGACY EXCHANGE DN

Well, for better or worse, what you explained is how I understood it myself. Though I admit to not knowing it really well; never wanted to know it all, but damn MS to hell for inserting AD and Exchange into each other like they did... (Hey, I haven't ranted on here about E2K in at least a week.)

Oh, one other thing is that some of that info gets stamped into the msExchADCGlobalNames attribute, but in a DN format. I believe the AD side of that gets stamped by the E55-AD work and then the E55 side gets stamped by the opposite direction. Though the 5.5 directory side would have the location in the AD tree being stamped, not the 5.5 location.

For Exchange, I'm only an egg. I don't Grok it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mulnick, Al
Sent: Thursday, October 16, 2003 4:23 PM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'

Let me play this back to see if I have it straight:

One Domain = Empty Root
Domain A = Child Domain
Domain B = Child Domain
Domain A = Exchange 2000 (really, this is Forest Wide, but we'll assume that you only consider it installed in this domain)
Domain B = Exchange 5.5 installed

Is that right so far? How many ADCs do you have? I assume just the one from Exchange 2000 media rev'd to SP3 or later with the standard CAs plus the recipients and public folders.

When you create a user in domain A, it's (presumably) an Exchange 2000 mail-enabled user object. Correct? The ADC CA picks this up from Domain A where it originated as new, and replicates the data to the Exchange 5.5 directory. At the point of creation and RUS processing, the mail-enabled user object has a legacyExchangeDN ending in \Recipients. If you stopped the CA prior to creating the user object, this would still be the case because Exchange 2000 has no concept of containers like Exchange 5.5 does. The legacyExchangeDN gets created assuming that the Recipients container is the only one.

Now turn the ADC CA back on to replicate. The replication starts, picks up the new mail-enabled user object, realizes there is no corresponding object, checks its rules regarding this situation (advanced tab as I recall) and creates the 5.5 directory entry in the container that follows those rules. Often, these rules will be set to follow legacyExchangeDN so you don't get a bazillion containers to mimic the OU structure in Active Directory. Yours probably is set that way.

It doesn't end there. Now on the next replication cycle, the ADC CA realizes that 5.5 has a new object and replicates it back to the Active Directory. Anything that was changed on the 5.5 side is now replicated to Active Directory and the CA is now done with that object.

If you create the mailbox-enabled object in 5.5 first, the legacyExchangeDN is, by nature, whatever the relative path is for the object in the directory. So if you have an object that is in a different container called "new", then your legacyExchangeDN would end in \new. Right? So when the ADC CA wakes up, it realizes it has a new 5.5 object, replicates it to the target OU in Active Directory and then replicates the information back to the 5.5 directory. As far as 5.5 users are concerned, it is in the correct container.

What you described is expected behavior. What you seem to want to do is modify that behavior so that if you create a user in a particular OU in Active Directory, the ADC knows to put it in a particular CN in 5.5. Unfortunately,
RE: [ActiveDir] Intrasite Replication Schedule
Thanks for the replies. I have tested the 15/3 settings in our lab and will implement in a pilot site over the next couple of days. Our DCs are way overpowered. If it does become a performance issue, I'll drop it back to 30/15 and analyze the results. Thanks again, guys.
-Rick Dayton

--- Joe [EMAIL PROTECTED] wrote:

I have modified our production and lab environments to 30 seconds pause after modify and 15 seconds pause between DSAs and have been running in that configuration for months with no perceived issues.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of FDiskThePC
Sent: Wednesday, October 15, 2003 7:46 PM
To: [EMAIL PROTECTED]

As most of you know, the default intrasite replication schedule in Windows 2000 is 5 minutes, yet 15 seconds in Windows Server 2003. Has anyone changed the setting in a Windows 2000 domain (Q214678) to match the settings that are now the default in Windows Server 2003? The five minute replication is frustrating, because it can actually be up to 15 minutes with lots of DCs in a site. Any advice would be appreciated. Thanks.
-Rick Dayton

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Connectivity with FSMO role machines
Probably a dumb question but here goes. We have recently installed a new DC into our domain to manage an increasing number of machines located in a DMZ. The domain itself is spread across two locations, Germany and France. The new DC has open connectivity to the DCs that are located in Germany; however, thanks to various political and bureaucratic idiocies, there is not open connectivity between the DMZ and the FSMO-holding DCs in the French location. This means that the new server is currently unable to create new users or other objects, as it is unable to connect with the RID master.

My question: Is there a way around this problem apart from opening up the connectivity from the DMZ to France (which will never be allowed) or, secondly, moving the RID master to a DC in Germany (which will be a nightmare of discussions and arguments)?

Many thanks
RE: [ActiveDir] LDAP'ing a computer object in AD
compname = InputBox ("Enter name of computer", "GetComputerName", "mycomputername")
domname = InputBox ("Enter name of domain", "GetDomainName", "myhostname")
blah blah blah

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

Anyway to make screen pops asking for compname and domname?
Shawn

-Original Message-
From: Frederic Allaert [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 3:17 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

OK, I figured it out using your tip on the SAM account:

Dim compname
Dim domname
compname = "MYHOSTNAME"
domname = "MYDOMAIN"
Set oTrans = CreateObject("NameTranslate")
oTrans.Init 1, domname
oTrans.Set 3, domname & "\" & compname & "$"
sAdsPath = oTrans.Get(1)
Set oTrans = Nothing
wscript.echo "LDAP path: " & sAdsPath

Thanks, greetings,
Frederic Allaert
System Engineer
Johnson Pump AB
RE: [ActiveDir] Creating programatically when password complexity is in force
And when you re-enable the account nothing freaks out, no password policies, nothing? Hmm..

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 1:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programatically when password complexity is in force

Joe, Yeah - turning off the password policy. Hm. Yummy, chewy insides.

We got it resolved, thanks to Mr. Cornetet. Turns out that what I needed to do was:

' ~
Const ADS_UF_NORMAL_ACCOUNT = 512      ' normal account, enabled
Const ADS_UF_DISABLED_ACCOUNT = 514    ' 512 + ADS_UF_ACCOUNTDISABLE (2)
Set objParent = GetObject("LDAP://" & ParentDN)
Set objUser = objParent.Create("user", "cn=" & UserName)        ' e.g. rickk
objUser.Put "sAMAccountName", UserName                           ' e.g. rickk
objUser.Put "userPrincipalName", UserUPN                         ' e.g. [EMAIL PROTECTED]
objUser.Put "givenName", UserFirstName                           ' e.g. Rick
objUser.Put "sn", UserLastName                                   ' e.g. Kingslan
objUser.Put "displayName", UserFirstName & " " & UserLastName    ' e.g. Rick Kingslan
' create the object disabled: a disabled account may exist without a compliant password
objUser.Put "userAccountControl", ADS_UF_DISABLED_ACCOUNT
objUser.SetInfo
' the object now exists, so the password can be set...
objUser.SetPassword Password
' ...and only then is the account enabled
objUser.AccountDisabled = False
objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
objUser.SetInfo
' ~~~

Basically, set the account to disabled before creating it so that the account would be disabled when the password was applied. Worked like a charm, so that's one piece of the automation tools resolved. It's a start to a long road - but we're finally getting some things realized. It's a good thing(TM).

Did it make it into Tuna to do the password set and useraccountcontrol set prior to the first setinfo?

Sadly, no - that was my first source, and there was nothing that helped, hence the message out to you guys. Thanks for the message, however!
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joe
Sent: Thursday, October 16, 2003 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programatically when password complexity is in force

Rick, you have two options...

1. Turn off your password requirements policy and allow blank passwords... :op
2. Don't touch useraccountcontrol (i.e. enable the user) nor the password until after you create the user object.

Did it make it into Tuna to do the password set and useraccountcontrol set prior to the first setinfo? That was something I pointed out. I haven't had a chance to read through the final.

Don't be worried, this is a pretty common one.

Your buddy joe :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kingslan, Rick T.
Sent: Thursday, October 16, 2003 8:06 AM
To: [EMAIL PROTECTED]

I've run into an interesting problem. If I create a user programmatically (using C#, but we've confirmed the same with VBScript), the password cannot be set until the user object exists. If I try it, we get the error "Server is unwilling to process the request" when a SetInfo is done on the creation of the user object. All required fields for the user object are being entered, and checked per the 'Tuna' just to be sure. However, the user cannot exist with a blank password because the blank password violates the password complexity and the minimum length rules. And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell me what I'm missing? I have to believe that there is a way to do this. Or, am I going to be relegated to using ADUC again to create my users (which is a major pain in the a$$, to say the least)?
Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

- This email and any files transmitted are confidential and intended solely for the use of the individual or entity to which they are addressed, whose privacy should be respected. Any views or opinions are solely those of the author and do not necessarily represent those of the Trencor Group, or any of its representatives, unless specifically stated. Email transmission cannot be guaranteed to be secure, error free or without
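The create-disabled, set-password, then enable sequence from the thread, as an added example that is not the thread's own code: it expresses Rick's ADSI steps as the LDAP operations a script talking to AD over LDAPS (ldap3, ldapmodify and the like) would issue, and adds a local pre-check that mirrors the default Windows complexity policy so a password the domain would reject is caught before the directory answers "unwilling to perform". The attribute names are real AD schema names; the policy mirror is an approximation of the documented rules, not a query of the live policy, and the OU, UPN suffix and sample password are assumptions.

```python
# Added example, not the thread's own code: the create-disabled / set-password /
# enable sequence from Rick's script expressed as the LDAP operations a script
# talking to AD over LDAPS (ldap3, ldapmodify, ...) would issue, plus a local
# pre-check that mirrors the default Windows complexity policy so a password the
# domain would reject is caught before the directory answers "unwilling to
# perform". Attribute names are real AD schema names; the policy mirror is an
# approximation of the documented rules, not a query of the live policy.
import re

ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200          # 512; 512 | 2 == 514, the thread's "disabled" value


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes a password over LDAP only as unicodePwd: the clear text wrapped in
    double quotes and encoded UTF-16LE, and only over an encrypted connection."""
    return f'"{password}"'.encode("utf-16-le")


def meets_default_complexity(password: str, sam_account_name: str, display_name: str,
                             min_length: int = 7) -> bool:
    """Mirror of 'Password must meet complexity requirements' with the default
    7-character minimum length: not shorter than min_length, not containing the
    sAMAccountName or any 3+ character token of the display name (case-insensitive),
    and built from at least three of four character classes."""
    if len(password) < max(min_length, 1):           # a blank password always fails
        return False
    lowered = password.lower()
    tokens = [sam_account_name] + re.split(r"[,.\-_ \t#]+", display_name)
    if any(len(t) >= 3 and t.lower() in lowered for t in tokens):
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


def provisioning_operations(parent_dn: str, sam: str, upn: str, first: str, last: str,
                            password: str) -> list:
    """Return the LDAP operations in the only order AD accepts when a complexity
    policy is in force: add the object with the disable bit set (no password is
    needed for a disabled account), set unicodePwd in a separate modify, then clear
    the bit. Adding the object enabled, or enabling it before the password is set,
    is what produces 'server is unwilling to process the request'."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,20}", sam):
        raise ValueError(f"unusual sAMAccountName {sam!r}; refusing to build a DN from it")
    display = f"{first} {last}"
    if not meets_default_complexity(password, sam, display):
        raise ValueError("password would be rejected by the domain's complexity policy")
    dn = f"CN={sam},{parent_dn}"
    return [
        ("add", dn, {
            "objectClass": ["top", "person", "organizationalPerson", "user"],
            "sAMAccountName": sam,
            "userPrincipalName": upn,
            "givenName": first,
            "sn": last,
            "displayName": display,
            "userAccountControl": str(ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE),
        }),
        ("modify", dn, {"unicodePwd": [("replace", encode_unicode_pwd(password))]}),
        ("modify", dn, {"userAccountControl": [("replace", str(ADS_UF_NORMAL_ACCOUNT))]}),
    ]


if __name__ == "__main__":
    # Constructed input; the OU, the UPN suffix and the password are assumptions.
    for op, dn, attrs in provisioning_operations("OU=Staff,DC=corp,DC=example,DC=com",
                                                 "rickk", "rickk@corp.example.com",
                                                 "Rick", "Kingslan", "Tr0ub4dor&3"):
        print(op, dn, {k: ("<utf-16le>" if k == "unicodePwd" else v) for k, v in attrs.items()})
```

Two points the ADSI version hides: SetPassword goes out as a unicodePwd write, which a DC only accepts over an encrypted channel, and the 514 the thread uses is simply 512 with the ACCOUNTDISABLE bit set, so the final modify is clearing one bit rather than "re-applying" the account type.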
RE: [ActiveDir] LDAP'ing a computer object in AD
How can I take your code and save it as an executable script?
Ron

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP'ing a computer object in AD

compname = InputBox ("Enter name of computer", "GetComputerName", "mycomputername")
domname = InputBox ("Enter name of domain", "GetDomainName", "myhostname")
blah blah blah
RE: [ActiveDir] Creating programatically when password complexity is in force
Man Joe, you beat me to it once again; basically, Rick, Joe's got it all covered there. Sorry I didn't get to you quicker.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 1:12 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programatically when password complexity is in force
[ActiveDir] Removing Failed Forest Trust From Logon
People,

Thanks for reading this in advance. I have a Forest Trust that failed as the DC in one Forest crashed and needed to be rebuilt. There was no BDC as the Forest was moderately insignificant and only hosted two servers which were multi-homed and could still be seen cross-forest. However, after the Trust was set initially, on my primary Domain I now had a third logon option: Local Machine, Primary Domain and NewlyCreatedForestTrustDomain. The problem is that now with that third Domain Controller being rebuilt and hosting a different Domain name, my Primary Domain users still see the old NewlyCreatedForestTrustDomain name at login and not the new one. As expected, you can't log in to the old one, as it says it can't find the DC. I have run MS's KB 216498 to clean up the metadata, but my AD still shows the old Trust in Domains and Trusts and it won't let me delete it, as the Remove button is greyed out when you highlight the dead Domain.

Would anyone know how to clean this up and get the new Domain back in the login box?

Again, Thanks.

- Rocky Habeeb
Microsoft Systems Administrator - James W. Sewall Company
Old Town, Maine - 207.827.4456
habr @ jws.com
www.jws.com
[ActiveDir] Simple DNS Question
We are getting ready to upgrade our NT4 domain to AD and I have a simple DNS question. Right now we use domain.com internally for our network. However, when we go to AD we want to use ad.domain.com for our domain name and keep domain.com for just the static DNS entries we have. This way all the dynamic entries are separated from the static ones. My question is, I want to create the domain name before we upgrade our PDC. Our PDC is also our primary DNS server. In the NT4 DNS admin, do I create the DNS zone under domain.com (shows up as a subfolder) or do I create a totally new zone called ad.domain.com (shows up as a separate domain from domain.com in the list)? Or is there any difference in how I set it up? Or am I just being picky about something that doesn't even matter?

Thanks
Mike
[ActiveDir] Simple DNS Question
Return Receipt: your [ActiveDir] Simple DNS Question document was received by James S. Cate/CONTRACTOR/FIA/CO/GSA/GOV at 10/17/2003 11:21:46 AM.
[ActiveDir] Database move
Is it possible to move the ntds folder to another drive? If so, what tool can be used?

Note: The information contained in this email and in any attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or proprietary material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. The recipient should check this email and any attachments for the presence of viruses. Sender accepts no liability for any damages caused by any virus transmitted by this email. If you have received this email in error, please notify us immediately by replying to the message and delete the email from your computer. This e-mail is and any response to it will be unencrypted and, therefore, potentially unsecure. Thank you.
RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
Is there some requirement that the people/devices in the test labs be able to access the production network? Would a firewall between the two help?

-gil

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 6:17 PM
To: [EMAIL PROTECTED]
Subject: VERY OT: Preventing Viruses from Lab to Live network

I'm sure this does not have much bearing on AD, per se. So, I apologize for sending it to this forum that has one of the best collections of brains I've ever seen.

I have some Engineering Testing Labs with a number of Domains and computers sharing the same network with my LIVE domain. It's actually worse than just sharing, but that's another story. Business requirements prevent some clients on these domains from installing AV clients, updating patches or even having passwords for the local admin account. Yeah, I know, but, again, another story entirely. But, as you can deduce, Viruses happen in these Labs.

My question is this. How do you protect your Production networks from settings like these? All production systems follow strict adherence to strict security practices, but we occasionally have slippage (like someone on a month-long vacation turning off a computer and thereby not getting patches and AV pattern updates). How do you PREVENT share-eating Viruses like Mofei, Nachi, etc. from spreading from the Lab to your live network? I have been evaluating a product called Fortigate (from Fortinet), but I gave it up as soon as I discovered that they do not protect against NetBIOS, share-borne Viruses. Any product out there that can help me out?

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Database move
Don,

Never tried this, but KB article 257420 describes what I believe you are asking. Good luck.

R/Bill

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 11:24 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Database move

Is it possible to move the ntds folder to another drive? If so, what tool can be used?
RE: [ActiveDir] Connectivity with FSMO role machines
Generally speaking, all DCs need to be able to contact the RID master periodically to get a RID allocation. I have some thoughts about how to work around the problem, but I've never tried them, so you get to be the test pilot on your first flight :)

1. You can change the size of the RID block allocated to the DC so that it gets "enough" RIDs to last a really long time. The reg setting is defined in KB316201. There are some caveats when setting the value to a really large number.

2. Point whatever processes are creating security principals (users, computers, groups) to a DC not in the DMZ. That way the DC in the DMZ won't have to allocate any RIDs.

HTH,
-gil

Gil Kirkpatrick
CTO, NetPro

-Original Message-
From: Abbiss, Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 17, 2003 4:27 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Connectivity with FSMO role machines
[ActiveDir] Simple DNS Question
Return Receipt: your [ActiveDir] Simple DNS Question document was received by James Day/Contractor/NPS at 10/17/2003 12:22:25 PM EDT.
Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
[EMAIL PROTECTED] wrote:
I forgot to mention that. Yeah, there is a requirement for connectivity between the 2 sides. That's why firewalling them is not an option.

I've been following this because I think it's outrageous. I don't envy your problem.

I think you're in a situation where you'll have to say "if that's what you want, then it's going to cost you" to whoever put the connectivity requirement in place.

First off, you are going to want a firewall between production and lab. Set it to deny by default, then allow ONLY the EXACT traffic that you want to allow. Then configure logging and make it a point to review the logs regularly.

I would also suggest a dedicated SMTP relay for the lab, with virus scanning and extensive access restrictions: again, allow only what you KNOW is safe, log everything, and review the logs regularly. Configure your firewall so that ONLY mail that's gone through the SMTP relay is allowed anywhere. This will stop a lot of SMTP-based worms from getting anywhere, as well as alerting you to their existence.

Even this will not protect you from every type of attack, but it should reduce the rate of occurrence significantly.

From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Fri 10/17/2003 8:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

Is there some requirement that the people/devices in the test labs be able to access the production network? Would a firewall between the two help?

-gil

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 16, 2003 6:17 PM
To: [EMAIL PROTECTED]
Subject: VERY OT: Preventing Viruses from Lab to Live network

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
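The "log everything and review the logs" advice above, turned into something that can actually be run over the firewall's output, as an added example that is not from the thread. Even where SMB/NetBIOS has to stay open so people can pull files from lab machines, a share-borne worm like Nachi or Mofei betrays itself by one lab host fanning out to many production addresses on 135/137-139/445 within seconds, which a person copying a file does not do. The log line format, the two subnets and the sample lines are all constructed for this example; parse_line() is the only part that needs adapting to a real firewall's format.

```python
# Added example, not from the thread: detection logic for the lab/production
# boundary Bill describes, run over firewall log lines. Even where SMB/NetBIOS
# has to stay open so people can pull files from lab machines, a share-borne worm
# betrays itself by one lab host fanning out to many production addresses on
# 135/137-139/445 within seconds, which a person copying a file does not do.
# The log format, the two subnets and the sample lines are all constructed for
# the example; adapt parse_line() to your firewall's format.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LAB_NET = ipaddress.ip_network("10.50.0.0/16")     # assumption: lab address space
PROD_NET = ipaddress.ip_network("10.10.0.0/16")    # assumption: production address space
SHARE_PORTS = {135, 137, 138, 139, 445}            # RPC, NetBIOS and SMB: the worm's vectors

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")


def parse_line(line: str):
    """One constructed log line -> dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": m["action"], "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]), "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"])}


def find_fanout(lines, window: timedelta = timedelta(seconds=60), threshold: int = 5) -> dict:
    """Map each lab source that reached >= threshold distinct production hosts on
    share ports inside one window to the sorted list of those hosts. ALLOW and
    DENY both count: a deny-by-default firewall still logs the attempts, and the
    attempts are the signal."""
    events = defaultdict(list)                        # src -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in SHARE_PORTS:
            continue
        if ev["src"] in LAB_NET and ev["dst"] in PROD_NET:
            events[ev["src"]].append((ev["ts"], ev["dst"]))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):            # slide the window from each event
            targets = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            if len(targets) >= threshold:
                hits[str(src)] = sorted(str(d) for d in targets)
                break
    return hits


# Constructed sample: a normal file pull (10.50.8.2), one infected lab host
# (10.50.3.7) sweeping production on 445/139/135, plus traffic that must be ignored.
SAMPLE_LOG = """\
2003-10-17 10:12:01 ALLOW TCP 10.50.8.2:1201 -> 10.10.0.5:445
2003-10-17 10:12:03 ALLOW TCP 10.50.8.2:1202 -> 10.10.0.5:445
2003-10-17 10:12:05 ALLOW TCP 10.50.3.7:1045 -> 10.10.0.21:445
2003-10-17 10:12:05 ALLOW TCP 10.50.3.7:1046 -> 10.10.0.22:445
2003-10-17 10:12:06 DENY TCP 10.50.3.7:1047 -> 10.10.0.23:139
2003-10-17 10:12:06 ALLOW TCP 10.50.3.7:1048 -> 10.10.0.24:445
2003-10-17 10:12:07 ALLOW TCP 10.50.3.7:1049 -> 10.10.0.25:445
2003-10-17 10:12:08 ALLOW TCP 10.50.3.7:1050 -> 10.10.0.26:135
2003-10-17 10:12:09 ALLOW TCP 10.50.3.7:1051 -> 10.10.0.30:80
2003-10-17 10:12:10 ALLOW TCP 10.10.0.9:3389 -> 10.50.1.1:445
2003-10-17 10:13:00 ALLOW UDP 10.50.4.4:137 -> 10.10.0.40:137
"""

if __name__ == "__main__":
    for src, targets in find_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"share-port fan-out from lab host {src}: {len(targets)} production hosts: {targets}")
```

The threshold and window are the knobs to tune against your own baseline: the legitimate file pulls in the sample touch one production host repeatedly and never trip the rule, while the sweeping host is flagged on the count of distinct targets, not on volume, so a slow worm that retries the same host does not hide a fast one.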
[ActiveDir] Revamping AD and rights
I have a network that consists of about 65 servers in 9 different states connected by T1s to all the remote offices. Each office only has a max of 10 people and everything is Windows 2000 Pro or Server. What I am trying to do is set up Group Policies as well as get AD working better and get back control from the users. I feel this is going to be a big task but it's all I am going to be doing for the next 6 months. In the end we would like to push apps to the users as well as lock down the desktops pretty tight. Are there any books or sites that can help me get started? I just ordered the Tuna book as well as his AD book and I have the Windows 2000 Resource Kit, but that does not tell you what works best. I am also setting up a lab with 15 computers so that I can test things before they go to production. I guess I just need some direction on best practices for AD, GPO, and making sure everything is secure. Any help would be great!

Thanks!

Ryan McDonald
Systems Administrator
RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
Thanks, Bill. We all have had to live with management-driven decisions at one time or the other, no? We change what we can, and accept what we can't and try to make the best of it. This is one of those situations. The line of thought is "we don't care what's running around in the Labs as long as they remain in the Labs, but, by the way, we need to be able to pull files from our Labs machines to our production desktops so we can work on them. So, you see, you can't block off the Labs."

Anyway, the cost is really not a factor. Finding what to invest the money in is the issue. The PRIMARY (and, maybe, ONLY) concern is keeping viruses that propagate through network shares from coming to the production network. The device I was testing does SMTP, POP and Web filtering, but 90% of the Virus problems are NetBIOS borne. And, no, I can't filter out NetBIOS ports between the Labs and the production sides. That is my dilemma. IF there is a device on the market that does NetBIOS virus scanning and prevention, a big part of my problem will disappear overnight. And, if wishes were horses :-p

From the look of things, though, it seems that this is one of the situations where we say "There are seldom good technological solutions to behavioral problems." Apologies to Ed Crowley :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Bill Moran
Sent: Fri 10/17/2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

[EMAIL PROTECTED] wrote:
> I forgot to mention that. Yeah, there is a requirement for connectivity between the 2 sides. That's why firewalling them is not an option.

I've been following this because I think it's outrageous. I don't envy your problem.

I think you're in a situation where you'll have to say "if that's what you want, then it's going to cost you" to whoever put the connectivity requirement in place.

First off, you are going to want a firewall between production and lab. Set it to deny by default, then allow ONLY the EXACT traffic that you want to allow. Then configure logging and make it a point to review the logs regularly.

I would also suggest a dedicated SMTP relay for the lab, with virus scanning and extensive access restrictions: again, allow only what you KNOW is safe, log everything, and review the logs regularly. Configure your firewall so that ONLY mail that's gone through the SMTP relay is allowed anywhere. This will stop a lot of SMTP-based worms from getting anywhere, as well as alerting you to their existence.

Even this will not protect you from every type of attack, but it should reduce the rate of occurrence significantly.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: [ActiveDir] Database move
I can confirm that in practice the procedure cited in the given KB will work quite well.

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-Original Message-
From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Database move

Don,

Never tried this but KB article 257420 describes what I believe you are asking.

Good luck
R/Bill

-Original Message-
From: Don Murawski (Lenox) [mailto:[EMAIL PROTECTED]
Sent: Friday, October 17, 2003 11:24 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Database move

Is it possible to move the ntds folder to another drive? If so, what tool can be used?

Note: The information contained in this email and in any attachments is intended only for the person or entity to which it is addressed and may contain confidential and/or proprietary material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. The recipient should check this email and any attachments for the presence of viruses. Sender accepts no liability for any damages caused by any virus transmitted by this email. If you have received this email in error, please notify us immediately by replying to the message and delete the email from your computer. This e-mail and any response to it will be unencrypted and, therefore, potentially unsecure. Thank you.
Re: [ActiveDir] Revamping AD and rights
Start by getting control out of their hands: no local logins, all machines members of the same AD domain. You then can control everything thru domain group policy.

- Original Message -
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 11:05 AM
Subject: [ActiveDir] Revamping AD and rights

I have a network that consists of about 65 servers in 9 different states connected by T1s to all the remote offices. Each office only has a max of 10 people and everything is Windows 2000 Pro or Server. What I am trying to do is set up Group Policies as well as get AD working better and get back control from the users. I feel this is going to be a big task but it's all I am going to be doing for the next 6 months. In the end we would like to push apps to the users as well as lock down the desktops pretty tight. Are there any books or sites that can help me get started? I just ordered the Tuna book as well as his AD book and I have the Windows 2000 Resource Kit, but that does not tell you what works best. I am also setting up a lab with 15 computers so that I can test things before they go to production. I guess I just need some direction on best practices for AD, GPO, and making sure everything is secure. Any help would be great!

Thanks!
Ryan McDonald
Systems Administrator
Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
[EMAIL PROTECTED] wrote:
> Thanks, Bill. We all have had to live with management-driven decisions at one time or the other, no? We change what we can, and accept what we can't and try to make the best of it. This is one of those situations.

But sometimes you have to have the fortitude to stand up to management and tell them they're asking for something that's not possible. You can't have 100% security and 100% access at the same time.

> The line of thought is "we don't care what's running around in the Labs as long as they remain in the Labs, but, by the way, we need to be able to pull files from our Labs machines to our production desktops so we can work on them. So, you see, you can't block off the Labs."
>
> Anyway, the cost is really not a factor. Finding what to invest the money in is the issue. The PRIMARY (and, maybe, ONLY) concern is keeping viruses that propagate through network shares from coming to the production network. The device I was testing does SMTP, POP and Web filtering, but 90% of the Virus problems are NetBIOS borne. And, no, I can't filter out NetBIOS ports between the Labs and the production sides. That is my dilemma. IF there is a device on the market that does NetBIOS virus scanning and prevention, a big part of my problem will disappear overnight. And, if wishes were horses :-p

Well, I still think you could work it out with an intermediate machine. Just put a Server in between the two networks with two interfaces on it. Load it up with all the virus protection you can find (most server-based virus protection will check incoming and outgoing files as they are up/downloaded) and keep the machine updated with all patches/etc. Then set it up so the only way to get files from production to lab is to copy them on to this server first. It's a little annoying for the people copying the files ("Damn ... I forgot to copy this to the transfer server from the lab") but I would say that this is where you've got to draw the line if you want to have any level of safety/protection whatsoever.

> From the look of things, though, it seems that this is one of the situations where we say "There are seldom good technological solutions to behavioral problems." Apologies to Ed Crowley :)

I agree. I think the only way you're going to get any sane level of protection is to come to a compromise. Sometimes you have to be willing to push back.

Good luck in whatever approach you take.

> Sincerely,
> Dèjì Akómöláfé, MCSE MCSA MCP+I
> www.akomolafe.com
> www.iyaburo.com
> Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
>
> From: [EMAIL PROTECTED] on behalf of Bill Moran
> Sent: Fri 10/17/2003 10:08 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
>
> [EMAIL PROTECTED] wrote:
> > I forgot to mention that. Yeah, there is a requirement for connectivity between the 2 sides. That's why firewalling them is not an option.
>
> I've been following this because I think it's outrageous. I don't envy your problem.
>
> I think you're in a situation where you'll have to say "if that's what you want, then it's going to cost you" to whoever put the connectivity requirement in place.
>
> First off, you are going to want a firewall between production and lab. Set it to deny by default, then allow ONLY the EXACT traffic that you want to allow. Then configure logging and make it a point to review the logs regularly.
>
> I would also suggest a dedicated SMTP relay for the lab, with virus scanning and extensive access restrictions: again, allow only what you KNOW is safe, log everything, and review the logs regularly. Configure your firewall so that ONLY mail that's gone through the SMTP relay is allowed anywhere. This will stop a lot of SMTP-based worms from getting anywhere, as well as alerting you to their existence.
>
> Even this will not protect you from every type of attack, but it should reduce the rate of occurrence significantly.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
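As an added example that is not part of the thread, the following Python models the segmentation Bill describes across his two replies: a deny-by-default firewall between lab and production that logs every drop, mail crossing the boundary only through a scanning SMTP relay, and the dual-homed transfer server as the only file path. The zone ranges, host addresses and rules are constructed for illustration; the lint function checks that no allow rule opens a whole zone to another or leaves the port unrestricted, which is how "allow ONLY the EXACT traffic" can be verified rather than assumed.

```python
"""Lab/production segmentation model (added example, not from the thread).

Deny-by-default policy with logged drops, a scanning SMTP relay as the only
mail path, and a dual-homed transfer server as the only share path. All
addresses, zone ranges and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed zone ranges; a real policy would use the site's own subnets.
ZONES = {"lab": "10.99.0.0/24", "prod": "10.1.0.0/24"}

# Constructed hosts that are allowed to straddle the boundary.
SMTP_RELAY = "10.99.0.25"       # lab-side relay with virus scanning
TRANSFER_SERVER = "10.99.0.50"  # dual-homed file drop, AV on both directions
PROD_MAIL = "10.1.0.25"         # production mail server

SMTP = (25,)
NETBIOS_SMB = (137, 138, 139, 445)  # the share-borne worm traffic in the thread


@dataclass
class Rule:
    src: str                 # zone name or a single host address
    dst: str
    ports: Tuple[int, ...]   # empty tuple means any port
    action: str              # "allow" or "deny"
    comment: str = ""


def selector_matches(selector: str, ip: str) -> bool:
    """A selector names either a whole zone or exactly one host."""
    if selector in ZONES:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(ZONES[selector])
    return ip == selector


@dataclass
class Policy:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def evaluate(self, src: str, dst: str, port: int) -> str:
        """First matching rule wins; anything unmatched is dropped and logged."""
        for r in self.rules:
            if (selector_matches(r.src, src) and selector_matches(r.dst, dst)
                    and (not r.ports or port in r.ports)):
                if r.action == "deny":
                    self.log.append(f"DROP {src} -> {dst}:{port} ({r.comment})")
                return r.action
        self.log.append(f"DROP {src} -> {dst}:{port} (default deny)")
        return "deny"


def build_policy() -> Policy:
    """The EXACT traffic to allow; everything else falls to the default deny."""
    return Policy(rules=[
        Rule("lab", SMTP_RELAY, SMTP, "allow", "lab hosts submit mail to relay"),
        Rule(SMTP_RELAY, PROD_MAIL, SMTP, "allow", "only scanned mail reaches prod"),
        Rule("lab", TRANSFER_SERVER, NETBIOS_SMB, "allow", "lab drops files on transfer box"),
        Rule("prod", TRANSFER_SERVER, NETBIOS_SMB, "allow", "prod pulls scanned files"),
    ])


def lint_allow_rules(policy: Policy) -> List[str]:
    """Flag allow rules broader than 'exact traffic': zone-to-zone or any-port."""
    problems = []
    for r in policy.rules:
        if r.action != "allow":
            continue
        if r.src in ZONES and r.dst in ZONES:
            problems.append(f"zone-to-zone allow: {r.src} -> {r.dst}")
        if not r.ports:
            problems.append(f"any-port allow: {r.src} -> {r.dst}")
    return problems


if __name__ == "__main__":
    p = build_policy()
    print(p.evaluate("10.99.0.7", "10.1.0.40", 445))  # lab -> prod share: deny
    print(p.evaluate(SMTP_RELAY, PROD_MAIL, 25))      # relay -> prod mail: allow
    print(lint_allow_rules(p), *p.log, sep="\n")
```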
RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network
Deji,

Technically - aside from the purely political, you have a problem. I'm not aware of anything that is going to filter the incoming/outgoing traffic in the manner that you're looking to do. In essence, you're looking for an application level firewall with the ability to do protocol scrubbing from layer 1 to layer 7.

What might be possible is to treat the lab as a 'quarantine area'. Anything that gets brought up in the lab, through private VLAN and switching, as well as an active scanning and scripting process, would be brought up as a part of the 'private vlan' that would be separate from all other traffic until it was checked and scrubbed by the virus checking and the automated scripts. Once that is accomplished, you can give it access to the private vlan that feeds into the rest of the environment by allowing ACLs or a simple command to the switching gear to switch its membership in the vlan structure. Granted, this will not allow all machines in the lab to communicate with each other constantly, because when the machine shuts down, it should also be removed from the PVLAN as an automated or manual process to ensure the integrity of the more public VLAN.

The whole point of this is to show that it would be possible to do what you want - it's all a matter of policy, rules, and automation enforcing the rules. This is a compromise, at best. It's not giving management everything that they want, but at the same time - you're not getting everything that you want either. Possibly the best that you're going to do and still be able to provide a safe environment. Otherwise, open the lab up and batten down the hatches on everything else. Create the perimeter at the individual systems and servers.

But, I can also see this solution costing a fair amount of cash in the network management department, too. Tools to automate switching and VLAN management don't usually come too cheap.

That's my shot at it...

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 1:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

Thanks, Bill. We all have had to live with management-driven decisions at one time or the other, no? We change what we can, and accept what we can't and try to make the best of it. This is one of those situations. The line of thought is "we don't care what's running around in the Labs as long as they remain in the Labs, but, by the way, we need to be able to pull files from our Labs machines to our production desktops so we can work on them. So, you see, you can't block off the Labs."

Anyway, the cost is really not a factor. Finding what to invest the money in is the issue. The PRIMARY (and, maybe, ONLY) concern is keeping viruses that propagate through network shares from coming to the production network. The device I was testing does SMTP, POP and Web filtering, but 90% of the Virus problems are NetBIOS borne. And, no, I can't filter out NetBIOS ports between the Labs and the production sides. That is my dilemma. IF there is a device on the market that does NetBIOS virus scanning and prevention, a big part of my problem will disappear overnight. And, if wishes were horses :-p

From the look of things, though, it seems that this is one of the situations where we say "There are seldom good technological solutions to behavioral problems." Apologies to Ed Crowley :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Bill Moran
Sent: Fri 10/17/2003 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] VERY OT: Preventing Viruses from Lab to Live network

[EMAIL PROTECTED] wrote:
> I forgot to mention that. Yeah, there is a requirement for connectivity between the 2 sides. That's why firewalling them is not an option.

I've been following this because I think it's outrageous. I don't envy your problem.

I think you're in a situation where you'll have to say "if that's what you want, then it's going to cost you" to whoever put the connectivity requirement in place.

First off, you are going to want a firewall between production and lab. Set it to deny by default, then allow ONLY the EXACT traffic that you want to allow. Then configure logging and make it a point to review the logs regularly.

I would also suggest a dedicated SMTP relay for the lab, with virus scanning and extensive access restrictions: again, allow only what you KNOW is safe, log everything, and review the logs
[ActiveDir] Determining Where Global Groups Have Access
I'm interested in how people keep track/audit where global groups or domain local groups have been granted access to member servers. It's easy enough to determine a global group's membership, but not all the places this group has access.

Any thoughts are appreciated.
RE: [ActiveDir] Creating programmatically when password complexity is in force
Actually, don't set the userAccountControl at all before the first SetInfo. When you do that it will automatically create the account disabled and as a normal user account. I just looked at the Tuna example. It does have the userAccountControl being set to ADS_UF_NORMAL_ACCOUNT prior to the first SetInfo, which isn't correct.

Here is the generic example of how it should look (ParentDN, UserName, UserUPN, UserFirstName, UserLastName and password1 are variables assumed to be set earlier in the script):

    ' Bind to the container, create the object and stamp the required attributes.
    Set objParent = GetObject("LDAP://" & ParentDN)
    Set objUser = objParent.Create("user", "cn=" & UserName)
    objUser.Put "sAMAccountName", UserName
    objUser.Put "userPrincipalName", UserUPN
    objUser.Put "givenName", UserFirstName
    objUser.Put "sn", UserLastName
    objUser.Put "displayName", UserFirstName & " " & UserLastName
    ' First SetInfo: the object is created disabled, as a normal user account.
    objUser.SetInfo
    ' Only now does the object exist, so the password can be set and the
    ' account enabled; the second SetInfo commits the enable.
    objUser.SetPassword password1
    objUser.AccountDisabled = FALSE
    objUser.SetInfo

Obviously the version you posted will work fine as well. :op

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, October 16, 2003 7:38 PM
To: [EMAIL PROTECTED]

Joe,

Yeah - turning off the password policy. Hm. Yummy, chewy insides.

We got it resolved, thanks to Mr. Cornetet. Turns out that what I needed to do was:

    ' ~
    Const ADS_UF_NORMAL_ACCOUNT = 512
    Const ADS_UF_DISABLED_ACCOUNT = 514   ' 512 + 2 (ADS_UF_ACCOUNTDISABLE)

    Set objParent = GetObject("LDAP://" & ParentDN)
    Set objUser = objParent.Create("user", "cn=" & UserName)         ' e.g. rickk
    objUser.Put "sAMAccountName", UserName                            ' e.g. rickk
    objUser.Put "userPrincipalName", UserUPN                          ' e.g. [EMAIL PROTECTED]
    objUser.Put "givenName", UserFirstName                            ' e.g. Rick
    objUser.Put "sn", UserLastName                                    ' e.g. Kingslan
    objUser.Put "displayName", UserFirstName & " " & UserLastName     ' e.g. Rick Kingslan
    ' Create the object disabled so the empty password does not trip the policy.
    objUser.Put "userAccountControl", ADS_UF_DISABLED_ACCOUNT
    objUser.SetInfo
    ' Object exists: set the password, then enable and commit.
    objUser.SetPassword(Password)
    objUser.AccountDisabled = FALSE
    objUser.Put "userAccountControl", ADS_UF_NORMAL_ACCOUNT
    objUser.SetInfo
    ' ~~~

Basically, set the account to disabled before creating it so that the account would be disabled when the password was applied. Worked like a charm, so that's one piece of the automation tools resolved. It's a start to a long road - but we're finally getting some things realized. It's a good thing(TM).

> Did it make it into Tuna to do the password set and useraccountcontrol set prior to the first setinfo.

Sadly, no - that was my first source, and there was nothing that helped, hence the message out to you guys. Thanks for the message, however!

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Thursday, October 16, 2003 6:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Creating programmatically when password complexity is in force

Rick you have two options...

1. Turn off your password requirements policy and allow blank passwords... :op

2. Don't touch userAccountControl (i.e. enable the user) nor the password until after you create the user object.

Did it make it into Tuna to do the password set and userAccountControl set prior to the first SetInfo? That was something I pointed out. I haven't had a chance to read through the final.

Don't be worried, this is a pretty common one.

Your buddy joe :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kingslan, Rick T.
Sent: Thursday, October 16, 2003 8:06 AM
To: [EMAIL PROTECTED]

I've run into an interesting problem. If I create a user programmatically (using C#, but we've confirmed the same with VBScript), the password cannot be set until the user object exists. If I try it, we get the error "Server is unwilling to process the request" when a SetInfo is done on the creation of the user object. All required fields for the user object are being entered, and checked per the 'Tuna' just to be sure.

However, the user cannot exist with a blank password because the blank password violates the password complexity and the minimum length rules. And, as stated, the password cannot be set until the object exists.

Would one of the scripting / programming geniuses that we have here tell me what I'm missing? I have to believe that there is a way to do this. Or, am I going to be relegated to using ADUC again to create my users (which is a major pain in the a$$, to say the least)?

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
LAN Administration - Windows 2000
West Corporation
[EMAIL PROTECTED]
[ActiveDir] Way OT: SSL to SQL over the i-net
I know it's way OT but have yet to find any good SQL lists. If you know of any please point me to those.

We have a web app that lives on our host's web server. It talks to our internal SQL box. All works and works like it should...except now I want to encrypt the traffic. I know the connection string to put in on the web programming...what I can't figure out is who gets which Certs from our CA.

Web box is Win2k3 IIS 6
SQL box is Win2k sp3 SQL 2k sp3

Any help or suggestions of other lists are much appreciated.

TIA
Mark Nold
Re: [ActiveDir] Way OT: SSL to SQL over the i-net
According to Books Online - you need two certs - one for the app server, and one for the SQL Server.

People from the MS SQL Server security team (Richard Waymire etc.) are on: news://microsoft.public.sqlserver.security

Cheers
Ken

~~
From: Mark Nold [EMAIL PROTECTED]
Subject: [ActiveDir] Way OT: SSL to SQL over the i-net

I know it's way OT but have yet to find any good SQL lists. If you know of any please point me to those.

We have a web app that lives on our host's web server. It talks to our internal SQL box. All works and works like it should...except now I want to encrypt the traffic. I know the connection string to put in on the web programming...what I can't figure out is who gets which Certs from our CA.

Web box is Win2k3 IIS 6
SQL box is Win2k sp3 SQL 2k sp3

Any help or suggestions of other lists are much appreciated.

TIA
Mark Nold