[ActiveDir] [OT] Really off-topic!

2003-11-04 Thread Oliver Marshall



Sorry for the really off-topic posting, but is anyone on the list in, or around, the area of Salzburg, Austria? I need to get hold of something from a certain shop there, and I need someone to see if they can get the phone number for me.

Thanks

Olly


RE: [ActiveDir] [OT] Really off-topic!

2003-11-04 Thread Abbiss, Mark

I live in Munich...about an hour and a half away. Maybe I can get some info for you.

-----Original Message-----
From: Oliver Marshall [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] Really off-topic!

 




[ActiveDir] ADUC MMC

2003-11-04 Thread George Arezina

After delegating control to a specific number of users to reset and unlock locked accounts I ran into a very weird problem. The delegated users were able to open the properties of users under ADUC. Now, when they attempt to open the properties tab, ADUC just closes itself as if the delegated user clicked on the x to exit ADUC. This phenomenon only happens under the Users Tab under ADUC. In other OUs the delegated users can open the properties page of a user and unlock locked accounts. Does anyone have a clue as to how to fix this problem? I have delegated control to specific people in order to alleviate certain admins from such a tedious task of unlocking locked users. I should also mention the fact that this does not happen on another DC in my domain. The other DC has SP4 installed while this one with the problem does not. I ran into trouble after installing SP4 and decided to return to SP3 with all the post-SP3 security patches installed.

Thanks in advance.

George Arezina
BA, A+, Net+, MCSE 2000
Information Technology Consultant
National Bank of Serbia
Pop Lukina 7-9, 11000 Belgrade.
E-mail: [EMAIL PROTECTED]
Phone: +381 (11) 3202-474
GSM: +381 (63) 342-321








RE: [ActiveDir] ADUC MMC

2003-11-04 Thread Tony Murray

George

Sounds like the problem has more to do with the troubled upgrade to SP4 on that DC than anything else. What were the problems you had after installing SP4? It seems strange that you should have issues with applying an SP on one DC but not the other.

Some other thoughts:

1. Are the delegated users running ADUC on their own machines, or are they connecting directly to the DC via TS?
2. Anything in the event logs when the problem occurs?
3. Do you also see the problem when you use ADUC on the SP4 DC to connect to the SP3 DC (using the "connect to Domain Controller" option)?

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Dienstag, 4. November 2003 10:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC MMC




RE: [ActiveDir] ADUC MMC

2003-11-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

"I should also mention the fact that this does not happen on another DC in my domain."
=> do you mean that your ADUC had issues when connected to the SP3 DC, or was the ADUC running on the respective server (logged onto the console or via TS)?

I doubt the latter, however I've not seen the problem myself - so which version of the adminpak is installed on your delegated admins' machines? Who knows, maybe there's a bug with specific versions of ADUC connected to specific SP versions of a DC, but this would be awkward.

"This phenomenon only happens under the Users Tab under ADUC" - do you mean the Users container in AD? You have the issue in this container, but not in any OU that your delegated users are accessing - correct? What permissions did you set exactly and where?

From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 4. November 2003 10:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC MMC




RE: [ActiveDir] ADUC MMC

2003-11-04 Thread George Arezina

Tony,

Delegated users are running ADUC via TS.

No out of the ordinary events in the EV logs.

No, I do not see the problem when connecting to the SP4 DC via the “Connect to Domain Controller” option.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tony Murray
Sent: Tuesday, November 04, 2003 10:38 AM
To: [EMAIL PROTECTED]


 



RE: [ActiveDir] ADUC MMC

2003-11-04 Thread George Arezina

=> do you mean that your ADUC had issues when connected to the SP3 DC, or was the ADUC running on the respective server (logged onto the console or via TS)?

Already running on the SP3 prior to install of SP4 without any problems.

do you mean the Users container in AD? You have the issue in this container, but not in any OU that your delegated users are accessing - correct? What permissions did you set exactly and where?

Yes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, November 04, 2003 10:29 AM
To: [EMAIL PROTECTED]



 



RE: [ActiveDir] ADUC MMC

2003-11-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

What version is the ADUC on your TS and is this a separate machine, or one of the DCs themselves?

You didn't mention the permissions you set...

From: George Arezina [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 4. November 2003 11:12
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADUC MMC




[ActiveDir] Permissions Required For Installing Child Domain

2003-11-04 Thread Santhosh Sivarajan

Hi all,

What is the permission required for configuring a child domain in an existing forest? Is it Enterprise Admin?

Thanks in advance
Santhosh








RE: [ActiveDir] Windows 2003 domain in Windows 2000

2003-11-04 Thread Santhosh Sivarajan

Thanks for the response. I found an issue with Schema update if you have Exchange 2000. Here is the KB Article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;314649

Has anyone seen this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of DeGrands, Charles
Sent: Thursday, October 30, 2003 1:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Windows 2003 domain in Windows 2000

We’ve got the root 2000 \ child 2003 forest running in our environment. No issues so far. One division was on the early adopters program, but we couldn’t get the other divisions to agree to upgrade the root.

You can upgrade the Schema with the Forestprep and Domainprep utilities that are located on the 2003 media.

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 30, 2003 11:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 domain in Windows 2000

How do you upgrade the schema without upgrading the OS?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Adams, Kenneth W (Ken)
Sent: Thursday, October 30, 2003 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Windows 2003 domain in Windows 2000

I would think it is possible if you update the Windows 2000 schema first. Don't know for sure as I haven't worked much with Windows Server 2003 yet.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 30, 2003 1:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows 2003 domain in Windows 2000

One simple question:

Is it possible to add a Windows 2003 child domain to an existing Windows 2000 forest? I have a Windows 2000 forest called ABC.COM. I would like to create a child Windows 2003 domain (XZY.ABC.COM) for one more of my branch offices and join it with the ABC.COM forest. Is it possible? Because the Schema Master is holding the Windows 2000 Schema, not Windows 2003.

Thanks in advance,
Santhosh








RE: [ActiveDir] Permissions Required For Installing Child Domain

2003-11-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

Yes, you'll need to have Enterprise Admin permissions to add the first DC of a new child domain. Afterwards Domain Admins can continue to add DCs of that domain.

/Guido

From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]]
Sent: Dienstag, 4. November 2003 13:16
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Permissions Required For Installing Child Domain




RE: [ActiveDir] Another scripting bug...

2003-11-04 Thread Michael B. Smith

Heh.

It fails on the rec.Open.

I've tried (and re-tried this morning to make sure) both the "\" escape and the "%26" escape. Neither generates a different error.

Thanks anyway.

From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 6:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another scripting bug...

It probably is a bug. Wouldn't surprise me in the least. And I don't think it would surprise anyone that I say that. :oP

I am not good for reading the Exchange Server side only scripts, which line specifically blows out below? Does it fail on the rec open or the rs open? If on the rec I would say try to escape the & with a \, if on rs try it with a %xx where xx is the value of the & in hex which I have no clue is right this second...

For info, ESM appears to use MAPI instead of the DAV stuff. I could be wrong but the traces that I have done to figure out how things work scream MAPI to me.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Monday, November 03, 2003 2:10 PM
To: [EMAIL PROTECTED]

I asked this question of Siegfried some time ago, and he said it was a bug. I believe him. Does anyone know a way around it, oh script gurus? Or could one of you submit a bug report to someone that would care? :-)

I have a number of accounts whose Exchange alias has an ampersand in it. The historical reason for that is MS' fault, but that's neither here nor there. They just are. I use the routine below to get the size of the mailboxes. However, for those accounts whose alias has the ampersand in it, the open fails with the error:

Object or data matching the name, range, or selection criteria was not found within the scope of this operation.

Any ideas for working around this problem? Obviously there is SOME way, because ESM doesn't have this issue (obviously, I'd prefer a vbscript solution -- I'm not really a programmer these days).

Thanks,
M
 
Function GetMailboxSize (strMailBoxName, strDomainName)
    Dim sUserName ' As String
    Dim mailboxSZ ' As Double
    Dim sURL ' As String
    Dim sSQL ' As String
    Dim Rs ' As New ADODB.Recordset
    Dim Rec ' As New ADODB.Record
    Dim strErr ' As String
    On Error Resume Next

    Set Rs = Wscript.CreateObject ("ADODB.Recordset")
    Set Rec = Wscript.CreateObject ("ADODB.Record")

    mailboxSZ = 0

    sUserName = strMailBoxName
    ' ExOLEDB file: URL of the mailbox root; an "&" in the alias is what makes this open fail
    sURL = "file://./backofficestorage/" & strDomainName & "/MBX/" & sUserName
    Rec.Open sURL
    If Err.Number <> 0 Then
        strErr = "Could not open: " & sURL & " (" & Err.Description & ")"
        GetMailboxSize = -1
        Exit Function
    End If

    ' ExOLEDB SQL: folder size and display name of every folder below the mailbox root
    sSQL = "Select"
    sSQL = sSQL & " ""http://schemas.microsoft.com" & _
        "/exchange/foldersize"" "
    sSQL = sSQL & ", ""DAV:displayname"" "
    sSQL = sSQL & " from scope ('deep traversal of " & Chr(34)
    sSQL = sSQL & sURL & Chr(34) & "')"
    sSQL = sSQL & " Where ""DAV:isfolder""=true"   ' leading space keeps "')" and "Where" apart

    Rs.Open sSQL, Rec.ActiveConnection

    If Not Rs.EOF Then
        Rs.MoveFirst
    End If

    ' Sum the per-folder sizes to get the mailbox total
    While Not Rs.EOF
        mailboxSZ = mailboxSZ + _
            Rs.Fields("http://schemas.microsoft.com/exchange/foldersize").Value
        Rs.MoveNext
    Wend
    GetMailboxSize = mailboxSZ
    Rs.Close
    Rec.Close

    Set Rs = Nothing
    Set Rec = Nothing
End Function


RE: [ActiveDir] Permissions Required For Installing Child Domain

2003-11-04 Thread Dean Wells

Yes ... EA permissions are required to create CrossRef objects which represent partitions within a forest (in this context, a partition equates to a domain). You can, however, precreate the CrossRef as an Enterprise Admins member and delegate control over it to a suitable user who will perform the DCpromo operation. The "precreate" option can be found within NTDSUTIL.

Dean
--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Santhosh Sivarajan
Sent: Tuesday, November 04, 2003 7:16 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Permissions Required For Installing Child Domain
  


RE: [ActiveDir] ADUC MMC

2003-11-04 Thread Joe

OK right off the bat, I wouldn't let anyone besides the domain admins TS into a domain controller. That isn't the root of your problem but could be the root of others before or down the road. You will probably get someone on here that may say that the server could be hardened but I am going to say there is going to be someone who will find a bug or some hole you aren't aware of and be able to do damage.

Other than that if you have to use that DC in that way, I would recommend uninstall and then reinstall the adminpak from the SP that you currently have running on the machine.

Note that you can script the unlock and reset of user IDs:

Set o = GetObject("LDAP://cn=userid,cn=users,dc=domain,dc=com")   ' bind to the user by DN (the path must be a quoted string)
o.lockouttime = 0             ' a lockoutTime of zero unlocks the account
o.SetInfo                     ' commit the attribute write to the directory
o.SetPassword "newpassword"   ' reset the password; SetPassword commits on its own, no SetInfo needed
 
You simply have to know the DN or do a quick search for it or use name translate to get it, see posts from yesterday.

These scripts the users could run from their machines.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Tuesday, November 04, 2003 5:10 AM
To: [EMAIL PROTECTED]



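Building on Joe's snippet above, here is an added example (my own code, not from Joe or the list) of a helpdesk unlock/reset script that the delegated users could run from their own workstations instead of a TS session on a DC; it resolves the logon name to a DN with IADsNameTranslate as Joe suggests, and adds a scope check and a forced password change that the snippet does not have. The script name, the OU in DELEGATED_OU_DN and the "reset" argument are assumptions for the example.

```vbscript
' Added example, not code from the original post or the list.
' Assumes: run with cscript.exe by a helpdesk account that has been delegated
' "Reset password" plus write access to lockoutTime and pwdLastSet on the OU
' below; the resolved DN is checked against that OU so the script refuses to
' touch accounts anywhere else (e.g. the Users container or admin OUs).
Option Explicit

Const ADS_NAME_INITTYPE_GC = 3   ' IADsNameTranslate: bind to a global catalog
Const ADS_NAME_TYPE_NT4    = 3   ' input format  DOMAIN\user
Const ADS_NAME_TYPE_1779   = 1   ' output format RFC 1779 distinguished name

' Only accounts under this OU may be touched (hypothetical value for the example).
Const DELEGATED_OU_DN = "OU=Staff,DC=domain,DC=com"

' Resolve DOMAIN\user to a DN with IADsNameTranslate (Joe's "name translate" hint).
Function GetUserDN(strNT4Name)
    Dim objTrans
    Set objTrans = CreateObject("NameTranslate")
    objTrans.Init ADS_NAME_INITTYPE_GC, ""
    objTrans.Set ADS_NAME_TYPE_NT4, strNT4Name
    GetUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
End Function

' Guard: the DN must end with the delegated OU, i.e. the object lives inside it.
Function IsInDelegatedScope(strDN)
    Dim strTail
    strTail = Right(strDN, Len(DELEGATED_OU_DN))
    IsInDelegatedScope = (StrComp(strTail, DELEGATED_OU_DN, vbTextCompare) = 0) _
        And (Len(strDN) > Len(DELEGATED_OU_DN))
End Function

' Clear lockoutTime (the same write as "o.lockouttime=0" in the post) and commit.
Sub UnlockAccount(objUser)
    objUser.Put "lockoutTime", 0
    objUser.SetInfo
End Sub

' Reset the password and force a change at next logon, so the value the
' helpdesk typed is only a one-time credential.
Sub ResetPassword(objUser, strNewPassword)
    objUser.SetPassword strNewPassword   ' SetPassword commits on its own
    objUser.Put "pwdLastSet", 0          ' 0 = "user must change password at next logon"
    objUser.SetInfo
End Sub

' ---- main ----
Dim strNT4, strDN, objUser, strPwd
If WScript.Arguments.Count < 1 Then
    WScript.Echo "usage: cscript unlock.vbs DOMAIN\user [reset]"
    WScript.Quit 1
End If
strNT4 = WScript.Arguments(0)

On Error Resume Next
strDN = GetUserDN(strNT4)
If Err.Number <> 0 Then
    WScript.Echo "Could not resolve " & strNT4 & ": " & Err.Description
    WScript.Quit 2
End If
On Error GoTo 0

If Not IsInDelegatedScope(strDN) Then
    WScript.Echo "Refusing: " & strDN & " is outside " & DELEGATED_OU_DN
    WScript.Quit 3
End If

Set objUser = GetObject("LDAP://" & strDN)
UnlockAccount objUser
WScript.Echo "Unlocked " & strDN

If WScript.Arguments.Count > 1 Then
    If LCase(WScript.Arguments(1)) = "reset" Then
        ' Read the new password from stdin rather than the command line so it
        ' does not show up in process listings or shell history.
        WScript.StdOut.Write "New temporary password: "
        strPwd = WScript.StdIn.ReadLine
        ResetPassword objUser, strPwd
        WScript.Echo "Password reset; user must change it at next logon."
    End If
End If
```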

[ActiveDir] Restoring System State from a DC

2003-11-04 Thread Abbiss, Mark

Please can anyone tell me if it is possible to make a connection to a network share when a server has been booted up into the Directory Services Restore Mode?

I was planning to place my system state backup file on a network share. This is obviously a waste of time if I can't get to it if I need to do a restore at any time.

Many thanks


RE: [ActiveDir] Another scripting bug...

2003-11-04 Thread Michael B. Smith

Oh very cool.

That works (except for two accounts out of several hundred for some weird reason -- still tracking that), and it's much faster than ADO. It requires a bit more setup (since you've gotta know the specific Exchange server a mailbox resides upon), but it works quite well.

Thanks muchly,
Michael

From: Matjaz Ladava [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 03, 2003 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Another scripting bug...

Have you tried to use this script to obtain mailbox size? http://www.msexchangefaq.de/code/mbsize.vbs.txt . It uses CDO objects instead of ADO.

Give it a try and let us know.

Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
[EMAIL PROTECTED], [EMAIL PROTECTED]
http://ladava.com

----- Original Message -----
From: Michael B. Smith
To: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 8:09 PM
Subject: [ActiveDir] Another scripting bug...
  


RE: [ActiveDir] Group policy

2003-11-04 Thread Rich Milburn
John, if you want to make sure these servers never get any GPOs you might put
in the domain, or make it more obvious at a glance what GPOs they are
getting, you can put them in their own OU and block inheritance to that OU.
Yes, it is grouping them for GPO application, not necessarily administrative
reasons, but IME this is a pretty simple solution to what sounds like a
straightforward issue for you.
Rich

-Original Message-
From: John Parker [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 5:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Group policy

Hey all,

I have a few servers that authenticate to my active directory, but I do not
want the group policy to affect them.

How can I accomplish this?

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Digital Display Systems.

Alpha Video
7711 Computer Ave.
Edina, MN. 55435
 
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct

[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---


-Original Message-
From: Free, Bob [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 5:18 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDAP wright to certains accounts not happening.


Sounds like adminSDholder at work  

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] 
Sent: Monday, November 03, 2003 10:30 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] LDAP wright to certains accounts not happening.

What is interesting is these accounts are a member of Domain
Administrator.

Also the permissions didn't propagate down to the child objects that are
in the Domain Administrator group. They propagated down to other child
user objects in the users container, though.

I went in and manually added the permissions to one of the accounts, and
the LDAP write operation still fails.

Does anyone know if this is by design via the LDAP interface? The
developer isn't using ADSI.

Thanks,

Todd Myrick


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


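Rich's suggestion carried out end to end, as an added example that is not part of the original thread: create the OU, move the servers into it, block inheritance, and then list what still applies. The OU name and computer names are placeholders, and the script assumes the RSAT ActiveDirectory and GroupPolicy modules are installed on the machine it runs from.

```powershell
# Added example (not from the thread): isolate servers from domain GPOs by OU
# and verify the result. OU name and server names are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain  = Get-ADDomain
$ouName  = 'No-GPO Servers'                 # assumed OU name
$ouDN    = "OU=$ouName,$($domain.DistinguishedName)"
$servers = @('SRV01', 'SRV02')              # assumed computer names

# 1. Create the OU directly under the domain if it does not exist yet.
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" `
    -SearchBase $domain.DistinguishedName -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}

# 2. Move the computer objects. SIDs and group memberships are untouched;
#    only the OU path, and therefore the GPO scope, changes.
foreach ($name in $servers) {
    $computer = Get-ADComputer -Identity $name
    if ($computer.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $computer.DistinguishedName -TargetPath $ouDN
    }
}

# 3. Block inheritance on the new OU.
Set-GPInheritance -Target $ouDN -IsBlocked Yes | Out-Null

# 4. Verify. Blocking stops ordinary inherited links, but links marked
#    Enforced at the site or domain level still apply, so list what remains
#    rather than assuming the OU receives nothing.
$inh = Get-GPInheritance -Target $ouDN
"Inheritance blocked on $ouDN : $($inh.GpoInheritanceBlocked)"
"GPOs still applied:"
$inh.InheritedGpoLinks | Select-Object DisplayName, Enforced, Enabled, Order

Get-GPInheritance -Target $domain.DistinguishedName |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.Enforced } |
    ForEach-Object { "Enforced at domain level, bypasses the block: $($_.DisplayName)" }
```

Two things to keep in mind when you do this: a blocked OU also loses any domain-level hardening or audit-policy GPOs, so those settings have to be linked to the new OU explicitly if the servers still need them, and the block only takes effect on the servers after their next policy refresh (`gpresult /r /scope:computer` on the server shows what was actually applied).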
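Bob's one-line diagnosis, expanded as an added example that is not part of the original thread: the symptoms Todd describes (permissions that propagate to ordinary users in the container but not to members of Domain Admins, and a hand-added ACE that still does not work) are what AdminSDHolder and the SDProp process produce. The script below shows how to confirm that for one account. The account name is a placeholder and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example (not from the thread): confirm that SDProp is resetting an
# account's ACL from the AdminSDHolder template. Account name is assumed.
Import-Module ActiveDirectory

$sam      = 'jdoe'                               # assumed: a user in Domain Admins
$domainDN = (Get-ADDomain).DistinguishedName
$user     = Get-ADUser -Identity $sam -Properties adminCount, nTSecurityDescriptor

# SDProp stamps adminCount=1 and disables ACL inheritance on every member of a
# protected group, which is why ACEs delegated at the OU never reach the object.
"adminCount           : $($user.adminCount)"
"Inheritance disabled : $($user.nTSecurityDescriptor.AreAccessRulesProtected)"

# Which protected group(s) put the account in scope?
foreach ($g in Get-ADGroup -LDAPFilter '(adminCount=1)') {
    if (Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.SamAccountName -eq $sam }) {
        "Protected via group  : $($g.Name)"
    }
}

# Any explicit ACE on the user that is not on the AdminSDHolder template is
# overwritten on the next SDProp pass (default: every 60 minutes, run on the
# PDC emulator). That is what makes a hand-added ACE stop working.
function Format-Ace($ace) {
    '{0}|{1}|{2}|{3}|{4}' -f $ace.IdentityReference, $ace.ActiveDirectoryRights,
        $ace.AccessControlType, $ace.ObjectType, $ace.InheritedObjectType
}
$template = (Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDN").Access |
    ForEach-Object { Format-Ace $_ }
$extra = (Get-Acl -Path "AD:\$($user.DistinguishedName)").Access |
    Where-Object { -not $_.IsInherited -and (Format-Ace $_) -notin $template }

if ($extra) {
    "ACEs on $sam that SDProp will remove:"
    $extra | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize
} else {
    "ACL on $sam already matches AdminSDHolder; nothing extra will survive SDProp."
}
```

The two ways out are very different in blast radius: adding the developer's ACE to AdminSDHolder itself makes it apply to every protected account in the domain, whereas keeping the accounts the application writes to out of protected groups confines the grant to those accounts. If you go the second way, note that adminCount stays at 1 and inheritance stays disabled after the group removal until you clear them by hand.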


RE: [ActiveDir] Restoring System State from a DC

2003-11-04 Thread John Reijnders
Booting a DC in DSRM effectively boots it into a "workgroup mode".
However, you will be able to access a network share if you have another DC
nearby that can authenticate the user that tries to access the network share.
So, you will need to present your credentials when you're connecting to the
share.

Cheers!
John

From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 4 November 2003 14:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Restoring System State from a DC

Please can anyone tell me if it is possible to make
a connection to a network share when a server has been booted up
into the Directory Services Restore Mode?

I was planning to place my system state backup file
on a network share. This is obviously a waste of time if I can't get to it if I
need to do a restore at any time.

Many thanks


RE: [ActiveDir] Restoring System State from a DC

2003-11-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Yes, the DC is fully network capable, but it acts like a
standalone machine which you have to log on to with the "restore mode" password
(basically you're logging onto the local SAM, which is disabled when it's
booted as a DC).  As such you can also log on to a machine in restore mode
via Terminal Services...

Thus you can connect to any network share as long as you
have a valid account that you can use to connect to it - either a domain account
(if other DCs are available for authentication) or a local account on the target
server.

/Guido

From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 4 November 2003 14:39
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Restoring System State from a DC

Please can anyone tell me if it is possible to make
a connection to a network share when a server has been booted up into
the Directory Services Restore Mode?

I was planning to place my system state backup file on
a network share. This is obviously a waste of time if I can't get to it if I need
to do a restore at any time.

Many thanks


RE: [ActiveDir] ADUC MMC

2003-11-04 Thread Rich Milburn

Joe, speaking of scripts to unlock users...
have you (or anyone else) ever set up an alert/script combo that triggers when
an account gets locked out, brings up the user info to you with various info,
and lets you acknowledge and unlock it / call the user / chase the hacker
depending on the situation?  At a glance this seems it might be useful,
but maybe I haven't thought through the implications...

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 6:57 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADUC MMC

OK, right off the bat, I wouldn't let anyone besides the domain admins TS into
a domain controller. That isn't the root of your problem but could be the root
of others before or down the road. You will probably get someone on here that
may say that the server could be hardened, but I am going to say there is
going to be someone who will find a bug or some hole you aren't aware of and
be able to do damage.

Other than that, if you have to use that DC in that way, I would recommend
uninstall and then reinstall the adminpak from the SP that you currently have
running on the machine.

Note that you can script the unlock and reset of user IDs:

' Bind to the user by DN through the ADSI LDAP provider. The account running
' this needs "Reset password" and write access to lockoutTime on the target.
Set o = GetObject("LDAP://cn=userid,cn=users,dc=domain,dc=com")
' Writing 0 to lockoutTime clears the lockout; SetInfo commits the cached change.
o.Put "lockoutTime", 0
o.SetInfo
' SetPassword takes effect immediately (no SetInfo) and requires a secure
' channel (Kerberos or LDAP over SSL) to the DC.
o.SetPassword "newpassword"

You simply have to know the DN or do a quick search for it or use name
translate to get it, see posts from yesterday.

These scripts the users could run from their machines.

…
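Rich's alert/acknowledge/unlock idea, as an added example that is not part of the thread (it is neither Joe's nor Rich's code): a PowerShell triage script that reads recent lockout events from the PDC emulator, separates "one caller locking many accounts" (investigate) from "one account locked from its own workstation" (probably a stale saved credential), and only offers to unlock the latter, with a confirmation prompt as the acknowledge step. It assumes a current DC with the ActiveDirectory module; the event ID is 4740 (Windows 2000/2003 logged this as 644), and the spray threshold is this example's own choice.

```powershell
# Added example (not from the thread): triage recent lockouts and unlock only
# the ones that do not look hostile. Threshold and -Unlock switch are assumptions.
param(
    [int]$Hours = 1,
    [int]$SprayThreshold = 3,   # distinct accounts locked from one caller -> treat as hostile
    [switch]$Unlock
)
Import-Module ActiveDirectory

# Lockouts are always recorded on the PDC emulator, whichever DC saw the bad passwords.
$pdc = (Get-ADDomain).PDCEmulator

# 4740 = "A user account was locked out".
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
        Caller  = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
}

# A caller that locks several different accounts is guessing passwords; the same
# account locked repeatedly from one caller is usually a cached credential.
foreach ($c in ($lockouts | Group-Object Caller)) {
    $accounts = $c.Group.Account | Sort-Object -Unique
    $hostile  = $accounts.Count -ge $SprayThreshold
    $verdict  = if ($hostile) { 'INVESTIGATE' } else { 'probable stale credential' }
    "{0,-20} {1,2} account(s): {2} [{3}]" -f $c.Name, $accounts.Count, ($accounts -join ', '), $verdict

    if ($Unlock -and -not $hostile) {
        foreach ($a in $accounts) {
            $u = Get-ADUser -Identity $a -Properties LockedOut, LastBadPasswordAttempt -Server $pdc
            if ($u.LockedOut) {
                # -Confirm is the "acknowledge" step: nothing is unlocked without a human yes.
                Unlock-ADAccount -Identity $u -Server $pdc -Confirm
                "  unlocked $a (last bad password: $($u.LastBadPasswordAttempt))"
            }
        }
    }
}
```

Run it read-only first (`.\lockouts.ps1 -Hours 4`) and only add `-Unlock` once the output matches what the help desk is hearing; the script deliberately never unlocks anything on the INVESTIGATE side, because unlocking an account that a spraying caller just locked simply hands the attacker more attempts.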


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread Mulnick, Al
And that's what's confusing.  W2K DNS is told to use TCP for large packets, and
you can force that as I recall. So in your case, the firewall was the issue,
right?  Slight change in the way that the DNS packets were travelling
across?

Al

-----Original Message-----
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Eh... I ran across something like that during the w2k3
beta process. Something about w2k didn't support long/extended DNS responses
across TCP and w2k3 does. There was also something fishy about w2k3 not
properly following referrals in deeply embedded zones.

I changed over to having my w2k3 servers forward to my
Unix authoritative servers instead of following root hints and forgot about
it.

From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks for the tip. I have added the static
entries to my servers. I have to admit that in my actual operation I
have not found that to be the case with the PIX. I did find the final cause of
my problems from your tip. The new 6.33 code added a DNS fixup command that
had no qualms at all about eating the responses being sent to my Windows 2003
DNS servers. I don't know why it did not eat them going to the Win2K DNS.

Once I disabled DNS fixup, the problem ended on my
test servers, and I just changed the production servers as well. They now
receive long MX responses without issues.

---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering
mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"

From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Um, you *definitely* need to have static NAT and the correct ACLs for your DNS
servers. By default, DNS uses UDP connects, which are stateless - so there is
no session state to track, and the replies will be
rejected.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Thanks, I have really found all the suggestions
given helpful. Even when they have rehashed things I tried before,
they have encouraged me to try them again. My main frustration with all of
this is that with what appears to be an identical configuration, Win2K gives
me results and Win2K3 does not and it just makes no sense to
me.

The server that I am testing with is one of my
production internal DNS servers. It is also a DC. It is a Netserver LH3000
with a single Intel 10/100 NIC. Below is the ipconfig /all.

Windows IP Configuration

   Host Name . . . . . . . . . . . . : atldc1
   Primary Dns Suffix  . . . . . . . : summitmg.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : summitmg.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NetServer 10/100TX PCI LAN Adapter
   Physical Address. . . . . . . . . : 00-30-6E-00-B3-71
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.100.1.220
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 10.100.1.230
   DNS Servers . . . . . . . . . . . : 10.100.1.206
                                       10.100.1.220
   Primary WINS Server . . . . . . . : 10.100.1.206
   Secondary WINS Server . . . . . . : 10.100.1.207

It is behind a PIX firewall, running 6.33. I have added a static ACL for TCP
and UDP DNS traffic (port 53) from 208.51.103.75 to the internal
IP of 10.100.1.220. Note that it should not NEED this ACL as the PIX should
NAT the outbound request and replies just fine. For the two DNS
servers I configured for testing this morning, there were no ACLs
added. In the case of the Windows 2000 DNS all MX requests work, and for the
Windows 2003 DNS only some work. I have found requests for cnn.com and
bestbuy.com to work, but requests for aol.com and earthlink.net to fail on
th

RE: [ActiveDir] Univ group best practice

2003-11-04 Thread Mulnick, Al
Agreed.  There's no reason to put something in the empty root
since by definition there's no resource they use.

Al

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 6:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Univ group best practice

In my opinion, in the domain that they will find the most use and is guaranteed
to be around forever or at least as long as you need the
UNI.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, November 03, 2003 9:59 AM
To: [EMAIL PROTECTED]

We're just getting started with
universal groups (for security, not distribution) and I'm just wondering as a
best practice, where should they be located? We have a so-called empty root,
and a few sub-domains, so where does it make the most sense to place the
Universal Groups as they are created? Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do


RE: [ActiveDir] Univ group best practice

2003-11-04 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

I'd place them where they're managed.  I.e. if a
delegated admin of a sub-domain is managing a resource that is supposed to be
secured with a UG, then place the UG in an OU where he is delegated enough
permissions to manage the group.  Usually, this also equates to hosting
the UG in the domain where most users come from. But UGs can be placed into any
domain, as the UG is replicated via the GC anyways.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, 3 November 2003 15:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Univ group best practice

We're just getting started with
universal groups (for security, not distribution) and I'm just wondering as a
best practice, where should they be located? We have a so-called empty root, and
a few sub-domains, so where does it make the most sense to place the Universal
Groups as they are created? Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do


RE: [ActiveDir] Restoring System State from a DC

2003-11-04 Thread Matjaž Ladava
Sure. When you boot into DSRM network works just fine.
In fact I was TS-ing to one Windows server booted in DSRM and did troubleshooting
of AD over the network.

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
[EMAIL PROTECTED]
http://ladava.com

From: Abbiss, Mark [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:39 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Restoring System State from a DC

Please can anyone tell me if it is possible to make
a connection to a network share when a server has been booted up into
the Directory Services Restore Mode?

I was planning to place my system state backup file on
a network share. This is obviously a waste of time if I can't get to it if I need
to do a restore at any time.

Many thanks


RE: [ActiveDir] Another scripting bug...

2003-11-04 Thread Matjaž Ladava

Great to hear that. ADO sometimes behaves strangely. For
example if you take ADO for querying AD. There are several ways to sort ADSI
results, but none works as it should :-(

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
[EMAIL PROTECTED]
http://ladava.com

From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Another scripting bug...

Oh very cool.

That works (except for two accounts out of several hundred
for some weird reason -- still tracking that), and it's much faster than ADO. It
requires a bit more setup (since you've gotta know the specific Exchange server
a mailbox resides upon), but it works quite well.

Thanks muchly,
Michael

From: Matjaz Ladava [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 5:10 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Another scripting bug...

Have you tried to use this script to obtain
mailbox size? http://www.msexchangefaq.de/code/mbsize.vbs.txt . It
uses CDO objects instead of ADO.

Give it a try and let us know.

Regards

Matjaz Ladava, MCSE, MCSA, MCT, MVP
Microsoft MVP - Active Directory
[EMAIL PROTECTED], [EMAIL PROTECTED]
http://ladava.com

- Original Message -
From: Michael B. Smith
To: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 8:09 PM
Subject: [ActiveDir] Another scripting bug...

I asked this question of Siegfried some time ago, and he said it was a bug.
I believe him. Does anyone know a way around it, oh script gurus? Or could one
of you submit a bug report to someone that would care? :-)

I have a number of accounts whose Exchange alias has an ampersand in it. The
historical reason for that is MS' fault, but that's neither here nor there.
They just are. I use the routine below to get the size of the mailboxes.
However, for those accounts whose alias has the ampersand in it, the open
fails with the error:

Object or data matching the name, range, or selection criteria was not found
within the scope of this operation.

Any ideas for working around this problem? Obviously there is SOME way,
because ESM doesn't have this issue (obviously, I'd prefer a vbscript
solution -- I'm not really a programmer these days).

Thanks,
M

Function GetMailboxSize(strMailBoxName, strDomainName)
    Dim sUserName  ' As String
    Dim mailboxSZ  ' As Double
    Dim sURL       ' As String
    Dim sSQL       ' As String
    Dim strErr     ' As String
    Dim Rs         ' As New ADODB.Recordset
    Dim Rec        ' As New ADODB.Record
    On Error Resume Next

    Set Rs  = WScript.CreateObject("ADODB.Recordset")
    Set Rec = WScript.CreateObject("ADODB.Record")

    mailboxSZ = 0

    ' ExOLEDB file: URL of the mailbox root. This is the Open that fails for
    ' aliases containing "&" (the bug discussed above).
    sUserName = strMailBoxName
    sURL = "file://./backofficestorage/" & strDomainName & "/MBX/" & sUserName

    Rec.Open sURL
    If Err.Number <> 0 Then
        strErr = "Could not open: " & sURL & " (" & Err.Description & ")"
        GetMailboxSize = -1
        Exit Function
    End If

    ' Deep traversal from the mailbox root, summing foldersize over every folder.
    sSQL = "Select"
    sSQL = sSQL & " ""http://schemas.microsoft.com" & _
                  "/exchange/foldersize"" "
    sSQL = sSQL & ", ""DAV:displayname"" "
    sSQL = sSQL & " from scope ('deep traversal of " & Chr(34)
    sSQL = sSQL & sURL & Chr(34) & "')"
    sSQL = sSQL & " Where ""DAV:isfolder""=true"

    Rs.Open sSQL, Rec.ActiveConnection

    If Not Rs.EOF Then
        Rs.MoveFirst
    End If

    While Not Rs.EOF
        mailboxSZ = mailboxSZ + _
            Rs.Fields("http://schemas.microsoft.com/exchange/foldersize").Value
        Rs.MoveNext
    Wend
    GetMailboxSize = mailboxSZ
    Rs.Close
    Rec.Close

    Set Rs  = Nothing
    Set Rec = Nothing
End Function


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread Michael B. Smith
No, I didn't change anything but where I sent
forwards.  To my authoritative servers (in my DMZ but on the other side of
my PIX) instead of using root hints.

We have (for the network under discussion)

INTERNAL -> PIX -> DMZ -> 7200 w/IOS-FW/FS

Anyway, see the google thread on "Odd DNS Issue with 2003
Server". They covered the same issue there, but did not appear to come to any
real conclusions other than using forwarders corrected the problem (in
microsoft.public.win2000.dns).

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

And that's what's confusing.  W2K DNS is told to use TCP for large packets, and
you can force that as I recall. So in your case, the firewall was the issue,
right?  Slight change in the way that the DNS packets were travelling
across?

Al

RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread Robert Gonzaga (306)
So are we saying it works as long as you don't
use the fixup command for DNS?  Do you still need to NAT and the conduits (in
my case of older PIX ver.)?

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 6:23 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

And that's what's confusing.  W2K DNS is told to use TCP for large packets,
and you can force that as I recall. So in your case, the firewall was the
issue, right?  Slight change in the way that the DNS packets were travelling
across?

Al

RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread ml.adlist
In my case, yes. Disabling the DNS Fixup on my PIX
made the issue disappear as soon as I entered the command. The PIX fixup was
mangling the responses back to the DNS servers (much like SMTP fixup does when
in front of an Exchange server). Later yesterday I removed the ACL and static
NAT entries to those DNS servers. Everything is running smooth as silk now (and
I don't have any of my DCs exposed to the internet now
either).

Michael, the exchange issue you had during the beta is
exactly what I experienced in production. Was your DNS behind a PIX with the DNS
Fixup command running? If so, maybe it is not a bug with the Windows DNS, but
just a stupid PIX trick.

At this point I don't really care where the "bug" really
lies, I have it working the way I want it to now, and I'm not having to bang my
head against a wall anymore.

---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering
mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"

From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

So are we saying it works as long as you don't use the fixup command for DNS?
Do you still need to NAT and the conduits (in my case of older PIX ver.)?
-Original 
Message-From: Mulnick, Al 
[mailto:[EMAIL PROTECTED] Sent: Tuesday, November 04, 2003 6:23 
AMTo: 
'[EMAIL PROTECTED]'Subject: RE: [ActiveDir] DNS Lookup Problem 
- Windows 2003
 

And that's what's 
confusing.  W2K DNS is told to use TCP for large packets, and you can force 
that as I recall. So in your case, the firewall was the issue, right?  
Slight change in the way that the DNS packets were travelling 
across?

 

 

Al

 

 

  -Original 
  Message-From: Michael B. 
  Smith [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 11:42 
  AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS Lookup 
  Problem - Windows 2003
  Eh... I ran across 
  something like that during the w2k3 beta process. Something about w2k didn't 
  support long/extended DNS responses across TCP and w2k3 does. There was also 
  something fishy about w2k3 not properly following referrals in deeply embedded 
  zones.
   
  I changed over to 
  having my w2k3 servers forward to my Unix authoritative servers instead of 
  following root hints and forgot about it.
   
  
  
  
  From: 
  ml.adlist [mailto:[EMAIL PROTECTED] Sent: Monday, November 03, 2003 11:34 
  AMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS Lookup 
  Problem - Windows 2003
  Thanks for the tip. I 
  have added the static entries to my servers. I have to admit, that in my 
  actual operation I have not found that to be the case with the PIX. I did find 
  the final cause of my problems from your tip. The new 6.33 code added a DNS 
  fixup command that had no qualms at all about eating the responses being sent 
  to my Windows 2003 dns servers I don't know why it did not eat them going to 
  the Win2K dns. 
  Once I disabled dns 
  fixup, the problem ended on my test servers, and I just changed the production 
  servers as well. They now receive long mx responses without issues. 
  
  
   
  ---Miles Holt, MCPNetwork 
  EngineerSummit 
  Marketing[EMAIL PROTECTED]770-303-0426---"Show 
  me a completely smooth operation and I'll show you someone who's covering 
  mistakes. Real boats rock." - Frank Herbert, "Chapterhouse:Dune"  
  
  
   
   
  
  
  
  From: Roger 
  Seielstad [mailto:[EMAIL PROTECTED] Sent: Sunday, November 02, 2003 3:24 
  PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] DNS Lookup 
  Problem - Windows 2003
  
  Um, you *definitely* 
  need to have static NAT and the correct ACL's for you DNS servers. By default, 
  DNS uses UDP connects, which are stateless - so there is no session state to 
  track, and the replies will be rejected.
  
   
  
   
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.
  
-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Thanks, I have 
really found all the suggestions given helpful. Even when they have 
rehashed things I  tried before they have encouraged me to try them 
again. My main frustration with all of this is that with what appears to be 
an identical configuration, Win2K gives me results and Win2K3 does not and 
it just makes no sense to me.
 
The server that I 
am testing with is one of my production internal DNS servers. It is also a 
DC. It is a Netserver LH3000 wi

[ActiveDir] Question on Drive Mapping by Group

2003-11-04 Thread Technology Listserves
Good Morning.

Windows 2003 Server environment
Single AD Domain/Forest

We have a need to map certain drives for specific individuals. Ideally, this would be 
done based on Group Membership. For instance, If person X was a member of the 
"Accounting" group, it would map an M: drive to the accounting server share in 
question. 

We have a basic login script now and it does everything we need it to besides this 
individual mapping. We've tried the IFMEMBER utility, but that doesn't seem to work 
for some reason (rights/process?). We also are somewhat limited on budget right now, 
so using a 3rd Party Tool isn't a real option.

Does anyone have some ideas on how to do this? I've included our current login script 
below for reference.

TIA,

Steve



-
REM Network Login Script
REM *
REM  as of September 19, 2003***

REM *Unmapping of Drives
REM

IF EXIST F:\*.* NET USE F: /DELETE
IF EXIST G:\*.* NET USE G: /DELETE
IF EXIST M:\*.* NET USE M: /DELETE
IF EXIST Y:\*.* NET USE Y: /DELETE
IF EXIST Z:\*.* NET USE Z: /DELETE

REM
REM 

REM *IF MEMBER OF ACCOUNTING
REM

IFMEMBER "EXECDIR\ACCOUNTING"
IF Not ERRORLEVEL 1 GOTO COMMON
NET USE M: \\EDI2KAP02\APP


REM
REM 

:COMMON 

NET USE F: \\EDI2K3FS01\APPS
NET USE G: \\EDI2K3FS01\CLIENTS
NET USE H: \\EDI2K3FS01\Users\%username%

REM
REM 


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
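An added example login script (not Steve's script or any list member's code) that keeps the IFMEMBER approach but makes it fail closed: it calls IFMEMBER.EXE from the authenticating DC's NETLOGON share, checks that the executable is actually there before trusting ERRORLEVEL, and branches on IFMEMBER's return value, which is the number of listed groups found in the user's logon token. The Sales and Finance groups and their shares are placeholders; EXECDIR, EDI2KAP02 and EDI2K3FS01 are taken from the script above.

```batch
@ECHO OFF
REM Added example login script, not the poster's own. Group names, servers and
REM shares are placeholders (EXECDIR is the domain's NetBIOS name); replace them.
REM IFMEMBER.EXE (Resource Kit) has to be reachable by the logging-on user, so
REM it is called from the NETLOGON share of the authenticating DC, not from PATH.
SET IFMEMBER=%LOGONSERVER%\NETLOGON\IFMEMBER.EXE

REM Fail closed: if IFMEMBER cannot be found, cmd sets ERRORLEVEL to 9009
REM ("command not found"), which a bare "IF ERRORLEVEL 1" would read as
REM "is a member" and map the restricted drive for everyone. Check first.
IF NOT EXIST "%IFMEMBER%" (
    ECHO %IFMEMBER% not found - group-specific drives will not be mapped
    GOTO COMMON
)

REM Drop stale mappings so nothing from a previous session lingers.
FOR %%D IN (F G M Y Z) DO IF EXIST %%D:\NUL NET USE %%D: /DELETE /YES

REM IFMEMBER sets ERRORLEVEL to the number of listed groups found in the
REM user's logon token. "IF ERRORLEVEL 1" is true for 1 or more, so the
REM mapping runs only for members. Membership is read from the token, so a
REM user added to a group today gets the drive at the next logon, not before.
"%IFMEMBER%" "EXECDIR\Accounting"
IF ERRORLEVEL 1 NET USE M: \\EDI2KAP02\APP

REM Placeholder group and share.
"%IFMEMBER%" "EXECDIR\Sales"
IF ERRORLEVEL 1 NET USE Y: \\EDI2K3FS01\SALES

REM Several groups can be tested in one call; ERRORLEVEL 2 means both matched.
"%IFMEMBER%" "EXECDIR\Accounting" "EXECDIR\Finance"
IF ERRORLEVEL 2 NET USE Z: \\EDI2KAP02\LEDGER

:COMMON
REM Drives everyone gets, regardless of group.
NET USE F: \\EDI2K3FS01\APPS
NET USE G: \\EDI2K3FS01\CLIENTS
NET USE H: \\EDI2K3FS01\Users\%USERNAME%
```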


RE: [ActiveDir] Question on Drive Mapping by Group

2003-11-04 Thread Rimmerman, Russ

Try Kix32 (KixStart).  It's a free login script maker that works really
well.

-Original Message-
From: Technology Listserves [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on Drive Mapping by Group


Good Morning.

Windows 2003 Server environment
Single AD Domain/Forest

We have a need to map certain drives for specific individuals. Ideally, this
would be done based on Group Membership. For instance, If person X was a
member of the "Accounting" group, it would map an M: drive to the accounting
server share in question. 

We have a basic login script now and it does everything we need it to
besides this individual mapping. We've tried the IFMEMBER utility, but that
doesn't seem to work for some reason (rights/process?). We also are somewhat
limited on budget right now, so using a 3rd Party Tool isn't a real option.

Does anyone have some ideas on how to do this? I've included our current
login script below for reference.

TIA,

Steve



-
REM Network Login Script
REM *
REM  as of September 19, 2003***

REM *Unmapping of Drives
REM

IF EXIST F:\*.* NET USE F: /DELETE
IF EXIST G:\*.* NET USE G: /DELETE
IF EXIST M:\*.* NET USE M: /DELETE
IF EXIST Y:\*.* NET USE Y: /DELETE
IF EXIST Z:\*.* NET USE Z: /DELETE

REM
REM


REM *IF MEMBER OF ACCOUNTING
REM

IFMEMBER "EXECDIR\ACCOUNTING"
IF Not ERRORLEVEL 1 GOTO COMMON
NET USE M: \\EDI2KAP02\APP


REM
REM


:COMMON 

NET USE F: \\EDI2K3FS01\APPS
NET USE G: \\EDI2K3FS01\CLIENTS
NET USE H: \\EDI2K3FS01\Users\%username%

REM
REM





RE: [ActiveDir] Question on Drive Mapping by Group

2003-11-04 Thread Chris Blair
I just went through this. Here are a few sites I used. The RLMueller
site has actual scripts you can use freely and adapt to your needs. Good
Luck!

http://www.rlmueller.net/

http://cwashington.netreach.net/depo/view.asp?Index=804&ScriptType=vbscript

http://www.kouti.com/tables/userattributes.htm

http://cwashington.netreach.net/depo/default.asp?topic=results

-Original Message-
From: Technology Listserves [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, November 04, 2003 10:35 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on Drive Mapping by Group


Good Morning.

Windows 2003 Server environment
Single AD Domain/Forest

We have a need to map certain drives for specific individuals. Ideally,
this would be done based on Group Membership. For instance, If person X
was a member of the "Accounting" group, it would map an M: drive to the
accounting server share in question. 

We have a basic login script now and it does everything we need it to
besides this individual mapping. We've tried the IFMEMBER utility, but
that doesn't seem to work for some reason (rights/process?). We also are
somewhat limited on budget right now, so using a 3rd Party Tool isn't a
real option.

Does anyone have some ideas on how to do this? I've included our current
login script below for reference.

TIA,

Steve



-
REM Network Login Script
REM *
REM  as of September 19, 2003***

REM *Unmapping of Drives
REM

IF EXIST F:\*.* NET USE F: /DELETE
IF EXIST G:\*.* NET USE G: /DELETE
IF EXIST M:\*.* NET USE M: /DELETE
IF EXIST Y:\*.* NET USE Y: /DELETE
IF EXIST Z:\*.* NET USE Z: /DELETE

REM
REM



REM *IF MEMBER OF ACCOUNTING
REM

IFMEMBER "EXECDIR\ACCOUNTING"
IF Not ERRORLEVEL 1 GOTO COMMON
NET USE M: \\EDI2KAP02\APP


REM
REM



:COMMON 

NET USE F: \\EDI2K3FS01\APPS
NET USE G: \\EDI2K3FS01\CLIENTS
NET USE H: \\EDI2K3FS01\Users\%username%

REM
REM






[ActiveDir] Latest FRS info from MS

2003-11-04 Thread Jef Kazimer
Thanks for the help yesterday with this, and MS got back to me today.  I thought I'd 
share the info, for those out there that might be interested.

--
This is the latest version for Windows 2000.
 
File Replication Service Does Not Log Errors on Sharing Violations WGID:583
ID: Q815473.KB.EN-US CREATED: 2003-02-26 MODIFIED: 2003-11-03
  
 Date Time   Version Size File name
--
27-Jun-2003  01:17  5.0.2195.6763   747,792  Ntfrs.exe
27-Jun-2003  02:06  5.0.2195.676356,080  Ntfrsapi.dll 
27-Jun-2003  02:06  5.0.2195.676322,288  Ntfrsprf.dll 
27-Jun-2003  01:17  5.0.2195.676346,352  Ntfrsupg.exe 
27-Jun-2003  01:17  5.0.2195.676340,720  Ntfrsutl.exe  

The above versions supersede the following more common fix:
Issues That Are Fixed in the Post-Service Pack 3 Release of Ntfrs.exe WGID:325
ID: Q811370.KB.EN-US CREATED: 2002-12-10 MODIFIED: 2003-10-07
  --
07-May-2003  19:14  5.0.2195.6743 745,232  Ntfrs.exe
15-May-2003  22:31  5.0.2195.6743  56,080  Ntfrsapi.dll 
15-May-2003  22:31  5.0.2195.6743  22,288  Ntfrsprf.dll 
07-May-2003  19:14  5.0.2195.6743  40,720  Ntfrsutl.exe




[ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread FDiskThePC
Okay, guys, I've done quite a bit of research here,
but I need some help.  I don't know about you guys,
but I find it frustrating that AD has been out for
over three years and so much of this stuff is still
undocumented!  Argh!

First problem was delegating the right for remote
admins to synchronize the domain.  For those out there
that may still be searching, you need to delegate the
"Replication Synchronization" right to your Domain
Naming Context (NC) and any other NC's (Schema,
Config, etc.) that you may have.  Note that if you do
not delegate this right to every NC, AD Sites &
Services will still fail because a "Replicate Now"
tries to sync every NC behind the scenes - there is no
way with this tool to sync a particular NC.  Note that
ADSIEdit will probably be needed to make the
delegation.

Okay, second problem that I still need an answer to. 
I need a way to force replication from one source DC
to all my other DC's.  Ah!  Use replmon you say
choosing "Push Mode" and "Cross Site Boundaries". 
That works great, actually, but not for my remote
admins.  Come to find out, replmon doesn't work unless
the remote admin is also given the "Replicating
Directory Changes" and "Manage Replication Topology"
permission.  And I am not about to do that.

I've also looked at repadmin.  It appears that some
changes have been made to this command in W2K3, but
I'd like to do this in a W2K setting.  Unfortunately,
the W2K tool requires that you use actual GUIDS, but
the more important thing is that I can't figure out
how to push changes rather than pull!  I did come
across one undocumented switch with repadmin.  Using
repadmin /p /e /d server1.company.com forces server1
to pull any and all changes from every other server
(transitively).

Any advice on how to best take one DC's changes and
push them out to all other DC's would be GREATLY
appreciated.  Sounds like a script to me.  Thanks.

-Rick Dayton



re: [ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread Jef Kazimer
Well,  this is more of a blanket suggestion, than a solution to your problem.

After coming to find many tasks that remote admins should be able to do, but that I 
don't want to give them rights to do,  I tend to try and centralize tools.   I've 
created ASP driven "admin portal" which is nothing more than VB scripts to do the 
processes.   The Remote admins are given access permission to the portal for their 
specific tasks, but the actual processing of the tasks is done with a "service" 
account with the privs, and not the user.

So they can kick off the tasks, see the results, but not ever have the permissions 
themselves.

I built in a logging interface, so I can tell when an admin did such a thing, which is 
much easier than parsing other logs.  

Replicate the site/DB around the world, and it's proven to be a very good source.  I 
can fix add tools as needed, and not worry about older versions still floating around.

I know that's not really going to help you, but with a little scripting experience, 
you might be able to create a front end utilizing replmon for the same thing.

Jef

Original Message:
>From: FDiskThePC <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: [ActiveDir] Forcing Replication from a Source DC
>Date: Tue, 4 Nov 2003 09:36:02 -0800 (PST)

>Okay, guys, I've done quite a bit of research here,
>but I need some help.  I don't know about you guys,
>but I find it frustrating that AD has been out for
>over three years and so much of this stuff is still
>undocumented!  Argh!
>
>First problem was delegating the right for remote
>admins to synchronize the domain.  For those out there
>that may still be searching, you need to delegate the
>"Replication Synchronization" right to your Domain
>Naming Context (NC) and any other NC's (Schema,
>Config, etc.) that you may have.  Note that if you do
>not delegate this right to every NC, AD Sites &
>Services will still fail because a "Replicate Now"
>tries to sync every NC behind the scenes - there is no
>way with this tool to sync a particular NC.  Note that
>ADSIEdit will probably be needed to make the
>delegation.
>
>Okay, second problem that I still need an answer to. 
>I need a way to force replication from one source DC
>to all my other DC's.  Ah!  Use replmon you say
>choosing "Push Mode" and "Cross Site Boundaries". 
>That works great, actually, but not for my remote
>admins.  Come to find out, replmon doesn't work unless
>the remote admin is also given the "Replicating
>Directory Changes" and "Manage Replication Topology"
>permission.  And I am not about to do that.
>
>I've also looked at repadmin.  It appears that some
>changes have been made to this command in W2K3, but
>I'd like to do this in a W2K setting.  Unfortunately,
>the W2K tool requires that you use actual GUIDS, but
>the more important thing is that I can't figure out
>how to push changes rather than pull!  I did come
>across one undocumented switch with repadmin.  Using
>repadmin /p /e /d server1.company.com forces server1
>to pull any and all changes from every other server
>(transitively).
>
>Any advice on how to best take one DC's changes and
>push them out to all other DC's would be GREATLY
>appreciated.  Sounds like a script to me.  Thanks.
>
>-Rick Dayton
>




[ActiveDir] Display Change

2003-11-04 Thread Weeks, Travis (COX-Atlanta)



I have received a request to change an AD field that shows up in the GAL as Home2.  We would like to basically rename this field's description from "Home2" to "Radio".  Does anyone know what I would need to do to make that happen?  It may not be possible at all but I thought I would run it by the experts here and see.
 
Thanks,
 
Travis Weeks
Cox Communications, Inc.


[ActiveDir] W32time Service

2003-11-04 Thread Stuart, Cory G.
Hello,
I currently manage a 2000 Mixed Mode Child Domain.  When an
Enterprise Admin runs replmon, everything works fine except for one
thing.  We get an access denied error when trying to communicate with
the W32time service.

* Checking Service: w32time
Could not open w32time Service on [SERVERNAME]:failed with
5: Access is denied.

Is the only place to change this in the GPO?  I did set permissions on
that service, and realized that was probably causing the error.  I
removed the settings for the Time Service in the GPO (changed it to "Not
Defined").  That didn't work.

Your help is appreciated,

Cory



RE: [ActiveDir] Display Change

2003-11-04 Thread Mulnick, Al



I want to say this is possible at the attrib level, but the display name (text caption in the UI) is set at the UI.  
 
What has me more curious is why you want to change that field?  Why not use another field somewhere that will never ever be used?  
 
Al

  
  -Original Message-
  From: Weeks, Travis (COX-Atlanta) [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 04, 2003 2:15 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Display Change
  I have received a 
  request to change an AD field that shows up in the GAL as Home2.  We 
  would like to basically rename this fields description from "Home2" to 
  "Radio".  Does anyone know what I would need to do to make that 
  happen?  It may not be possible at all but I thought I would run it by 
  the experts here and see.
   
  Thanks,
   
  Travis 
  Weeks
  Cox 
  Communications, Inc.


RE: [ActiveDir] Display Change

2003-11-04 Thread Mulnick, Al



Additional information.  You could create your own class and field 
and a custom app to display it in the MMC.
 
http://msdn.microsoft.com/library/default.asp?url=

  
  -Original Message-
  From: Weeks, Travis (COX-Atlanta) [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 04, 2003 2:15 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Display Change
  I have received a 
  request to change an AD field that shows up in the GAL as Home2.  We 
  would like to basically rename this fields description from "Home2" to 
  "Radio".  Does anyone know what I would need to do to make that 
  happen?  It may not be possible at all but I thought I would run it by 
  the experts here and see.
   
  Thanks,
   
  Travis 
  Weeks
  Cox 
  Communications, Inc.


RE: [ActiveDir] Display Change

2003-11-04 Thread Merry, Joel (US - Philadelphia)
Travis,

 

You need to update the English language
template to display “Radio” instead of “Home2”. 
Another method is to create a new attribute called, say, “radioNumber”,
copy the MAPIID from an unused attribute to it, and then modify the template to
display that. You then, of course, need to provision the data in that new
attribute.

 

Either way, however, you need to modify
the template. And if you have users who use languages other than English, you’ll
need to modify those language templates, too.

 

-Joel

 

 

 

-Original Message-
From: Weeks, Travis (COX-Atlanta) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display Change

 



I have received a request to change an AD field that shows up in the GAL as Home2.  We would like to basically rename this fields description from "Home2" to "Radio".  Does anyone know what I would need to do to make that happen?  It may not be possible at all but I thought I would run it by the experts here and see.

Thanks,

Travis Weeks
Cox Communications, Inc.





RE: [ActiveDir] Display Change

2003-11-04 Thread Weeks, Travis (COX-Atlanta)



Actually I'm not dead set on renaming that field.  I just need a field in the phone/notes tab in the GAL that can be named Radio. 

  
  -Original Message-
  From: Mulnick, Al [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 04, 2003 2:53 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Display Change
  I 
  want to say this is possible at the attrib level, but the display name (text 
  caption in the UI) is set at the UI.  
   
  What 
  has me more curious is why you want to change that field?  Why not use 
  another field somewhere that will never ever be used?  
  
   
  Al
  

-Original Message-
From: Weeks, Travis (COX-Atlanta) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Display Change
I have received 
a request to change an AD field that shows up in the GAL as Home2.  We 
would like to basically rename this fields description from "Home2" to 
"Radio".  Does anyone know what I would need to do to make that 
happen?  It may not be possible at all but I thought I would run it by 
the experts here and see.
 
Thanks,
 
Travis 
Weeks
Cox 
Communications, Inc.


[ActiveDir] GP and TS lockdown

2003-11-04 Thread Charlie Kaiser
I just spent the morning looking around at resources and doing some things
to lock down a new W2K TS. This box is a member server in a W3K domain, and
is hosting an app that end users hit. We needed to make it so that was the
only thing they could do on the box, but we still needed admin access. So
here's what I did. I'm looking for any gotchas on this before it swings into
production...
New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is
an Admin access, which disables everything in the lockdown for those times
that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights
assignments.
Seems to work pretty well. Any glaring issues?
Found a couple of interesting nasties while trying to lock down the box,
though. Why the heck is it SO difficult to prevent IE from running? We don't
want a browser to open on this box for users at all. Couldn't find any way
to lock it down within the policy, and didn't want to get involved with IEAK
at this point. So, I put it on the list of apps that you can't run. Also
added the one app we want to the list of apps you can run. (along with all
the other lockdown tweaks in the policy) That should do it, right? Wrong. 
Picture this. Locked down desktop, with a log off command and one icon for
the app we want to run. Can't do much, except hit F1. Hit F1, up comes a
help box. On the top bar is "Web Help". Click on that, a browser opens.
Nice. Lets you do anything at that point. Even though it's on the
prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed
users, etc., left admins, system. Still the same problem. Cute. IE runs in
the system context when launched from help. Removed perms for system account
and that finally did it. Nasty. Not exactly the context I want a web browser
running from...


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
** 


RE: [ActiveDir] DNS Lookup Problem - Windows 2003

2003-11-04 Thread deji Agba



The bug lies in the "FIX up". It's a "known" PIX issue and most truthful Cisco TAC personnel will admit to that. I went back and looked in the DNS Debug log that Miles sent last week. The "SERVFAIL" portion of the response packet is a good symptom of a "FIXED UP" anomaly.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: ml.adlist
Sent: Tue 11/4/2003 8:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

In my case, yes. Disabling the DNS Fixup on my PIX made the issue disappear as soon as I entered the command. The PIX fixup was mangling the responses back to the dns servers (much like SMTP fixup does when in front of an Exchange server). Later yesterday I removed the acl and static nat entries to those DNS servers. Everything is running smooth as silk now (and I don't have any of my DC's exposed to the internet now either).
 
Michael, the exchange issue you had during the beta is exactly what I experienced in production. Was your DNS behind a PIX with the DNS Fixup command running? If so, maybe it is not a bug with the Windows DNS, but just a stupid PIX trick.
 
At this point I don't really care where the "bug" really lies, I have it working the way I want it too now, and I'm not having to bang my head against a wall anymore.
 
---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse:Dune"
 


From: Robert Gonzaga (306) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 10:14 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003


So are we saying it works as long you don't use the fixup command for DNS?  Do you still need to NAT and the conduits (in my case of older PIX ver.)?
 
-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 6:23 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
 

And that's what's confusing.  W2K DNS is told to use TCP for large packets, and you can force that as I recall. So in your case, the firewall was the issue, right?  Slight change in the way that the DNS packets were travelling across?

 

 

Al

 

 

-Original Message-
From: Michael B. Smith [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Eh... I ran across something like that during the w2k3 beta process. Something about w2k didn't support long/extended DNS responses across TCP and w2k3 does. There was also something fishy about w2k3 not properly following referrals in deeply embedded zones.
 
I changed over to having my w2k3 servers forward to my Unix authoritative servers instead of following root hints and forgot about it.
 



From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Thanks for the tip. I have added the static entries to my servers. I have to admit, that in my actual operation I have not found that to be the case with the PIX. I did find the final cause of my problems from your tip. The new 6.33 code added a DNS fixup command that had no qualms at all about eating the responses being sent to my Windows 2003 dns servers I don't know why it did not eat them going to the Win2K dns. 
Once I disabled dns fixup, the problem ended on my test servers, and I just changed the production servers as well. They now receive long mx responses without issues. 

 
---
Miles Holt, MCP
Network Engineer
Summit Marketing
[EMAIL PROTECTED]
770-303-0426
---
"Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse:Dune"

 
 



From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Sunday, November 02, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003

Um, you *definitely* need to have static NAT and the correct ACLs for your DNS servers. By default, DNS uses UDP connections, which are stateless - so there is no session state to track, and the replies will be rejected.

 

 
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: ml.adlist [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 3:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] DNS Lookup Problem - Windows 2003
Thanks, I have really found all the suggestions given helpful. Even when they have rehashed things I  tried before they have encouraged me to try them again. My main frustratio

[ActiveDir] native mode

2003-11-04 Thread Creamer, Mark
We have a domain about to go to native mode (2 others have
already switched with absolutely no problems, of course.) This last domain is the
result of an acquisition, and there is a skeptical staff of developers there
who are trying to push back the change saying they need extensive testing in
the lab beforehand (because they’re spooked by the “never go back”
warning). 

 

As much as I know Native Mode means I can never put a NT 4
BDC back in that domain (like I’d want to), I need industry expert
back-up to the following facts I’d like to present:

 


1. Although the change is not reversible, we could restore from AD backup and be back where we were
2. The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards)
3. Native Mode provides a few new capabilities we didn't have before (Universal groups, nesting, etc.)


 

If I am incorrect on any of this *or* if you have some suggestions on things I should add,
please let me know. Thanks guys, as always.

 

Mark Creamer 
Systems Engineer 
Cintas Corporation 
http://www.cintas.com

Honesty
and Integrity in Everything We Do 

 


RE: [ActiveDir] Univ group best practice

2003-11-04 Thread Joe



Everyone says this "as the UG is replicated via the GC 
anyways." but I personally don't like it because it seems to want to force you 
to think the group doesn't exist on normal DCs and it does, but it is also 
replicated across the GC's.
 
Actually looking at it that way, the best place is the 
domain where most of the users are versus where it will most be used (my 
earlier statement) because it will always be in your token then when you log on 
since you have to authenticate at a DC for your own domain.
 
  
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Tuesday, November 04, 2003 9:43 AM
To: [EMAIL PROTECTED]

I'd place them where they're managed.  I.e. if a 
delegated admin of a sub-domain is managing a resource that is supposed to be 
secured with a UG, then place the UG in an OU where he is delegated enough 
permissions to manage the group. Usually, this also equates to hosting 
the UG in the domain where most users come from. But UGs can be placed into any 
domain, as the UG is replicated via the GC anyways.


From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, 3 November 2003 15:59
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Univ group best practice


We’re just getting started with 
universal groups (for security, not distribution) and I’m just wondering as a 
best practice, where should they be located? We have a so-called empty root, and 
a few sub-domains, so where does it make the most sense to place the Universal 
Groups as they are created? Thanks!
 
Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do
 


RE: [ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread Joe
Right off the bat  (am I saying that too much lately)?

Ah who cares, right off the bat, you will not push changes. Windows doesn't
use push replication. All Windows Replication is pull based whether it is
WINS or AD or whatever. The DC who wants the changes pulls the changes from
the other DC. When you look at connection agreements between DC's, the
connection agreement is a subobject of the DC that will do the pulling and
is pointing at the DC it will pull from. Additionally there has to be a
direct connection defined between the DC's you want replication to occur
through, you won't simply push it to some replica there isn't a connection
to. 

There is a single thread on every DC that will go out to its connection
partners and PULL the changes from them. On the sending side there are 25
threads by default that the pulling DC can connect to and pull from. 

How do you know what to type to get a DC to PULL from one of its partners?

Ex:

C:\>repadmin /showreps fntxx101
B\FNTXX101
DSA Options : (none)
objectGuid  : 99765f71-4dad-496f-a996-a5d0af0232c6
invocationID: 69a2f2fc-c3c2-412b-81bf-2f8d12abf436

 INBOUND NEIGHBORS ==

DC=xxx,DC=xxx,DC=com
A-NADC\FMCXX104 via RPC
objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
Last attempt @ 2003-11-04 18:38.56 was successful.

CN=Schema,CN=Configuration,DC=xxx,DC=com
A-NADC\FMCXX104 via RPC
objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
Last attempt @ 2003-11-04 18:38.55 was successful.

CN=Configuration,DC=xxx,DC=com
A-NADC\FMCXX104 via RPC
objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
Last attempt @ 2003-11-04 18:38.54 was successful.

 OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS 



Doing that repadmin I know that my DC fntxx101 has a pull replication
connection object with fmcxx104. Note there is NO GUARANTEE that there is a
reciprocal connection object on fmcxx104 but there PROBABLY is. 

I now know that if I want to sync fntxx101 with fmcxx104's current state for
the default partition I would type

repadmin /sync dc=xxx,dc=xxx,dc=com fntxx101
d01e1848-e701-41ed-b7df-abdea09475ba /force

I took the partition name from the repadmin for the <Naming Context>
parameter.
I took the server name that is pulling as the <Dest DSA>
I took the objectguid of the server I want to pull from as the <Source DSA UUID>


Assuming I have a matching agreement going the other way I could use

repadmin /sync dc=xxx,dc=xxx,dc=com fmcxx104
99765f71-4dad-496f-a996-a5d0af0232c6 /force


If the connection object is missing between two servers you will get the
error message 

DsReplicaSync failed with status 8452 (0x2104):
The naming context is in the process of being removed or is not
replicated from the specified server.


If you want to pull from all partners for a specific context, use syncall

repadmin /syncall DomainControllerName dc=domain,dc=com

If you want all partitions from all direct connected partners you would do

repadmin /syncall DomainControllerName


I am curious about the undocumented command you mention. That is
interesting, I will dig into it when I get time as the implications are
rather large as it would have to force replications through the entire domain
and possibly forest if it was a GC.

Hope this helps.


May I ask why you need to force replication like this? It is so ungodly rare
that we have to force replication that I am not even sure if my team other
than myself even knows how to do it through repadmin like this. 


   joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
Sent: Tuesday, November 04, 2003 12:36 PM
To: [EMAIL PROTECTED]

Okay, guys, I've done quite a bit of research here, but I need some help.  I
don't know about you guys, but I find it frustrating that AD has been out
for over three years and so much of this stuff is still undocumented!  Argh!

First problem was delegating the right for remote admins to synchronize the
domain.  For those out there that may still be searching, you need to
delegate the "Replication Synchronization" right to your Domain Naming
Context (NC) and any other NC's (Schema, Config, etc.) that you may have.
Note that if you do not delegate this right to every NC, AD Sites & Services
will still fail because a "Replicate Now"
tries to sync every NC behind the scenes - there is no way with this tool to
sync a particular NC.  Note that ADSIEdit will probably be needed to make
the delegation.

Okay, second problem that I still need an answer to. 
I need a way to force replication from one source DC to all my other DC's.
Ah!  Use replmon you say choosing "Push Mode" and "Cross Site Boundaries". 
That works great, actually, but not for my remote admins.  Come to find out,
replmon doesn't work unless the remote admin is also given the "Replicating
Directory Changes" and "Manage Replication Topology"
permission.  And I am not about to do that.

I've also looked at repadmin.  It appear
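Joe's recipe above (read the inbound neighbours out of `repadmin /showreps`, then build `repadmin /sync <Naming Context> <Dest DSA> <Source DSA UUID> /force` with the puller as the destination and the partner's objectGuid as the source) as a small parser, added here and not code from the thread. The sample input is the showreps output pasted above, with its xxx placeholders and GUIDs kept as shown; the dataclass names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the `repadmin /showreps fntxx101` output pasted in the
# thread, with its xxx placeholders and GUIDs kept as shown there.
SHOWREPS_SAMPLE = """\
B\\FNTXX101
DSA Options : (none)
objectGuid  : 99765f71-4dad-496f-a996-a5d0af0232c6
invocationID: 69a2f2fc-c3c2-412b-81bf-2f8d12abf436

==== INBOUND NEIGHBORS ======================================

DC=xxx,DC=xxx,DC=com
    A-NADC\\FMCXX104 via RPC
        objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
        Last attempt @ 2003-11-04 18:38.56 was successful.

CN=Schema,CN=Configuration,DC=xxx,DC=com
    A-NADC\\FMCXX104 via RPC
        objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
        Last attempt @ 2003-11-04 18:38.55 was successful.

CN=Configuration,DC=xxx,DC=com
    A-NADC\\FMCXX104 via RPC
        objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
        Last attempt @ 2003-11-04 18:38.54 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
"""

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


@dataclass
class Neighbor:
    naming_context: str   # partition this DC pulls (the <Naming Context>)
    partner: str          # SITE\DC it pulls from, e.g. A-NADC\FMCXX104
    transport: str        # RPC or SMTP
    object_guid: str      # partner's DSA objectGuid (the <Source DSA UUID>)
    last_attempt_ok: bool


@dataclass
class ShowReps:
    dc_name: str          # the pulling DC (the <Dest DSA>)
    object_guid: str
    inbound: list = field(default_factory=list)


def parse_showreps(text):
    """Walk the INBOUND NEIGHBORS section; every 'X via RPC' line under a
    naming context is one pull connection for that partition."""
    lines = [ln.strip() for ln in text.splitlines()]
    rep = ShowReps(dc_name=lines[0].split("\\")[-1], object_guid="")
    section, nc, cur = None, None, None
    for line in lines:
        if section is None and line.startswith("objectGuid"):
            rep.object_guid = GUID_RE.search(line).group(0)
        elif "INBOUND NEIGHBORS" in line:
            section = "inbound"
        elif "OUTBOUND NEIGHBORS" in line:
            section = "outbound"   # change-notification list, not pull links
        elif section != "inbound" or not line:
            continue
        elif line.startswith(("DC=", "CN=")):
            nc = line
        elif " via " in line:
            partner, _, transport = line.partition(" via ")
            cur = Neighbor(nc, partner, transport, "", False)
            rep.inbound.append(cur)
        elif line.startswith("objectGuid") and cur is not None:
            cur.object_guid = GUID_RE.search(line).group(0)
        elif line.startswith("Last attempt") and cur is not None:
            cur.last_attempt_ok = line.rstrip(".").endswith("was successful")
    return rep


def sync_commands(rep, force=True):
    """repadmin /sync <Naming Context> <Dest DSA> <Source DSA UUID> [/force]:
    the DC we ran /showreps against is the puller; the neighbour's objectGuid
    names the DC it pulls from."""
    cmds = []
    for n in rep.inbound:
        cmd = f"repadmin /sync {n.naming_context} {rep.dc_name.lower()} {n.object_guid}"
        cmds.append(cmd + " /force" if force else cmd)
    return cmds


def failing_links(rep):
    """Inbound links whose last attempt was not successful: worth checking
    before forcing a sync, since /sync only works over an existing link."""
    return [(n.naming_context, n.partner) for n in rep.inbound if not n.last_attempt_ok]


if __name__ == "__main__":
    rep = parse_showreps(SHOWREPS_SAMPLE)
    for cmd in sync_commands(rep):
        print(cmd)
    print("links with failed last attempt:", failing_links(rep))
```

The first command it emits is exactly the one Joe typed for the default partition; a missing link would not appear at all, which is the case that produces the 8452 error quoted above.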

RE: [ActiveDir] native mode

2003-11-04 Thread Joe



1. Theoretical until you have conclusively proved in your own lab. Most likely unsupported as a rollback mechanism by MS.

2. Not necessarily true. There have been scattered reports of Samba and other SMB emulation packages choking and also I have personally seen some weird stuff with group memberships. Specifically pre-Native mode we had the Everyone security principal in the Winds Users Group. Going to Native mode that didn't work any longer and I had to add Domain Users. MS PSS never was able to give me an explanation and since I had a workaround, I wasn't willing to keep paying for them to try and learn.

3. Absolutely. Domain Local Group Scope is a great one as well as same group nesting.

Personally, I would say throw the developers in the lab and have them make sure their shit doesn't break.

   joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, November 04, 2003 5:22 PM
To: [EMAIL PROTECTED]


We have a domain about to go to native mode (2 others have already switched with absolutely no problems, of course.) This last domain is the result of an acquisition, and there is a skeptical staff of developers there who are trying to push back the change saying they need extensive testing in the lab beforehand (because they’re spooked by the “never go back” warning).

As much as I know Native Mode means I can never put a NT 4 BDC back in that domain (like I’d want to), I need industry expert back-up to the following facts I’d like to present:

1. Although the change is not reversible, we could restore from AD backup and be back where we were
2. The change does not prevent downlevel applications or users from authenticating to the domain (PDCE is still present afterwards)
3. Native Mode provides a few new capabilities we didn’t have before (Universal groups, nesting, etc.)

If I am incorrect on any of this *or* if you have some suggestions on things I should add, please let me know. Thanks guys, as always.

Mark Creamer
Systems Engineer
Cintas Corporation
http://www.cintas.com
Honesty and Integrity in Everything We Do
 


RE: [ActiveDir] ADUC MMC

2003-11-04 Thread Joe



Haven't ever done it but can visualize multiple ways to pull it off depending on how soon after the lockout you have to know about it.

If it is immediate I would write an LDAP API program (no other way currently) that does change notification on the specific user object, when it detects a change it looks at the pwdlastset attribute to see if it has been changed, if so, bam it goes off and does what you want. This should be run against the PDC as it should generally be the first to know an account is locked unless someone hits a DC that can't chat with the PDC and then you don't have much you can do around waiting for replication.

If you can wait for a while then you can poll the attribute on X frequency. Again, once the delta in the attribute is detected, it pulls the info you need.

Watching multiple accounts could get more involved depending on how many there were. Watching all accounts would have to be done carefully to make sure you aren't needlessly beating your DC.

Check out unlock from www.joeware.net on the free win32 tools page and you may be able to do what you want around it with perl. I haven't seen anything else faster for enumerating locked out accounts on a domain so you could do an unlock dc * and get all accounts currently locked out on that DC and then parse the output and do what you want, if you wanted to watch a specific OU you can set the baseDN for unlock to just look for those.

If someone needed to watch accounts only with a special attribute I have thought about adding that capability to unlock (i.e. allow you to specify part of the search filter). What this would allow is someone to set up some special indexed attribute in their AD or use a specific indexed attribute and watch only those accounts for lockouts. If anyone thinks that would be useful, email my normal joeware email address (find it on the web site) and say you think that would be useful. I thought of it a while back but didn't have a use for it myself but can see where it would be useful.

For instance say you have a bunch of service ID's that for some reason can't be stuck in a special service OU and have to be spread across an entire domain OU structure, you could set up a special indexed attribute called something like IDType and set that value equal to SVC for service accounts. Then if I modified unlock, you could do a search like

unlock servername * /view /f IDType=SVC

and it would tack the IDType=SVC to the filter it uses to look for locked accounts so only those accounts would show.

The value there is say you have service ID's that if they get locked out from someone trying to hack or a worm or virus or screwed up program, you have apps that will stop working because of it so you need to know RIGHT NOW when those ID's lock.

To do it with the current version of the tool I would add all those special ID's to one single OU and then use the /b option to specify that OU as the start base for my search OR name the ID's in some pattern like SVC-whatever so you could set the name filter to be SVC-*. The perl script running it would run the unlock command on some frequency X.

The run output for unlock looks like this:
 
F:\Dev\cpp\Unlock>unlock joehome.com * /view

Unlock V02.00.00cpp Joe Richards ([EMAIL PROTECTED]) March 2003

Processed at w2kasdc1.joehome.com
Default Naming Context: DC=joehome,DC=com

1: joe    11/04/2003-19:27:51 LOCKED   VIEW_ONLY

F:\Dev\cpp\Unlock>
 
 
A quick perl script could be (and this is from the hip) 
and most of it is so you don't have to enter parameters to get it to go or 
telling you what is going on, the stripped version would be tiny. 

 
 
__watch.pl__
# Usage: watch.pl [server] [poll seconds] [id filter] [base OU]
$watchserver=shift; $sleeptime=shift; $watchid=shift; $watchou=shift;
# Defaults: local DC, 60 second poll, every ID, whole default naming context
if ($watchou) {$watchou="/b \"$watchou\""} else {$watchou=""};
if (!$watchserver) {$watchserver="."};
if (!$sleeptime) {$sleeptime="60"};
if (!$watchid) {$watchid="*"};

print "Watching Server: $watchserver\n";
print "Poll Period: $sleeptime\n";
print "ID Filter: $watchid\n";
print "Base OU: $watchou\n";

$istillcareaboutthisjob=1;
while ($istillcareaboutthisjob) {
  print "Querying...\n";
  # Run unlock in view-only mode and capture its output (stderr discarded)
  $cmd="unlock $watchserver $watchid $watchou /view";
  @out=`$cmd 2>nul`;
  if ($out[0]!~/No objects/) {
    print "We have locked out Accounts!!!\n";
    # Echo each output line and hand it to DoSomething
    map {print $_; DoSomething($_)} @out;
  }
  print "Sleeping...\n";
  sleep($sleeptime);
}

sub DoSomething {
  my $item=shift;
  chomp $item;
  print "I am doing something to locked out item - [$item]\n";
}
 
 
 
Then if you ran it like

watch.pl

It would watch the default domain for any locked out ID's and send them through the DoSomething function each time it hit them with a 60 second poll.

If you did

watch.pl server3 2 SVC-*

would find all ID's that start with SVC- that are in the default domain partition of server3 and would poll every 2 seconds...

Here is a live example:

F:\Dev\cpp\Unlock>watch.pl . 1
Watching Server:

RE: [ActiveDir] GP and TS lockdown

2003-11-04 Thread Charlie Kaiser

Hi Deji. I'm not sure I'm following you here.
TS is installed in application mode. When a non-admin user logs on, they 
get a desktop with only the app shortcut on it. Never having worked with TS 
before, I haven't figured out how to have just the application run instead of 
the desktop. Tried using CCM to create a connection and run the app, but it 
still gave me a desktop.
I tried denying logon locally rights to the test user and that account 
couldn't connect at all. Nothing I've read shows me that I can run just an app 
instead of a windowed desktop (as in citrix).
The app ties to a SQL instance and requires SQL client 
connectivity, and we don't want to make those connections across WAN links from 
the client PCs. So the app runs on the TS box local to the SQL box. If you've 
got a way that will allow me to run (on the TS) just the app at the 
client without a desktop session, I'd love to use it. Enlighten me... 
:-)
 
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 04, 2003 2:55 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GP and TS lockdown
  
  Is there a good reason you 
  don't just install TS in application mode on this server? If I were doing this 
  (and there is no political/technical/budget reason against it), I'd do it that 
  way and then deny logon locally rights to everyone but Admins. You can then 
  configure TS to auto-launch the specific application that users need to use on 
  the server.
   
  
  
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
  
  
  From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
  Sent: Tue 11/4/2003 1:57 PM
  To: ([EMAIL PROTECTED])
  Subject: [ActiveDir] GP and TS lockdown

  I just spent the morning looking around at resources and doing some things
  to lock down a new W2K TS. This box is a member server in a W3K domain, and
  is hosting an app that end users hit. We needed to make it so that was the
  only thing they could do on the box, but we still needed admin access. So
  here's what I did. I'm looking for any gotchas on this before it swings into
  production...

  New OU, termservers.
  2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is
  an Admin access, which disables everything in the lockdown for those times
  that we need to do something to the box.
  Set Admin GP at top w/no override, lockdown second. Appropriate rights
  assignments.
  Seems to work pretty well. Any glaring issues?

  Found a couple of interesting nasties while trying to lockdown the box,
  though. Why the heck is it SO difficult to prevent IE from running? We don't
  want a browser to open on this box for users at all. Couldn't find any way
  to lock it down within the policy, and didn't want to get involved with IEAK
  at this point. So, I put it on the list of apps that you can't run. Also
  added the one app we want to the list of apps you can run. (along with all
  the other lockdown tweaks in the policy) That should do it, right? Wrong.
  Picture this. Locked down desktop, with a log off command and one icon for
  the app we want to run. Can't do much, except hit F1. Hit F1, up comes a
  help box. On the top bar is "Web Help". Click on that, a browser opens.
  Nice. Let's you do anything at that point. Even though it's on the
  prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed
  users, etc., left admins, system. Still the same problem. Cute. IE runs in
  the system context when launched from help. Removed perms for system account
  and that finally did it. Nasty. Not exactly the context I want a web browser
  running from...

  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 985 0975 x5083
  **
  List info   : http://www.activedir.org/mail_list.htm
  List FAQ    : http://www.activedir.org/list_faq.htm
  List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GP and TS lockdown

2003-11-04 Thread marcus

I think you have to make the changes under the Terminal Services manager… and under the properties of the RDP settings or something like that.  Been awhile since I’ve done it… but the options are there.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, November 04, 2003 8:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP and TS lockdown

Hi Deji. I'm not sure I'm following you here.

TS is installed in application mode. When a non-admin user logs on, they get a desktop with only the app shortcut on it. Never having worked with TS before, I haven't figured out how to have just the application run instead of the desktop. Tried using CCM to create a connection and run the app, but it still gave me a desktop.

I tried denying logon locally rights to the test user and that account couldn't connect at all. Nothing I've read shows me that I can run just an app instead of a windowed desktop (as in citrix).

The app ties to a SQL instance and requires SQL client connectivity, and we don't want to make those connections across WAN links from the client PCs. So the app runs on the TS box local to the SQL box. If you've got a way that will allow me to run (on the TS) just the app at the client without a desktop session, I'd love to use it. Enlighten me... :-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason you don't just install TS in application mode on this server? If I were doing this (and there is no political/technical/budget reason against it), I'd do it that way and then deny logon locally rights to everyone but Admins. You can then configure TS to auto-launch the specific application that users need to use on the server.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things
to lock down a new W2K TS. This box is a member server in a W3K domain, and
is hosting an app that end users hit. We needed to make it so that was the
only thing they could do on the box, but we still needed admin access. So
here's what I did. I'm looking for any gotchas on this before it swings into
production...

New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is
an Admin access, which disables everything in the lockdown for those times
that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights
assignments.
Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lockdown the box,
though. Why the heck is it SO difficult to prevent IE from running? We don't
want a browser to open on this box for users at all. Couldn't find any way
to lock it down within the policy, and didn't want to get involved with IEAK
at this point. So, I put it on the list of apps that you can't run. Also
added the one app we want to the list of apps you can run. (along with all
the other lockdown tweaks in the policy) That should do it, right? Wrong.
Picture this. Locked down desktop, with a log off command and one icon for
the app we want to run. Can't do much, except hit F1. Hit F1, up comes a
help box. On the top bar is "Web Help". Click on that, a browser opens.
Nice. Let's you do anything at that point. Even though it's on the
prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed
users, etc., left admins, system. Still the same problem. Cute. IE runs in
the system context when launched from help. Removed perms for system account
and that finally did it. Nasty. Not exactly the context I want a web browser
running from...


**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Latest FRS info from MS

2003-11-04 Thread marcus
Jun 2003... sure am glad they stabilized that POS.  thank god for
robocopy... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jef Kazimer
Sent: Tuesday, November 04, 2003 11:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Latest FRS info from MS

Thanks for the help yesterday with this, and MS got back to me today.  I
thought I'd share the info, for those out there that might be interested.

--
This is the latest version for Windows 2000.
 
File Replication Service Does Not Log Errors on Sharing Violations WGID:583
ID: Q815473.KB.EN-US CREATED: 2003-02-26 MODIFIED: 2003-11-03

   Date         Time   Version        Size     File name
   ------------------------------------------------------
   27-Jun-2003  01:17  5.0.2195.6763  747,792  Ntfrs.exe
   27-Jun-2003  02:06  5.0.2195.6763   56,080  Ntfrsapi.dll
   27-Jun-2003  02:06  5.0.2195.6763   22,288  Ntfrsprf.dll
   27-Jun-2003  01:17  5.0.2195.6763   46,352  Ntfrsupg.exe
   27-Jun-2003  01:17  5.0.2195.6763   40,720  Ntfrsutl.exe

The above versions supersede the following more common fix:
Issues That Are Fixed in the Post-Service Pack 3 Release of Ntfrs.exe WGID:325
ID: Q811370.KB.EN-US CREATED: 2002-12-10 MODIFIED: 2003-10-07

   Date         Time   Version        Size     File name
   ------------------------------------------------------
   07-May-2003  19:14  5.0.2195.6743  745,232  Ntfrs.exe
   15-May-2003  22:31  5.0.2195.6743   56,080  Ntfrsapi.dll
   15-May-2003  22:31  5.0.2195.6743   22,288  Ntfrsprf.dll
   07-May-2003  19:14  5.0.2195.6743   40,720  Ntfrsutl.exe


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Forcing Replication from a Source DC

2003-11-04 Thread FDiskThePC
Thanks for your lengthy response, Joe.  I appreciate
it.

I actually knew that all AD replication was pull
replication.  But replmon does have a "push mode"
which basically sends out a change notification to the
DC's partners so that they will immediately come pull
its changes.  What's cool is that unless you disable
transitive replication with "push mode", the direct
partners of the original DC will in turn send out
change notifications to their partners as well.  In
essence, all DC's get the change from the source DC. 
And this is exactly what I want to do, but using
something other than replmon.

Why do I need to force replication like this?  Good
question.  I wish I knew, and I've hit the list on
this before, but didn't get many responses.  Basically
we'll add a computer to the domain and upon reboot,
get the classic "the computer account is its primary
domain is missing".  I know it sounds like the
computer account isn't being created on a DC in the
local site, but a few times I verified that it is. 
Sync'ing the domain like I describe immediately fixes
the problem.

It sounds like I may want to call MS PSS if other
folks have not seen this issue.

-Rick

--- Joe <[EMAIL PROTECTED]> wrote:
> Right off the bat  (am I saying that too much
> lately)?
> 
> Ah who cares, right off the bat, you will not push
> changes. Windows doesn't
> use push replication. All Windows Replication is
> pull based whether it is
> WINS or AD or whatever. The DC who wants the changes
> pulls the changes from
> the other DC. When you look at connection agreements
> between DC's, the
> connection agreement is a subobject of the DC that
> will do the pulling and
> is pointing at the DC it will pull from.
> Additionally there has to be a
> direct connection defined between the DC's you want
> replication to occur
> through, you won't simply push it to some replica
> there isn't a connection
> to. 
> 
> There is a single thread on every DC that will go
> out to its connection
> partners and PULL the changes from them. On the
> sending side there are 25
> threads by default that the pulling DC can connect
> to and pull from. 
> 
> How do you know what to type to get a DC to PULL
> from one of its partners?
> 
> Ex:
> 
> C:\>repadmin /showreps fntxx101
> B\FNTXX101
> DSA Options : (none)
> objectGuid  : 99765f71-4dad-496f-a996-a5d0af0232c6
> invocationID: 69a2f2fc-c3c2-412b-81bf-2f8d12abf436
> 
>  INBOUND NEIGHBORS
> ==
> 
> DC=xxx,DC=xxx,DC=com
> A-NADC\FMCXX104 via RPC
> objectGuid:
> d01e1848-e701-41ed-b7df-abdea09475ba
> Last attempt @ 2003-11-04 18:38.56 was
> successful.
> 
> CN=Schema,CN=Configuration,DC=xxx,DC=com
> A-NADC\FMCXX104 via RPC
> objectGuid:
> d01e1848-e701-41ed-b7df-abdea09475ba
> Last attempt @ 2003-11-04 18:38.55 was
> successful.
> 
> CN=Configuration,DC=xxx,DC=com
> A-NADC\FMCXX104 via RPC
> objectGuid:
> d01e1848-e701-41ed-b7df-abdea09475ba
> Last attempt @ 2003-11-04 18:38.54 was
> successful.
> 
>  OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS
> 
> 
> 
> 
> Doing that repadmin I know that my DC fntxx101 has a
> pull replication
> connection object with fmcxx104. Note there is NO
> GUARANTEE that there is a
> reciprocal connection object on fmcxx104 but there
> PROBABLY is. 
> 
> I now know that if I want to sync fntxx101 with
> fmcxx104's current state for
> the default partition I would type
> 
> repadmin /sync dc=xxx,dc=xxx,dc=com fntxx101
> d01e1848-e701-41ed-b7df-abdea09475ba /force
> 
> I took the partition name from the repadmin for the
> <Naming Context> parameter.
> I took the server name that is pulling as the <Dest DSA>
> I took the objectguid of the server I want to pull
> from as the <Source DSA UUID>
> 
> 
> Assuming I have a matching agreement going the other
> way I could use
> 
> repadmin /sync dc=xxx,dc=xxx,dc=com fmcxx104
> 99765f71-4dad-496f-a996-a5d0af0232c6 /force
> 
> 
> If the connection object is missing between two
> servers you will get the
> error message 
> 
> DsReplicaSync failed with status 8452 (0x2104):
> The naming context is in the process of being
> removed or is not
> replicated from the specified server.
> 
> 
> If you want to pull from all partners for a specific
> context, use syncall
> 
> repadmin /syncall DomainControllerName
> dc=domain,dc=com
> 
> If you want all partitions from all direct connected
> partners you would do
> 
> repadmin /syncall DomainControllerName
> 
> 
> I am curious about the undocumented command you
> mention. That is
> interesting, I will dig into it when I get time as
> the implications are
> rather large as it would have to force replications
> through the entire domain
> and possibly forest if it was a GC.
> 
> Hope this helps.
> 
> 
> May I ask why you need to force replication like
> this? It is so ungodly rare
> that we have to force replication that I am not even
> sure if my team other
> than myself even knows how to do it through repadmin

RE: [ActiveDir] GP and TS lockdown

2003-11-04 Thread deji Agba

I tried sending a screen-shot as a guide, but it's too large for the list. The configuration is done on the RDP Properties.
 
Go to Admin Tools -> Terminal Services Configuration -> Connections -> RDP-Tcp (or whatever your connection is named).
 
Double-click on it and go to Environment. Check the "Override settings from user." option. Then, in the "Program path and file name",  specify the path to the executable of the application you want to auto-launch (with the name of the executable, e.g. C:\winnt\system32\notepad.exe). For the "start in" option, I would put in the path to the executable (without the name of the executable, e.g. C:\winnt\system32).
 
Forget what I said earlier about "logon locally". If you still need to see the screen shot, email me offline at deji at akomolafe dot com
 
HTH


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: Charlie Kaiser
Sent: Tue 11/4/2003 5:14 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GP and TS lockdown

Hi Deji. I'm not sure I'm following you here.
TS is installed in application mode. When a non-admin user logs on, they get a desktop with only the app shortcut on it. Never having worked with TS before, I haven't figured out how to have just the application run instead of the desktop. Tried using CCM to create a connection and run the app, but it still gave me a desktop.
I tried denying logon locally rights to the test user and that account couldn't connect at all. Nothing I've read shows me that I can run just an app instead of a windowed desktop (as in citrix).
The app ties to a SQL instance and requires SQL client connectivity, and we don't want to make those connections across WAN links from the client PCs. So the app runs on the TS box local to the SQL box. If you've got a way that will allow me to run (on the TS) just the app at the client without a desktop session, I'd love to use it. Enlighten me... :-)
 
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**


-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason you don't just install TS in application mode on this server? If I were doing this (and there is no political/technical/budget reason against it), I'd do it that way and then deny logon locally rights to everyone but Admins. You can then configure TS to auto-launch the specific application that users need to use on the server.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things
to lock down a new W2K TS. This box is a member server in a W3K domain, and
is hosting an app that end users hit. We needed to make it so that was the
only thing they could do on the box, but we still needed admin access. So
here's what I did. I'm looking for any gotchas on this before it swings into
production...

New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is
an Admin access, which disables everything in the lockdown for those times
that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights
assignments.
Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lockdown the box,
though. Why the heck is it SO difficult to prevent IE from running? We don't
want a browser to open on this box for users at all. Couldn't find any way
to lock it down within the policy, and didn't want to get involved with IEAK
at this point. So, I put it on the list of apps that you can't run. Also
added the one app we want to the list of apps you can run. (along with all
the other lockdown tweaks in the policy) That should do it, right? Wrong.
Picture this. Locked down desktop, with a log off command and one icon for
the app we want to run. Can't do much, except hit F1. Hit F1, up comes a
help box. On the top bar is "Web Help". Click on that, a browser opens.
Nice. Let's you do anything at that point. Even though it's on the
prohibited list, it still runs. OK, lock down NTFS on iexplore.exe. Removed
users, etc., left admins, system. Still the same problem. Cute. IE runs in
the system context when launched from help. Removed perms for system account
and that finally did it. Nasty. Not exactly the context I want a web browser
running from...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**
List info   : http://www.actived

RE: [ActiveDir] GP and TS lockdown

2003-11-04 Thread Charlie Kaiser

OK, got it. Yes, that worked. Sweet. 2 hours of MSKB and Google and 
couldn't find anything that mentioned the ability to do that, much less how. 

Thanks, Deji. I appreciate it!
 
 
**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
**

  
  -Original Message-
  From: deji Agba [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, November 04, 2003 9:54 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] GP and TS lockdown
  
  I tried sending a 
  screen-shot as a guide, but it's too large for the list. the Configuration is 
  done on the RDP Properties.
   
  Go to Admin Tools -> Terminal Services 
  Configuration -> Connections -> RDP-Tcp (or whatever your connection is 
  named).
   
  Double-click on it and go to Environment. 
  Check the "Override settings from user." option. Then, in the "Program 
  path and file name",  specify the path to the executable of the 
  application you want to auto-launch (with the name of 
  the executable, e.g. C:\winnt\system32\notepad.exe). For the "start in" 
  option, I would put in the path to the executable (without the name of the 
  executable, e.g. C:\winnt\system32).
   
  Forget what I said earlier about "logon 
  locally". If you still need to see the screen shot, email me offline at deji 
  at akomolafe dot com
   
  HTH
  
  
   
  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
  
  
  From: Charlie Kaiser
  Sent: Tue 11/4/2003 5:14 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] GP and TS lockdown
  
  Hi Deji. I'm not sure I'm following you here.
  TS is installed in application mode. When a non-admin user logs on, 
  they get a desktop with only the app shortcut on it. Never having worked with 
  TS before, I haven't figured out how to have just the application run instead 
  of the desktop. Tried using CCM to create a connection and run the app, but it 
  still gave me a desktop.
  I tried denying logon locally rights to the test user and that account 
  couldn't connect at all. Nothing I've read shows me that I can run just an app 
  instead of a windowed desktop (as in citrix).
  The app ties to a SQL instance and requires SQL 
  client connectivity, and we don't want to make those connections across WAN 
  links from the client PCs. So the app runs on the TS box local to the SQL box. 
  If you've got a way that will allow me to run (on the TS) just the app at the 
  client without a desktop session, I'd love to use it. Enlighten me... 
  :-)
   
  **
  Charlie Kaiser
  MCSE, CCNA
  Systems Engineer
  Essex Credit / Brickwalk
  510 985 0975 x5083
  **
  

-Original Message-
From: deji Agba [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 04, 2003 2:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GP and TS lockdown

Is there a good reason 
you don't just install TS in application mode on this server? If I were 
doing this (and there is no political/technical/budget reason against it), 
I'd do it that way and then deny logon locally rights to everyone but 
Admins. You can then configure TS to auto-launch the specific application 
that users need to use on the server.
 


 
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Charlie Kaiser
Sent: Tue 11/4/2003 1:57 PM
To: ([EMAIL PROTECTED])
Subject: [ActiveDir] GP and TS lockdown

I just spent the morning looking around at resources and doing some things to lock down a new W2K TS. This box is a member server in a W3K domain, and is hosting an app that end users hit. We needed to make it so that was the only thing they could do on the box, but we still needed admin access. So here's what I did. I'm looking for any gotchas on this before it swings into production...

New OU, termservers.
2 GPs for that OU. 1 is a lockdown, strips everything except that app. 2 is an Admin access, which disables everything in the lockdown for those times that we need to do something to the box.
Set Admin GP at top w/no override, lockdown second. Appropriate rights assignments.

Seems to work pretty well. Any glaring issues?

Found a couple of interesting nasties while trying to lockdown the box, though. Why the heck is it SO difficult to prevent IE from running? We don't want a browser to open on this box for users at all. Couldn't find any way to lock it down within the policy, and didn't want to get involved with IEAK at this point. So, I put it on the list of apps that you can't run. Also added the one app we want to the list of apps
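The connection-level "initial program" that Deji's steps set through Terminal Services Configuration (Environment tab, "Override settings from user", program path and start-in directory) lives in the RDP-Tcp WinStation registry key. The script below is an added example, not code from the thread or from Microsoft: it audits those three values so you can confirm a terminal server really starts users in one application rather than at a desktop, and can apply them without the GUI. It assumes the standard WinStation registry location for a connection named RDP-Tcp; the application path in the usage comment is a constructed placeholder.

```powershell
# Added example (not from the thread): audit and apply the RDP-Tcp
# "initial program" settings. Assumes the standard Terminal Services
# WinStation key; change $WinStation if your connection is renamed.
$WinStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpInitialProgram {
    param([string]$Path = $WinStation)
    $k = Get-ItemProperty -Path $Path -ErrorAction Stop
    [pscustomobject]@{
        # fInheritInitialProgram = 1 means the per-user profile setting wins;
        # 0 is what "Override settings from user" checks in the GUI.
        OverrideUser   = ([int]$k.fInheritInitialProgram -eq 0)
        InitialProgram = [string]$k.InitialProgram
        WorkDirectory  = [string]$k.WorkDirectory
    }
}

# Returns a list of findings; no output means the connection is pinned to
# one application the way the thread describes.
function Test-RdpInitialProgram {
    param([string]$Path = $WinStation)
    $cfg = Get-RdpInitialProgram -Path $Path
    $findings = @()
    if (-not $cfg.OverrideUser) {
        $findings += 'Per-user Environment settings are still honoured; a profile with no initial program gets a full desktop.'
    }
    if ([string]::IsNullOrWhiteSpace($cfg.InitialProgram)) {
        $findings += 'No initial program is set on the connection; sessions start at the desktop.'
    }
    elseif (-not (Test-Path -LiteralPath $cfg.InitialProgram)) {
        $findings += "Initial program '$($cfg.InitialProgram)' does not exist on this server."
    }
    if ([string]::IsNullOrWhiteSpace($cfg.WorkDirectory)) {
        $findings += 'No start-in directory is set; the application starts in its default working directory.'
    }
    return $findings
}

# Writes the same three values the GUI steps set. Run elevated; sessions
# that are already open keep the program they were started with.
function Set-RdpInitialProgram {
    param(
        [Parameter(Mandatory)][string]$Program,
        [string]$WorkDir = (Split-Path -Path $Program -Parent),
        [string]$Path = $WinStation
    )
    if (-not (Test-Path -LiteralPath $Program)) {
        throw "Refusing to point the connection at a program that is not on this server: $Program"
    }
    Set-ItemProperty -Path $Path -Name fInheritInitialProgram -Value 0 -Type DWord
    Set-ItemProperty -Path $Path -Name InitialProgram -Value $Program -Type String
    Set-ItemProperty -Path $Path -Name WorkDirectory -Value $WorkDir -Type String
}

# Usage (constructed placeholder path; substitute the real application):
# Set-RdpInitialProgram -Program 'C:\Apps\LineOfBusiness\app.exe'
# Test-RdpInitialProgram
```

Because the session ends when the initial program exits, users never reach a desktop from which to launch anything else. It does not, however, stop the application itself from spawning a browser (the F1 / Web Help path Charlie hit), so the Group Policy restrictions in the original post still matter alongside this setting.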

RE: [ActiveDir] OUs by server function?

2003-11-04 Thread Rick Kingslan



Yeah, that's what I hear.
;o)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Missy Koslosky
Sent: Sunday, November 02, 2003 3:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OUs by server function?

Hey!  You're gonna get me in trouble, and 
Roger's a little bigger than I am!
 
Missy
 

  - Original Message - 
  From: 
  Rick Kingslan 
  
  To: [EMAIL PROTECTED] 
  
  Sent: Sunday, November 02, 2003 4:13 
  PM
  Subject: RE: [ActiveDir] OUs by server 
  function?
  
  And, Mr. Seielstad, who do you think I was speaking 
  of?  ;o)  Missy and I submitted your name.  It was a 
  coordinated effort to corrupt you further.
   
  -rtk
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
  Sent: Sunday, November 02, 2003 2:28 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] OUs by server function?
  
  Um, 
  yeah. Like me for instance. I've rarely posted to the Microsoft news groups, 
  but I've been here for quite a while and some other public email lists for 6-7 
  years.
   
  Roger
  -- 
  Roger D. Seielstad 
  - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. 
  
  

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 01, 2003 4:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OUs by server function?
Michael,
 
Not necessarily where there is a Microsoft presence.  There are some folks on this list who have been nominated and are now MVPs because of involvement here - not necessarily on the Public NGs.  Participation on the public NGs is but one way.  Community, and contributing to it, is a many faceted thing.  Remember, this is peer recognition of excellence and professionalism - and not necessarily by a Microsoft peer.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Friday, October 31, 2003 1:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OUs by server function?

Interesting. So people that are active on mailing lists 
where MS isn't present don't stand a chance?
 
I need to resign from all these mailing lists and spend 
the time on newsgroups!  :-)


From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 31, 2003 2:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OUs by server function?

Michael
 
Any tricks involving wine are welcomed, but 
Microsoft does have other criteria too:
 
http://mvp.support.microsoft.com/default.aspx?scid=fh;EN-GB;mvpfaqs
 
Tony


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, 31 October 2003 18:27
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OUs by server function?

What does one have to do to become an MVP? Does it involve parting bodies of water or turning them into wine? :-)

Michael Parent MCSE MCT
Analyst I - Web Services
ITOS - Systems Enablement
Maritime Life Assurance Company
(902) 453-7300 x3456

  
  

Rich Milburn <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
10/31/2003 12:16 PM
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OUs by server function?

You're right, I was referring to WMI filtering.

Thanks for the welcome, I've never seen so many MVPs in one place!! :-)

I looked on winnetmag.com and didn't find it, I'll have a look for the hardcopy I read it in at home...

Rich


From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Friday, October 31, 2003 9:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OUs by server function?

Rich

Welcome to the list!  If you have a link to the article, please post it.  I'm sure others would be interested.

Scope filtering using security groups is not new to 2003.  You might be thinking of WMI filtering, which is new with XP/2003.  The problem with scope filtering is (as you rightly point out) the reporting side of things.  I'm not sure whether the GPMC includes anything for this or not, but if it does I haven't used it.  The new scripting functions probably offer the ability to display the appropriate reports.

My friend Matty Holland