Re: [ActiveDir] ADUC view preferences
Mark

You can adjust the column view in ADUC by selecting View - Add/Remove Columns. For example, you can add Display Name, Last Name, First Name, etc. Hopefully, this should give you what you need. I believe the Name column matches the cn, but I haven't checked this.

Tony

_____
Sent: Thursday, 18 December 2003 21:34
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADUC view preferences

Can you clear something up for me? In ADUC, the default first column is labeled Name. I would like that to always display as LastName, FirstName (sn, givenName). I thought this was controlled by DisplayName, but apparently not. What attribute would I edit to fix the ones that don't meet this desired view?

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Extending Active Directory
Special Operations Suite 2.0 (SpecOps) is an AD-integrated solution which extends, enhances and improves the manageability of workstations and servers without modifying your AD-schema.

SpecOps features:

- Active Directory integrated Desktop Management
- Software surveillance and WMI inventory
- Active Directory GPO Resultant Set of Policy (RSoP) inventory
- Eventlog Management: search and surveillance of eventlogs
- HTML-messaging to client computers
- Remote Command execution on large numbers of client computers
- Extends already existing Windows 2000/XP administrative tools
- Business intelligence web interface (OLAP)

To read the full story about SpecOps and get a 30 Day evaluation version, please visit: http://www.ubm-europe.com/specops.htm

Ken LeDrew
United Business Machines
UBM Scandinavia
Ratamestarinkatu 11B, 4th floor
00520 Helsinki
Finland
tel +358-(0)9-3455011
mobile +358-(0)400334024
fax +3458-9-3455 066
http://www.ubm-europe.com
email [EMAIL PROTECTED]
Re: [ActiveDir] Extending Active Directory [List Owner]
Ken

This type of shameless product advertising is not permitted on this list. Please don't do it again.

Tony

---------- Original Message ----------
Reply-To: [EMAIL PROTECTED]
Date: Fri, 19 Dec 2003 10:54:44 +0200

Special Operations Suite 2.0 (SpecOps) is an AD-integrated solution which extends, enhances and improves the manageability of workstations and servers without modifying your AD-schema.

SpecOps features:

- Active Directory integrated Desktop Management
- Software surveillance and WMI inventory
- Active Directory GPO Resultant Set of Policy (RSoP) inventory
- Eventlog Management: search and surveillance of eventlogs
- HTML-messaging to client computers
- Remote Command execution on large numbers of client computers
- Extends already existing Windows 2000/XP administrative tools
- Business intelligence web interface (OLAP)

To read the full story about SpecOps and get a 30 Day evaluation version, please visit: http://www.ubm-europe.com/specops.htm

Ken LeDrew
United Business Machines
UBM Scandinavia
Ratamestarinkatu 11B, 4th floor
00520 Helsinki
Finland
tel +358-(0)9-3455011
mobile +358-(0)400334024
fax +3458-9-3455 066
http://www.ubm-europe.com
email [EMAIL PROTECTED]
[ActiveDir] ADO
Do I want to use ADO if I want to search all users in a domain and then alter an attribute based on its current value, or is there a better method? Up to now, I've only tried using ADO to return a result set, not modify. The part I'm struggling with is making the search recursive through the whole domain, rather than having to specify a container or OU, and I know in ADO I can specify a subtree as the scope.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
[ActiveDir] Cross-domain RAS problem
Got an odd one that I can't find a solution to...

W2K3 AD with 2-way trust to old NT4.0 domain. Got a member server in old, W2K server running RAS. If I connect using credentials in the old domain, I connect fine. If I try to connect using credentials in the new domain, I get a client error "The authentication server did not respond in a timely fashion", and event ID 20073 pops into RAS server event log.

Did some checking and found that adding the RAS server to the RAS and IAS Servers security group in AD should fix it. Problem is, I can't find any server objects/machine objects to add to the group, only users and groups. (This also happens trying to add objects to any groups.) Also supposed to be able to use netsh ras add registeredserver to do this, but that fails with "The specified domain either does not exist or could not be contacted." Domain and server name show correctly at that command.

Trust is working for all other functions. Pre-Windows 2000 Compatible access is set to everyone. Can't migrate this box to the new AD yet since I still have remote users on the old domain and we can't migrate them for a while yet. I also don't want to migrate the remote users if they can't get to the RAS server. :-) Not using IAS. The whole Windows-based RAS is going to go away in a few months courtesy of Cisco VPN or another similar solution, but I need to make this work for now.

It appears that AD doesn't support adding NT4 machine accounts to the groups. Any ideas?

Thanks!

Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 985 0975 x5083
RE: [ActiveDir] ADO
I'm sorry I didn't word the question very well - I understand how to get the ADO search to work, per your suggestion. Can I update the value? e.g. objRS.Update or something to that effect? Or do I need a subroutine that builds the user object first?

mc

-----Original Message-----
From: Todd Povilaitis [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 12:06 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADO

RootDSE() and subtree should do it for you. Also if you expect to return more than 1000 objects, you should increase the "Page Size" value in your ADO/ADsDSOObject query.

__
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 08:31
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADO

Do I want to use ADO if I want to search all users in a domain and then alter an attribute based on its current value, or is there a better method? Up to now, I've only tried using ADO to return a result set, not modify. The part I'm struggling with is making the search recursive through the whole domain, rather than having to specify a container or OU, and I know in ADO I can specify a subtree as the scope.

Thanks!

Mark Creamer
Systems Engineer
Cintas Corporation
Honesty and Integrity in Everything We Do
[ActiveDir] net time
Everyone,

I have my PDC Emulator on a server that is set to a SNTP server on the web, however all my other servers when I type in net time /set point to a different server that holds no roles whatsoever for AD, it is just a DC. What am I doing wrong?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] net time
That's the way it's supposed to work. All your DCs will act as time servers and your clients will synch with them. They just synch their time with the PDC-E which should be set to use an outside time service.

Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 12:38 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] net time

Everyone,

I have my PDC Emulator on a server that is set to a SNTP server on the web, however all my other servers when I type in net time /set point to a different server that holds no roles whatsoever for AD, it is just a DC. What am I doing wrong?

Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
RE: [ActiveDir] ADO
You may need to include typelib references depending on what you're doing:

    <!-- Active DS Type Library 1.0 -->
    <reference guid="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"/>
    <!-- Microsoft ActiveX Data Objects 2.7 Library -->
    <reference guid="{0205--0010-8000-00AA006D2EA4}"/>

You may need to use Object.Get (for single valued properties) or Object.GetEx (for multivalued properties), Object.Put (for single valued properties) or Object.PutEx (for multivalued properties), and then Object.SetInfo (instead of oRs.Update), something like:

    ' True only when the recordset holds at least one row
    If Not (oRs.BOF And oRs.EOF) Then
        Do While Not oRs.EOF
            ' Bind to the directory object behind the current row
            Set oObject = GetObject(oRs("ADsPath").Value)
            With oObject
                .Put "givenname", "John"
                .Put "initials", "Q."
                .Put "sn", "Public"
                ' ADS_PROPERTY_UPDATE comes from the Active DS type library
                .PutEx ADS_PROPERTY_UPDATE, "description", Array("Human Resources Staff")
                .PutEx ADS_PROPERTY_UPDATE, "otherTelephone", Array("(987) 654-3210", "(987) 987-6543")
                .SetInfo   ' write the cached changes to the directory
            End With
            oRs.MoveNext
        Loop
    Else
        '-- empty recordset
    End If

__
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 09:13
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADO

I'm sorry I didn't word the question very well - I understand how to get the ADO search to work, per your suggestion. Can I update the value? e.g. objRS.Update or something to that effect? Or do I need a subroutine that builds the user object first?

mc
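The search-then-modify approach discussed in this thread (RootDSE base, subtree scope, "Page Size", then GetObject/Put/SetInfo), shown end to end as an added example that is not part of the original posts. The department attribute, the OLD_VALUE/NEW_VALUE strings and the DRY_RUN switch are assumptions chosen for illustration:

```vbscript
' Added example (not code from the thread): find every user in the domain
' with ADO, then change one attribute only where its current value matches.
' TARGET_ATTR, OLD_VALUE, NEW_VALUE and DRY_RUN are assumptions.
Option Explicit

Const ADS_SCOPE_SUBTREE = 2              ' search the base and everything below it
Const TARGET_ATTR = "department"         ' assumed single-valued attribute
Const OLD_VALUE   = "HR"                 ' assumed value to look for
Const NEW_VALUE   = "Human Resources"    ' assumed replacement value
Const DRY_RUN     = True                 ' True = report only, write nothing

Dim oRootDSE, sBaseDN, oConn, oCmd, oRs, oUser, sCurrent, nMatched

' RootDSE supplies the domain naming context, so no container or OU is hard-coded.
Set oRootDSE = GetObject("LDAP://RootDSE")
sBaseDN = oRootDSE.Get("defaultNamingContext")

Set oConn = CreateObject("ADODB.Connection")
oConn.Provider = "ADsDSOObject"
oConn.Open "Active Directory Provider"

Set oCmd = CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = oConn
' Setting a page size turns on paged results, so more than 1000 objects come back.
oCmd.Properties("Page Size") = 500
oCmd.Properties("Searchscope") = ADS_SCOPE_SUBTREE
oCmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & sBaseDN & "' " & _
    "WHERE objectCategory='person' AND objectClass='user' " & _
    "AND " & TARGET_ATTR & "='" & OLD_VALUE & "'"

Set oRs = oCmd.Execute
nMatched = 0

Do While Not oRs.EOF
    ' The ADSI recordset is read-only: bind to the object itself to change it.
    Set oUser = GetObject(oRs.Fields("ADsPath").Value)

    ' Re-read the live value so the decision is made on what the object holds now.
    sCurrent = oUser.Get(TARGET_ATTR)
    If StrComp(sCurrent, OLD_VALUE, vbTextCompare) = 0 Then
        nMatched = nMatched + 1
        WScript.Echo oUser.ADsPath & ": " & sCurrent & " -> " & NEW_VALUE
        If Not DRY_RUN Then
            oUser.Put TARGET_ATTR, NEW_VALUE
            oUser.SetInfo                ' commit the change to the directory
        End If
    End If

    oRs.MoveNext
Loop

If DRY_RUN Then
    WScript.Echo nMatched & " object(s) would be changed (dry run)."
Else
    WScript.Echo nMatched & " object(s) changed."
End If

oRs.Close
oConn.Close
```

Run it with cscript.exe; with DRY_RUN left at True it lists each object it would change and writes nothing, which gives a record to review before the real run.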
RE: [ActiveDir] net time
That is the thing, all my other DCs point to a DC that is not configured as the Authoritative Time Source.

For example:

DC1
DC2 - PDCE
DC3

DC2 is set to time.windows.com
Run a net time /set on DC3 and it asks if you want to reset the clock to the one on DC1
Net time /querysntp on DC3 and DC1 returns that the sntp is not configured
Net time on DC3, DC2 and DC1 shows the time on DC1

-----Original Message-----
From: Celone, Mike [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 12:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] net time

That's the way it's supposed to work. All your DCs will act as time servers and your clients will synch with them. They just synch their time with the PDC-E which should be set to use an outside time service.

Mike Celone
Systems Specialist
Radio Frequency Systems
v 203-630-3311 x1031
f 203-634-2027
m 203-537-2406
RE: [ActiveDir] ADO
Thanks Todd, that's very helpful!

mc

-----Original Message-----
From: Todd Povilaitis [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 12:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADO

You may need to include typelib references depending on what you're doing:

    <!-- Active DS Type Library 1.0 -->
    <reference guid="{97D25DB0-0363-11CF-ABC4-02608C9E7553}"/>
    <!-- Microsoft ActiveX Data Objects 2.7 Library -->
    <reference guid="{0205--0010-8000-00AA006D2EA4}"/>

You may need to use Object.Get (for single valued properties) or Object.GetEx (for multivalued properties), Object.Put (for single valued properties) or Object.PutEx (for multivalued properties), and then Object.SetInfo (instead of oRs.Update), something like:

    ' True only when the recordset holds at least one row
    If Not (oRs.BOF And oRs.EOF) Then
        Do While Not oRs.EOF
            ' Bind to the directory object behind the current row
            Set oObject = GetObject(oRs("ADsPath").Value)
            With oObject
                .Put "givenname", "John"
                .Put "initials", "Q."
                .Put "sn", "Public"
                ' ADS_PROPERTY_UPDATE comes from the Active DS type library
                .PutEx ADS_PROPERTY_UPDATE, "description", Array("Human Resources Staff")
                .PutEx ADS_PROPERTY_UPDATE, "otherTelephone", Array("(987) 654-3210", "(987) 987-6543")
                .SetInfo   ' write the cached changes to the directory
            End With
            oRs.MoveNext
        Loop
    Else
        '-- empty recordset
    End If

__
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901
RE: [ActiveDir] net time
    net time \\DC1 /setsntp:DC2

    NET TIME [\\computername | /DOMAIN[:domainname] | /RTSDOMAIN[:domainname]] [/SET]
             [\\computername] /QUERYSNTP
             [\\computername] /SETSNTP[:ntp server list]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, December 19, 2003 12:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] net time

That is the thing, all my other DCs point to a DC that is not configured as the Authoritative Time Source.

For example:

DC1
DC2 - PDCE
DC3

DC2 is set to time.windows.com
Run a net time /set on DC3 and it asks if you want to reset the clock to the one on DC1
Net time /querysntp on DC3 and DC1 returns that the sntp is not configured
Net time on DC3, DC2 and DC1 shows the time on DC1

This e-mail and any accompanying attachments are confidential. The information is intended solely for the use of the individual to whom it is addressed. Any review, disclosure, copying, distribution, or use of this e-mail communication by others is strictly prohibited. If you are not the intended recipient, please notify us immediately by returning this message to the sender and delete all copies. Thank you for your cooperation.
RE: [ActiveDir] net time
But you shouldn't have to do that, shouldn't they find the PDCE on their own?

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 1:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] net time

    net time \\DC1 /setsntp:DC2

    NET TIME [\\computername | /DOMAIN[:domainname] | /RTSDOMAIN[:domainname]] [/SET]
             [\\computername] /QUERYSNTP
             [\\computername] /SETSNTP[:ntp server list]
RE: [ActiveDir] net time
Have you checked your event logs? Usually it will tell you the reason why it cannot contact the PDCE or give you a hint. It is usually DNS that is the culprit. I set all of my DC's manually regardless as I do not want my DC's in London or Japan syncing with a PDCE in Philadelphia over the WAN but rather a local time source on a well connected high speed LAN.

Regards,
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Salandra, Justin A.
Sent: Friday, December 19, 2003 1:11 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] net time

But you shouldn't have to do that, shouldn't they find the PDCE on their own?
RE: [ActiveDir] net time
I have no errors or warnings in my DC logs. Every DC can connect to the PDCE. I guess I will have to set up each server manually.

-----Original Message-----
From: Chianese, David P. [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 1:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] net time

Have you checked your event logs? Usually it will tell you the reason why it cannot contact the PDCE or give you a hint. It is usually DNS that is the culprit. I set all of my DC's manually regardless as I do not want my DC's in London or Japan syncing with a PDCE in Philadelphia over the WAN but rather a local time source on a well connected high speed LAN.

Regards,
Dave
[ActiveDir] Search filter for createTimestamp search with LDP
I need to search for user objects created or modified after a specific date. The createTimeStamp and modifyTimeStamp attributes appear to hold this information for each object. The problem I have is that I cannot get the correct LDAP search filter to return any matches.

Assuming BASE DN is correct and Sub tree is selected, if I set the filter to (createTimeStamp=*) I get a list of all the objects in the sub tree. Other searches (i.e. (samaccountname=doe*)) also behave as suspected.

When I attempt to set the filter as either of the following:

    (createTimeStamp=12/11/2003*)
    (createTimeStamp=20031211*)

it fails. If I look up a user with LDP and retrieve the exact value of their createTimeStamp and use it in the filter, it also fails.

I suspect there is a matching rule or syntax issue for UTC Coded Time, but I cannot seem to get the right combination. Any ideas?

David Frost
Directory Engineering, Messaging, Directories and PKI
Engineering Services
Industry Canada
RE: [ActiveDir] net time
Salandra, Justin A. mailto:[EMAIL PROTECTED] wrote:

Everyone, I have my PDC Emulator on a server that is set to a SNTP server on the web, however all my other servers when I type in net time /set point to a different server that holds no roles whatsoever for AD, it is just a DC. What am I doing wrong?

Short answer- Don't use net time on a DC.

Net Time uses the LANMAN NETTOD API's and is not what you want to use on DC's, it doesn't compensate reliably for network induced latency and it also uses browser mechanisms to locate a time source, ick... the time service is far more reliable and accurate and will keep accurate time in the entire forest if left alone. If you feel you must play with the time service, you want to use w32tm after stopping W32Time.

As long as your PDCe in the forest root is pointing to a reliable NTP source, just leave the rest of the DC's alone. They will be in NT5DS mode by default and generally a DC will peer up to the PDCe in its own domain but not always, sometimes it will select another DC in its own domain. That's fine. Time synchronization will occur authenticated over the secure channels between machines.

Manually specified time sources are not authenticated, you can also create loops in the synchronization tree and cause unpredictable results.

If you have mucked with the child DC's SNTP sources, you can just issue net time /setsntp with no argument and it will clear the SNTP server entry in the registry and return the box from NTP to NT5DS mode.

If you are familiar with full NTP, the w32time SNTP implementation's stratum hierarchy looks like this-

Stratum
1   External NTP time source
2   PDC emulator of the forest root domain
3   Domain controllers in the forest root domain or PDC emulators in child domains
4   Workstations and member servers in the forest root domain or domain controllers in child domains
5   Workstations and member servers in child domains

Bob Free
Sr Network Specialist
PGE
Auburn, Ca.
RE: [ActiveDir] net time
That would appear to be working correctly.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 19, 2003 12:55 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] net time

That is the thing, all my other DCs point to a DC that is not configured as the Authoritative Time Source.

For example:

DC1
DC2 - PDCE
DC3

DC2 is set to time.windows.com
Run a net time /set on DC3 and it asks if you want to reset the clock to the one on DC1
Net time /querysntp on DC3 and DC1 returns that the sntp is not configured
Net time on DC3, DC2 and DC1 shows the time on DC1
RE: [ActiveDir] net time
Maybe I just don't understand the difference between NT5DS time through w32time and NTP through net time. Does anyone have any articles comparing the differences and similarities between these two services?
RE: [ActiveDir] net time
> Does anyone have any articles comparing the differences and similarities between these two services?

The definitive article from the horse's mouth -
http://www.microsoft.com/windows2000/techinfo/howitworks/security/wintimeserv.asp

Very nice paper from a 3rd party perspective -
http://www.greyware.com/software/domaintime/product/w32time.asp#overview
RE: [ActiveDir] Search filter for createTimestamp search with LDP
David,

Try (whenChanged=20020608131321.0Z) with the appropriate date and time.

Jerry

Jerry Welch
CPS Systems
SimpleSync
US/Canada: 888-666-0277
International: +1 703 827 0919 (-6 GMT)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 19, 2003 2:03 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Search filter for createTimestamp search with LDP

I need to search for user objects created or modified after a specific date. The createTimeStamp and modifyTimeStamp attributes appear to hold this information for each object. The problem I have is that I cannot get the correct LDAP search filter to return any matches.

Assuming BASE DN is correct and Sub tree is selected, if I set the filter to (createTimeStamp=*) I get a list of all the objects in the sub tree. Other searches (i.e. (samaccountname=doe*)) also behave as suspected.

When I attempt to set the filter as either of the following;

(createTimeStamp=12/11/2003*)
(createTimeStamp=20031211*)

it fails. If I look up a user with LDP and retrieve the exact value of their createTimeStamp and use it in the filter, it also fails.

I suspect there is a matching rule or syntax issue for UTC Coded Time, but I cannot seem to get the right combination. Any ideas?

David Frost
Directory Engineering, Messaging, Directories and PKI
Engineering Services
Industry Canada
RE: [ActiveDir] Search filter for createTimestamp search with LDP
Thanks Jerry,

I was missing the proper date format, specifically the final .0Z. I guess the *(any) does not work there. This time format works in both the whencreated/whenmodified attributes and the createtimestamp/modifytimestamp. According to something I stumbled over in my search for this answer, createtimestamp and modifytimestamp are the recommended attributes to use as they are replicated to all DCs.
[ActiveDir] GC partition rebuild algorithm
What I've read from Microsoft ...

GC Partial Attribute Set (PAS)

In Windows 2000, modification required full rebuild of GC (full synchronization of read-only naming context)
When an additional attribute was marked for inclusion in the GC, all GC servers reset their USNs for GC attributes to 0 and rebuilt the Partial Attribute Set (PAS) from scratch

In Windows Server 2003, can preserve GC synchronization state instead of resetting
Propagation of PAS thus no longer results in full rebuild of global catalog partitions
Only the newly-included attributes are replicated - the PAS is not completely rebuilt

In a mixed environment of Windows 2000 and Windows Server 2003 domain controllers,

Do the Windows 2000 domain controllers rebuild their global catalog partitions?
Do the Windows Server 2003 domain controllers not rebuild their global catalog partitions?

What is the definitive algorithm?

Alan A Isham
Messaging and Active Directory Engineering
Intel Corporation in Folsom, California
RE: [ActiveDir] GC partition rebuild algorithm
Assuming both 2000 and 2003 DCs are present within the forest -

* 2000 GCs WILL full sync.
* 2003 GCs will NOT full sync. assuming
  - they have a connection object representing a DC in the foreign domain that is also running 2003
  - if multiple domains exist, it depends on the OS of the DC from which the GC sources THAT partition

In short, 2003 GCs will incrementally sync. from other 2003 DCs and will full sync. from 2000 DCs.

Dean

--
Dean Wells
MSEtechnology
Tel: +1 (954) 501-4307
Email: dwells@msetechnology.com
http://msetechnology.com
RE: [ActiveDir] Search filter for createTimestamp search with LDP
Correct, you can not wildcard that type of attribute like you can't wildcard DNs.

If you want everything from June 1, 2003 on you can do something like

Whenchanged=2003060100.0Z

joe
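The time-value format this thread arrives at, as an added Python example that is not part of any poster's message: it renders a cutoff date in the 14-digit `YYYYMMDDHHMMSS.0Z` form and builds a `>=` range filter for user objects created or changed since then, the kind of query used when auditing for recently created or modified accounts. The function names, the objectCategory/objectClass user clause and the sample entries are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# Time-value form the thread found to work in filters: YYYYMMDDHHMMSS.0Z (UTC).
GT_RE = re.compile(r"^\d{14}\.0Z$")

def to_generalized_time(dt):
    """Render an aware datetime as the 14-digit UTC string used in the filter."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime so the UTC shift is explicit")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"

def changed_since_filter(since, attrs=("whenCreated", "whenChanged")):
    """Filter for user objects created or changed at or after `since`.

    LDAP filters have >= and <= but no strict '>', so "after" is written as >=.
    The user clause below is an assumption of this example.
    """
    stamp = to_generalized_time(since)
    clauses = "".join(f"({attr}>={stamp})" for attr in attrs)
    return f"(&(objectCategory=person)(objectClass=user)(|{clauses}))"

def check_time_value(value):
    """Return 'ok' or the reason a hand-typed time value will not match."""
    if value == "*":
        return "ok"  # presence test, e.g. (createTimeStamp=*)
    if "*" in value:
        return "partial wildcard on a time attribute; use a >= or <= range"
    if not GT_RE.match(value):
        return "expected YYYYMMDDHHMMSS.0Z"
    return "ok"

def is_on_or_after(entry_stamp, since):
    """Re-check a returned value locally; fixed-width stamps sort chronologically."""
    if not GT_RE.match(entry_stamp):
        raise ValueError(f"not in YYYYMMDDHHMMSS.0Z form: {entry_stamp!r}")
    return entry_stamp >= to_generalized_time(since)

# Constructed sample values for the demonstration (not taken from a directory).
SAMPLE = {"CN=Jane Doe": "20031211153000.0Z", "CN=John Doe": "20020608131321.0Z"}

if __name__ == "__main__":
    cutoff = datetime(2003, 6, 1, tzinfo=timezone.utc)
    print(changed_since_filter(cutoff))
    for dn, stamp in SAMPLE.items():
        print(dn, stamp, is_on_or_after(stamp, cutoff))
    for typed in ("12/11/2003*", "20031211*", "20020608131321.0Z"):
        print(typed, "->", check_time_value(typed))
```

The generated string can be pasted into the LDP filter box; converting from an aware datetime avoids an off-by-hours cutoff when the date is chosen in local time.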