[ActiveDir] HELP Me: Trusting and Trusted between AD2000 Native and NT4 Domain??

2004-02-20 Thread MAI ANH TUAN
Hi all,

When I make a trust between my domain (Windows 2000) and another domain (NT4) I
receive the error "Cannot contact domain". I'm not familiar with NT4 and
WINS.

Please help me to solve this problem.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] VPN Server

2004-02-20 Thread Murray Wall
Have a look. I have seen this problem with Checkpoint; the problem is
DNS. For whatever reason, your client is still pointing externally.
Chances are if you add a hosts file entry for the internal IP you will be
good.


Murray Wall, MCSE, B.Ed CCNA/DA Master ASE
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, February 20, 2004 11:15 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] VPN Server

Hi guys,

I have set up my server as a VPN server and from the outside I have noticed
that when I connect to the VPN server, for all the servers that are publicly
addressable I am getting their IP address instead of the internal IP
address.  Is there a way to fix this?

Justin A. Salandra, MCSE
Senior Network Engineer

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] VPN Server

2004-02-20 Thread Salandra, Justin A.
Hi guys,

I have set up my server as a VPN server and from the outside I have noticed
that when I connect to the VPN server, for all the servers that are publicly
addressable I am getting their IP address instead of the internal IP
address.  Is there a way to fix this?

Justin A. Salandra, MCSE
Senior Network Engineer

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] FRS/SYSVOL replication errors

2004-02-20 Thread E Brown
Todd,

Make sure you use the FRS troubleshooting and monitoring tools.
These will save you big time as far as downtime goes. GPMC can be used for
backup/restore of policies as well.
Also make sure you have the latest revision of the FRS code. This is Q815473 for
W2K.
Try FRSDIAG for a start.

http://www.microsoft.com/windowsserver2003/technologies/fileandprint/file/dfs/tshootfrs.mspx

E. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] FRS/SYSVOL replication errors

Todd, I cannot swear to this, but I read somewhere that this exact "issue"
is one of the things that are supposed to make you think twice before you
pull the "domain rename" trigger. One of the others is the presence of
Exchange. Since I've not been able to locate where I read/heard this, I may
be way off. But, all my test domain renames have always come up with one or
more "issues".

Having said that, is this domain "single-labelled" by any chance?
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Byrd, Todd
Sent: Wed 2/18/2004 11:43 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] FRS/SYSVOL replication errors



Hey All,

We are having a bit of an issue with our production network, and I've been
troubleshooting till I'm blue in the face, so I thought I'd ask here and see
if anyone else has had a similar issue.

We have a fairly typical multiple site network that we have recently
upgraded to win2k3 from win2k, and then gone through the domain rename
procedure (it works pretty well BTW as long as your DNS setup is error
free.)  The problem occurs where our SYSVOL folders are not replicating
properly between all DCs.
I am getting ntfrs error 13508 (sometimes followed by 13509, sometimes not)
on occasion (not regularly) but on the workstations and DCs I'm getting
Userenv 1030 and 1058 quite often. Using the frsdiag utility from Microsoft,
I'm finding several errors (mostly RPC) on my PDC, and on 3 out of 4 of my
other DCs.

ATM I can't push GPOs out to the enterprise as they are not replicating off
of my PDC, and while I'm pretty sure that a FSMO role transfer to another
box, demoting and repromoting the PDC and one of my GC servers (the boxes
that the others are having a hard time communicating with) will fix the
problem, I'd rather fix it without having to go to such drastic measures.

Any insight anyone can provide would be a great help.

--Todd


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread AD

I'm not saying to not use GPO but rather apply the GPOs at the site level - it's
the same mechanism just at a different level.  It wouldn't resolve the
delegated administration issue but that's really just adding and removing objects
when talking about machines.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Posted At: Friday, February 20, 2004 2:16 PM
Posted To: AD
Conversation: [ActiveDir] OU/Computer accounts reorganization
Subject: R: [ActiveDir] OU/Computer accounts reorganization

Because each site needs different GPOs (SUS server at local site, different
desktops, different logon scripts, certain OUs have delegated administration,
etc.). I agree with the "make it simple, see it working better" statement, but I
certainly wouldn't give up using key Win2000 AD features for that.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of AD
Sent: Friday, 20 February 2004 19:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

I guess one would also have to ask why not just apply the policies to the sites
and not worry about the OUs?  Then you don't have to worry about it now or in
the future.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Friday, February 20, 2004 1:24 PM
Posted To: AD
Conversation: [ActiveDir] OU/Computer accounts reorganization
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Should have added this part to the last email:

Some books that might help:
http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330

From: Mulnick, Al
Sent: Friday, February 20, 2004 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Nslookup FQDN_of_computer_name would do it. But now might be a good time to
look into the scripting.  It could save you a lot of time and you may have to
do this again some time.

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization

ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses of
the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?
J

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Ken Cornetet
Perl has a built-in function for converting host names to IP addresses.

If you are going to use VB, you could use WMI[1] to get the IP address
as well.


[1] While WMI is supported on everything from NT4 & win98 forward, it is
only installed by default on 2000 and above. If you have a lot of 9x
machines, WMI probably isn't an option.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization


ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job. Anyway, what
would be the best method to achieve this? Get the IP addresses of the
machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?

J

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread deji
Yes, it will.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Grantham, Caron
Sent: Fri 2/20/2004 10:33 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field


Thanks Dèjì Akómöláfé,
I did find these two KB articles earlier but we are on Windows 2003 Server.
The articles don't mention this OS. Will it still work?
 
 
Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]

312-742-2731
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, February 20, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field
 
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
 


From: Grantham, Caron
Sent: Fri 2/20/2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field
 
We used a 3rd Party Migration Tool (BindView) to migrate user accounts,
mailboxes and profiles and now we have a problem wherein the AD properties
for a user show up with their last name in the first name field and first
name in the last name field. The GAL and the name display properties are
correct however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these
fields?
We don't want to use the cumbersome CSV import/export tool to do this unless
it's our only option.
 
 
Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]

312-742-2731
Working smarter towards a common goal -- EFFICIENCY
 
This e-mail and any files transmitted with it are the property of CHA, are
confidential, and are intended solely for the use of the individual or entity
to whom this e-mail is addressed. If you are not one of the named
recipient(s) or otherwise have reason to believe that you have received this
message in error, please notify the sender at 312-742.4000 and delete this
message immediately from your computer. Any other use, retention,
dissemination, forwarding, printing, or copying of this e-mail is strictly
prohibited.
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread Mulnick, Al



Yep.

From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field

Thanks Dèjì Akómöláfé,
I did find these two KB articles earlier but we are on Windows 2003 Server. The
articles don't mention this OS. Will it still work?

Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]

312-742-2731

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, February 20, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: Grantham, Caron
Sent: Fri 2/20/2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field

We used a 3rd Party Migration Tool (BindView) to migrate user accounts,
mailboxes and profiles and now we have a problem wherein the AD properties for a
user show up with their last name in the first name field and first name in the
last name field. The GAL and the name display properties are correct however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these
fields?
We don't want to use the cumbersome CSV import/export tool to do this unless
it's our only option.

Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]

312-742-2731
Working smarter towards a common goal -- EFFICIENCY
 


R: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread J0mb

Because each site needs different GPOs (SUS server at local site, different
desktops, different logon scripts, certain OUs have delegated administration,
etc.). I agree with the "make it simple, see it working better" statement, but I
certainly wouldn't give up using key Win2000 AD features for that.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of AD
Sent: Friday, 20 February 2004 19:42
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

I guess one would also have to ask why not just apply the policies to the sites
and not worry about the OUs?  Then you don't have to worry about it now or in
the future.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Friday, February 20, 2004 1:24 PM
Posted To: AD
Conversation: [ActiveDir] OU/Computer accounts reorganization
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Should have added this part to the last email:

Some books that might help:
http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330

From: Mulnick, Al
Sent: Friday, February 20, 2004 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Nslookup FQDN_of_computer_name would do it. But now might be a good time to
look into the scripting.  It could save you a lot of time and you may have to
do this again some time.

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization

ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses of
the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?
J

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
  


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread AD

I guess one would also have to ask why not just apply the policies to the sites
and not worry about the OUs?  Then you don't have to worry about it now or
in the future.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Posted At: Friday, February 20, 2004 1:24 PM
Posted To: AD
Conversation: [ActiveDir] OU/Computer accounts reorganization
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Should have added this part to the last email:

Some books that might help:
http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330

From: Mulnick, Al
Sent: Friday, February 20, 2004 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Nslookup FQDN_of_computer_name would do it. But now might be a good time to
look into the scripting.  It could save you a lot of time and you may have to
do this again some time.

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization

ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses of
the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?
J

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread Grantham, Caron








Thanks Dèjì Akómöláfé,

I did find these two KB articles earlier but we are on Windows 2003 Server.
The articles don't mention this OS. Will it still work?

Caron Grantham
Systems Engineer, ITS Dept
[EMAIL PROTECTED]

312-742-2731

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of deji Agba
Sent: Friday, February 20, 2004 12:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: Grantham, Caron
Sent: Fri 2/20/2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field

We used a 3rd Party Migration Tool (BindView) to migrate user accounts,
mailboxes and profiles and now we have a problem wherein the AD properties for
a user show up with their last name in the first name field and first name in
the last name field. The GAL and the name display properties are correct
however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these
fields?
We don't want to use the cumbersome CSV import/export tool to do this unless
it's our only option.

Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]

312-742-2731
Working smarter towards a common goal -- EFFICIENCY

 


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread deji Agba



I just posted this from my archives http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=30 .
Not pretty, but works.
 


 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: J0mb
Sent: Fri 2/20/2004 6:24 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization

Good morning,
We work in a native Windows 2000 AD architecture, with a single domain and 4
sites.
Computer accounts have been organized into OUs according to which site they
belong to.
Unfortunately the reorganization wasn't performed well. We have cases of
machines that were placed in the wrong OUs with subsequent problems with
group policies which, in many cases, are linked to the Organizational Units.

There are thousands of PC accounts; unfortunately machine names do not help
to determine their site.

Anybody might want to suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Creamer, Mark
This may be of help
http://cwashington.netreach.net/depo/view.asp?Index=881&ScriptType=vbscript




-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization

ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses
of the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?

J

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Mulnick, Al

Should have added this part to the last email:

Some books that might help:
http://www.amazon.com/exec/obidos/ASIN/007212444X/trianglntusergro/104-1680195-3694330

From: Mulnick, Al
Sent: Friday, February 20, 2004 1:10 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

Nslookup FQDN_of_computer_name would do it. But now might be a good time to
look into the scripting.  It could save you a lot of time and you may have to
do this again some time.

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization

ok...thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses of
the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?
J

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread Mulnick, Al



Sweet.

That second one might be the easiest for what you're doing.  You'd want to
modify this part:

    ' usr is the user object bound by the enclosing loop of the KB script.
    ' Accounts whose sAMAccountName contains "$" (computer accounts) are skipped.
    ' Because the fields are currently swapped, vLast actually holds the
    ' first name and vFirst the last name; the two put calls swap them back.
    if instr(usr.SamAccountName, "$") = 0 then
        vLast = usr.get("Sn")
        vFirst = usr.get("GivenName")
        vFullname = vLast + ", " + vFirst
        'usr.put "displayName", vFullName   '__change this line to the following two lines
        usr.put "Sn", vFirst                 ' this puts the first name in the last name field
        usr.put "GivenName", vLast           ' this puts the last name in the first name field
        usr.setinfo
        wscript.echo usr.displayName
    end if

From: deji Agba [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 1:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD lists Last Name in the First Name Field

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

From: Grantham, Caron
Sent: Fri 2/20/2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field

We used a 3rd Party Migration Tool (BindView) to migrate user accounts,
mailboxes and profiles and now we have a problem wherein the AD properties for a
user show up with their last name in the first name field and first name in the
last name field. The GAL and the name display properties are correct however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these
fields?
We don't want to use the cumbersome CSV import/export tool to do this unless
it's our only option.

Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]

312-742-2731
Working smarter towards a common goal -- EFFICIENCY
 
 


RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread Mulnick, Al



CSV is not even an option at this point. CSV is only for 
create/delete operations on Active Directory.  You would have to use LDIF 
files (even more cumbersome than CSV) or better yet a script that reads each, 
builds the new fields, and puts them back.  Fairly simple to do and you can 
probably find some example scripts that would need very little modification to 
work in your environment.
 
Al


From: Grantham, Caron [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 12:55 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD lists Last Name in the First Name Field

We used a 3rd Party Migration Tool (BindView) to migrate user accounts,
mailboxes and profiles and now we have a problem wherein the AD properties for a
user show up with their last name in the first name field and first name in the
last name field. The GAL and the name display properties are correct however.
The problem exists when a user wishes to search by first name in Outlook.

My question: Is there an easy way or another tool we can use to fix these
fields?
We don't want to use the cumbersome CSV import/export tool to do this unless
it's our only option.

Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]

312-742-2731
Working smarter towards a common goal -- EFFICIENCY
 
 


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Mulnick, Al

Nslookup FQDN_of_computer_name would do it.
But now might be a good time to look into the scripting.  It could save you a lot of time and you may have to do this again some time.

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 20, 2004 12:58 PM
To: [EMAIL PROTECTED]
Subject: R: [ActiveDir] OU/Computer accounts reorganization


ok...thanks for all replies. Unfortunately I have a basic knowledge of scripting, so it looks like it's going to be a hard job.

Anyway, what would be the best method to achieve this? Get the IP addresses of the machines from an nslookup or ping, or is there a command/function or whatever to get the IP/site from the Active Directory?

J


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
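The IP-to-site lookup J0mb asks about, as an added example that is not from the thread or from any poster: AD assigns a machine to a site by matching its IP against the subnet objects under CN=Subnets in the Configuration partition (the most specific prefix wins), so a script can resolve each computer's name (what Al's nslookup does) and compare the matching site's OU with where the account currently sits. The subnets, DNS answers, computer names and the one-OU-per-site naming convention are all constructed for the example; `resolve_live()` is the hook a real run would use instead of the constructed DNS table.

```python
"""
Map computer accounts to an AD site by IP address and flag accounts sitting
in the wrong per-site OU. Example code, not from the list thread; all data
below is constructed so the script runs offline.
"""
import ipaddress
import socket
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the subnet objects under CN=Subnets: key is the
# subnet object's cn (the prefix), value the site it is assigned to.
SITE_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Milan",
    "10.1.200.0/24": "Milan-Lab",   # nested inside 10.1.0.0/16, more specific
    "10.2.0.0/16": "Rome",
    "10.3.0.0/16": "Turin",
    "10.4.0.0/16": "Naples",
}

# Constructed DNS answers so the example needs no network. A live run would
# pass a lookup built on resolve_live() (the scripted equivalent of nslookup).
FAKE_DNS: Dict[str, str] = {
    "ws001.example.local": "10.1.5.20",
    "ws002.example.local": "10.2.7.9",
    "ws003.example.local": "10.1.200.15",
    "ws004.example.local": "192.168.77.3",
    # ws005 deliberately has no A record: an account with no DNS presence
    # should be reviewed (stale? renamed?) rather than moved.
}

# Constructed computer accounts: (DNS name, OU the account currently sits in).
SAMPLE_COMPUTERS: List[Tuple[str, str]] = [
    ("ws001.example.local", "OU=Milan,OU=Workstations,DC=example,DC=local"),
    ("ws002.example.local", "OU=Milan,OU=Workstations,DC=example,DC=local"),
    ("ws003.example.local", "OU=Milan,OU=Workstations,DC=example,DC=local"),
    ("ws004.example.local", "OU=Rome,OU=Workstations,DC=example,DC=local"),
    ("ws005.example.local", "OU=Turin,OU=Workstations,DC=example,DC=local"),
]


def expected_ou(site: str) -> str:
    """Naming convention assumed for this example: one OU per site."""
    return f"OU={site},OU=Workstations,DC=example,DC=local"


def site_for_ip(ip: str, subnets: Dict[str, str] = SITE_SUBNETS) -> Optional[str]:
    """Return the site whose subnet contains ip, preferring the longest prefix
    (the rule the DC locator applies), or None when no subnet matches."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix, strict=True)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def resolve_live(fqdn: str) -> Optional[str]:
    """Real DNS lookup for a production run; not used by the sample data."""
    try:
        return socket.gethostbyname(fqdn)
    except socket.gaierror:
        return None


def plan_moves(computers, dns: Dict[str, str] = FAKE_DNS,
               subnets: Dict[str, str] = SITE_SUBNETS) -> List[dict]:
    """One record per computer; action is 'ok', 'move', 'no-site' or 'no-dns'."""
    report = []
    for fqdn, current_ou in computers:
        rec = {"fqdn": fqdn, "current_ou": current_ou, "ip": None,
               "site": None, "target_ou": None}
        ip = dns.get(fqdn)
        if ip is None:
            rec["action"] = "no-dns"          # stale or renamed account: review it
        else:
            rec["ip"] = ip
            site = site_for_ip(ip, subnets)
            rec["site"] = site
            if site is None:
                rec["action"] = "no-site"     # IP outside every defined subnet
            else:
                rec["target_ou"] = expected_ou(site)
                rec["action"] = ("ok" if rec["target_ou"].lower() == current_ou.lower()
                                 else "move")
        report.append(rec)
    return report


if __name__ == "__main__":
    for r in plan_moves(SAMPLE_COMPUTERS):
        print(f'{r["fqdn"]:22} {r["action"]:8} {r["ip"] or "-":15} '
              f'{r["site"] or "-":10} -> {r["target_ou"] or "-"}')
```

Only the 'move' rows are candidates for a scripted move; the 'no-dns' and 'no-site' rows are the ones worth a manual look, since a missing subnet object also means those machines are not finding a local DC.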





RE: [ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread deji Agba



http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q300427
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q277717
 


 
Sincerely,Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directorywww.akomolafe.comwww.iyaburo.comDo you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon


From: Grantham, CaronSent: Fri 2/20/2004 9:55 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] AD lists Last Name in the First Name Field


 
We used a 3rd Party Migration Tool (BindView) to migrate user accounts, mailboxes and profiles and now we have a problem wherein the AD properties for a user show up with their last name in the first name field and first name in the last name field. The GAL and the name display properties are correct however.
The problem exists when a users wishes to search by first name in Outlook.
 
My question: Is there an easy way or another tool we can use to fix these fields?
We don’t want to use the cumbersome CSV import/export tool to do this unless it’s our only option.
 
 
Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]
312-742-2731
Working smarter towards a common goal -- EFFICIENCY
 
This e-mail and any files transmitted with it are the property of CHA, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named
recipient(s) or otherwise have reason to believe that you have received this message in error, please notify the sender at 312-742.4000 and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited.
 


[ActiveDir] Duplicate DNS entries OR scavenging revisited

2004-02-20 Thread Rich Milburn








I think I scared everyone off earlier with the Kerberos issue that I hid the DNS question in. So…

Is it significant (and if so, to what functions) or irrelevant that there are multiple host records for workstations in DNS for the same IP address?

We are considering turning on DNS scavenging.  I’ve read a bit about it, and about using dnscmd to age the existing records. I guess we want to not age static records for our DNS boxes?  We’re running DNS on Server 2003 and AD 2003.

Also if anyone knows… does Kerberos use DNS for identity checking (or any other function)?

Thanks

Rich

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---  PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.


R: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread J0mb
OK... thanks for all replies. Unfortunately I have a basic knowledge of
scripting, so it looks like it's going to be a hard job.
Anyway, what would be the best method to achieve this? Get the IP addresses
of the machines from an nslookup or ping, or is there a command/function or
whatever to get the IP/site from the Active Directory?

J

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] AD lists Last Name in the First Name Field

2004-02-20 Thread Grantham, Caron








 

We used a 3rd Party Migration Tool (BindView) to migrate user accounts, mailboxes and profiles
and now we have a problem wherein the AD properties for a user show up with
their last name in the first name field and first name in the last name field.
The GAL and the name display properties are correct however.

The problem exists when a user wishes to search by first
name in Outlook.

 

My question: Is there an easy way or another tool
we can use to fix these fields?

We don’t want to use the cumbersome CSV import/export
tool to do this unless it’s our only option.

 

 

Caron Grantham
Chicago Housing Authority
Information Technology Services
[EMAIL PROTECTED]
312-742-2731
Working smarter towards a common goal -- EFFICIENCY









RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Creamer, Mark
You could start with something like this as the framework (From MS Script Center)

' Bind to the destination OU, then move the computer object into it.
' MoveHere takes the object's current ADsPath and the RDN it should keep.
Set objNewOU = GetObject("LDAP://OU=Finance,DC=fabrikam,DC=com")
Set objMoveComputer = objNewOU.MoveHere _
    ("LDAP://CN=atl-pro-03,CN=Computers,DC=fabrikam,DC=com", "CN=atl-pro-03")


-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 20, 2004 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU/Computer accounts reorganization

A perl or VB script that:

1. Lists all the workstations in the domain.
2. Gets the IP address of each workstation.
3. Moves each one to an OU based on its subnet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 20, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization


Good morning,
We work in a native Windows 2000 AD architecture, with a single domain
and 4 sites. Computer accounts have been organized into OUs according to
which site they belong to. Unfortunately the reorganization wasn't
performed well. We have cases of machines that were placed in the wrong
OUs with subsequent problems with group policies which, in many cases,
are linked to the Organizational Units.

There are thousands of PC accounts; unfortunately machine names do not
help to determine their site.

Can anybody suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] DC IP Address Change

2004-02-20 Thread Santhosh Sivarajan
Good Morning,

I need more clarification on changing the IP address on a Windows 2003
Domain Controller.  I am familiar with the “Staging Domain Controller”
procedure.  Are there any other issues that you're familiar with in Windows
2003 or is it just a matter of changing the IP address, making sure the
records are replicated and giving enough time for replication?   Is there
anything else I need to consider or keep in mind?

Thanks in advance!
Santhosh

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Ken Cornetet
A perl or VB script that:

1. Lists all the workstations in the domain.
2. Gets the IP address of each workstation.
3. Moves each one to an OU based on its subnet.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J0mb
Sent: Friday, February 20, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization


Good morning,
We work in a native Windows 2000 AD architecture, with a single domain
and 4 sites. Computer accounts have been organized into OUs according to
which site they belong to. Unfortunately the reorganization wasn't
performed well. We have cases of machines that were placed in the wrong
OUs with subsequent problems with group policies which, in many cases,
are linked to the Organizational Units.

There are thousands of PC accounts; unfortunately machine names do not
help to determine their site.

Can anybody suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-20 Thread Kent Maxwell
Nicolas,

Thank you very much!  I found your email very informative!  We are going to be doing three migrations.  The first is 400+ mailboxes, one Exchange server.  The second will be 100 mailboxes, to a different Exchange server in a different site.  The third will be 300+ mailboxes to another Exchange server in a different site.  I am particularly interested in the 3rd party tool you would recommend to connect the Exchange organizations and if you know of any good tool to change the client Outlook profiles.  I also have a problem that in one site they have many PST files and did not retain the email in their Exchange mailbox and I need to not only get their new MAPI profile connected with the PST(s) but also migrate all the email in the PST back to Exchange.

Thank you!

Kent

-Original Message-
From: Nicolas Blank [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 3:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 Migration Question
  
Kent

There are a number of factors you need to consider here, and three of the biggest ones that come to mind are co-existence, user profile re-pointing, and freezing the admin environment for the duration on one or both sides.

You didn't mention how many mailboxes, servers or mail you had, so it's hard to advise on the purchase of a 3rd party tool, native tool or manual options, although I would recommend you look at a number of the 3rd party tools that are available, especially when you look at an extended co-existence period where you need solid dir-sync to maintain both sets of directories.

If you go the tool route, you should look at a solution which will build and maintain the target GAL, plus build objects, or in your case match on the objects which you already have, which is matching the associated NT account on the 5.5 mailbox to the AD user's sidHistory attribute.

This can be done natively, but not as cleanly as I've done with third party.

In essence your migration path would be the following:

Set up routing between the two orgs - preferably an X.400 connector, since this allows you to maintain your SMTP namespace in both orgs and still have a namespace to route against.

Build a target GAL that would route mail back to the source org using x400 proxies, but make sure the GAL is built using mail-enabled users that are stamped with the source org's DN as x500 addresses. This will absorb reply-ability between source and target org, including outstanding meeting requests, etc.

Batch MAILBOX ENABLE as many users as you wish to migrate at a time and transfer their mail. Since the target objects will be overwritten, the x400 proxy route will be overwritten.

Set alternate recipients on the source mailboxes to route new mail to the target GAL.

The advantage of this method is that you have a co-existence model which will allow you to co-exist for a while, plus once your target GAL is built you can switch your MX record over at any time.

This is one method of migrating/coexisting, and while it's not detailed exhaustively, it gives you a route to start thinking on.

I strongly suggest you stay away from the ADC and use a third party tool to do this with, unless you have enough time to break your lab several times and rebuild it  ;)

Please respond with your migration parameters, such as mailbox count, server count and mail volume, as these will all influence your migration time considerably.

Nic

  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: 19 February 2004 05:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2003 Migration Question
   
I know this isn't quite an Active Directory question...

I am working on finding a way to migrate private mailboxes and public folders stored in an Exchange 5.5 server to an Exchange 2003 server.  The Exchange Organization is different for both servers.  The user accounts that were associated with the mailboxes in the Exchange 5.5 have been migrated to the new ADS running on Windows 2003 with the SIDHistory intact.

Can anyone give me suggestions on what has worked for you to migrate accounts in a situation similar to this?  I am looking for anything...even if it will cost me money.

Thanks,

Kent

---
This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you have received this message in error, please inform us promptly by reply e-mail, then delete the e-mail and destroy any printed copy. Thank you.

RE: [ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread Mulnick, Al
The key to that is to know what site the machine is part of and what OU they
therefore belong in.  A script might be useful if it first looks up their
site information and then moves them to the appropriate OU.  The logic would
be to look at the machine account, find the corresponding address, correlate
to the site it belongs to, and move it else leave it if appropriate. That
would likely be resource intensive, but it's a one-time app anyway.

Al 

-Original Message-
From: J0mb [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 20, 2004 9:25 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OU/Computer accounts reorganization

Good morning,
We work in a native Windows 2000 AD architecture, with a single domain and 4
sites.
Computer accounts have been organized into OUs according to which site they
belong to.
Unfortunately the reorganization wasn't performed well. We have cases of
machines that were placed in the wrong OUs with subsequent problems with
group policies which, in many cases, are linked to the Organizational Units.

There are thousands of PC accounts; unfortunately machine names do not help
to determine their site.

Can anybody suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
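
Putting Ken's three steps and Al's look-up, correlate, move logic together, here is an added example (not code from the list, from Microsoft's Script Center or from any contributor) that produces a reviewable move plan before anything is touched. It assumes the subnet-to-site pairs were read from CN=Subnets,CN=Sites,CN=Configuration, that the name-to-IP results came from the nslookup step, and that a site-to-OU table is maintained by hand; all three are constructed inline, and the actual move is left to a MoveHere script like Mark's.

```python
"""Plan OU moves for computer accounts by correlating each machine's IP with
the AD site subnets (Ken's steps 1-3 and Al's look-up/correlate/move logic).

Added example, not code from the list, the Script Center or Microsoft.
Assumptions, all constructed inline: the subnet->site pairs as they would be
read from CN=Subnets,CN=Sites,CN=Configuration; the name->IP results of the
nslookup step; and a hand-maintained site->OU table.  Nothing here writes to
the directory: it emits a plan to review before a MoveHere script runs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SITE_SUBNETS: List[Tuple[str, str]] = [   # (cn of the subnet object, siteObject)
    ("10.1.0.0/16", "Milan"),
    ("10.1.50.0/24", "Milan-Lab"),         # more specific than 10.1.0.0/16
    ("10.2.0.0/16", "Rome"),
    ("192.168.20.0/24", "VPN"),            # remote clients, no workstation OU
]

SITE_TO_OU: Dict[str, str] = {
    "Milan": "OU=Milan,OU=Workstations,DC=example,DC=com",
    "Milan-Lab": "OU=Lab,OU=Milan,OU=Workstations,DC=example,DC=com",
    "Rome": "OU=Rome,OU=Workstations,DC=example,DC=com",
}


@dataclass
class Computer:
    name: str            # sAMAccountName without the trailing $
    dn: str              # current distinguishedName
    ip: Optional[str]    # from nslookup; None if the name did not resolve


# Constructed sample of the domain's computer accounts after the nslookup step.
SAMPLE_COMPUTERS = [
    Computer("PC001", "CN=PC001,OU=Rome,OU=Workstations,DC=example,DC=com", "10.1.50.7"),
    Computer("PC002", "CN=PC002,OU=Rome,OU=Workstations,DC=example,DC=com", "10.2.3.4"),
    Computer("PC003", "CN=PC003,CN=Computers,DC=example,DC=com", None),
    Computer("REM4649XP", "CN=REM4649XP,CN=Computers,DC=example,DC=com", "192.168.20.20"),
    Computer("REM4724", "CN=REM4724,CN=Computers,DC=example,DC=com", "192.168.20.20"),
    Computer("PC004", "CN=PC004,CN=Computers,DC=example,DC=com", "172.16.0.5"),
]


def site_for_ip(ip: str, subnets=SITE_SUBNETS) -> Optional[str]:
    """Longest-prefix match, the same rule a DC uses to put a client in a site."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in subnets:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def parent_ou(dn: str) -> str:
    """Drop the leading RDN: CN=PC001,OU=Rome,... -> OU=Rome,..."""
    return dn.split(",", 1)[1]


def plan_moves(computers: List[Computer], subnets=SITE_SUBNETS, site_to_ou=SITE_TO_OU):
    """Return (moves, skipped): moves are (name, current_dn, target_ou);
    skipped are (name, reason) for accounts to leave where they are."""
    moves: List[Tuple[str, str, str]] = []
    skipped: List[Tuple[str, str]] = []
    # An IP answering to two names (the duplicate A-record case from the
    # KRB_AP_ERR_MODIFIED thread) says nothing reliable about either machine.
    owners: Dict[str, List[str]] = {}
    for c in computers:
        if c.ip:
            owners.setdefault(c.ip, []).append(c.name)
    for c in computers:
        if not c.ip:
            skipped.append((c.name, "name did not resolve"))
            continue
        if len(owners[c.ip]) > 1:
            skipped.append((c.name, f"IP {c.ip} also registered to {owners[c.ip]}; fix DNS first"))
            continue
        site = site_for_ip(c.ip, subnets)
        target = site_to_ou.get(site) if site else None
        if target is None:
            skipped.append((c.name, f"no workstation OU for site {site!r}"))
            continue
        if parent_ou(c.dn).lower() == target.lower():
            continue  # already in the right OU
        moves.append((c.name, c.dn, target))
    return moves, skipped


if __name__ == "__main__":
    planned, left = plan_moves(SAMPLE_COMPUTERS)
    for name, src, dst in planned:
        print(f"MOVE {name}: {parent_ou(src)} -> {dst}")
    for name, why in left:
        print(f"SKIP {name}: {why}")
```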


RE: [ActiveDir] AD permissions for external clients

2004-02-20 Thread Mulnick, Al



I think you may be looking in the wrong place to lock them down.  You should be locking them down at the point of entry (ISA) to prevent them from going anywhere other than to the portal from a network perspective.  They additionally could be locked down to specific hours of operation as well as not given any permissions anywhere else on the network.  But they at no time should be allowed to traverse the network to any other destination other than the IIS server they need (least permissions).  Additionally, you could lock down any desktops that they could get onto through GPO, but I think that's outside of what you're after, and you could also deny access to all servers with the ISA as an exception (logon via the network is what I'm thinking of here).

Just some ideas.
Al


From: Pelle, Joe [mailto:[EMAIL PROTECTED]
Sent: Friday, February 20, 2004 10:31 AM
To: [EMAIL PROTECTED]
Cc: Schrock, Adam
Subject: [ActiveDir] AD permissions for external clients


 
I need to get some security advice with Sharepoint Portal Server / ISA Server / IIS Server.  The problem we're trying to solve is actually for 2 similar scenarios, but different applications.

1. We have an internal IIS server that we need to open up to external clients.  Also, we need to use integrated security on the web due to back end DB permissions etc - so basically, we need users in AD.  We currently handle this through ISA server and it works fine from a security standpoint.  The question is - now that we're actually rolling this app out to clients, I need to create users in our internal AD.  I have created a separate OU for these users and planned on locking them down via Group Policy (in theory) so they could only get to the web app - and nothing else on the network.  But I don't see anywhere in GPO where this can be done, and even if I did I don't think it will work because these users are not really logging onto the domain, they are just passing a valid username/password to get through the ISA server.  GPO can't do anything to an Internet user...

2. Similar problem but using Sharepoint Portal Server.  We have the need for external suppliers/clients to access Sharepoint but I need to lock down their accounts in AD so they can only access the Sharepoint resource and nothing else...

Hope that makes sense - I haven't been able to find any information on-line about this problem.

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may have included proprietary or protected information.  This message and the information contained herein are not to be further communicated without my express written consent.
 


[ActiveDir] AD permissions for external clients

2004-02-20 Thread Pelle, Joe








 

I need to get some security advice with Sharepoint Portal Server / ISA Server / IIS Server.  The problem we’re trying to solve is actually for 2 similar scenarios, but different applications.

1. We have an internal IIS server that we need to open up to external clients.  Also, we need to use integrated security on the web due to back end DB permissions etc – so basically, we need users in AD.  We currently handle this through ISA server and it works fine from a security standpoint.  The question is – now that we’re actually rolling this app out to clients, I need to create users in our internal AD.  I have created a separate OU for these users and planned on locking them down via Group Policy (in theory) so they could only get to the web app – and nothing else on the network.  But I don’t see anywhere in GPO where this can be done, and even if I did I don’t think it will work because these users are not really logging onto the domain, they are just passing a valid username/password to get through the ISA server.  GPO can’t do anything to an Internet user…

2. Similar problem but using Sharepoint Portal Server.  We have the need for external suppliers/clients to access Sharepoint but I need to lock down their accounts in AD so they can only access the Sharepoint resource and nothing else…

Hope that makes sense – I haven’t been able to find any information on-line about this problem.

Joe Pelle
Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

 


 








RE: [ActiveDir] KRB_AP_ERR_MODIFIED error

2004-02-20 Thread Rich Milburn








I think I’m making a little progress… we have not yet enabled scavenging on DNS and there seems to be a pattern with duplicate registrations in DNS.  For example, in the one below, there are two A records with the same IP address – REM4649XP and REM4724.  These two clients happen to be remote, coming in through the VPN or RAS.  But not all clients with duplicates are remote – some are local.  So… you ping REM4649XP and you get 192.168.20.20, and you ping REM4724 and you get 192.168.20.20.  “So what?” someone asked.  We have had a problem with remote users over the VPN having really slow response on Exchange – it asks Retry, Work offline, or Cancel the first time Outlook 2000 tries to contact the Exchange server, click Retry and it comes up, minutes later.

What am I getting at?  Two things:

1) What are the ramifications of having duplicates in DNS for workstations?

2) Is Kerberos doing a DNS lookup on the SMS server, or is the client itself confused, and do I care?  Seems to me this situation could have strange and sometimes serious implications to the clients involved.  ??

Thanks – I imagine Kerberos is very few people’s favorite subject, but maybe it’s good for me to have to learn more about it! :)

Rich

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Tuesday, February 17, 2004 11:12 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] KRB_AP_ERR_MODIFIED error



 

AD 2003, 2003 domain mode, 2000 forest mode

I just installed SMS 2003 and started seeing the following on the SMS server (running W2K3).  I am trying to chase this down but the stuff I’m finding online is not helpful.  I have a large (over 50) number of errors like the following on the SMS server in the System log:

Event Type:   Error
Event Source:  Kerberos
Event Category:   None
Event ID:   4
Date:   2/17/2004
Time:   8:22:12 AM
User:   N/A
Computer: AIISMS
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the server REM4649XP$.  The target name used was cifs/REM4724.CORPORATE.DOMAIN. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CORPORATE.DOMAIN), and the client realm.   Please contact your system administrator.
(that’s me, thanks a lot)

Well, there would have to be an awful lot of “identically named computers” on our network if that is the case, and they were fine before SMS… but it seems strange they are showing a different FQDN than the server name shown – which is not a server but a workstation (not that it cares here I think).  I don’t know enough about Kerberos to know if that is important, but I have printed out the RFC.  Fun.  Anyone know anything about this error?  Hint – I’m pretty certain the answer is not to re-add all those workstations to the domain….

Thanks

Rich

Rich Milburn
MS MVP – Directory Services
MCSE NT4/2000

 

 

 

 






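
As an added example for this thread and for the "Duplicate DNS entries OR scavenging revisited" post (not code from Rich or anyone on the list), the script below scans an A-record listing for IPs that answer to more than one name and then checks whether the SPN host and the answering server named in a Kerberos event 4 share one of those IPs, which is the REM4724/REM4649XP pattern above. The zone lines are a constructed, simplified name/type/IP listing rather than dnscmd's exact output, and the event text is constructed from the one quoted in the thread.

```python
"""Correlate duplicate DNS A records with Kerberos event ID 4 (KRB_AP_ERR_MODIFIED).

Added example, not code from the thread.  When two hostnames hold A records
for the same IP (typically a stale registration that scavenging would have
aged out), a client that resolves NAME1 actually connects to the box that
owns the IP today (NAME2).  The service ticket was encrypted with NAME1's
machine-account key, NAME2 cannot decrypt it, and the client logs event 4.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: simplified "name  type  data" listing for the zone
# CORPORATE.DOMAIN (not dnscmd /enumrecords output).
ZONE_LISTING = """\
rem4649xp   A   192.168.20.20
rem4724     A   192.168.20.20
aiisms      A   10.1.1.10
pc001       A   10.1.50.7
pc002       A   10.2.3.4
dc01        A   10.1.1.1
"""

# Constructed from the event text quoted in the thread.
EVENT_4_TEXT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the "
    "server REM4649XP$.  The target name used was "
    "cifs/REM4724.CORPORATE.DOMAIN. This indicates that the password used "
    "to encrypt the kerberos service ticket is different than that on the "
    "target server."
)


def parse_a_records(listing: str) -> Dict[str, str]:
    """Map lowercase hostname -> IP for every A record in the listing."""
    records: Dict[str, str] = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            records[parts[0].lower()] = parts[2]
    return records


def shared_ips(records: Dict[str, str]) -> Dict[str, List[str]]:
    """IPs that have more than one A record pointing at them."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for name, ip in records.items():
        by_ip[ip].append(name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


# "from the server REM4649XP$.  The target name used was cifs/REM4724.X.Y. "
_EVENT_RE = re.compile(
    r"from the server (?P<server>[\w-]+)\$?\.\s+"
    r"The target name used was (?P<spn>[\w./-]+?)\.\s"
)


def explain_event(text: str, records: Dict[str, str]) -> Optional[dict]:
    """Diagnosis if the event's SPN host and the answering server share an IP,
    otherwise None (a different cause, e.g. genuinely duplicate accounts)."""
    m = _EVENT_RE.search(text)
    if not m:
        return None
    server = m.group("server")
    spn = m.group("spn")
    target_host = spn.split("/", 1)[1].split(".", 1)[0]   # cifs/REM4724.X -> REM4724
    ip_target = records.get(target_host.lower())
    ip_server = records.get(server.lower())
    if ip_target is None or ip_target != ip_server:
        return None
    return {
        "spn": spn,
        "target_host": target_host,
        "answering_host": server,
        "shared_ip": ip_target,
        "likely_cause": "stale or duplicate A record; client reached the wrong host",
    }


if __name__ == "__main__":
    recs = parse_a_records(ZONE_LISTING)
    for ip, names in shared_ips(recs).items():
        print(f"{ip} is registered to {', '.join(names)}")
    print(explain_event(EVENT_4_TEXT, recs))
```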

[ActiveDir] OU/Computer accounts reorganization

2004-02-20 Thread J0mb
Good morning,
We work in a native Windows 2000 AD architecture, with a single domain and 4
sites.
Computer accounts have been organized into OUs according to which site they
belong to.
Unfortunately the reorganization wasn't performed well. We have cases of
machines that were placed in the wrong OUs with subsequent problems with
group policies which, in many cases, are linked to the Organizational Units.

There are thousands of PC accounts; unfortunately machine names do not help
to determine their site.

Can anybody suggest the best strategy to reorganize the PC
accounts (maybe a script, or a commercial tool)?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Dcdiag.exe giving problems.

2004-02-20 Thread Abhishek Sharma

Hello all,

I am facing a problem in using dcdiag.exe.
I am using dcdiag.exe to diagnose the installation/configuration of a
hardened Windows 2000 box.
I have configured DNS server and there is no problem in the name resolution.
When I used dcdiag.exe on a hardened box without ADS installed, I got the
following result:

E:\Program Files\Support Tools>dcdiag /test:DcPormo /DnsDomain:admin
/newforest

 Starting test: DcPromo
  Messages logged below this line indicate whether this domain
controller will be able to dynamically register DNS records required for the
location of this DC by other devices on the network. If any
misconfiguration is detected, it might prevent dynamic DNS registration of
some records, but does not prevent successful completion of the Active
Directory Installation Wizard.However, we recommend fixing the reported
problems now,unless you plan to manually update the DNS database. 
  This domain controller cannot register domain controller Locator DNS
records. This is because it cannot locate a DNS server authoritative for the
zone admin. This is due to one of the following: 
  1. One or more DNS servers involved in the name resolution of the
admin name are not responding or contain incorrect delegation of the DNS
zones;   or 
  2. The DNS server that this computer is configured with contains
incorrect root hints. 
  The list of such DNS servers might include the DNS servers with which
this computer is configured for name resolution and the DNS servers
responsible for the following zones: admin 
  Verify the correctness of the specified domain name and contact your
network/DNS administrator to fix the problem.   
  You can also manually add the records specified in the
%systemroot%\system32\config\netlogon.dns file. 

  . inmum0048 failed test DcPromo

I tried it on an unhardened box and it yielded the same result!!
What could be the problem?


After this I configured ADS on an unhardened box and tested with dcdiag;
the following are the results:



E:\Program Files\Support Tools>dcdiag /s:inmum0050

Domain Controller Diagnosis
Performing initial setup:Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\INMUM0050
  Starting test: Connectivity
 INMUM0050's server GUID DNS name could not be resolved to an 
 IP address.  Check the DNS server, DHCP, server name, etc
 Although the Guid DNS name
 (27c53983-c5be-4863-996b-c20af4099f36._msdcs.admin) couldn't be
 resolved, the server name (inmum0050.admin) resolved to the IP
address
 (10.9.65.200) and was pingable.  Check that the IP address is
 registered correctly with the DNS server.
 . INMUM0050 failed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\INMUM0050
  Skipping all tests, because server INMUM0050 is
  not responding to directory service requests
   Running enterprise tests on : admin
  Starting test: Intersite
 . admin passed test Intersite
  Starting test: FsmoCheck
 . admin passed test FsmoCheck


I have configured DNS and nslookup works fine.
Why is this happening?
What is the reason for the failure to resolve the Guid DNS name?
Why does it fail connectivity tests?
What is the reason for the directory services not responding to the
requests?


--
thanks,
Best regards,

Abhishek Sharma | Network Architect | netdecisions
Mumbai Software Development Centre
6th Flr, MET Building, Gen. A.K.Vaidya Chowk
Bandra Reclamation, Bandra (W), Mumbai 400050. INDIA
t Direct - +91 22 2644 0564, Board - +91 22 2644  - Extn: 564.  
f +91 22 2655 8048
Email : [EMAIL PROTECTED]
Website: www.netdecisions.com
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] run only allowed windows applications

2004-02-20 Thread Graham Turner
I am attempting the debug of an application that I suspect to be failing on
account of a "run only allowed windows applications" policy.

In this respect I have enabled "user environment debug logging" as per
KB221833.

I was expecting the application (or one of its components) that fails to log
something to this file, but this appears not to be the case.

Any clues as to how the application can be debugged further?

GT



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Schema changes between 2000 and 2003

2004-02-20 Thread Flight, L.

For reference there is also a summary of the Windows 2003
schema modifications at:

 
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/windows_server_2003_only_schema.asp

Lee Flight
Network Support, Computer Centre 
University of Leicester 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Exchange 2003 Migration Question

2004-02-20 Thread Nicolas Blank

Kent

There are a number of factors you need to consider here, and three of the biggest ones that come to mind are co-existence, user profile re-pointing, and freezing the admin environment for the duration on one or both sides.

You didn’t mention how many mailboxes, servers or mail you had, so it’s hard to advise on the purchase of a 3rd party tool, native tool or manual options, although I would recommend you look at a number of the 3rd party tools that are available, especially when you look at an extended co-existence period where you need solid dir-sync to maintain both sets of directories.

If you go the tool route, you should look at a solution which will build and maintain the target GAL, plus build objects, or in your case match on the objects which you already have, which is matching the associated NT account on the 5.5 mailbox to the AD user’s sidHistory attribute.

This can be done natively, but not as cleanly as I’ve done with third party.

In essence your migration path would be the following:

Set up routing between the two orgs – preferably an X.400 connector, since this allows you to maintain your SMTP namespace in both orgs and still have a namespace to route against.

Build a target GAL that would route mail back to the source org using x400 proxies, but make sure the GAL is built using mail-enabled users that are stamped with the source org’s DN as x500 addresses. This will absorb reply-ability between source and target org, including outstanding meeting requests, etc.

Batch MAILBOX ENABLE as many users as you wish to migrate at a time and transfer their mail. Since the target objects will be overwritten, the x400 proxy route will be overwritten.

Set alternate recipients on the source mailboxes to route new mail to the target GAL.

The advantage of this method is that you have a co-existence model which will allow you to co-exist for a while, plus once your target GAL is built you can switch your MX record over at any time.

This is one method of migrating/coexisting, and while it’s not detailed exhaustively, it gives you a route to start thinking on.

I strongly suggest you stay away from the ADC and use a third party tool to do this with, unless you have enough time to break your lab several times and rebuild it  ;)

Please respond with your migration parameters, such as mailbox count, server count and mail volume, as these will all influence your migration time considerably.

Nic

 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kent Maxwell
Sent: 19 February 2004 05:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Exchange 2003 Migration Question

I know this isn't quite an Active Directory question...

I am working on finding a way to migrate private mailboxes and public folders
stored in an Exchange 5.5 server to an Exchange 2003 server.  The Exchange
Organization is different for both servers.  The user accounts that were
associated with the mailboxes in the Exchange 5.5 have been migrated to the new
ADS running on Windows 2003 with the SIDHistory intact.

Can any one give me suggestions on what has worked for you to migrate accounts
in a situation similar to this?  I am looking for anything...even if it will
cost me money.

Thanks,

Kent



---
This e-mail is intended for the use of the addressee (s) only and may contain
privileged, confidential, or proprietary information that is exempt from
disclosure under law. If you have received this message in error, please inform
us promptly by reply e-mail, then delete the e-mail and destroy any printed
copy. Thank you.
RE: [ActiveDir] Schema changes between 2000 and 2003

2004-02-20 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)
Thanks Eric for the excellent link to the new KB on the details of what adprep
really does!

From: Eric Fleischman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 19 February 2004 22:57
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema changes between 2000 and 2003

Actually if you want to just understand what adprep /forestprep is doing in
the context of schema changes, you'll find the ldif files on the w2k03 cd
itself (I believe in the i386 directory). See sch*.ldf for them all. All
adprep is doing for schema upgrades is importing those files.

What this shows you is what forest prep does. What it does not capture is
just a delta... that is, maybe you have some of them already. Clearly seeing
the absolute work it does will not show you that, but Guido's method will.

There is one schema issue that we are aware of and documented even before
w2k03 shipped that is in the context of Exchange. That, how to avoid it, and
how to fix it should you forget to avoid it (not that you would of course :))
can be found in this KB:
How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003
http://support.microsoft.com/?kbid=325379
Keyword search on the word 'exchange' should let you find it in that article
pretty quickly.

One last link then I'm done. :)
Here is a kb that talks about what adprep does (both forest and domain) in
great detail:
Operations That Are Performed by the Adprep.exe Utility When You Add a
Windows Server 2003 Domain Controller to a Windows 2000 Domain or Forest
http://support.microsoft.com/Default.aspx?kbid=309628

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, February 19, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema changes between 2000 and 2003

The simplest way to get what you want is to do a schema dump before and after
ADPREPing a 2000 AD - you can then do a simple file compare with WinDiff and
voila, you'll get all the changes. I'd use CSVDE to dump the classes and
attributes.

csvde -f classes.txt -d cn=schema,cn=configuration,dc=ROOTDOMAIN -r (objectCategory=classSchema)
csvde -f attribute.txt -d cn=schema,cn=configuration,dc=ROOTDOMAIN -r (objectCategory=attributeSchema)

From these, remove the following columns prior to comparing the respective
files:

· uSNChanged
· uSNCreated
· whenChanged
· whenCreated
· DITContentRules
· ExtendedClassInfo
· modifyTimeStamp
· extendedAttributeInfo

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 19 February 2004 20:26
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Schema changes between 2000 and 2003

We recently upgraded our schema to support Exchange 2003 and one of the LDAP
display names for an existing attribute changed and it broke some of our
apps.  Now we are preparing to upgrade the schema to support upgrading to
2003, but I want to be sure of all changes to existing schema attributes so I
can prepare applications to make proper changes.  I haven't found a
comprehensive list of changes that are made and was hoping someone here could
point me in the right direction.

Thanks,

-Jon
This message is for the designated recipient only and may contain privileged,
proprietary, or otherwise private information. If you have received it in
error, please notify the sender immediately and delete the original. Any other
use of the email by you is prohibited.
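The before/after comparison Guido describes above, as an added example that is not from the thread or from any Microsoft tool: a Python script that reads two CSVDE exports (for instance attribute.txt taken before and after adprep /forestprep), drops the volatile columns he lists, keys every object on its DN and reports objects that were added or removed and, for objects present in both dumps, which attribute values changed. It also pulls out the case Jon hit, an existing attribute whose lDAPDisplayName was renamed, since WinDiff on the raw files will bury that among the noise. The two sample exports embedded below are constructed for the example (the attribute names are made up and the OIDs sit under the 2.999 documentation arc); they are not real schema objects, and the file names and encoding note in the main block are assumptions about how the dumps were taken.

```python
"""Diff two CSVDE schema exports, ignoring the volatile columns."""
import csv
import io
import sys

# Columns Guido lists as noise: replication metadata and constructed
# attributes that differ between any two dumps even with no real change.
# Compared case-insensitively because CSVDE writes the lDAPDisplayName
# casing (dITContentRules), not the casing used in his list.
VOLATILE_COLUMNS = {
    "usnchanged", "usncreated", "whenchanged", "whencreated",
    "ditcontentrules", "extendedclassinfo", "modifytimestamp",
    "extendedattributeinfo",
}


def load_export(text):
    """Parse CSVDE output (header row, then one row per object) into
    {DN: {attribute: value}}, dropping the volatile columns. DNs contain
    commas, so CSVDE quotes them; the csv module handles that."""
    objects = {}
    for row in csv.DictReader(io.StringIO(text)):
        dn = row["DN"]
        objects[dn] = {
            attr: value for attr, value in row.items()
            if attr != "DN" and attr.lower() not in VOLATILE_COLUMNS
        }
    return objects


def schema_delta(before, after):
    """Return (added, removed, changed): DNs only in `after`, DNs only in
    `before`, and {DN: {attribute: (old, new)}} for objects in both whose
    remaining attributes differ. A column missing from one export (for
    example an attribute the new schema stamps on every row) counts as an
    empty value, so a header that merely grew does not produce false hits."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = {}
    for dn in sorted(set(before) & set(after)):
        old_attrs, new_attrs = before[dn], after[dn]
        diff = {}
        for attr in sorted(set(old_attrs) | set(new_attrs)):
            old, new = old_attrs.get(attr, ""), new_attrs.get(attr, "")
            if old != new:
                diff[attr] = (old, new)
        if diff:
            changed[dn] = diff
    return added, removed, changed


def renamed_attributes(changed):
    """Existing schema objects whose lDAPDisplayName changed: the case Jon
    hit, since LDAP-bound applications look attributes up by that name."""
    return {dn: diff["lDAPDisplayName"] for dn, diff in changed.items()
            if "lDAPDisplayName" in diff}


# Constructed sample exports (not real schema objects; OIDs are under the
# 2.999 example arc). The "after" dump renames one attribute, adds one and
# only bumps the volatile columns on the unchanged one.
SAMPLE_BEFORE = (
    "DN,objectClass,cn,lDAPDisplayName,attributeID,uSNChanged,whenChanged\n"
    '"CN=Example-Attr-One,CN=Schema,CN=Configuration,DC=example,DC=com",'
    "attributeSchema,Example-Attr-One,exampleAttrOne,2.999.1.1,1000,20040101000000.0Z\n"
    '"CN=Example-Attr-Two,CN=Schema,CN=Configuration,DC=example,DC=com",'
    "attributeSchema,Example-Attr-Two,exampleAttrTwo,2.999.1.2,1001,20040101000000.0Z\n"
)
SAMPLE_AFTER = (
    "DN,objectClass,cn,lDAPDisplayName,attributeID,searchFlags,uSNChanged,whenChanged\n"
    '"CN=Example-Attr-One,CN=Schema,CN=Configuration,DC=example,DC=com",'
    "attributeSchema,Example-Attr-One,exampleAttrOneRenamed,2.999.1.1,,2000,20040219000000.0Z\n"
    '"CN=Example-Attr-Two,CN=Schema,CN=Configuration,DC=example,DC=com",'
    "attributeSchema,Example-Attr-Two,exampleAttrTwo,2.999.1.2,,2001,20040219000000.0Z\n"
    '"CN=Example-Attr-Three,CN=Schema,CN=Configuration,DC=example,DC=com",'
    "attributeSchema,Example-Attr-Three,exampleAttrThree,2.999.1.3,1,2002,20040219000000.0Z\n"
)


def report(before_text, after_text):
    """One line per added/removed object and per changed attribute value."""
    added, removed, changed = schema_delta(load_export(before_text),
                                           load_export(after_text))
    lines = [f"added: {dn}" for dn in added]
    lines += [f"removed: {dn}" for dn in removed]
    for dn, diff in changed.items():
        for attr, (old, new) in diff.items():
            lines.append(f"changed: {dn} {attr}: {old!r} -> {new!r}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Assumed usage: schema_diff.py attribute-before.txt attribute-after.txt
        # CSVDE writes ANSI by default and UTF-16 with -u; pass encoding=
        # to open() to match how the dumps were taken.
        with open(sys.argv[1], newline="") as f_before, \
             open(sys.argv[2], newline="") as f_after:
            before_text, after_text = f_before.read(), f_after.read()
    else:
        before_text, after_text = SAMPLE_BEFORE, SAMPLE_AFTER
    print("\n".join(report(before_text, after_text)))
```

Run it once over the classes dumps and once over the attribute dumps. Keying on the DN rather than on lDAPDisplayName is deliberate: the DN (the cn under CN=Schema) is what stays stable across an adprep run, so a renamed display name shows up as a change to an existing object instead of as one object removed and another added.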