RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



Al, I think it's appropriate to explain a little more, to avoid further
confusion, as accidentally deleting + recovering objects and losing group
memberships are NOT separate problems (especially in multi-domain forests or
even in Windows 2000 single-domain forests). The issues are indeed very much
related to each other:

Tracking membership of a group to be able to undo a change "in case one of
its members gets whacked" is generally a good idea, no matter if a user has
been deleted or if simply an administrator made a mistake while editing
group memberships. When tracked (e.g. via daily reports or dumps of the
group memberships - or by having a good group concept where all owners
"know" the members), the owner of a group should be able to get a group
back to the state it should be in.

However, when you delete an object (e.g. a user, computer, contact or a
group itself), these objects naturally replicate as tombstones to other DCs
and GCs in the forest. When this happens, the memberships of these objects
in any group in the forest are "cleaned" automatically - not only in the
same domain where the objects reside, but also in all of the other domains
in the forest. I.e. the objects are also removed from Universal Groups (UG)
and Domain Local Groups (DLG) of any domain in the forest. So what's the
big deal? Well, if you restore a DC from a system-state backup (on tape or
file) and then authoritatively restore the objects in their domain, or even
if you restore the whole domain authoritatively (which is not recommended
anyway, unless you really have to), the objects will never "repopulate"
into the UGs and DLGs of the other domains in the forest. Good to know: if
you restore a GC, it will at least know of the UGs of the other domains
incl. their memberships (as these are still stored in the AD database file
saved at the time of taking the system-state backup), which you could
leverage to repopulate the UGs in the respective domains. However, if
you've not previously dumped your DLGs in the other domains, how will you
be able to recover their memberships? They are not stored on the GC you've
recovered, and they were "cleaned" when the tombstone was able to replicate
to the other DCs/GCs in the forest... And don't forget that, depending on
your group model, you could also have various nested groups which are
nothing else but members of other groups - these nestings will also get
lost if a group gets deleted. More about these issues (and others) is
described in the aforementioned whitepaper - incl. details on the
differences between 2000 and 2003 regarding the recovery challenge.

Here are some ideas to master the recovery challenge and be on the safe
side (besides relying on the group owners to recover memberships
themselves):

Hot-site approach: as mentioned in another part of this thread, you could
use DCs in a hot-site (we call it LAG-site, as its replication will be set
to "lag" behind the other DCs). These will hopefully not have replicated
the tombstones at the time you notice the deletion of the objects - you
could then first use the appropriate DCs in the hot-site to perform the
authoritative restore of the objects without requiring you to perform a
system restore (you still need to boot the DC into DSRM mode). And
secondly, you could analyse the groups on the other DCs in the hot-site
and then re-populate the groups on a DC outside of the hot-site. Best to
script these restore activities... The biggest challenge with this
approach: you must have one DC of EVERY domain in the forest in your
hot-site, which is fine if you only have a few, but which can be nasty if
you have many domains in your forest (you should really consider using
virtual hardware solutions for this approach).

Database approach: basically, with this approach, you would ensure that
you save all the unrecoverable links (e.g. group memberships, but also the
manager/directReports or managedBy/managedObjects links which get "cleaned"
just like the group memberships...) into a separate repository. This could
be a flat file, AD/AM, MSDE or "full" SQL or whatever you prefer. When
scheduled with your normal backup cycle of your DCs, the stored data can
ensure that you are able to "fix" the missing object links (which is what
the group memberships and the other examples mentioned really are) by
leveraging your "link repository". Obviously, it would be good if you
would include versioning into your link storage, to be able to recover
group memberships and the other links as they were at a specific point in
time. Using this approach will also allow you to easily visualize the
memberships of any object in the forest, as you will have all the object
links accessible in the database (i.e. you can see which DLGs or UGs a
user is a member of, no matter which domain the groups bel
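The "database approach" Guido sketches above (dump the links that tombstone processing cleans into a repository on every backup cycle, keep versions, and use them to put the links back after an authoritative restore), as an added example that is not part of this thread and not HP's or the whitepaper's tooling. It is a small Python tool that parses LDIF-style dumps of the link attributes (member, manager, managedBy), stores one snapshot per date, diffs an older snapshot against a newer one to find the links that did not come back, flags the cross-domain ones, and renders the result as standard LDIF modify records. Every DN, group, user and dump in it is constructed sample data; the dates, the forest DC=corp,DC=example / DC=eu,DC=corp,DC=example and the choice of attributes are assumptions for the illustration. A real run would feed it an LDAP export of each domain in the forest and the generated LDIF would be reviewed before being applied.

```python
"""Date-versioned "link repository" for AD linked attributes (added example,
not code from the thread; every DN and dump below is constructed)."""
from collections import defaultdict

# Forward links that are "cleaned" forest-wide once the target's tombstone replicates.
LINK_ATTRS = ("member", "manager", "managedBy")
Link = tuple[str, str, str]  # (holder DN, attribute, target DN)


def parse_ldif_links(ldif: str) -> set[Link]:
    """(dn, attr, value) triples for LINK_ATTRS; handles folded lines and comments."""
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:  # RFC 2849 continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    links, dn = set(), None
    for line in unfolded + [""]:  # sentinel closes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            dn = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            dn = value
        elif dn is not None and attr in LINK_ATTRS:
            links.add((dn, attr, value))
    return links


def domain_of(dn: str) -> str:
    """Lower-cased DC= components of a DN (escaped commas are not handled)."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


class LinkRepository:
    """One set of links per backup cycle, keyed by a date string."""

    def __init__(self) -> None:
        self.snapshots: dict[str, set[Link]] = {}

    def add_snapshot(self, day: str, ldif: str) -> None:
        self.snapshots[day] = parse_ldif_links(ldif)

    def missing_since(self, old_day: str, new_day: str) -> list[Link]:
        """Links present on old_day but gone on new_day: the ones to re-add."""
        return sorted(self.snapshots[old_day] - self.snapshots[new_day])


def cross_domain(links: list[Link]) -> list[Link]:
    """Links whose holder and target sit in different domains; an authoritative
    restore in the target's own domain never repopulates these."""
    return [lnk for lnk in links if domain_of(lnk[0]) != domain_of(lnk[2])]


def to_ldif_modify(links: list[Link]) -> str:
    """Render missing links as LDIF modify records (ldifde / ldapmodify input)."""
    by_holder: dict[str, list[Link]] = defaultdict(list)
    for lnk in links:
        by_holder[lnk[0]].append(lnk)
    out: list[str] = []
    for holder, holder_links in by_holder.items():
        out += [f"dn: {holder}", "changetype: modify"]
        for _, attr, target in holder_links:
            op = "add" if attr == "member" else "replace"  # member is multi-valued
            out += [f"{op}: {attr}", f"{attr}: {target}", "-"]
        out.append("")
    return "\n".join(out)


# Constructed dumps: day 1 is the routine export; day 2 was taken after a user
# in DC=corp was deleted, tombstone-replicated and authoritatively restored.
SNAPSHOT_DAY1 = """\
dn: CN=Finance-Admins,OU=Groups,DC=corp,DC=example
member: CN=Alice,OU=Users,DC=corp,DC=example

dn: CN=EU-FileShare-RW,OU=Groups,DC=eu,DC=corp,DC=example
member: CN=Alice,OU=Users,DC=corp,DC=example
member: CN=Dieter,OU=Users,
 DC=eu,DC=corp,DC=example

dn: CN=EU-Printers,OU=Groups,DC=eu,DC=corp,DC=example
managedBy: CN=Alice,OU=Users,DC=corp,DC=example
"""
SNAPSHOT_DAY2 = """\
dn: CN=Finance-Admins,OU=Groups,DC=corp,DC=example
member: CN=Alice,OU=Users,DC=corp,DC=example

dn: CN=EU-FileShare-RW,OU=Groups,DC=eu,DC=corp,DC=example
member: CN=Dieter,OU=Users,DC=eu,DC=corp,DC=example

dn: CN=EU-Printers,OU=Groups,DC=eu,DC=corp,DC=example
"""


def recovery_ldif(old_day: str = "2004-03-04", new_day: str = "2004-03-05") -> str:
    """Load the two sample dumps and emit the LDIF that re-adds the lost links."""
    repo = LinkRepository()
    repo.add_snapshot(old_day, SNAPSHOT_DAY1)
    repo.add_snapshot(new_day, SNAPSHOT_DAY2)
    return to_ldif_modify(repo.missing_since(old_day, new_day))
```

The diff only reports links that disappeared between the two snapshots, so memberships legitimately added after the older dump are left alone; multi-valued member links are re-added with "add", while single-valued manager/managedBy links use "replace". Keeping the snapshots by date is what gives the point-in-time recovery Guido asks for, and the same parsed sets answer the visualization question (which DLGs or UGs in any domain a given DN appears in) with a simple filter on the target DN.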

RE: [ActiveDir] recommendation for bridgehead server?

2004-03-05 Thread Thommes, Michael M.
Hi Rick,
Thanks for the reply!  Unless the KCC is a lot smarter than I think it is, I need 
to pick a bridgehead server so I don't have numerous conduits in my firewall for all 
the DCs the new site DC will want to talk to.  While I don't need to control the 
replication frequency, I do have to make sure that traffic is only going between a 
very limited set of targets.  Am I on the right track here or am I not seeing 
something important?  Thanks.
 
Mike Thommes

-Original Message- 
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Fri 3/5/2004 12:22 AM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: RE: [ActiveDir] recommendation for bridgehead server?


My take on it has always been unless the Knowledge Consistency Checker can't 
figure it out, don't set a Bridgehead - this is going to prevent the KCC from doing 
some good things for you.  Along the lines of creating new links and reassigning the 
Bridgehead in the event of the preferred failing.
 
Let the KCC do its job - it does it well.  Unless, however, it's not.  Then, 
ignore everything I just said and set one.  In my case it would be to my busiest child 
domain - because that's where all of the physical connectivity is.  And, when 
considering all of the sites and services stuff, it is VERY important to remember that 
you are modelling for AD what your physical (WAN and Router infrastructure) really 
looks like so that AD can make intelligent decisions about how to route, replicate, 
etc.  Inter-site messaging is really a spanning tree algorithm - and any structure of 
that nature needs to know what it's running on to be effective.
 
Hope this helps
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
Michael M.
Sent: Thursday, March 04, 2004 7:07 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] recommendation for bridgehead server?


Hi,
Because of firewall issues, I am creating a new site that is well 
connected to the rest of my AD topology.  This new site will contain workstations and 
a domain controller for an already existing child domain.  This child domain DC will 
also be the bridgehead server in this new site.  User accounts are in the root domain. 
 These users use an Exchange server that is located in the child domain and that is 
located in the main site.  The question is what DC in the main site should I pick to 
be a bridgehead partner?  Is it more sensible to choose a root domain DC or a DC in 
the child domain?  Does it matter?  As always, TIA.
 
Regards,
Mike Thommes

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread Mulnick, Al



I think I see what you're getting at.  I did read that whitepaper and it is
interesting.

What I'm trying to get at is that for the scenario of admin fat fingering a group,
recreating the group membership is, IMHO, preferred over the hassle of a
restore.  Script, etc is fine for figuring out group membership enough to
recreate it.  If the group itself gets whacked, that's when I see this type
of solution adding value.  You bring up a good point that if the group
encompasses the entire forest and membership gets hosed, that a restore may be
the best way but there are things to be aware of. I don't think this is a
worthwhile approach if it's only one group in most situations.  I think
recreating it from a point in time (based on the reference information stored in
a flat file, database, etc) would be a fine approach.  It's not until we
get into multiple simultaneous mistakes that it would make sense to me to
have a solution such as what you propose.  I'm considering this as a good
idea for a large, multi-domain forest with decentralized administration when
multiple mistakes are made.  I just can't see the time and effort of
restoring a group for one mistake making sense.

Am I missing anything in the conversation here?  For some reason I feel like
there is something I'm missing, but it's not obvious to me at this point
in time ;-)

  
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 5:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

RE: [ActiveDir] OT: Toolkit CD

2004-03-05 Thread Douglas M. Long
I find some of the Foundstone free utilities useful at times.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of David Adner
Sent: Thursday, March 04, 2004 4:58 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Toolkit CD


I'm about to re-enter the wonderful world of onsite vendor support, so I
figure I should re-assemble my handy-dandy CD (used to be floppies) of
useful tools and such.  I know little, portable USB drives can be used, too,
but I'll still have some CDs with the bulk of the tools.

So, I'm looking for any suggestions on what you guys have or used to have.
Items on my short list include:

1.  Several of the tools from Sysinternals
2.  Tools from joeware.net (some of you here may have heard of the site ;> )
3.  Support Tools for 2000 (various SP's), and 2003
4.  Misc Resource Kit tools from NT, 2000, and anything I can find for 2003

I haven't really used MS's Support Reporting Tools(?), which I glanced at
briefly a while back.  It seemed to be a bunch of scripts and batch files
that collect a bunch of system info.  Anyone have much experience with them?



RE: [ActiveDir] OT: Toolkit CD

2004-03-05 Thread Mulnick, Al
Absolutely useful.  Additionally, some of the reporting you mention, such as
MPS reports can be useful as can some of the tools from Ecora.  Some are
free some are not, but the value of the information can make it worthwhile
depending on what you have to support.

Al

-Original Message-
From: Douglas M. Long [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 05, 2004 9:23 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Toolkit CD


I find some of the foundstone free utilities useful at times.



[ActiveDir] gc._msdcs PTR Record

2004-03-05 Thread Michael Wassell



Recently I've done some work for the company rebuilding the DCs for concerns of
naming conventions including a "_" character.  Everything seems to have gone
smoothly with the exception of 1 thing that I've recently noticed.  In the reverse
DNS zone there is a record containing reference to gc._msdcs.(domainname) which
refers to the IP of the server I transferred the GC role to during the time I was
rebuilding the original holder of the GC and all FSMO roles.  This server is no
longer a GC and I was wondering if this may be having an unseen effect on
authentication.  Also, I'm not even sure that that record should exist in the
reverse DNS zone?

Any help is greatly appreciated.


RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)



The point you're missing is that I'm not talking about groups being deleted and
thus memberships being lost.  I'm talking about any object that could be a group
member (e.g. users, contacts, computers and other groups) being deleted and this
causing the lost memberships for the respective object.  And it only takes one
object to delete a whole lot of critical users contained herein: one OU.  It's
easy enough - mistakes can happen and do happen (via UI and CLI).  Believe me, I
wouldn't be so deep into this subject if I hadn't gone through hell for one of my
customers, getting them back on track after they accidentally deleted a whole OU
- it was a nightmare recovering all cross-domain links and for 3 days this had a
big impact on their operations, fileshare access and especially on the messaging
(E2K) which is built around UGs all over the forest...


From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, 5 March 2004 15:20
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Protecting Active Directory


RE: [ActiveDir] Protecting Active Directory

2004-03-05 Thread Mulnick, Al



Thanks Guido.  That makes a whole lot more sense then.

Looking forward to seeing the results of the work in action.
 
 
Al

  
-Original Message-
From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 10:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

RE: [ActiveDir] OT: Toolkit CD

2004-03-05 Thread Roger Seielstad
Might want to add Ethereal as well - free network sniffer

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


> -Original Message-
> From: Mulnick, Al [mailto:[EMAIL PROTECTED] 
> Sent: Friday, March 05, 2004 9:49 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] OT: Toolkit CD


[ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Brown, Bill [contractor]
To All,

Can anyone recommend a list for SMS that has quality contributors – like this one?

R/Bill




RE: [ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Michael B. Smith




SMS list www.topica.com/lists/mssms
 
SMS web site www.myITforum.com 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Sent: Friday, March 05, 2004 3:22 PM
To: ActiveDirList
Subject: [ActiveDir] [OT] SMS LIST???



RE: [ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Celone, Mike



There's one hosted by Topica.  
The address is [EMAIL PROTECTED].  
Excellent contributors on the list and it's very very active.  FYI it's run 
by www.MyItForum.com and will be 
migrating to their list server starting Monday so you may want to wait till then 
to subscribe.  Rod Trent runs the list (whom I'm pretty sure subscribes to 
this list too) so he can provide more information.
 
Mike


From: Brown, Bill [contractor] [mailto:[EMAIL PROTECTED]
Sent: Friday, March 05, 2004 3:22 PM
To: ActiveDirList
Subject: [ActiveDir] [OT] SMS LIST???



RE: [ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Ferrara, Sandra LMIT (PKI)



[EMAIL PROTECTED]   the best available.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brown, Bill [contractor]
Sent: Friday, March 05, 2004 3:22 PM
To: ActiveDirList
Subject: [ActiveDir] [OT] SMS LIST???


RE: [ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Rod Trent

Yes...the migration will start Monday.  The SMS list is the last one to migrate.

Here's where it's migrating to:

http://www.listleague.com





RE: [ActiveDir] OU design quandary

2004-03-05 Thread Mike Baudino




Thanks for the replies and sorry about my delay posting more.  Conference
calls and meetings sucking up lots o' time.

We do have a fairly centralized administration team in that user
administration, helpdesk, provisioning, and deskside support have been
outsourced globally.  They'll have a staff in North America and a staff in
Europe.  Our link to Europe isn't robust enough to support having a single
user domain across the Atlantic, which is why we have a European domain and a
North American domain.  However, those of us not outsourced are considering
ourselves to be the "managers" of Active Directory.  We create the OU
structure and GPO's, and handle troubleshooting, group creation, ACL'ing, etc.
The staff performing this function is very decentralized but we're working
with a common framework in place.

Software distribution will not be done via GPO.

I liked the "self-documenting" statement below.

I also liked Hunter's comments regarding GPO.  Got them on that one.

OK, I'll fess up.  I'm definitely in Camp 2.  I see no benefit at all to
lumping all users into a single OU.  As long as we don't get absurd with
the number of OUs and work out a logical rationale for how we're going to
break down the structure, I believe that it creates a superior design.  Yes,
it will be a bit more work, especially in provisioning.  When a user is
created or moves from one office to another (permanently) we'll have to
move some things around.  The people in the project in North America are
all in Camp 2.  Our European counterparts are in Camp 1.  Not at all sure
why.  I don't believe it's cultural.  Maybe Microsoft in Europe?  Our
design was reviewed and "blessed" by Microsoft a while back.  They've had
Microsoft in recently and changed their position and said simpler is
better.  Can't get much more simple than they have it.

Our CEO is requiring "site transparency".  Our belief is that we will
accomplish this via GPO's linked to sites to enable and define printing to
local printers in each office and that office's "group share" (if any).  We
believe that if we create an OU structure that matches the sites then we'll
be able to make it much easier to create and maintain the site GPOs.  Or
even if we do this by logon script (not linked to site) then having the OU
structure in place will still make this a lot easier.

Lastly, the staff around to manage this will be minimal.  Don't know how
minimal yet but roughly a dozen in North America and a dozen in Europe. Not
counting the administrative staff.

Thanks,
Mike




   
  
From: "Arden Pineda" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] OU design quandary
Date: 03/04/2004 12:40 PM
Please respond to ActiveDir

I would think that the 1st approach may work well for a small environment.

However, for larger organizations and as you start to use GPOs and
delegation, you may see that it makes more sense to create an OU hierarchy
that reflects your IT administration management model.  As has been said
before, this makes it easier to granularly assign Group Policies and
delegation of administration.

As much as possible, I avoid using the GPO inheritance changing options,
such as Filter GPO permission, but this is what you'll end up having to do
if you take approach 1.

Instead, I group objects with common management requirements and create
separate child OUs.  Thus, you can assign standard GPO settings at the
top-level OU, and create and link custom GPOs and 

[ActiveDir] Exchange 2003

2004-03-05 Thread Philadelphia, Lynden - Revios Toronto








Can anyone recommend a good
site for Exchange 2003 that has quality contributors - like this one? Or a
good white paper on adding and removing Exchange 2003 servers to a site.









RE: [ActiveDir] [OT] SMS LIST???

2004-03-05 Thread Free, Bob

http://www.topica.com/lists/MSSMS/ - Rod Trent, Larry Duncan et al., SMS gurus-extraordinaire :-]




RE: [ActiveDir] OT: Toolkit CD

2004-03-05 Thread Free, Bob
David Adner <> wrote:
> I'm about to re-enter the wonderful world of onsite vendor support,
> so I figure I should re-assemble my handy-dandy CD (used to be
> floppies) of useful tools and such.  I know little, portable USB
> drives can be used, too, but I'll still have some CDs with the
> bulk of the tools. 
> 
> So, I'm looking for any suggestions on what you guys have or used to
> have. 

MPS reports are very cool and besides the scripts also include a few
useful utilities. The exe installers for all 5 versions are less than 3
MB.

The stuff I carry in my bag off the top of my head and in no particular
order:

joeware
pstools (sysinternals)
The usual RK and support tool favorites past and present
Current GPMC
Latest RDP client
Stuff in the AlTools like EventCombMT,LockoutStatus etc
Portqry(v2),Nblookup,rpcping
blat or equivalent CLI mailer of choice
hfnetchk / mbsacli / qfecheck 
joeware
grep and tail *NIX type fave text tools for parsing text logs
Windows Memory Diagnostic (windiag) iso file to make bootable CD
http://oca.microsoft.com/en/windiag.asp
NAI's Stinger or equivalent for rudimentary virus tool
Windows Blaster Worm Removal Tool and similar ilk from MS and other
vendors
ethereal, NmapNT, fport, tcpview etc
AIDA32 if you like to dig into WMI info really easily
delpart.exe from the old 3.5 RK for pesky disk partitions
collection of favorite tweaking .reg files
sysinternals,sysinternals,sysinternals
joeware,joeware,joeware,joeware,joeware,joeware,joeware,joeware
vendor support account/contract/contact #'s etc  
joe,guido,tony,rick etc pager,cell/home phone numbers...Just kidding, I
am not worthy ;-) 

Bob Free
Sr Network Specialist
PG&E Auburn, Ca.






RE: [ActiveDir] Exchange 2003

2004-03-05 Thread Michael B. Smith



Microsoft's Exchange 2003 Technical Library is superb. Much 
more so than in past versions.
 
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/default.mspx
 
I don't know of any Exchange list that is as high-level and 
in-depth as this one is for A/D. If you find one, please let me know as 
well.
 
The Sunbelt Exchange list has several MVP's that hang out 
there, but it is quite noisy.




RE: [ActiveDir] Exchange 2003

2004-03-05 Thread Adams, Kenneth W (Ken)

I subscribe to 2 Exchange newsgroups.  Both have good people participating in 
them and cover any flavor of Exchange.

Try:

Yahoo! Groups: http://groups.yahoo.com/group/Exchange2000/

or

List Charter and FAQ at: http://www.sunbelt-software.com/exchange_list_charter.htm

Kenneth W. (Ken) Adams, MCSA, MCSE 



RE: [ActiveDir] Broadcast - 138 port

2004-03-05 Thread ILyas
Thanks Robert and Mulnick for your help. 

Though my DNS has been setup properly, do I have to setup WINS?
Sorry, I have no idea about these browser masters.

ILyas


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sieber R., DP ITS,
FII, DD
Sent: Thursday, March 04, 2004 7:17 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Broadcast - 138 port

I think these are browser announcements. Just wish it wasn't so talkative
and noisy.

Domain/Workgroup Announcement, Domain controller, NT workstation, domain
Enum and Host announcement, workstation, server, domain controller, print
queue server, nt workstation, master browser - all sending browser
announcements.
Try a sniffer like ethereal and take a look at the packages!

Robert

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Thursday, March 04, 2004 3:02 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] Broadcast - 138 port
> 
> 
> Why is your firewall dropping packets for NetBios datagrams on the 
> same network?  Is this a personal type firewall that's running?
> 
> Al
> 
> -Original Message-
> From: ILyas [mailto:[EMAIL PROTECTED]
> Sent: Thursday, March 04, 2004 2:27 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Broadcast - 138 port
> 
> Hi
> 
> Have no idea whether this is normal.
> My firewall log shows more broadcasts being sent to the IP
> 192.168.0.255 to
> the port 138.
> Our network uses static IP and not DHCP in a Win 2k environment. All 
> the clients are Win 2k pro except 2 (win98).
> 
> My query:
> Why does it generate more broadcast traffic? The log is full of these 
> dropped broadcast entries, and I don't know how to reduce this traffic.
> 
> I learnt that port 138 is for NetBIOS Datagram Service.
> In a Win2k environment, would this NetBIOS be active, that too to this 
> extent?
> 
> Is there a chance of performance degradation with this issue?
> Thanks for any help.
> 
> ILyas
> 
> Conares IT Dept
> Dubai, uae
> Tel: +9714 8835 111
> Fax: +9714 8836 611
> Cell:+97150 6550 894
> 
> 
> * LOG *
> 04/03/2004 02:19:29.416 - Broadcast packet dropped - Source:192.168.0.127, 138, LAN - Destination:192.168.0.255, 138, LAN - Code:17
> * LOG *
> 
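As an added example (not from anyone in the thread), a small Python triage script for the firewall log layout ILyas posted: it tallies dropped broadcasts per source host and labels each one as the expected NetBIOS chatter to the subnet broadcast address (udp/137 name service, udp/138 datagram service, which carries the browser announcements Robert describes) or as something worth a closer look. The first sample line is the one from the post; the remaining lines, the 10.0.5.9 source and the 192.168.0.0/24 LAN range are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: line 1 is the layout quoted in the thread, the rest are
# made-up lines in the same format (10.0.5.9 is invented to show an outlier).
SAMPLE_LOG = """\
04/03/2004 02:19:29.416 - Broadcast packet dropped - Source:192.168.0.127, 138, LAN - Destination:192.168.0.255, 138, LAN - Code:17
04/03/2004 02:19:41.102 - Broadcast packet dropped - Source:192.168.0.127, 138, LAN - Destination:192.168.0.255, 138, LAN - Code:17
04/03/2004 02:20:03.550 - Broadcast packet dropped - Source:192.168.0.44, 138, LAN - Destination:192.168.0.255, 138, LAN - Code:17
04/03/2004 02:20:15.007 - Broadcast packet dropped - Source:192.168.0.44, 137, LAN - Destination:192.168.0.255, 137, LAN - Code:17
04/03/2004 02:21:00.333 - Broadcast packet dropped - Source:10.0.5.9, 138, WAN - Destination:192.168.0.255, 138, LAN - Code:17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<event>.+?) - "
    r"Source:(?P<src>[\d.]+), (?P<sport>\d+), (?P<szone>\w+) - "
    r"Destination:(?P<dst>[\d.]+), (?P<dport>\d+), (?P<dzone>\w+) - Code:(?P<code>\d+)$"
)

# Ports the thread identifies as NetBIOS; 138 carries the browser announcements.
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram service"}

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not a record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(rec, lan):
    # Label one dropped broadcast: expected LAN NetBIOS chatter or something to check.
    src = ip_address(rec["src"])
    dport = int(rec["dport"])
    if rec["dst"] != str(lan.broadcast_address):
        return "not the subnet broadcast address"
    if src not in lan:
        return "off-subnet source hitting the LAN broadcast (investigate)"
    if dport in NETBIOS_PORTS:
        return "expected: " + NETBIOS_PORTS[dport]
    return "other broadcast on udp/%d" % dport

def summarize(log_text, lan_cidr="192.168.0.0/24"):
    """Count dropped broadcasts per label and per source host."""
    lan = ip_network(lan_cidr)
    by_label, by_source = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skips the '* LOG *' markers and any other non-record lines
        by_label[classify(rec, lan)] += 1
        by_source[rec["src"]] += 1
    return by_label, by_source
```

Running `summarize` over a day's worth of these lines shows which hosts are the noisy browser announcers and whether anything other than local NetBIOS traffic is being dropped.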