RE: [ActiveDir] Move FSMO Roles Affect Permissions?
No FRS problems. I say that from event logs and the output from replmon...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Saturday, April 03, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Disclaimer: I know very little about Exchange. The first thing that comes to mind: do you have FRS problems? If you say no, what is your metric for saying that? I ask because if you dcpromo a new box in, and it doesn't get SYSVOL properly, the rights added by the Exchange domain prep won't replicate to that DC and Exchange won't start properly.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Saturday, April 03, 2004 1:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Thanks for your comments/questions. I had given up hope. :-)

Nothing else changed. This is my production hosted Unity domain. I'm the enterprise admin; no one else has that password. Yes, the DC2 machine account had full mailbox access. The only errors in the event log were when the service suddenly couldn't log in anymore; the service began logging errors: "An attempt to access the Exchange Private Store has failed: 8004011d. The MAPI subsystem returned the following error: You do not have permission to log on." There are no failures in the security log. I didn't take a network trace. :-( As soon as I restarted the service, a couple of dozen small companies suddenly found their telephone service wasn't answering calls and I had to resolve it, ASAP. I did that by throwing permissions at it.

Since I wrote the original email, I've poured hours into investigation of this. As soon as the FSMO roles were moved (within 15 minutes), the mailbox service started generating warnings about not being able to access certain log files. But it was 2.5 days later until it couldn't access the mailbox and began generating errors.

Moving the FSMO roles definitely had some security impact; one I've never heard of before; and it worries me.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, April 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Interesting. I can't think of anything that a FSMO role move would have changed that would have caused that behavior. However, my love of exchange is not unknown on this list nor is it, in my opinion, unfounded. There are many things in Exchange that aren't quite logical. :o)

So anyway, did anything ELSE change and are you sure and how do you know? I would assume that you set up the mailbox so that DC2 machine account had full mailbox access? If not, how was it accessing the mailbox? Any errors in the event log? What do you see in a network trace?

joe
- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Friday, April 02, 2004 7:07 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Move FSMO Roles Affect Permissions?

Windows 2000 Native Mode, flat (single) domain, single site. DC1 and DC2 are both Windows 2000 servers w/sp3 plus all current hotfixes. Until last Sunday (3/28), DC1 held all FSMO roles. Both DC1 and DC2 are GCs. DC2 runs a service, under localsystem, that logs into an Exchange mailbox, which is explicitly set to allow "Domain Admins" to have "Full Mailbox Access". Everything works fine.

Two Wednesdays ago (3/24), a Windows 2003 DC (DC3) was introduced into the mix. It was allowed to be there for five days to ensure no problems happened. Last Sunday (3/28), all FSMO roles were moved to DC3. This Wednesday (3/31) the service running on DC2 suddenly reports that it can't log into the Exchange mailbox anymore. After a restart it reports the same thing. After a reboot it reports the same thing. It took changing the service account to a domain admin account for the service to start operating again.

Two questions:
1) Just WTF? :-)
2) Should I have expected that transferring FSMO roles would affect how permissions of localsystem on a DC were applied?
3) Why the 3 day delay? (yeah yeah, I know that was three, not two, but the first one was really specious.)

Thanks,
Michael
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
I could rebuild it in a lab; it would be painful. My real question is: should anything at all have happened when I moved FSMO roles from a W2K server to a W2K3 server?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Saturday, April 03, 2004 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Any chance you have a lab for this that you can mock up and try to duplicate? Obviously you can't back the DC into the old config unless you have maintenance windows you can play in.

What kind of log files did it say it couldn't access? What FSMO roles was DC2 holding before the switch? Is Exchange running on the DCs or as a member? Can you install this service on say DC1 with another mailbox in the old way to see if you can duplicate the problem there (assuming no lab)?

At this point, I would probably:
1. Check to make sure that the mailbox still has the access of DC2 with full mailbox access.
2. Check the policy (fully - all settings - secpol.msc) on the new DC as Eric is suggesting. It shouldn't prevent accessing of the mailbox but is still good to double-check in case there is a delta between that DC and the others. Very carefully check replication of FRS/AD.
3. Check what DC the Exchange server is using for the various pieces (GC, DC, Config).
4. If you can get a chance to switch it back to local system, get a network trace of the failure, which may give some sort of clue.

Sorry for vagueness; you are doing something way outside what we do and I'm just trying to guess what I would try to do to troubleshoot that. Having a lab, even if in VM, would be a great plus.

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Replmon doesn't monitor FRS. Ultrasound would need to be used for that. Event logs, Ultrasound and just anecdotal observations would need to be used for that.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Monday, April 05, 2004 7:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

No FRS problems. I say that from event logs and the output from replmon...
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Go ahead and slap me if I'm being stupid... FRS is responsible for replication, yes? If replmon says that replication is successful, wouldn't that indicate FRS is ok?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Monday, April 05, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Replmon doesn't monitor FRS. Ultrasound would need to be used for that. Event logs, Ultrasound and just anecdotal observations would need to be used for that.

~Eric
RE: [ActiveDir] Global Catalogs and the Infrastructure Master
Thanks everyone for the feedback.

Cody

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, March 31, 2004 6:52 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Global Catalogs and the Infrastructure Master

Ok, it sounds like you left a DC in each domain as a non-GC simply to hold the infrastructure master role. If that is the case, yes, promote all DCs to GCs.

- http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cody Fleming
Sent: Tuesday, March 30, 2004 9:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Global Catalogs and the Infrastructure Master

Hello,

I have multiple AD domains and I currently have all DCs in my domains configured as Global Catalogs except for one in each domain, and it holds the Infrastructure Master role. I am considering making these servers GCs as well. Can anyone give me some feedback on whether this would be good/bad, or issues that may be caused by doing this? Anyone have experience running with all GCs?

The reason I'm considering this is that the site where this DC lives currently has multiple DCs, but the one configured as the GC is being removed from this site, leaving no GC coverage. I'm not concerned with bandwidth or additional replication traffic needed for the GC.

I have read this: http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_ADgcInfFSMO.htm

Thank you,
Cody
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
No slap coming from here... :-)

As far as I understand it, REPLMON looks at AD replication.. that's not the same as replication of the contents of sysvol, but I might be heading for a slap!!

Jack

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: 05 April 2004 14:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Go ahead and slap me if I'm being stupid... FRS is responsible for replication, yes? If replmon says that replication is successful, wouldn't that indicate FRS is ok?
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Hello Michael, this is a different kind of replication. Replmon monitors the replication of Active Directory information, such as the configuration, the global schema and the domain information like your OU structure, users, groups and computers (to name the most common examples). FRS is the File Replication Service; it depends on AD since its infrastructure information is configured there as well. However, the file replication infrastructure is independent from the AD replication infrastructure: a different technology, and therefore different tools to monitor.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael B. Smith
Sent: Monday, 5 April 2004 06:00
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

Go ahead and slap me if I'm being stupid... FRS is responsible for replication, yes? If replmon says that replication is successful, wouldn't that indicate FRS is ok?
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Right, so combining threads a bit (I see Ulf replied as well).

NTFRS and AD replication are different animals. Different engines, different code, different design goals. NTFRS replicates files on a disk. AD replication replicates objects in a directory.

Here's where it gets confusing for most people:

0) When we're talking about SYSVOL (which is an FRS replica set, aka the domain system volume), the replication topology (i.e. who replicates with whom from an FRS perspective) mirrors the AD replication topology. So FRS respects the COs that AD creates for AD replication and uses that as its topology as well.

1) You can have FRS replication independent of that topology, aka an FRS replica set that is powering DFS. So people say "so you can do that without AD, right?" Well, no, you can't. We store certain critical objects about the FRS replica set, even when used with DFS, in AD. As such, even though you're using FRS that is not SYSVOL, you still need AD.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, April 05, 2004 8:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?

No slap coming from here... :-)

As far as I understand it, REPLMON looks at AD replication.. that's not the same as replication of the contents of sysvol, but I might be heading for a slap!!

Jack
RE: [ActiveDir] Kerberos event ID's 677
http://www.microsoft.com/downloads/details.aspx?FamilyID=7dfeb015-6043-47db-8238-dc7af89c93f1DisplayLang=en

Microsoft just published a Kerberos Troubleshooting White Paper. It is pretty good. Todd

From: Eric Fleischman [mailto:[EMAIL PROTECTED] Sent: Saturday, April 03, 2004 4:22 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos event ID's 677

I just saw this post. Sorry, I would have replied sooner if I had noticed it. The good is that this is typically benign. If anything, I'd say we over-report this error. Typically this error is thrown because the client asked the server to talk a language that it could not. The client then said "ok how about this" and life is fine, but in the meantime the server tossed an event and scared the administrator. It's unfortunate that the error text isn't better. So, you can ignore the event. There is a QFE that should help suppress them. If you call the 800 support # and ask them to send you Q824905 that should suppress some of them. But again, this is benign, so I wouldn't sweat it. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Thursday, April 01, 2004 10:12 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Kerberos event ID's 677

Has anyone else been seeing a plethora of "service ticket request failed" event ID 677 logs in their Security logs on their Windows 2000 SP4 DCs? The failure code is 0xE and the sources seem to be Windows 2003 member servers. I have queried our MS support and they told me to try a hotfix from KB 824905. Unfortunately, even though the hotfix is from November 2003, the KB article is not available on TechNet or on MS premier support web site. So in keeping with today's theme of missing documentation from Microsoft... anybody have more information on this article, hotfix, or this issue in general? I would like to know what this hotfix is actually supposed to do before actually applying it on my test bench DCs. Thanks, Stuart Fuller
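Eric's point is that a 677 with failure code 0xE is usually the KDC rejecting an encryption type the client then renegotiates, so the event by itself says little. The triage script below is an added example, not code from the list thread or from Microsoft: it parses 677 message bodies, names the failure code per RFC 4120 section 7.5.9, and separates the 0xE noise from codes that deserve a look. The verdict text is this example's own triage assumption, and the sample events are constructed, not real log data.

```powershell
# Added example, not code from the list thread. Triages Kerberos "service ticket request
# failed" events (ID 677 on Windows 2000/2003 DCs; 4769 on 2008 and later) by failure code.
# Code-to-name mapping follows RFC 4120 section 7.5.9. The verdict text is this example's
# own triage assumption, not a Microsoft classification.

$KrbErrorNames = @{
    0x06 = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
    0x07 = 'KDC_ERR_S_PRINCIPAL_UNKNOWN'
    0x0C = 'KDC_ERR_POLICY'
    0x0D = 'KDC_ERR_BADOPTION'
    0x0E = 'KDC_ERR_ETYPE_NOSUPP'
    0x12 = 'KDC_ERR_CLIENT_REVOKED'
    0x17 = 'KDC_ERR_KEY_EXPIRED'
    0x18 = 'KDC_ERR_PREAUTH_FAILED'
    0x1F = 'KRB_AP_ERR_BAD_INTEGRITY'
    0x20 = 'KRB_AP_ERR_TKT_EXPIRED'
    0x25 = 'KRB_AP_ERR_SKEW'
}

$KrbVerdicts = @{
    0x0E = 'Usually benign: client retried with an etype the KDC supports'
    0x07 = 'Investigate: SPN not registered (or duplicated) for the requested service'
    0x1F = 'Investigate: service key mismatch (stale machine password) or tampering'
    0x25 = 'Check time sync: clock skew beyond the Kerberos tolerance'
}

function ConvertFrom-KerberosFailureEvent {
    # Parses one classic 677 message body into a flat object.
    param([Parameter(Mandatory = $true)][string]$Message)
    $field = { param($label) if ($Message -match "$label\s*:\s*(\S+)") { $Matches[1] } }
    $codeText = & $field 'Failure Code'
    $code = if ($codeText) { [int]$codeText } else { -1 }   # [int]'0xE' parses the hex form
    $name = if ($KrbErrorNames.ContainsKey($code)) { $KrbErrorNames[$code] } else { 'UNKNOWN' }
    $verdict = if ($KrbVerdicts.ContainsKey($code)) { $KrbVerdicts[$code] } else { 'Review manually' }
    New-Object PSObject -Property @{
        UserName      = & $field 'User Name'
        ServiceName   = & $field 'Service Name'
        ClientAddress = & $field 'Client Address'
        FailureCode   = $codeText
        ErrorName     = $name
        Verdict       = $verdict
    }
}

function Get-KerberosFailureTriage {
    # Summarises a batch of 677 messages: one row per failure code, with the services hit.
    param([Parameter(Mandatory = $true)][string[]]$Messages)
    $parsed = $Messages | ForEach-Object { ConvertFrom-KerberosFailureEvent -Message $_ }
    $parsed | Group-Object FailureCode | ForEach-Object {
        $services = $_.Group | ForEach-Object { $_.ServiceName } | Sort-Object -Unique
        New-Object PSObject -Property @{
            FailureCode = $_.Name
            ErrorName   = $_.Group[0].ErrorName
            Count       = $_.Count
            Verdict     = $_.Group[0].Verdict
            Services    = $services -join ', '
        }
    } | Sort-Object Count -Descending
}

# Constructed sample messages in the Windows 2000/2003 event 677 layout (not real log data).
$SampleEvents = @(
    'Service Ticket Request Failed: User Name: jdoe@CORP.EXAMPLE User Domain: CORP.EXAMPLE Service Name: HOST/member01.corp.example Ticket Options: 0x40810010 Failure Code: 0xE Client Address: 192.0.2.10',
    'Service Ticket Request Failed: User Name: jdoe@CORP.EXAMPLE User Domain: CORP.EXAMPLE Service Name: HOST/member01.corp.example Ticket Options: 0x40810010 Failure Code: 0xE Client Address: 192.0.2.10',
    'Service Ticket Request Failed: User Name: svc-backup@CORP.EXAMPLE User Domain: CORP.EXAMPLE Service Name: MSSQLSvc/sql01.corp.example:1433 Ticket Options: 0x40810010 Failure Code: 0x7 Client Address: 192.0.2.22',
    'Service Ticket Request Failed: User Name: mbsmith@CORP.EXAMPLE User Domain: CORP.EXAMPLE Service Name: HOST/dc2.corp.example Ticket Options: 0x40810010 Failure Code: 0x25 Client Address: 192.0.2.31'
)

Get-KerberosFailureTriage -Messages $SampleEvents |
    Format-Table FailureCode, ErrorName, Count, Verdict, Services -AutoSize

# On a DC that still logs 677 (Windows PowerShell's Get-EventLog), feed real events instead:
# Get-KerberosFailureTriage -Messages (Get-EventLog -LogName Security -Newest 1000 |
#     Where-Object { $_.EventID -eq 677 } | ForEach-Object { $_.Message })
```

Grouping by failure code rather than by count alone is the point: a thousand 0xE entries are the over-reporting Eric describes, while a handful of 0x7 or 0x1F against one service are the ones the hotfix would hide along with the noise, so check those before applying any suppression.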
[ActiveDir] Joining computer to a domain... And Kpassword port 446.
Greetings all... I just had someone stop by my office asking what ports need to be open to allow a machine to join a domain. It appears these security experts feel that they need to limit the communication both inbound and outbound. (Don't get me started on the outbound part.) They said that when they tried to join the computer to the domain that it wouldn't work. But when they turned off the outbound rule set in the high order range, communication worked. I have several papers on firewall configuration for AD. But I have not found a reference that discusses what ports are necessary to allow a machine to be joined to a domain. My assumption is that it would require all the base ports 88, 123, 54, 389, 445, but does it require any dynamic ports? I will probably run a packet sniffer later this week to check this out myself, but if anyone can quickly comment, it would be appreciated. Also, reading the latest Microsoft Whitepaper on Kerberos Troubleshooting, I noticed that they listed port 446, for password resets for Kerberos V5. According to Microsoft Firewall White Papers for AD, this port is never mentioned. So my question is, is it required for Microsoft Kerberos clients, or if you are using a mixture of clients? Thanks, Todd
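Before the packet sniffer, a quick pre-flight check from the machine to be joined shows which of the fixed ports the firewall team's rules actually block. The script below is an added example, not from the list thread: the port list is this example's assumption (the base ports in Todd's post plus the RPC endpoint mapper on 135 and kpasswd on 464, the port RFC 3244 assigns to Kerberos password changes), the DC names and domain are placeholders, and only TCP is probed because a TcpClient connect cannot exercise the UDP side of DNS, Kerberos, LDAP or NTP.

```powershell
# Added example, not from the list thread: pre-flight check of the fixed TCP ports a
# prospective member needs to reach on its DCs before a join. Port list is this example's
# assumption. UDP (NTP 123, and the UDP sides of 53/88/389) is not probed; TcpClient only
# covers TCP. Hostnames and the domain name below are placeholders.

$DomainJoinTcpPorts = @{
    53  = 'DNS (SRV lookup of _ldap._tcp.dc._msdcs.<domain>)'
    88  = 'Kerberos KDC'
    135 = 'RPC endpoint mapper (refers the client to dynamic high ports; allow those too)'
    389 = 'LDAP'
    445 = 'SMB (SAMR/LSA/Netlogon named pipes, SYSVOL)'
    464 = 'Kerberos kpasswd (machine account password set/change, RFC 3244)'
}

function Test-TcpPort {
    # TCP connect with a timeout; $true only if the three-way handshake completes.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # no SYN-ACK: filtered
        $client.EndConnect($async)   # throws on RST (closed) or host unreachable
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-DomainControllers {
    # Discovers DCs from the SRV record the join itself relies on (Resolve-DnsName: Win8/2012+).
    param([Parameter(Mandatory = $true)][string]$DomainName)
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { $_.NameTarget }
}

function Test-DomainJoinPorts {
    # One row per DC/port pair; pipe through Where-Object { -not $_.Open } to see what to unblock.
    param([Parameter(Mandatory = $true)][string[]]$DomainController, [int]$TimeoutMs = 2000)
    foreach ($dc in $DomainController) {
        foreach ($port in ($DomainJoinTcpPorts.Keys | Sort-Object)) {
            New-Object PSObject -Property @{
                DomainController = $dc
                Port             = $port
                Purpose          = $DomainJoinTcpPorts[$port]
                Open             = Test-TcpPort -ComputerName $dc -Port $port -TimeoutMs $TimeoutMs
            }
        }
    }
}

# Placeholder names; on a real network discover them with Get-DomainControllers -DomainName 'corp.example'.
Test-DomainJoinPorts -DomainController 'dc1.corp.example', 'dc2.corp.example' |
    Format-Table DomainController, Port, Open, Purpose -AutoSize
```

A clean result on the fixed ports does not finish the job: the endpoint mapper on 135 hands the client a dynamic high port for the RPC calls that follow, which is the "high order range" whose outbound rule had to be turned off in Todd's case. Either allow that range towards the DCs or watch the 135 exchange in the trace to see which ports are handed out.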
RE: [ActiveDir] Kerberos event ID's 677
Thanks Todd!! - that whitepaper is great. Eric... Thanks for the information. I thought it may be one of those "check engine" light warnings with no real world meaning. However, I am reluctant to apply the hotfix without more detailed information on what the issue is and how the HF fixes it. It would be nice to get a copy of whatever documentation that goes with the HF. Generally it is okay to put black electrical tape over the check engine light so it goes out... but sometimes not... ;-) -Stuart Fuller

From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED] Sent: Monday, April 05, 2004 8:14 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos event ID's 677
RE: [ActiveDir] Kerberos event ID's 677
There's nothing really to speak of here. The QFE suppresses these errors. In your original note you had mentioned "anybody have more information on this article, hotfix, or this issue in general". That's what I think I gave you. I don't have a KB, it simply doesn't exist at this point. :) Don't have any more than that I'm afraid. You could try opening a support incident to see if our front line support teams have data to share, I don't know what's in their arsenal. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart Sent: Monday, April 05, 2004 9:50 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Kerberos event ID's 677
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Well, learn something new every day. I'll install Ultrasound -- however, my FRS event logs are clean. So I expect everything FRS-wise is OK. Thanks, Michael

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, April 05, 2004 8:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?
[ActiveDir] AD Consultants
Before I start, just to let you know I checked with Tony before sending this to the list. Does anyone know any companies in the North Eastern US area that do AD consulting and design? My CIO would like to bring in a consulting company to help us out with a global AD design for our company. If anyone has any suggestions or needs more information please email OFF the list. Any and all help is appreciated. Mike
RE: [ActiveDir] Move FSMO Roles Affect Permissions?
Agreed. The logs go red real fast when things turn south. ;) You can run gpotool (support tool? I forget) to check if policies are consistent across DCs as well. It's a quick way to just snapshot SYSVOL and see if DCs are (fairly, keeping replication latency in mind) in sync. That said, not clear to me why you had failure when FSMO role was moved. I would agree with Joe; you'd need to either schedule a service outage where we can collect the appropriate data during that time period or try and repro in the lab. Whichever you think is best is fine by me. ~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, April 05, 2004 12:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Move FSMO Roles Affect Permissions?
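Eric's two checks in this thread, whether SYSVOL is really the same on every DC and whether NtFrs has logged anything, are easy to script when Ultrasound and gpotool are not to hand. The block below is an added example, not code from the list or from Microsoft: it hashes every file under each DC's SYSVOL Policies tree (where the rights added by Exchange domain prep end up as part of the Default Domain Controllers policy), reports paths that are missing or differ between DCs, and pulls the two classic FRS warnings worth checking first. DC names and the domain are placeholders; allow for replication latency before treating a difference as a fault.

```powershell
# Added example, not code from the list thread: a scripted version of the "snapshot SYSVOL
# and see whether the DCs agree" check, plus the classic NtFrs warnings.
# DC names and the domain name are placeholders; replace them with your own.

function Get-SysvolSnapshot {
    # Returns a hashtable: relative path -> SHA-256 of content, for one DC's Policies tree.
    param([Parameter(Mandatory = $true)][string]$DomainController,
          [Parameter(Mandatory = $true)][string]$DomainName)
    $root = "\\$DomainController\SYSVOL\$DomainName\Policies"
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $snapshot = @{}
    Get-ChildItem -Path $root -Recurse -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $stream = $_.OpenRead()
            try { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
            finally { $stream.Close() }
            $snapshot[$relative] = $hash
        }
    $snapshot
}

function Compare-SysvolSnapshots {
    # Lists every relative path whose content (or presence) differs between two snapshots.
    param([hashtable]$Reference, [hashtable]$Difference, [string]$Label)
    $paths = @($Reference.Keys) + @($Difference.Keys) | Sort-Object -Unique
    foreach ($path in $paths) {
        $a = $Reference[$path]; $b = $Difference[$path]
        if ($a -eq $b) { continue }
        $state = if (-not $a) { 'MissingOnReference' } elseif (-not $b) { 'MissingOnPartner' } else { 'ContentDiffers' }
        New-Object PSObject -Property @{ Partner = $Label; Path = $path; State = $state }
    }
}

function Get-FrsProblemEvents {
    # The two NtFrs events worth checking first: 13508 (cannot replicate with a partner) and
    # 13568 (NTFS journal wrap). Both live in the classic "File Replication Service" log.
    param([Parameter(Mandatory = $true)][string]$DomainController, [int]$Newest = 500)
    Get-EventLog -ComputerName $DomainController -LogName 'File Replication Service' -Newest $Newest |
        Where-Object { @(13508, 13568) -contains $_.EventID } |
        Select-Object MachineName, TimeGenerated, EventID, EntryType
}

# Placeholder names. Run from an account that can read every DC's SYSVOL share.
$domain = 'corp.example'
$dcs = 'DC1', 'DC2', 'DC3'
$snapshots = @{}
foreach ($dc in $dcs) { $snapshots[$dc] = Get-SysvolSnapshot -DomainController $dc -DomainName $domain }
foreach ($dc in ($dcs | Select-Object -Skip 1)) {
    Compare-SysvolSnapshots -Reference $snapshots[$dcs[0]] -Difference $snapshots[$dc] -Label "$($dcs[0]) vs $dc" |
        Format-Table Partner, State, Path -AutoSize
}
foreach ($dc in $dcs) { Get-FrsProblemEvents -DomainController $dc | Format-Table -AutoSize }
```

Content hashes catch what a clean event log does not: a DC whose SYSVOL replica set never finished its initial sync has no FRS errors to report, yet its GptTmpl.inf for the Default Domain Controllers policy may still lack the user rights Exchange domain prep added, which is exactly the failure mode Eric asked about. A difference that persists past the replication interval, or any 13508 that never gets its matching 13509, is worth chasing before looking at the FSMO move.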
[ActiveDir] Photos in Active Directory
Hi all, We're in the middle of designing our Active Directory (Server 2003) and our security group just came up with the idea that it would be great to include a photo of the user in each user object. I know this CAN be done but I'm looking for information that would tell me whether it SHOULD or SHOULD NOT be done. Any references anyone can think of or, better yet, personal experience with this? Thanks, Mike

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/