RE: [ActiveDir] Replication issues

2004-04-28 Thread joe



1. What do you think your replication latency is supposed to be based upon your knowledge of your topology and your link configurations? This isn't something you have to guess at. Look at your DC placement and your replication topology and it will tell you the exact theoretical max replication period you have.

2. What do you want it to be?


30-60 minutes would be a time frame for replication that means you changed the default link settings. The default is 180 minutes per link (hop). This can be reduced to as low as 15 minutes without change notification and if you enable change notification it can go down to seconds (based on how busy the bridge heads between the sites are). As a rule, people don't generally set up change notification across a WAN [1]. 30-60 minutes could mean that you have 2-4 hops to get to the site with 15 minute delays or it could be you have 1-2 hops with 30 minute delays or it could be 1-2 hops with 15 minute delays with lots of DCs in each site and it taking 15 minutes to get to the proper outgoing bridgehead for each site. Lots of valid reasons for the timing, you need to understand what your theoretical maxes could be and then decide if you are outside of that. If outside of that the first thing I would do is look at my DRA Pending Queue on my servers in the replication path to make sure it was zeroing out every replication period. [2]

One thing I saw below I wanted to speak about... The out of band password force back to the PDC has been in W2K since RTM at least. It will get that password back immediately unless the PDC is really busy or otherwise unavailable (down, net down, PacMan on the ethernet line eating all of the packets, etc).


Now after all of this I will say you should NOT have to worry about changing passwords at the specific site. Assuming the PDC is available to that site, you should be able to change a password anywhere on any DC and that password will get back to the DC. Then the client should be able to log on ANYWHERE. What SHOULD happen is that the local DC should realize, hey this password isn't correct and will do what is called a PDC Chaining to ask the PDC whether the password specified is in fact ok [3]. Assuming the password is ok, the PDC will say, that is fine and let the user log on. This functionality has been in Windows all the way back in NT. Without it, life in large companies would be miserable.

Now there has been a change in the functionality since 2K RTM to fix what I consider a design flaw / bug in this process. I can't recall when that exactly went in for 2K (SP3?) but it was in K3 RC1; I have written previously about this fix on this list. Basically the issue was if the user needed to change the password on the next logon and the PDC chaining event occurred, the logon would succeed and the client would be told to display the change password dialogue. The user would respond and use the "old password" of the password they just used to logon. Since that password wasn't yet at the local DC that was handling this change password request the local DC would say that the old password was incorrect and reject the change. I have already speculated in previous posts to this list about what was happening. Basically it was fixed by sending back key information to the remote DC during a PDC Chaining operation that brought that DC up to date for some critical authentication information so that it did indeed have the latest password information for that user.

So all of that to say, that unless you have horrendous network connectivity, you should not have to set passwords on specific DCs if you are up to the current patch levels of Windows 2000 or on Windows 2003 for your domain controllers.


 
joe

[1] There are exceptions here so I am not looking for people to email say, we are and here's why... There are a couple of special cases where I do it as well - to keep exchange in a good mood. The exceptions make the rule and show the beauty of the flexibility of the system.

[2] Keep in mind there was a bug in a hotfix or two between SP2-3 that caused this queue to not have good values. It would increment sometimes and exit without remembering to decrement. Very unusual as it will look almost like your queue isn't clearing. In this case, you can pull out repadmin /queue or my adqueueloop to look at the actual queue and verify what it is doing. This is fixed in SP4 and actually one of the 4 new hotfixes that just came out also corrects it (obviously the bin with that code was replaced in one of the fixes and it has all of the previous fixes in it as well). So if you are at the minimum you should be for these last three crits, your counters should be working ok.

[3] The DCs realize that they may not have the latest password and go ask the "master" for verification. This is one of the "big" functions of the PDC, being "master" of the passwords. It may not have the current right password, but it

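joe's point 1 is that the worst-case inter-site latency is not a guess but something you read off the site-link topology: hops times the replication interval of each link, plus however long a change takes to reach the outgoing bridgehead inside a busy site. The following Python script is an added example written for this archive page; it is not joe's code or any Microsoft tool. It assumes a simplified KCC model (changes travel the least-cost site-link path and may wait one full replication interval at every hop), a constructed hub-and-spoke topology with made-up site names, and an optional per-site delay standing in for the "15 minutes to get to the proper outgoing bridgehead" case. It reproduces the figures in joe's post: two 15-minute hops give 30 minutes, and the same hops with busy sites give 60.

```python
"""Worst-case inter-site replication latency from a site-link topology.

Added example, not part of the original list post. Simplified model (an
assumption): the KCC routes a change along the least-cost site-link path,
and at each hop the change may wait one full replication interval of that
link before it is pulled across. An optional per-site delay models the
"lots of DCs in each site, 15 minutes to reach the outgoing bridgehead"
case; it is charged at every site that has to forward the change.
"""
import heapq
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: tuple            # the two sites the link joins
    cost: int = 100         # KCC path-selection cost (AD default 100)
    interval: int = 180     # replication interval in minutes (AD default 180)


@dataclass
class Topology:
    links: list
    intra_site_delay: dict = field(default_factory=dict)  # site -> minutes

    def neighbours(self, site):
        for link in self.links:
            a, b = link.sites
            if site == a:
                yield b, link
            elif site == b:
                yield a, link

    def least_cost_path(self, src, dst):
        """Dijkstra over link cost; returns the links traversed from src to dst."""
        best = {src: 0}
        prev = {}
        heap = [(0, src)]
        while heap:
            cost, site = heapq.heappop(heap)
            if cost > best[site]:
                continue            # stale heap entry
            if site == dst:
                break
            for nxt, link in self.neighbours(site):
                new_cost = cost + link.cost
                if new_cost < best.get(nxt, float("inf")):
                    best[nxt] = new_cost
                    prev[nxt] = (site, link)
                    heapq.heappush(heap, (new_cost, nxt))
        if dst not in best:
            raise ValueError(f"no site-link path from {src} to {dst}")
        path, cur = [], dst
        while cur != src:
            cur, link = prev[cur]
            path.append(link)
        return path[::-1]

    def worst_case_latency(self, src, dst):
        """Return (hops, minutes): the theoretical max for a change made in
        src to show up on the DCs in dst."""
        path = self.least_cost_path(src, dst)
        minutes = sum(link.interval for link in path)
        # Sites that must forward the change: src and every intermediate site.
        forwarding, cur = [src], src
        for link in path[:-1]:
            a, b = link.sites
            cur = b if cur == a else a
            forwarding.append(cur)
        minutes += sum(self.intra_site_delay.get(s, 0) for s in forwarding)
        return len(path), minutes


def hub_and_spoke(interval, intra_site_delay=None):
    """Constructed sample topology: two branch sites hanging off one hub."""
    links = [
        SiteLink("Branch1-Hub", ("Branch1", "Hub"), interval=interval),
        SiteLink("Hub-Branch2", ("Hub", "Branch2"), interval=interval),
    ]
    return Topology(links, intra_site_delay or {})


if __name__ == "__main__":
    cases = [
        ("default 180-minute links", hub_and_spoke(180)),
        ("15-minute links", hub_and_spoke(15)),
        ("15-minute links, busy sites", hub_and_spoke(15, {"Branch1": 15, "Hub": 15})),
    ]
    for label, topo in cases:
        hops, minutes = topo.worst_case_latency("Branch1", "Branch2")
        print(f"{label}: {hops} hops, worst case {minutes} minutes")
```

If a measured latency is consistently above the number this gives for the pair of sites in question, that is the point at which joe says to look at the DRA Pending Replication Queue on the DCs along the path rather than at the link settings.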
[ActiveDir] blocking user access to terminal services via group policy

2004-04-28 Thread Zach Huseby
 
I'm having a hard time figuring out the best way to block terminal service
access by user using group policy- is this something that can be addressed
by a user configuration setting or is this an issue better handled on the
terminal server- i.e. granting or denying 'log on locally' rights? I'm just
getting started implementing GPOs so forgive me if this seems simple.

Zach




RE: [ActiveDir] blocking user access to terminal services via group policy

2004-04-28 Thread deji Agba



I think it would be better if you just clear the "Allow Logon to Terminal Service" attributes for all your users. Then you will come back and enable this attribute for any specific user you want to grant the right to. It's cleaner than trying to do this server-by-server. The problem with this, however, is that you will have to ALWAYS remember to clear this attribute from any new user account you create.

You can get snippets of codes to clear and set "Allow Logon to Terminal Service" from MS Script Center http://www.microsoft.com/technet/community/scriptcenter/default.mspx




Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon





[ActiveDir] question about optimization?

2004-04-28 Thread Patrick - IT Department
Hi,

I am trying to decide how to optimize our current network to increase data access speed. We have 30 employees and 1 w2k server handling AD and all other network services, file, data storage and 2 good sized databases. Would moving the AD and network services to a new server give me the results I'm looking for? Also we are using a cisco 1721 router.

Thanks to all who respond!



Patrick

RE: [ActiveDir] blocking user access to terminal services via group policy

2004-04-28 Thread volker . seyboldt
Hi,

when you are using windows 2003 as terminal server, there is the way of adding users or groups to the local group on the TS server, which is called RemoteDesktopUsers. You can add members to this group by using the restricted group policy in a domain.

You can simulate this on win 2000, when you configure an explicit domain group for access via RDP (use the terminal services configuration console for modifying the rdp connection permission).

In the User properties in active directory, you simply enable or disable the general access to ALL TerminalServers by removing the allow logon to terminal server on the terminal services profile tab.

Hope that helps
regards
Volker



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Active Directory and Other LDAP Integration

2004-04-28 Thread Eric_Jones
All, we are in search of the elusive single sign-on...

We are designing/testing pieces of what may become a multi-platform authentication strategy. We've begun with the authentication integration with IBM's Websphere. While we've been successful in its integration (having Websphere on a Linux box authenticate to AD); we have a dilemma with how the DN is created...specifically the CN. The CN appears to default to be the same as the 'Display Name'. With this being the case, a user logging into Websphere's Portal would need to login with what would appear to them as yet another ID using their 'First' and 'Last' names. And that's assuming that our naming standards are intact and haven't had to account for identical names.

A way around this appears to be to have the user's logon name and 'Name' [CN] fields be identical. We would then add the Display Name column to ADUC and other such AD management tools for our sanity of management. Enforcing/ensuring this setting would not be difficult for us as we use Aelita Enterprise Directory Manager, so we would just create a validation/enforcement rule as well as ensure automatic policy validation.

My questions are: Has anyone else run into this problem? Is this really a problem or just what I'm simply supposed to do? Are there other problems that might arise from this change in procedure?

What kind of success have people had in having other platforms and LDAP'able applications authenticate to AD?

TIA,


Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com



RE: [ActiveDir] question about optimization?

2004-04-28 Thread Brian Desmond
Pat-
 
What sort of issues are you experiencing? How do you define slow data access?
 
--Brian

RE: [ActiveDir] question about optimization?

2004-04-28 Thread Patrick - IT Department
B.

the complaints come from accessing the databases. We are a mortgage co. and have a large client and lead database, actually not that large yet, but it will be in the future. Anyway to pull all the clients up from the database can take several minutes. I figured adding a server and moving some of the services to the new server would cut down on the access to the single server we have now and in turn increase network speed.

Does this help?






RE: [ActiveDir] question about optimization?

2004-04-28 Thread Patrick - IT Department
Roger,

That's being handled by the application developer and yes they are working on it and it becomes better, I was just asked to get as much speed out of our network as possible on my side of things.



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, April 28, 2004 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] question about optimization?

Well, as Brian Moran (one of the SQL MVP's) often says about 90% or more of SQL server optimization has to be done at the Application level, not the server level. Have you done any index optimizations? Query optimizations?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


RE: [ActiveDir] question about optimization?

2004-04-28 Thread Roger Seielstad



On a 30 user LAN, I'd say that you're probably fine as is.

You're going to want to check the obvious stuff - disk layout, memory utilization and ensuring that your network cards are set at fixed speeds rather than autosense.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  

RE: [ActiveDir] question about optimization?

2004-04-28 Thread Cotter, Paul M.



Have you checked any of the performance stats on the server? In particular, if CPU, disk I/O and NIC traffic are all within reasonable levels (you'll have to determine what's "reasonable" for you) then I doubt you will gain enough to make the investment in a new server (hardware, migration time/costs etc) worth it. If those three stats are looking okay, then I doubt there's much "network speed" to be gained this way. The biggest boost will come, as Roger said, from properly indexed tables and well constructed queries that utilize those indices.

Paul




===

Important:
This electronic mail message and any attached files contain information
intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law.  If you
are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distribution of this information may be subject to
legal restriction or sanction.  Please notify the sender, by electronic
mail or telephone, of any unintended recipients and delete the original
message without making any copies.

===



RE: [ActiveDir] question about optimization?

2004-04-28 Thread Patrick - IT Department
Ok will do, thank you guys!





RE: [ActiveDir] Active Directory and Other LDAP Integration

2004-04-28 Thread Fugleberg, David A
Eric -
we basically did what you suggest...our CN, name, and sAMAccountName attributes are the same. WebSphere users can use their LAN ID and password. Since WebSphere also grabs the group membership info for the user when they log in, it can map this to the 'roles' in the J2EE application, so we get some authorization based on AD groups as well.

We have very centrally-controlled account creation on all major systems, as Al suggested, which makes this fairly easy to swallow. As you pointed out, you can add columns in the GUI for last/first, but I find that I never look for users by scrolling through the list anyhow - it's either do a search, or use automation, so it really doesn't matter that the 'name' column shows the non-friendly fixed identifier we use as a login ID. Exchange 2000/Outlook use the display name in the GAL, so that's not a problem either.

We actually did this in the first place because it eliminates the possibility of a name collision within a single container, regardless of how many of our users are placed there. The other benefits were a side-effect.

Since you asked the question, I'm curious too - how many large enterprises (more than several thousand users at least) use the 'default' firstname lastname construction for their CN?

Dave


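Eric's question and Dave's answer above turn on two things: what value the CN (and so the user DN) is built from, and whether that choice can collide inside one container. The Python below is an added example for this archive page, not code from either poster, WebSphere or any AD tool. It assumes the DN shape the thread describes (CN=value followed by the container DN), RFC 4514 escaping for the RDN value, and a constructed container and user list; it then shows that a display-name CN like "Jones, Eric" needs escaping and is what the portal user would have to type, while a CN copied from sAMAccountName cannot collide because that attribute is already unique in the domain.

```python
"""CN choice for LDAP integration: display name versus logon name.

Added example, not from the list thread or any product. Builds the user DN
as CN=<value>,<container> for two naming schemes and reports which users
would end up claiming the same DN. Container, users and attribute names
below are constructed sample data.
"""
from collections import defaultdict

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514).
_ESCAPED = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN, per RFC 4514 rules:
    special characters anywhere, '#' at the start, space at start or end."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPED or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def user_dn(cn: str, container: str) -> str:
    """DN of a user object whose CN is `cn`, placed directly in `container`."""
    return f"CN={escape_rdn_value(cn)},{container}"


def plan_dns(users, container, cn_attr):
    """Map each user's sAMAccountName to the DN it would get when the CN is
    copied from `cn_attr` ('displayName' or 'sAMAccountName')."""
    return {u["sAMAccountName"]: user_dn(u[cn_attr], container) for u in users}


def dn_collisions(users, container, cn_attr):
    """DNs that more than one user would claim in the same container,
    mapped to the sAMAccountNames involved."""
    owners = defaultdict(list)
    for sam, dn in plan_dns(users, container, cn_attr).items():
        owners[dn].append(sam)
    return {dn: sams for dn, sams in owners.items() if len(sams) > 1}


SAMPLE_CONTAINER = "OU=Users,DC=example,DC=com"   # constructed
SAMPLE_USERS = [                                   # constructed
    {"sAMAccountName": "ejones", "displayName": "Jones, Eric"},
    {"sAMAccountName": "jsmith", "displayName": "Smith, John"},
    {"sAMAccountName": "jsmith2", "displayName": "Smith, John"},
]


if __name__ == "__main__":
    for attr in ("displayName", "sAMAccountName"):
        print(f"CN taken from {attr}:")
        for sam, dn in plan_dns(SAMPLE_USERS, SAMPLE_CONTAINER, attr).items():
            print(f"  {sam:8} -> {dn}")
        print(f"  collisions: {dn_collisions(SAMPLE_USERS, SAMPLE_CONTAINER, attr) or 'none'}")
```

Under the display-name scheme the two John Smiths collide on the same DN and Eric would have to log in to the portal as "Jones, Eric"; under the logon-name scheme every DN is distinct and the portal login is the same ID the user already types at the LAN. A directory management rule that keeps CN equal to sAMAccountName, as both posters describe, is what makes the second column hold for every new account.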

RE: [ActiveDir] Active Directory and Other LDAP Integration

2004-04-28 Thread Eric_Jones
Thanks all for the feedback.

We are a very centralized shop as well (and seem to be on a company buying spree...). The Enterprise Security team really wants to make AD the strategic direction for authentication strategy as well as part of a staged user provisioning and automation mechanism. I/We are about to undertake a massive leap in automation, business rule enforcement, and data integrity as it relates to the Windows Server Platform...rolled into our fledgling AD migration. And I gotta say, VBScript is an admin's best friend. [mine anyway]



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com



RE: [ActiveDir] Active Directory and Other LDAP Integration

2004-04-28 Thread Cotter, Paul M.

Are you looking at MIIS as an account provisioning/automation tool?

Paul




RE: [ActiveDir] Replication issues

2004-04-28 Thread Rimmerman, Russ



I'm curious to verify if the password chaining thing was 
fixed in SP3 or SP4, as we are still experiencing that issue. Some of our 
domain controllers are on SP3 and some are on SP4. We set SP3 as a 
company-wide standard for Win2k, but some of our other divisions took it upon 
themselves to upgrade without telling us! At any rate, that is exactly the 
problem we are seeing!


RE: [ActiveDir] Replication issues

2004-04-28 Thread deji
It will get that password back immediately unless the PDC is really busy or
otherwise unavailable
The way I'm reading this is that you are saying password change will trigger
immediate replication to the PDCE. In my experience (which I don't have to
describe to you :)), this is not the case. Also, I may be misreading you
here, because, further on, you said:
 
What SHOULD happen is that the local DC should realize, hey this password
isn't correct and will do what is called a PDC Chaining to ask the PDC what
if the password specified is in fact ok [3]
This is the way it works, I agree here.
 
Now, you also said:
Assuming the PDC is available to that site, you should be able to change a
password anywhere on any DC and that password will get back to the DC.
This, too, is correct.
 
However the problem is the time it takes for the password change to get back
to the PDCE and then onward to the rest of the DCs. Where neither the HelpDesk
(who reset the password) nor the User (whose password was reset) is in the site
where the PDCE is located, the length of time it takes for the password
change to travel across the wire is usually unacceptable. This is the reason
one would want to reset the password at a DC local to the User. This is also
one of the reasons for ALTools, especially the AcctInfo.dll part.
Theoretically, there should be no need for these tools, but in reality,
chaining did not work as designed. One DC would lock out a user's account,
after the user's password had been reset on another DC, before the locking
out DC learns about the reset.
 
Lastly, I have come across canned recommendations from security consultants
telling clients to enable AvoidPDConWAN registry key. I am sure some
companies would have heeded that recommendation.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

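The lockout deji describes (a DC rejecting a user after the reset has landed on another DC) is easiest to see by asking every DC directly. The function below is an added example, not code from the thread or from ALTools; it assumes the RSAT ActiveDirectory module and read access to the user object.

```powershell
# Added example (not from the thread): report, per DC, whether a user's
# password reset has replicated, plus the lockout state deji describes.
# Assumes the RSAT ActiveDirectory module and rights to read the user object.
function Get-PasswordConvergence {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    # Ask the PDC emulator first: a reset is forwarded to it out of band,
    # so its pwdLastSet is the reference the other DCs should converge to.
    $ref     = Get-ADUser -Identity $SamAccountName -Server $pdc -Properties pwdLastSet
    $refTime = [DateTime]::FromFileTimeUtc($ref.pwdLastSet)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # badPwdCount is not replicated, so it has to be read on each DC;
            # lockoutTime replicates, but only after the DC sees the change.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties pwdLastSet, badPwdCount, lockoutTime
            $local = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
            [pscustomobject]@{
                DC          = $dc.HostName
                Site        = $dc.Site
                IsPDC       = ($dc.HostName -eq $pdc)
                PwdLastSet  = $local
                Converged   = ($local -ge $refTime)   # this DC has the reset
                BadPwdCount = $u.badPwdCount
                LockedOut   = (($u.lockoutTime -as [long]) -gt 0)
            }
        } catch {
            # A DC that cannot be reached is reported, not silently skipped:
            # an unreachable hop is exactly where convergence stalls.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            [pscustomobject]@{
                DC = $dc.HostName; Site = $dc.Site; IsPDC = $false
                PwdLastSet = $null; Converged = $false
                BadPwdCount = $null; LockedOut = $null
            }
        }
    }
}

# Usage (hypothetical account name):
# Get-PasswordConvergence -SamAccountName jdoe | Format-Table -AutoSize
```

A DC showing Converged = False together with LockedOut = True is the case deji describes: it is still judging logons against the old password.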

RE: [ActiveDir] Active Directory and Other LDAP Integration

2004-04-28 Thread Eric_Jones




No, MIIS is not being used.  I don't believe that the Security Group
reviewed the product.  They are about to pilot/implement CA Enterprise
Admin.  Like MIIS, it has hooks into some of the major LDAPs and is
supposed to be very scriptable.  In fact, although they have an AD
integration piece, the direct feed into AD violates part of my principle
design for our AD infrastructure, which is to force all AD Object
Change/Add/Moves to go through the Aelita EDM product to enforce business
rules and data consistency.  CA has stated the integration should be able
to be done completely via scripted integration...we're about to find out.

How are other companies doing directory services integration?  How was that
tied into an authentication strategy?



Eric Jones, Senior SE
Intel Server Group
(W) 336.424.3084
(M) 336.457.2591
www.vfc.com
