RE: [ActiveDir] AD in NATed environments
That's fugly if I've ever seen it. How many boxes are actually affected?

This would require some serious white board time to figure out and a *good* network engineer, but what about bypassing NAT for the exposed systems? The issue as it stands right now is that the remote DC's are registered with addresses that aren't exposed to the local DC's - what's the real impact of fixing that?

At the bare minimum, you should be able to add static routes to the side which is receiving the NAT'ed addresses, in order to allow traffic to pass correctly. After that, you should be able to work your cleanup magic.

I'd also suggest repeated beatings for the offenders...

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 05, 2004 10:10 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD in NATed environments

Last time I looked at replication of DCs in a NATed network, I was rather disappointed - basically this was a no-no. Simply due to name-resolution of the DCs (i.e. the IP-Address of a DC on one side of the NAT is not what it should be on the other side of the NAT etc.).

Wondering how other folks work around this, if you just happen to fall into one of these environments...? Trying to change the network is a major undertaking, which could take months or even years in larger companies - so mostly this is not an option.

So do you
- not use DDNS and manually register DCs on DNS servers (differently per DNS server, depending on which side of NAT...)?
- use DDNS and work around the issues in other ways?
- setup special DNS zones in some magic way that solves all the issues?
- other ideas?

I heard this is not supported by MS anyways - but I'd be open to any solution...

Thanks,
Guido
RE: [ActiveDir] install software on OU
It has to be rolled into an MSI. It's possible to do using one of the MSI Packaging applications, one of which (WinInstall Lite I think) is included on the server CD.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Dan Boghici [mailto:[EMAIL PROTECTED]
Sent: Saturday, June 05, 2004 8:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] install software on OU

Hello

I need to install some software to all computers in my OU, I go to Group Policy regarding that OU and try to assign the software package that I want to install but when I browse for the packet I can not find it in the network because the only option on file extension is .msi and some other thing that I'm not interested. Let's take some software for example yahoo messenger 6 and is .exe file. Is there any other possibility to install exe applications on my domain? I really don't wanna go to every user's computer.

Thanks
Dan
[ActiveDir] Question on collapsing Forests
Dear List Members,

First let me preface my remarks by telling you that I appreciate your diligence to monitor this list and your quick contributions to various problems. The information is invaluable at times as it comes from the real world.

I have to collapse 5 Forests, each with a single domain, into one new empty root that will end up with five child domains. The mountain of literature I need to read is overwhelming. However, I have a simple question as I begin to scheme out my step-by-step plan. I believe the answer to this is "No, it's just too simple.", however, I ask it anyway.

If one of my domains (a Forest root domain) is Windows 2000, and my new pristine empty root Windows 2003 native mode Forest is in place, can I simply upgrade the Windows 2000 Forest to Windows 2003 and at the same time tell it, "Hey, you're now a Child Domain in this DNS namespace in this new empty Forest root"?

I'd appreciate your comments. Thanks.

RH
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
207.827.4456
habr @ jws.com
www.jws.com

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Question on collapsing Forests
Simple answer: no

You can't take an existing tree and simply move it to a different forest with the native tools. There are several third party tools that could help simplify the process.

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 7:49 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on collapsing Forests

Dear List Members,

First let me preface my remarks by telling you that I appreciate your diligence to monitor this list and your quick contributions to various problems. The information is invaluable at times as it comes from the real world.

I have to collapse 5 Forests, each with a single domain, into one new empty root that will end up with five child domains. The mountain of literature I need to read is overwhelming. However, I have a simple question as I begin to scheme out my step-by-step plan. I believe the answer to this is "No, it's just too simple.", however, I ask it anyway.

If one of my domains (a Forest root domain) is Windows 2000, and my new pristine empty root Windows 2003 native mode Forest is in place, can I simply upgrade the Windows 2000 Forest to Windows 2003 and at the same time tell it, "Hey, you're now a Child Domain in this DNS namespace in this new empty Forest root"?

I'd appreciate your comments. Thanks.

RH
Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
207.827.4456
habr @ jws.com
www.jws.com
RE: [ActiveDir] Question on collapsing Forests
Doesn't have to be a 3rd party tool - ADMT 2.0 would be an option to consider.

-- Original Message --
Reply-To: [EMAIL PROTECTED]
Date: Mon, 7 Jun 2004 08:02:06 -0700

Simple answer: no

You can't take an existing tree and simply move it to a different forest with the native tools. There are several third party tools that could help simplify the process.

Sent via the WebMail system at mail.activedir.org
[ActiveDir] Question on login issues
Win2K active directory

I have a user (1) who has to login 2-3 times before his drive mappings show up. He can access the network fine, but his mappings seem to have a mind of their own. Anyone seen this?

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
Be excellent to each other
---End of Line---

-Original Message-
From: Tony Murray [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Question on collapsing Forests

Doesn't have to be a 3rd party tool - ADMT 2.0 would be an option to consider.
RE: [ActiveDir] Question on login issues
What are you using to map his drives? Vbscript? Kix? Other?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Monday, June 07, 2004 11:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question on login issues

Win2K active directory

I have a user (1) who has to login 2-3 times before his drive mappings show up. He can access the network fine, but his mappings seem to have a mind of their own. Anyone seen this?

John Parker, MCSE
RE: [ActiveDir] Question on login issues
Have your scripts been replicated to all the dc's?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, June 07, 2004 2:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Question on login issues

What are you using to map his drives? Vbscript? Kix? Other?
[ActiveDir] creating a new site in AD (Server 2003)
I want to create a new site within my AD (Server 2003) to help guide particular subnet clients to closeby servers. While I have done this before when our forest was Windows 2000, the current Active Directory Sites and Services GUI seems to be throwing me for a "chicken and egg" loop:

1) While creating a new site "D", it asks to identify an existing site link. I have two: one that defines the main site A with remote site B; and one that defines the main site A with remote site C. Neither seem to be correct but I MUST pick one to continue.

2) If I try to create a new site link (must pick two) that would describe the new connection, I can't since the new site doesn't exist yet!

I must be missing something very simple. This shouldn't be a difficult task. Thanks for any help!

Mike Thommes
RE: RE: [ActiveDir] Exchange and Server 2003 Management
Let's answer both in one message.

When I say Exchange won't see the SFU attributes, I'm saying it won't display the attributes in the dsa.msc. That's because you need a dll to help render it. It's an extension to the MMC and while the extensions are still there in the directory, you can't render them if your client doesn't know how to or even if they should.

As for Exchange, I can tell you that 2000 users will run on a machine that size with plenty of YMMV disclaimers. Consider that Email is highly volatile in nature. It's random read/write I/O and predictability is a tough nut to crack with something that has so many variables (or users however you want to call them). If your user profile for Exchange is light and all MAPI and you're not using any other applications that need proc or disk or network, then those servers may be plenty (certainly for the FE server it is more likely that's enough horsepower). If your users are medium users and you add other applications that compete, you may not have enough power. You'll need to figure out the user profile and expected concurrent usage patterns and amount of data etc to figure out if it's enough. If you use multiple client types, such as IMAP/POP or OWA or OMA/AS then your usage patterns change and you'll adjust the horsepower from there.

Several hardware vendors have Exchange sizers to help with sizing. They're generally pretty decent although I've never seen one cut it close :)

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Doug Long
Sent: Saturday, June 05, 2004 1:41 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: [ActiveDir] Exchange and Server 2003 Management
Sensitivity: Confidential

Well, at time of posting, I only had one DC...but I have loaded another one up since. (I will be blowing this setup away at least once before it goes production). And I do believe I have enough power for exchange.

About 4000 users
main DC-- 2x2.8GHz Xeons, 2GB ram
3 exchange servers-- 2x2.8Ghz Xeons, 4GB ram (one front-end, and two backends)

I hope that is enough anyways. Please let me know if it isn't, before I make a huge mistake.

From: joe [EMAIL PROTECTED]
Date: 2004/06/05 Sat AM 01:55:32 EDT
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and Server 2003 Management

Yep yep yep.

On top of that, if when you say you have one DC you mean you have only one DC for the domain, you need at least another DC for redundancy. And depending on how many procs you have in the Exchange Boxes (and actual usage) and in the DC you may need more just for Exchange. Would rather nip the whole "Well I had one DC in my domain and it blew up, how do I get things running again?" post later on.

joe

_

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, June 04, 2004 5:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Exchange and Server 2003 Management

That's totally expected. In order to install the internet services snap-in, you do that through the control panel | add/remove programs | windows components. It's not installed by default. Note that it's not a best practice to use ESM tools on a DC although you can do this. The Exchange servers shouldn't see the Unix attributes since SFU is not installed on those servers.

AL

_

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, June 04, 2004 4:25 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange and Server 2003 Management

What in the world. I have one DC running in 2003 native mode AD with SFU 3.5 installed on it. Two back-end Exchange 2003 servers (Server 2003), and one front-end Exchange 2003 server (Server 2003).

On my first test (installing everything on one machine: Server 2003+Exchange 2003+ SFU 3.5), everything showed up in ADUC. UNIX attributes and 2003+ Exchange attributes.

Well, now in my current setup, I can't get both in ADUC. From the DC, the only extended attributes I see are the UNIX attributes. From the Exchange Servers, the only extended attributes I see are exchange attributes (regardless if I use the adminpak ADUC, or the Exchange ADUC). I tried to install the exchange management tools on the DC but get an error saying that Internet Information Services Snap-in is not present or disabled. Why in the world would the snap-in not be there? I can't find it to download separately for 2003 (only XP).

What in the world am I doing wrong? What is the correct way to get all the attributes showing in the same management console?
[ActiveDir] OT: Exchange 2000 upgrade woes
Afternoon, everyone.

I did an in-place upgrade of my Exchange 5.5 box this weekend and brought it up to 2000. For the most part, everything is looking hunky-dory, with one really heinous exception.

I have a web application written in PHP (don't ask, I had no say in the matter), that uses the Exchange box as an SMTP relay to send email notifications, "Forgot your password?" reminders, and the like. Worked fine (for the most part) under 5.5, but after the 2000 upgrade it just plain -stopped working-. I have tried playing around with the Relay settings on the Virtual SMTP server, up to and including configuring it as a wide open "Hey, SPAM-mers, over here!" relay, to no avail.

I've enabled logging in the admin$\system32\LogFiles, as well as set the Diagnostic Logging under %SERVERNAME%\Diagnostic Logging\MSExchangeTransport\SMTPProtocol to Maximum. When I go to the web app and force a "Sorry, email's not working" error, I get the following entry in the SMTPSVC1 folder on the Exchange server:

    2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 HELO 250
    2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 QUIT 240

I see NOTHING in the Event Viewer logs, despite seeing any number of entries to the effect of:

    IP Address w.x.y.z did not authenticate before attempting to send

...from what I assume are SPAM-mers looking for an open relay.

If anyone has any server configuration ideas that they can offer, I'd really appreciate it. Or if someone is a PHP-head (I'm entirely not one) who wouldn't mind looking at some code, contact me off-list.

Thanks all! (No, not Al - though his posts are always informative - All!)

Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania

This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email, destroy all copies of the original message, and repent! Repent! Any views expressed in this email message, well-informed and intellectually unassailable as they may be, are those of the individual sender except where the sender specifically states them to be the views of Student Financial Services.
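An added example, not part of the original thread: a small Python reader for SMTP service log lines of the shape quoted in the message above, which groups them into sessions and reports how far each one got. The field layout (date, time, client address, client name, service, verb, status) is assumed from the two quoted lines; every sample line other than those two is constructed.

```python
import re
from collections import namedtuple

# Assumed layout, taken from the two lines quoted in the post:
# date time client-address client-name service verb status
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) (?P<name>\S+) (?P<service>\S+) "
    r"(?P<verb>[A-Za-z]+) (?P<status>\d{3})$"
)

Session = namedtuple("Session", "client name verbs verdict")


def classify(verbs):
    """Say how far a session got. verbs is a list of (VERB, status) in log order."""
    for verb, status in verbs:
        # A 4xx/5xx answer to MAIL, RCPT or DATA is the server refusing the
        # message; a relay restriction would show up here.
        if verb in ("MAIL", "RCPT", "DATA") and status >= 400:
            return "rejected:%s %d" % (verb, status)
    seen = {verb for verb, _ in verbs}
    if "MAIL" not in seen:
        # Greeting and goodbye only: the client never tried to send anything.
        return "no-mail-attempt"
    if {"RCPT", "DATA"} <= seen:
        return "message-submitted"
    return "incomplete"


def summarize(lines):
    """Group log lines into sessions and classify each one.

    Sessions are keyed by (client address, client name), so two overlapping
    connections from the same client cannot be told apart with these fields.
    """
    open_sessions = {}
    finished = []

    def close(key):
        verbs = open_sessions.pop(key)
        finished.append(Session(key[0], key[1], verbs, classify(verbs)))

    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header, blank or malformed line
        key = (match.group("ip"), match.group("name"))
        verb = match.group("verb").upper()
        # A fresh greeting while a session is still open starts a new session.
        if verb in ("HELO", "EHLO") and key in open_sessions:
            close(key)
        open_sessions.setdefault(key, []).append((verb, int(match.group("status"))))
        if verb == "QUIT":
            close(key)
    for key in list(open_sessions):
        close(key)  # sessions that ended without a QUIT line
    return finished


# First two lines are the ones quoted in the post; the rest are constructed
# for contrast (192.0.2.0/24 is a documentation address range).
SAMPLE = """\
2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 HELO 250
2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 QUIT 240
2004-06-07 18:13:01 192.0.2.10 relaytest.example SMTPSVC1 HELO 250
2004-06-07 18:13:01 192.0.2.10 relaytest.example SMTPSVC1 MAIL 250
2004-06-07 18:13:02 192.0.2.10 relaytest.example SMTPSVC1 RCPT 550
2004-06-07 18:13:02 192.0.2.10 relaytest.example SMTPSVC1 QUIT 240
2004-06-07 18:14:10 192.0.2.20 web01.example SMTPSVC1 EHLO 250
2004-06-07 18:14:10 192.0.2.20 web01.example SMTPSVC1 MAIL 250
2004-06-07 18:14:10 192.0.2.20 web01.example SMTPSVC1 RCPT 250
2004-06-07 18:14:11 192.0.2.20 web01.example SMTPSVC1 DATA 250
2004-06-07 18:14:11 192.0.2.20 web01.example SMTPSVC1 QUIT 240
""".splitlines()

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s.client, s.name, s.verdict)
```

A session classified `no-mail-attempt`, like the one from the post, never reached MAIL or RCPT, so the log holds no relay decision for it.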
RE: [ActiveDir] OT: Exchange 2000 upgrade woes
LOL. Been a while for PHP, but I'd be happy to have a look off-list. However, I did note two things:

1) Are you really sending a "Sorry, email's not working" through email? :)
2) You have a relay restriction that could be on the connector if you have one. You can set the relay restriction to allow relay from a particular machine if you want to. Your error looks like that may be the problem.

Have you seen:
http://support.microsoft.com/?id=294736
http://support.microsoft.com/?id=260973
http://support.microsoft.com/?id=293800
already?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, June 07, 2004 2:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2000 upgrade woes

Afternoon, everyone.

I did an in-place upgrade of my Exchange 5.5 box this weekend and brought it up to 2000. For the most part, everything is looking hunky-dory, with one really heinous exception.

I have a web application written in PHP (don't ask, I had no say in the matter), that uses the Exchange box as an SMTP relay to send email notifications, "Forgot your password?" reminders, and the like. Worked fine (for the most part) under 5.5, but after the 2000 upgrade it just plain -stopped working-. I have tried playing around with the Relay settings on the Virtual SMTP server, up to and including configuring it as a wide open "Hey, SPAM-mers, over here!" relay, to no avail.

I've enabled logging in the admin$\system32\LogFiles, as well as set the Diagnostic Logging under %SERVERNAME%\Diagnostic Logging\MSExchangeTransport\SMTPProtocol to Maximum. When I go to the web app and force a "Sorry, email's not working" error, I get the following entry in the SMTPSVC1 folder on the Exchange server:

    2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 HELO 250
    2004-06-07 18:12:32 %IP-ADDRESS-OF-WEB-SERVER% localhost.localdomain SMTPSVC1 QUIT 240

I see NOTHING in the Event Viewer logs, despite seeing any number of entries to the effect of:

    IP Address w.x.y.z did not authenticate before attempting to send

...from what I assume are SPAM-mers looking for an open relay.

If anyone has any server configuration ideas that they can offer, I'd really appreciate it. Or if someone is a PHP-head (I'm entirely not one) who wouldn't mind looking at some code, contact me off-list.

Thanks all! (No, not Al - though his posts are always informative - All!)

Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania

This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email, destroy all copies of the original message, and repent! Repent! Any views expressed in this email message, well-informed and intellectually unassailable as they may be, are those of the individual sender except where the sender specifically states them to be the views of Student Financial Services.
RE: [ActiveDir] Best Practice: DNS settings
OK, so to make sure I'm understanding you Roger, desired changes would be

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc to prevent islanding

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find itself then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!
mc

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings

I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

1. All DCs are running AD-integrated DNS

2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary

RDS: This generally leads to creating the island DC issue - where the DC's can lose each other. I find it much safer to point DC's to different DC's for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.

3. Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary

RDS: Again - see the statement above. Strikes me that you'd want to point to DC's within the same domain, not cross domains, whenever possible.

4. On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain

RDS: That's pretty clean - no reason to change that.

5. Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ

RDS: I find that multiple layers of forwarding gets, well, ugly. I've seen a number of weird issues with that process over the years. You don't mention whether this is a contiguous namespace or not. Some of this also depends on if it's an empty root or a domain containing resources and users.

Are there any flaws to this design that someone can point out to me? Or is it OK?

Thanks, as always...
Mark Creamer
RE: [ActiveDir] Best Practice: DNS settings
I would set up a secondary zone for the root on every DC - this simplifies a lot of replication issues. We have recently gone to a forest integrated zone for the root to avoid zone transfer security issues and that seems to be working very well for us.

Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

Creamer, Mark [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/07/2004 04:16 PM AST
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Best Practice: DNS settings

OK, so to make sure I'm understanding you Roger, desired changes would be:

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc. to prevent islanding.

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find itself then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!
mc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings

I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

1. All DCs are running AD-integrated DNS
2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary
   RDS: This generally leads to creating the island DC issue - where the DC's can lose each other. I find it much safer to point DC's to different DC's for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.
3. Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary
   RDS: Again - see the statement above. Strikes me that you'd want to point to DC's within the same domain, not cross domains, whenever possible.
4. On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain
   RDS: That's pretty clean - no reason to change that.
5. Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ
   RDS: I find that multiple layers of forwarding gets, well, ugly. I've seen a number of weird issues with that process over the years. You don't mention whether this is a contiguous namespace or not. Some of this also depends on if it's an empty root or a domain containing resources and users.

Are there any flaws to this design that someone can point out to me? Or is it OK?

Thanks, as always...
Mark Creamer
[ActiveDir] Very OT
Hi,

I have a developer who wrote a vb exe (not a service) that runs on start up on an AD DC and stays in memory in the background. My question is, is there any way to monitor if this process has stopped? Perhaps with a perl script. Since it's not a service, I don't really know how to do this. Also, it doesn't log anything to the event log.

I couldn't find anything on my perl groups and you guys seem pretty knowledgeable on scripting so I just thought I'd take a shot in the dark and post here.

Thanks and my apologies for the way OT.
RE: [ActiveDir] Best Practice: DNS settings
I have this setup for a forest root with 2 child domains and the _msdcs zone (esp. in a W2K domain environment) is a must for replication since it uses it to find the forest-wide locator records.

Preferably I would only make secondaries of the _msdcs.forestname.com on the other child domain controllers. No need to replicate the entire forest root domain to the other (child/secondary) DNS servers, especially when these would be forwarding to the root DNS servers.

Now remember to do this, you would have to delete and recreate the subdomains as zones e.g. _msdcs.forestname.com, _tcp.forestname.com etc. and of course one forestname zone. In essence, you would end up with 5 zones under your forest root with all aliases, A, NS records and the other 7 delegations for your forest's zone, underscore zones and child domains.

Of course, some assumptions here are ADI zones, secure updates etc. However, I would do this at a later date once you have resolved your current setup issues.

Original Message Follows
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
CC: [EMAIL PROTECTED],[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings
Date: Mon, 7 Jun 2004 16:26:10 -0400

I would set up a secondary zone for the root on every DC - this simplifies a lot of replication issues. We have recently gone to a forest integrated zone for the root to avoid zone transfer security issues and that seems to be working very well for us.

Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

Creamer, Mark [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/07/2004 04:16 PM AST
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Best Practice: DNS settings

OK, so to make sure I'm understanding you Roger, desired changes would be:

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc. to prevent islanding.

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find itself then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!
mc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings

I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

1. All DCs are running AD-integrated DNS
2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary
   RDS: This generally leads to creating the island DC issue - where the DC's can lose each other. I find it much safer to point DC's to different DC's for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.
3. Each of the subdomain servers
RE: [ActiveDir] Very OT
Haven't tried it, but this looks like it might be a way:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_perfrawdata_perfproc_thread.asp?frame=true

You'd want to monitor thread state on a regular interval. Another option might be to use the scheduler or re-write the code to alert if it encounters an error.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, June 07, 2004 4:35 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Very OT

Hi,

I have a developer who wrote a vb exe (not a service) that runs on start up on an AD DC and stays in memory in the background. My question is, is there any way to monitor if this process has stopped? Perhaps with a perl script. Since it's not a service, I don't really know how to do this. Also, it doesn't log anything to the event log.

I couldn't find anything on my perl groups and you guys seem pretty knowledgeable on scripting so I just thought I'd take a shot in the dark and post here.

Thanks and my apologies for the way OT.
RE: [ActiveDir] creating a new site in AD (Server 2003)
This was the behavior in Win2K as well. You need to select one of the existing site links when you create the new site D. You can just pick one. Then create your new site link and pick sites A and D to be in it. Finally, go to the properties of the site link you picked while creating Site D and remove site D from it.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, June 07, 2004 1:12 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] creating a new site in AD (Server 2003)

I want to create a new site within my AD (Server 2003) to help guide particular subnet clients to closeby servers. While I have done this before when our forest was Windows 2000, the current Active Directory Sites and Services GUI seems to be throwing me for a "chicken and egg" loop:

1) While creating a new site "D", it asks to identify an existing site link. I have two: one that defines the main site A with remote site B; and one that defines the main site A with remote site C. Neither seem to be correct but I MUST pick one to continue.
2) If I try to create a new site link (must pick two) that would describe the new connection, I can't since the new site doesn't exist yet!

I must be missing something very simple. This shouldn't be a difficult task. Thanks for any help!

Mike Thommes
RE: [ActiveDir] creating a new site in AD (Server 2003)
Hi David,

That's what I ended up doing. The new site is now created, subnetted, DCs moved to it, and replication is humming along great! 8-) Thanks!

Mike Thommes

-----Original Message-----
From: Fugleberg, David A [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] creating a new site in AD (Server 2003)

This was the behavior in Win2K as well. You need to select one of the existing site links when you create the new site D. You can just pick one. Then create your new site link and pick sites A and D to be in it. Finally, go to the properties of the site link you picked while creating Site D and remove site D from it.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, June 07, 2004 1:12 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] creating a new site in AD (Server 2003)

I want to create a new site within my AD (Server 2003) to help guide particular subnet clients to closeby servers. While I have done this before when our forest was Windows 2000, the current Active Directory Sites and Services GUI seems to be throwing me for a "chicken and egg" loop:

1) While creating a new site "D", it asks to identify an existing site link. I have two: one that defines the main site A with remote site B; and one that defines the main site A with remote site C. Neither seem to be correct but I MUST pick one to continue.
2) If I try to create a new site link (must pick two) that would describe the new connection, I can't since the new site doesn't exist yet!

I must be missing something very simple. This shouldn't be a difficult task. Thanks for any help!

Mike Thommes
RE: [ActiveDir] Best Practice: DNS settings
Best practice is always relative. Having said that, I don't see a reason to create secondary zones in this scenario. With proper delegation, and forwarding, secondary becomes irrelevant - again in the given scenario.

I concur with Roger, and would only add that IF your root servers are able to reach the internet Root Servers on their own, then remove the forwarding from them. Just let your child DNS servers forward to your Root DNS servers and let your Roots chase down the lookup for them.

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Mon 6/7/2004 1:26 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

I would set up a secondary zone for the root on every DC - this simplifies a lot of replication issues. We have recently gone to a forest integrated zone for the root to avoid zone transfer security issues and that seems to be working very well for us.

Regards;
James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

Creamer, Mark [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/07/2004 04:16 PM AST
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Best Practice: DNS settings

OK, so to make sure I'm understanding you Roger, desired changes would be:

Root Domain: If DC1, DC2 and DC3 are all Root domain DCs, make DC1's DNS servers DC2 and DC3. Make DC2's DNS servers DC1 and DC3, etc. to prevent islanding.

Subdomains: same for each of those (no more cross-domain server in DNS settings). Probably convoluted logic, but my thought was that if the server couldn't find itself then at least it would next go to the root domain server, which would have delegations to other servers for that subdomain.

On the last point, it's contiguous. The setup is like domain.com (empty root), sub1.domain.com, sub2.domain.com and sub3.domain.com. Given that, should I adjust my forwarding?

Finally, should each domain have secondary zones for the other domains (root and subs)?

Thanks again!
mc

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Best Practice: DNS settings

Answers are inline:

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, June 07, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Best Practice: DNS settings

I have 1 root domain and 3 subdomains. There are 3 domain controllers in each of the 4 domains. My question is whether I have DNS set up right:

1. All DCs are running AD-integrated DNS
2. Each of the 3 root servers uses only itself for a primary DNS server, and another root DNS server for its secondary
   RDS: This generally leads to creating the island DC issue - where the DC's can lose each other. I find it much safer to point DC's to different DC's for DNS in all cases. There is supposedly a fix in Win2k3 for this issue, but I still don't like to do it.
3. Each of the subdomain servers has itself as a primary DNS, and one of the root servers as secondary
   RDS: Again - see the statement above. Strikes me that you'd want to point to DC's within the same domain, not cross domains, whenever possible.
4. On the root domain DNS, there are delegations set up for each subdomain, with a record for each server hosting that domain
   RDS: That's pretty clean - no reason to change that.
5. Each subdomain's DNS server has a forwarder to the root domain servers, and the root domain DNS servers have a forwarder to our own Internet DNS servers in our DMZ
   RDS: I find
[ActiveDir] Cisco web auth
Group, I have an interesting problem. We are looking at upgrading the way we use our VPN capabilities. Cisco has a new web-application that you can log into using a certificate and domain user account, which means that you have to have both a corporate certificate (on the computer) and a domain user account to access the network. The problem resides in where you type in your user name (CN) and it translates that into Domain\First Last name. I do not see a way to change this, but there is a UID= function that looks like a user name could be placed. So, has anyone run into this problem or is there a way where you can write into AD a UID=username function? Thanks, S
[ActiveDir] Setting Desktop Settings via Group Policy
Hi all, I need to push out a standard desktop to all users in my company. I found where to set up the Active Desktop and the like, but I can't find where to set things like background color and pattern. I remember in the good ol' days (under NT4) you could set these things up (or at least I thought I remembered). Thanks in Advance, Raymond McClinnis
RE: [ActiveDir] Setting Desktop Settings via Group Policy
Sadly, Raymond - most things of that ilk (background, colors, icon placement, etc.) are held in the profile of the user and are not affected by current GP settings. However, that doesn't mean that you CAN'T set them via GP, it does mean in most cases that you will be:

1. Writing custom .ADM files
2. Tattooing the registry

But it can be done. Me, I'd stick with a mandatory profile with permissions set to 'Everyone' and let it apply, then let each user 'own' it (change it back to a local or roaming) and then use GP to lock it down.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis
Sent: Monday, June 07, 2004 6:47 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting Desktop Settings via Group Policy

Hi all,

I need to push out a standard desktop to all users in my company. I found where to set up the Active Desktop and the like, but I can't find where to set things like background color and pattern. I remember in the good ol' days (under NT4) you could set these things up (or at least I thought I remembered).

Thanks in Advance,
Raymond McClinnis
RE: [ActiveDir] Setting Desktop Settings via Group Policy
Raymond,

You may want to take a look at assigning a mandatory profile for your users...

http://support.microsoft.com/default.aspx?scid=kb;en-us;307800sd=tech
http://www.tweakxp.com/tweak1591.aspx

Under group policy take a closer look at User Config-Administrative Templates. In Group Policy you can set thousands (slight exaggeration) of things in here; for example, a wallpaper can be set through:

User Config-Administrative Templates-Desktop-Active Desktop

The good old days just got better...

James

-----Original Message-----
From: Raymond McClinnis [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 8 June 2004 9:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Setting Desktop Settings via Group Policy

Hi all,

I need to push out a standard desktop to all users in my company. I found where to set up the Active Desktop and the like, but I can't find where to set things like background color and pattern. I remember in the good ol' days (under NT4) you could set these things up (or at least I thought I remembered).

Thanks in Advance,
Raymond McClinnis
Re: [ActiveDir] Very OT
Here is a (cheap hack) way: copy the text below to a script:

' Subscribe to process-deletion events for notepad.exe, polled every 2 seconds
set events = getobject("winmgmts:\\.").ExecNotificationQuery("select * from __instancedeletionevent within 2 where targetinstance isa 'win32_process' and targetinstance.name = 'notepad.exe'")
Do
    ' Blocks until the next matching event arrives
    set NTevent = events.nextevent
    If Err <> 0 then
        msgbox "it was not = to 0"
    else
        msgbox "Notepad was closed"
        exit do
    end if
Loop

Now start the script monitor.vbs. Now start notepad. Wait for some random time.. close notepad.exe. You should get a popup - change this to whatever action you deem necessary. For your situation you change notepad.exe to your app.

Note that you can do this to a remote machine as well... substitute the machine name like so: ("winmgmts:\\mymachine")

This is a polling process so there is some minor overhead.

-steve

----- Original Message -----
From: Mulnick, Al [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, June 07, 2004 1:53 PM
Subject: RE: [ActiveDir] Very OT

Haven't tried it, but this looks like it might be a way:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/win32_perfrawdata_perfproc_thread.asp?frame=true

You'd want to monitor thread state on a regular interval. Another option might be to use the scheduler or re-write the code to alert if it encounters an error.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, June 07, 2004 4:35 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Very OT

Hi,

I have a developer who wrote a vb exe (not a service) that runs on start up on an AD DC and stays in memory in the background. My question is, is there any way to monitor if this process has stopped? Perhaps with a perl script. Since it's not a service, I don't really know how to do this. Also, it doesn't log anything to the event log.

I couldn't find anything on my perl groups and you guys seem pretty knowledgeable on scripting so I just thought I'd take a shot in the dark and post here.

Thanks and my apologies for the way OT.
[ActiveDir] Identify STATIC records in AD DNS
Hi there,

Does anyone know of a way to programmatically identify STATIC records within an AD integrated DNS zone? The DNS manager gui can show if a record has a timestamp or not, but with 100's of thousands of records you can't check them all.

I've looked for a property I can search on using ADSI or WMI, but have not found anything consistent. The closest I found is the AD property dnsIsTombstoned. It appears to have 3 values:

TRUE = Already tombstoned and will be replicated
FALSE = Not tombstoned yet, but can be
not set = Will not be scavenged.

This is not 100% though, so I think I am missing something else.

Thanks,
Jef Kazimer
[ActiveDir] AD Design on a Highspeed Network considerations
We are doing an AD site design and I wanted to know some thoughts of the group here.

Assumptions
1) Single forest, Single Domain
2) Highspeed Network links to sites, 10mb, 100mb and 1GB available for AD/exchange
3) Centralized service provider/organization
4) Exchange 2003 SP1
5) 16000 users in 16 sites with above network speeds

Design Questions
1) Do you centralize into 1 centralized site and back haul all network logon and exchange traffic to 1 site?
2) What are the base numbers of DC's / GC's you would need to support this config (what are the metrics of dc gc logons/server/processor)
3) What is the typical traffic usage used during an xp network logon session? (DHCP, DNS, Kerberos TGT, and outlook 2002 mapi logon)

Thoughts on pulling this off?

Murray Wall, MCSE, B.Ed CCNA/DA
Master ASE Messaging
[EMAIL PROTECTED]
RE: [ActiveDir] Identify STATIC records in AD DNS
Have you tried parsing the output of "dnscmd DNSServerName /ZonePrint ZoneName /Detail" ? Records without scavenging timestamp will have the following clue: "dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])"

HTH

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Jef
Sent: Mon 6/7/2004 6:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Identify STATIC records in AD DNS

Hi there,

Does anyone know of a way to programmatically identify STATIC records within an AD integrated DNS zone? The DNS manager gui can show if a record has a timestamp or not, but with 100's of thousands of records you can't check them all.

I've looked for a property I can search on using ADSI or WMI, but have not found anything consistent. The closest I found is the AD property dnsIsTombstoned. It appears to have 3 values:

TRUE = Already tombstoned and will be replicated
FALSE = Not tombstoned yet, but can be
not set = Will not be scavenged.

This is not 100% though, so I think I am missing something else.

Thanks,
Jef Kazimer
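The parsing approach suggested in the reply above, worked through as an added example (not code from the thread or from Microsoft): it reads saved "dnscmd ... /ZonePrint ... /Detail" text, lists records whose dwTimeStamp is 0 (static, never scavenged) and converts non-zero stamps, which count hours since 1/1/1601 UTC, into dates so stale dynamic records stand out. The record layout in the sample, the function names and the 14-day threshold are assumptions; check the owner-line handling against real output before relying on it.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample standing in for saved "dnscmd ... /ZonePrint ... /Detail"
# output. ASSUMPTION: each record starts with an unindented owner line followed
# by indented detail lines; only the "dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])"
# text is taken from the post. Host names and addresses are made up.
SAMPLE_OUTPUT = """\
fileserver01 A 10.0.0.15
    dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])
ws-1234 A 10.0.4.87
    dwTimeStamp = 3536256 ([ 0: 0: 0] [ 6/ 1/2004])
printer-lobby A 10.0.0.40
    dwTimeStamp = 0 ([ 0: 0: 0] [ 1/ 1/1601])
old-laptop A 10.0.4.112
    dwTimeStamp = 3535512 ([ 0: 0: 0] [ 5/ 1/2004])
"""

TIMESTAMP_RE = re.compile(r"dwTimeStamp\s*=\s*(\d+)")

# DNS record timestamps count whole hours from this instant, which is why a
# zero stamp prints as 1/1/1601 in the post.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_zone_print(text):
    """Return (owner_line, timestamp_hours) for every record in the dump."""
    records = []
    owner = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Unindented line: start of a new record (assumed layout).
            owner = line.strip()
            continue
        match = TIMESTAMP_RE.search(line)
        if match and owner is not None:
            records.append((owner, int(match.group(1))))
    return records


def classify_records(records, now, stale_after_days=14):
    """Split records into static, stale and fresh.

    static: timestamp 0, so scavenging will never remove the record.
    stale:  dynamic record last refreshed more than stale_after_days ago.
    fresh:  dynamic record refreshed within the window.
    """
    result = {"static": [], "stale": [], "fresh": []}
    window = timedelta(days=stale_after_days)
    for owner, hours in records:
        if hours == 0:
            result["static"].append(owner)
            continue
        refreshed = EPOCH_1601 + timedelta(hours=hours)
        bucket = "stale" if now - refreshed > window else "fresh"
        result[bucket].append((owner, refreshed))
    return result


if __name__ == "__main__":
    report = classify_records(
        parse_zone_print(SAMPLE_OUTPUT),
        now=datetime(2004, 6, 7, tzinfo=timezone.utc),
    )
    print("Static records (never scavenged):")
    for owner in report["static"]:
        print("  " + owner)
    print("Dynamic records past the refresh window:")
    for owner, refreshed in report["stale"]:
        print("  %s (last refresh %s)" % (owner, refreshed.date()))
```

Static entries are worth reviewing periodically, since a record that is never scavenged keeps resolving a name to an address long after the host behind it has gone.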