RE: [ActiveDir] Win2k group

2004-06-10 Thread Darren Mar-Elia
Addusers.exe from the resource kit will dump from one local machine and
import into another. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tashildar,
Dinesh (Cognizant)
Sent: Thursday, June 10, 2004 10:10 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Win2k group

How do I copy/move local user groups from one win2k server to another?

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Sysprep and workstation images

2004-06-10 Thread Brian Desmond
I don't exactly remember what I wrote when I replied to this elsewhere, so forgive me 
if I already told you this:
 
Try setting a compliant password in the image, and then putting whatever has to go in
the AdminPassword key to prompt the user.

If this doesn't work, I would suggest engineering an in-house password set tool, and
RunOnce'ing it on HKLM. Make it fullscreen, always on top, the whole deal, have it say
something about how the university is into secure computing and they only sell secure
computers at the annual bake sale and yak yak yak. The ADSI API should throw some ugly
COMException if the user's input is non-conformant, but otherwise you could implement
your own version of the password policy with regular expressions.
 
--Brian

-Original Message- 
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED] 
Sent: Thu 6/10/2004 2:52 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [ActiveDir] OT: Sysprep and workstation images



(Man, Tony's gonna get really mad at me for being so continuously
off-topic.  :-)  But this is my "List full of really smart people", so I
keep coming to you guys for non-AD-specific stuff that I can't figure
out.)

Scenario:

I work for a major university, and each fall we offer Back-to-School
sales of pre-configured hardware for our incoming students. For the
truckload sale each year, a CFI image is offered to the university
community on both laptops and desktops that are sold at the annual back
to school sale. The images are developed for recent Dell and IBM product
lines, and are based on the vendor's OEM image of Windows XP, with
university-specific applications pre-installed and patched with the
latest security updates.

This year, there is a strong push in the university IT community to have
an additional layer of security-related configuration. We would like to
see our hard drive images include secure Administrator password policies
implemented and enforced, while still offering the end-user a simple,
user-friendly "out of the box" experience during mini-Setup through a
re-sealing process using Sysprep. A late-in-the-game attempt last year to
combine such policies with the Sysprep process produced a less than
viable, not user-friendly experience, which was ultimately scrapped.
Consequently, last year's back-to-school images were built with only
optional Administrator passwords. (Unfortunately, our back-to-school
Sysprep image needs to be ready before XP SP2 will be released to market.)

The key question here is:

Is it possible to create an image that mandates an Administrator
password and employs MS's strong password rules? Further, is it possible
to have these settings maintained after running Sysprep to ensure that
anyone buying a machine with that image would have the same "mini-Setup"
experience as a person buying an OEM (non-University-imaged) machine,
with the one key difference being that the imaged machine required a
strong Admin password during setup?

One solution that was suggested (*waves to Brian Desmond*) was the one
that should be the most obvious: set a password policy in the Local
Security Policy that will get burned in and persist across Syspreps. This
works to a point; for accounts other than the actual Administrator
account, you can force this using the Local Password Policy. However,
for the Administrator account itself, the person setting up the machine
has the option of cancelling out and never obeying the "order" to create
a new, strong password.

Am I missing something blindingly obvious?


*
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania



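As an added example (not code from Brian's reply or from any university tool), here is what "your own version of the password policy" looks like when written down in Python: a re-implementation of the Windows "Password must meet complexity requirements" rule as documented for Win2k/XP. The sample account names and passwords are constructed; a real tool would run this check before calling the ADSI API Brian mentions and would still get the API's own refusal as a second line of defence.

```python
"""Added example: a local re-implementation of the Windows
'Password must meet complexity requirements' rule, the kind of check an
in-house password-set tool could run before calling the ADSI API.

Rules (Win2k/XP Local Security Policy):
  * at least 6 characters
  * characters from at least 3 of 4 categories: upper, lower, digit, other
  * must not contain the account name, nor any part of the full name
    longer than two characters (full name is split on , . - _ space # tab)
"""
import re

MIN_LENGTH = 6

# One regex per character category; a category counts if it matches anywhere.
CATEGORY_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "other": re.compile(r"[^A-Za-z0-9]"),
}

# Delimiters Windows uses when tokenising the full name for the containment check.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Pieces of the full name longer than two characters; shorter ones are ignored."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) > 2]


def check_complexity(password, account_name="", full_name=""):
    """Return the list of violated rules (empty list == compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")

    categories = [name for name, pat in CATEGORY_PATTERNS.items() if pat.search(password)]
    if len(categories) < 3:
        failures.append(f"only {len(categories)} of 4 character categories used")

    lowered = password.lower()
    # Account-name check is case-insensitive; names of 1-2 chars are not checked.
    if len(account_name) > 2 and account_name.lower() in lowered:
        failures.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            failures.append(f"contains part of the full name: {token!r}")
    return failures


def is_compliant(password, account_name="", full_name=""):
    return not check_complexity(password, account_name, full_name)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, acct, name in [("password", "jsmith", "John Smith"),
                           ("Smith2004!", "jsmith", "John Smith"),
                           ("Tr0ub4dor&3", "jsmith", "John Smith")]:
        print(f"{pw!r}: {check_complexity(pw, acct, name) or 'OK'}")
```

The category count and the full-name fragment rule are the two checks people usually forget; fragments of two characters or less are deliberately ignored, as Windows does, so "Jo" in "Jo Smith" does not block a password containing "jo".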

[ActiveDir] Win2k group

2004-06-10 Thread Tashildar, Dinesh (Cognizant)
How do I copy/move local user groups from one win2k server to another?


Re: [ActiveDir] Security

2004-06-10 Thread Aaron Visser
More details:
Win2k servers: 1 root server, with another one for redundancy; 1 ISA server; 1
server for teacher data; 1 server for student data.
Win2003 servers: 1 for office staff.

And the fun begins.
Well, the biggest problem I am faced with is that the users (students) on the
network are constantly trying to break in or crash the servers. They are
relentless; somehow yesterday (I have no idea how) they had managed to add
accounts to the Domain Admins group, the Schema Admins and the Enterprise
Admins. The accounts they had added have been removed, but again today I
encountered two new instances of users being added to the Domain Admins
group. I am following this as closely as I can, checking the groups every
10-15 minutes, but that becomes very tedious and a real pain in the... so I was
wondering if I could be notified of such things happening rather than have
to find out the hard way. I did the GPO thing of Restricted Groups and I
restricted the mentioned groups, but I am pretty sure I shouldn't have done
that, as now all my admin groups are restricted (Domain Admins, Schema Admins,
Enterprise Admins). I just want to make it a few more weeks until the end of
the school year so I can rebuild the entire network with new servers etc.
(I inherited it about a month ago).

Any help or insight or just thoughts on the whole situation is appreciated

Thanks to everyone,

Aaron Visser



> From: "Passo, Larry" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Thu, 10 Jun 2004 20:37:24 -0700
> To: <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] Security
> 
> I'm curious, do you have any more details?
> 
> -Original Message-
> From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 2:47 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
> 
> 
> don't use the Restricted Groups feature on domain groups, especially
> domain admins. This has caused various issues for companies and thus
> they've backed away from this approach.  However, using restricted
> groups on member servers and clients works well.
> 
> \Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Passo, Larry
> Sent: Thursday, June 10, 2004 19:38
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Security
> 
> If you want to make sure that no one is added to the group you could
> make the group a Restricted Group via a GPO.
> 
> If you want to know when a user is added to the group, you could use a
> GPO to turn on auditing of "Account Management" but then you would have
> to search the audit logs of all of the DCs in the domain to find the
> activity.
> 
> Or you could write a script that looked at the group membership and
> compared it with a pre-determined list. Then execute the script on a
> schedule of your choice.
> 
> -Original Message-
> From: Aaron Visser [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 10, 2004 9:51 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Security
> 
> I need to know when the Domain Admin Group has a user added to it or at
> least have that operation audited, is there anyway to perform this with
> GPO
> or something built into win2k server.
> 
> Thanks,
> Aaron Visser
> 
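The two approaches Larry sketches in the quoted reply (turn on Account Management auditing and scrape the logs, or compare membership with a known-good list on a schedule) as an added Python example, not code from the thread or from the homegrown tools Bob Free mentions later on. The event IDs are the Win2k/2003 Account Management IDs for "member added" (632 global group, 636 local group, 660 universal group; Schema Admins and Enterprise Admins are universal groups in a native-mode domain, so all three matter). The one-line log format, the SCHOOL domain and every account name are constructed for the example; a real export would need only parse_event_line() adapted.

```python
"""Added example: two ways to catch unexpected additions to privileged groups,
as suggested in the thread:
  1. membership_diff()      - compare current membership with an approved
     baseline (run from a scheduled job and mail the result)
  2. suspicious_additions() - scan exported Security-log text for the
     Win2k/2003 Account Management 'member added' events and flag hits on
     watched groups (632 = global, 636 = local, 660 = universal group)
The log-line format below is constructed for the example; a real export
(dumpel, a parsed .evt) has its own field layout, so only
parse_event_line() would change.
"""
import re

WATCHED_GROUPS = {"Domain Admins", "Schema Admins", "Enterprise Admins"}
MEMBER_ADDED_EVENTS = {632, 636, 660}


def membership_diff(baseline, current):
    """Both args map group name -> iterable of member names (direct members only).
    Returns {group: {"added": [...], "removed": [...]}} for watched groups that changed."""
    report = {}
    for group in sorted(WATCHED_GROUPS):
        before, after = set(baseline.get(group, ())), set(current.get(group, ()))
        if before != after:
            report[group] = {"added": sorted(after - before),
                             "removed": sorted(before - after)}
    return report


# Constructed one-line-per-event export format (not the real EVT layout).
EVENT_LINE = re.compile(
    r"EventID=(?P<id>\d+)\s+Member=(?P<member>\S+)\s+"
    r"Target=(?P<target>[^;]+);\s*Caller=(?P<caller>\S+)")


def parse_event_line(line):
    m = EVENT_LINE.search(line)
    if not m:
        return None
    return {"id": int(m["id"]), "member": m["member"],
            "target": m["target"].strip(), "caller": m["caller"]}


def suspicious_additions(lines, approved_callers=frozenset()):
    """Events that add a member to a watched group, optionally ignoring known
    admin callers. Leave approved_callers empty to see every addition: a
    student using a hijacked admin account would otherwise be filtered out."""
    hits = []
    for line in lines:
        ev = parse_event_line(line)
        if (ev and ev["id"] in MEMBER_ADDED_EVENTS
                and ev["target"] in WATCHED_GROUPS
                and ev["caller"] not in approved_callers):
            hits.append(ev)
    return hits


# Constructed sample export: one global-group addition by a student account,
# one by the admin, one unrelated logon event, one addition to a non-watched group.
SAMPLE_LOG = [
    r"EventID=632 Member=SCHOOL\student42 Target=Domain Admins; Caller=SCHOOL\student7",
    r"EventID=632 Member=SCHOOL\helpdesk1 Target=Domain Admins; Caller=SCHOOL\avisser",
    r"EventID=528 Member=- Target=-; Caller=SCHOOL\student7",
    r"EventID=632 Member=SCHOOL\student9 Target=Teachers; Caller=SCHOOL\student7",
]

if __name__ == "__main__":
    baseline = {"Domain Admins": {"Administrator", "avisser"}}
    current = {"Domain Admins": {"Administrator", "avisser", "student42"}}
    print(membership_diff(baseline, current))
    for ev in suspicious_additions(SAMPLE_LOG):
        print(f"ALERT: {ev['caller']} added {ev['member']} to {ev['target']}")
```

membership_diff() compares direct members only; expand nested groups before comparing, otherwise an attacker who adds a group they already control to Domain Admins never shows up as a new user. And keep approved_callers empty in practice: an addition made with a legitimate admin account is exactly what a compromised admin account looks like, which is the more likely explanation for the additions Aaron is seeing than any trick played on the group itself.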


RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
I'm curious, do you have any more details?



RE: [ActiveDir] AD Phone list

2004-06-10 Thread Murray Wall
How about this: instead of piping it to a file, put it into an XML/HTML
file?

http://www.jsiinc.com/subo/tip7300/rh7340.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 8:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Phone list

I talked our web developers into moving the phone list from SQL to AD.
They are asking me for any resources I have to get them started, for
example the user and contact schema. They are also looking for any good
sites to get them started pulling from AD.

Thanks,jb


RE: [ActiveDir] Preventing a DC from authenticating users

2004-06-10 Thread Grillenmeier, Guido
If your test clients are all Win2k/XP, you could also use the
"NT4Emulator" registry key on the server to prevent the machine from
accepting the Kerberos auth. protocol => Win2k/XP clients will search
for other DCs that allow Kerberos auth. (check MS Q298713)

Initially the key was added to prevent the PDC overload issue during
migration, but it sounds like this would be valuable for your tests
without disturbing other things (I'm simply unsure what other things
would cease to work if Netlogon is turned off - I could imagine that you
could also no longer log on via TS...?)

\Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, June 10, 2004 03:28
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

True - would work. But, why not just shut off Netlogon? Seems to be about
the easiest way to be sure that it's not going to answer requests for
authN.

Rick Kingslan  MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, June 09, 2004 1:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Preventing a DC from authenticating users

Why not create a dummy site, and move the DC into it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Tuesday, June 08, 2004 4:06 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Preventing a DC from authenticating users


I want to stop a specific DC from authenticating users as part of a test.
The server also provides DNS for the clients, so I don't want to shut down
the box during the test - I just want it to be 'invisible' to clients
looking for a DC for the duration of the test (a couple of days max).

Is 'net stop netlogon' and deleting the appropriate GC and LDAP SRV records
a reasonable way to go about this? Will this prevent replication? Any other
ideas to accomplish this? Thanks!

Dave Fugleberg


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
Tony, as just mentioned in my other post, this is not an IM topic, as this is about 
visibility of backlinks (which are not influenced by the IM). 

Backlinks are only visible on DCs, which host the naming context of the object with 
the forward link (i.e. for directReports this would be those, which host the NC for 
the user's who are being managed)

\Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 13:23
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain and sub-domain


Post in haste, repent at leisure.

I've said "member" (more than once) below when I should have said "manager".

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 05:48:33 -0400


Mmmh. I believe this is where the Infrastructure Master comes into the picture.  I'm a 
bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to 
objects in other domains.  We know that member (forward) and directReports (backward) 
are examples of linked attributes.  We also know that only the member attribute value 
is replicated between GCs.  This makes sense, because when you query for the 
directReports the value is calculated on-the-fly.  Back to the IM.  The IM 
periodically updates the references (using phantom records in the directory database) 
and replicates any changes to DCs in its domain.  This is the process that allows you 
to see, e.g. local group memberships, directReports, etc. that contain values from 
other domains. So there there will be a delay between the time that you create the 
forward/backward link and the time that you will be able to query the directReports 
value (if the values are DNs from a different domain).  

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be 
wrong).  You may have to simply wait.  Let us know what happens.  In the meantime, 
some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the 
directReports entries from the other domain.  Of course if all the DCs in the domain 
are also GCs this will not be an issue.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 11:17:13 +0200

Thanks Tony !

But, I don't query the Global Catalog but the whole directory itself.
I connect the DC of the "titi.com" domain to see the "usertiti" user and I connect the 
DC of the "toto.titi.com" domain to see the "usertoto" user.

Is it so because "toto.titi.com" is a sub-domain of "titi.com" ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain
and sub-domain


The manager attribute is replicated between GCs as part of the Partial Attribute Set.  
The directReports attribute isn't.  Whether you see it or not will depend on the 
domain of the DC you are querying.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain "titi.com" with a sub-domain "toto.titi.com", a user "usertiti" on 
"domain titi.com" and a user "usertoto" on "domain toto.titi.com".
I set "usertiti" as manager of "usertoto" and "usertoto" as manager of "usertiti". 
When I look at the "usertoto" and "usertiti" entries in the directories, I have:
- the manager attribute of "usertiti" is correctly set at "usertoto",
- the directReports attribute of "usertiti" is correctly set at "usertoto",
- the manager attribute of "usertoto" is correctly set at "usertiti",
- but, the directReports attribute of "usertoto" is not correctly set at "usertiti" !

Why ? Is it normal or is it a replication problem ?

Thanks in advance for your answers...


Solange Desseignes



RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
you may not be using a GC query, but the directReports backlink is still read from the 
same linktable on a DC when it is also a GC.

in your scenario, the DC used to lookup the "titi.com" user must have been a GC and 
the other one a normal DC.  This has nothing to do with the domain hierarchy.

See my previous post on this topic for more details.

\Guido



RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Grillenmeier, Guido
first of all, if "titi.com" and "toto.titi.com" are real names, then I'd
switch jobs - this would drive me crazy ;-)

Regarding adding the directReports to the PAS: that would be nice, but
isn't possible for the backlinks of linked attribute pairs - this is the
case here for the directReports attribute => it is not a replicated
attribute at all (neither cross-domain nor within the same domain), as
only forward links (here the manager attribute) get replicated between
DCs/GCs.

Instead, the backlink attributes are processed locally on each DC when
it receives the forward link (e.g. a user object's manager attribute)
and creates the link between the two respective AD objects via an entry
in the local link table on the DC/GC.

However, the forward link will only replicate to DCs hosting the
respective naming context. And for attributes (even forward links)
which are also in the PAS (configured to replicate to the GC), this
means that the information is also replicated to GCs from other
domain(s), hosting a read-only partition of the source domain (of an
object with a forward link). And the GCs will then again create the
respective backlink locally, when making the entry in the link table,
even for cross-domain links.

For the given manager/directReports example this means that a user's
manager attribute is only replicated to DCs of the same domain and to
GCs in the forest - and that only these machines populate the respective
"directReports" attribute (backlink) for a user who is the manager of
this other user. As such, you won't see cross-domain directReports
information on a DC of a manager's domain, if this DC is not a GC.

So here, the DC for "titi.com" used to look up the directReports
attribute of "usertiti" must have been a GC, while the DC of
"toto.titi.com" used to look up the directReports attribute of
"usertoto" must have been just a normal DC.

This is not to be confused with Phantom Records (which are updated via
the Infrastructure Master): as the directReports attribute is not the
replicated attribute, it is also not updated or replicated as a phantom
record via the IM.
However, phantom records are created on non-GC DCs to replicate the
manager attribute (forward link) to other DCs, if e.g. a user's
manager attribute is linked to a user object outside the own domain. As
Dean perfectly described, the IM is then responsible to sync changes to
the linked object over time (renames, deletes etc.), but it would not
update any backlinks.

As a sidenote on the replication of the manager/directReports links you
should realize that if you do leverage these across domains in a
forest and you accidentally delete a manager (with direct reports in
various domains) whom you must then authoritatively restore in AD, the
links to the manager's directReports are NOT recovered with the
manager... (same issue as with memberships in Universal Groups or Domain
Local groups in other domains of the forest)

\Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy Andersson
Sent: Thursday, June 10, 2004 11:17
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Replication of linked attributes between domain
and sub-domain

If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



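Guido's rule in executable form, as an added example (not code from the thread): a toy model in which forward links replicate and each DC derives backlinks from its own link table. Domain and user names are the ones Solange used; the DC names, the Forest/DC structure and the labManager attribute mentioned in the note below are invented for the example, and phantom records and the Infrastructure Master are not modelled.

```python
"""Added example: a toy model of AD linked-attribute replication, following
Guido's explanation. Forward links (here: manager, which is in the Partial
Attribute Set) replicate to every DC of the object's own domain and to every
GC in the forest; each DC then derives the backlink (directReports) from its
own link table. Phantom records and the Infrastructure Master are not modelled.
Domain and user names are the ones from the thread; DC names are invented."""
from dataclasses import dataclass, field

PARTIAL_ATTRIBUTE_SET = {"manager"}      # forward-link attributes replicated to GCs


@dataclass
class DC:
    name: str
    domain: str
    is_gc: bool
    # (source_dn, attribute, target_dn) forward-link values this DC has received
    link_table: set = field(default_factory=set)


@dataclass
class Forest:
    objects: dict   # dn -> domain that owns the object
    dcs: list

    def holds_object(self, dc, dn):
        """A DC has its own domain's objects; a GC also has a read-only copy of every other domain's."""
        return self.objects[dn] == dc.domain or dc.is_gc

    def set_forward_link(self, source_dn, attr, target_dn):
        """Write attr on source_dn and replicate it: full replica within the
        source's domain, partial (PAS attributes only) to GCs of other domains."""
        src_domain = self.objects[source_dn]
        for dc in self.dcs:
            in_domain = dc.domain == src_domain
            via_gc = dc.is_gc and attr in PARTIAL_ATTRIBUTE_SET
            if in_domain or via_gc:
                dc.link_table.add((source_dn, attr, target_dn))

    def read_backlink(self, dc, target_dn, attr="manager"):
        """The backlink (directReports for attr=manager) as seen on one DC:
        None if the DC cannot even see the target object, otherwise the
        sources whose forward link points at it in this DC's link table."""
        if not self.holds_object(dc, target_dn):
            return None
        return sorted(s for s, a, t in dc.link_table if a == attr and t == target_dn)


def build_example():
    """Solange's scenario: two domains, two users, each the other's manager."""
    objects = {"usertiti": "titi.com", "usertoto": "toto.titi.com"}
    dcs = {name: DC(name, domain, gc) for name, domain, gc in [
        ("titi-dc", "titi.com", False), ("titi-gc", "titi.com", True),
        ("toto-dc", "toto.titi.com", False), ("toto-gc", "toto.titi.com", True)]}
    forest = Forest(objects, list(dcs.values()))
    forest.set_forward_link("usertoto", "manager", "usertiti")   # usertiti manages usertoto
    forest.set_forward_link("usertiti", "manager", "usertoto")   # and vice versa
    return forest, dcs


if __name__ == "__main__":
    forest, dcs = build_example()
    for dc in dcs.values():
        for user in ("usertiti", "usertoto"):
            print(f"{dc.name:8} directReports({user}) = {forest.read_backlink(dc, user)}")
```

Running it prints directReports for both users on all four DCs: only titi-gc shows usertiti's report and only toto-gc shows usertoto's, which is exactly the asymmetry Solange observed, and the non-GC DCs of the other domain return None because they do not hold the object at all. Setting a hypothetical forward link that is not in the PAS (labManager, say) shows the other half of the rule: it never reaches a GC of another domain, so that GC shows an empty backlink for it.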

RE: [ActiveDir] Security

2004-06-10 Thread Grillenmeier, Guido
don't use the Restricted Groups feature on domain groups, especially
domain admins. This has caused various issues for companies and thus
they've backed away from this approach.  However, using restricted
groups on member servers and clients works well. 

\Guido



RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Grillenmeier, Guido
you have different options when you're trying to implement the exact
same namespace in a physically separated lab, or when you want to
integrate your lab into the production network, choosing a different
domain name.  

For the first option you can go the "clone DC" or "grab DC" method as
described in other posts, but when you want to use a different
namespace, it's a little more complicated, especially - as you noted
yourself, when you want to grab the security settings as well.  If
Win2003, you could still do a domain/forest rename after you've
cloned/grabbed the DCs from production, but that's still a lot of work.
We've decided to go down the scripting/programming path to copy &
translate the ACLs of one AD forest to another to build lab-environments
(only OU permissions). Yes, it is rather tedious, but it can be done -
see MSDN "IADsAccessControlEntry Property Methods".

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Thursday, June 10, 2004 17:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD

All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the
AD "structure" and using this as a test bed to cleanup AD (OU's,
objects,
permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated
?
(we may want to do this every few months or so). For example, we have
used
LDIFDE to extract the OU structure, users and groups and re-imported
these
into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations
etc),
however items such as OU security and policies is causing a bit more of
a
headache.

Any thoughts ?

TIA

Glenn



List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
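The copy-and-translate step Guido describes, as an added Python example (not code from the thread or from Guido's tooling, which used the ADSI COM interfaces): every ACE in an OU's security descriptor names its trustee by SID, and a production SID means nothing in a lab forest, so the descriptor has to be rewritten before it is applied. The SDDL string is what IADsSecurityDescriptor hands back once converted to string form; the domain SIDs, the RID map and the sample descriptor below are constructed.

```python
"""Added example: translate the SIDs in an SDDL security descriptor from the
production domain to the lab domain. Domain SIDs and RID map are constructed."""
import re
from typing import Dict, List, Tuple

# Assumption: constructed domain SIDs; neither is a real forest
SOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
TARGET_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"

# Assumption: RIDs of principals re-created in the lab, keyed by production RID.
# In practice built by matching sAMAccountName between the two forests.
RID_MAP: Dict[int, int] = {1105: 1201, 1106: 1202}

# Domain-relative RIDs below 1000 (500 Administrator, 512 Domain Admins, 513 Domain
# Users, ...) are the same in every domain, so they map 1:1 onto the target domain SID.
WELL_KNOWN_RID_CEILING = 1000


class UnmappableSid(KeyError):
    """Trustee exists in production but has no counterpart in the lab."""


def translate_sid(sid: str, source: str = SOURCE_DOMAIN, target: str = TARGET_DOMAIN,
                  rid_map: Dict[int, int] = RID_MAP) -> str:
    """Map one source-domain SID onto the target domain. Anything that is not a
    source-domain SID (BUILTIN S-1-5-32-*, NT AUTHORITY, trusted-forest SIDs, SDDL
    two-letter aliases such as DA or BA) is returned unchanged."""
    if not sid.startswith(source + "-"):
        return sid
    rid = int(sid[len(source) + 1:])
    if rid < WELL_KNOWN_RID_CEILING:
        return f"{target}-{rid}"
    if rid in rid_map:
        return f"{target}-{rid_map[rid]}"
    raise UnmappableSid(sid)


ACE_RE = re.compile(r"\(([^)]*)\)")   # one SDDL ACE: (type;flags;rights;objguid;inhguid;sid)
HEADER_SID_RE = re.compile(r"(?<=[OG]:)(S-1-5-21-\d+-\d+-\d+-\d+)")  # explicit owner/group SIDs


def translate_sddl(sddl: str, source: str = SOURCE_DOMAIN, target: str = TARGET_DOMAIN,
                   rid_map: Dict[int, int] = RID_MAP) -> Tuple[str, List[str]]:
    """Rewrite every SID in an SDDL string for the target domain. ACEs whose trustee
    cannot be mapped are dropped and returned for review instead of being copied with
    a SID that resolves to nothing in the lab. An unmappable owner or group raises."""
    dropped: List[str] = []

    def fix_ace(m) -> str:
        parts = m.group(1).split(";")
        if len(parts) < 6:           # not a well-formed ACE; leave it so the caller notices
            return m.group(0)
        try:
            parts[5] = translate_sid(parts[5], source, target, rid_map)
        except UnmappableSid:
            dropped.append(m.group(0))
            return ""
        return "(" + ";".join(parts) + ")"

    out = HEADER_SID_RE.sub(lambda m: translate_sid(m.group(1), source, target, rid_map), sddl)
    out = ACE_RE.sub(fix_ace, out)
    return out, dropped


# Constructed sample: an OU's DACL as it might look in production
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(A;;RPWPCCDCLCSWRCWDWOGA;;;" + SOURCE_DOMAIN + "-512)"   # Domain Admins (well-known RID)
    "(A;CI;RPWP;;;" + SOURCE_DOMAIN + "-1105)"               # OU admin group, re-created in lab
    "(A;;RP;;;" + SOURCE_DOMAIN + "-1999)"                   # group that does not exist in lab
    "(A;;RPLC;;;S-1-5-32-544)"                               # BUILTIN\Administrators, not domain-relative
)

if __name__ == "__main__":
    translated, dropped = translate_sddl(SAMPLE_SDDL)
    print(translated)
    print("dropped:", dropped)
```

Dropping unmappable ACEs rather than copying them is the safe default: a copied production SID would show up in the lab as an unresolvable SID, and an ACE nobody can read is easy to overlook when the lab is later used to sign off permission cleanup. Object-type GUIDs in the fourth and fifth ACE fields are left alone here; that holds for the base schema and the standard extended rights, but if production has schema extensions with their own attribute or property-set GUIDs those need to be the same in the lab (or mapped the same way) before the descriptor is applied.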


RE: [ActiveDir] Security

2004-06-10 Thread Free, Bob
We have some homegrown stuff that monitors specified groups and sends an
email nightly if anything changes. Been doing that for quite sometime.

An example of one easy approach is at

http://www.winnetmag.com/WindowsScripting/Article/ArticleID/38400/38400.html

Sure you can audit it with built in auditing, dump the logs and scrape
out the info you need.

Also have seen examples of WMI sinks to monitor in real time

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Aaron Visser
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
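Both approaches Bob mentions, as an added Python example (not the homegrown tool, the linked article's script, or anything else from the thread): a snapshot diff of the watched groups for the nightly mail, and a scrape of exported Security-log lines for the Windows 2000/2003 "member added" audit events (632 global, 636 local, 660 universal group). The membership snapshots, the log lines and the tab-separated export format are all constructed; a real export from Event Viewer or dumpel will need its own line parser, but the description fields are the ones the real events carry.

```python
"""Added example: two ways to catch additions to sensitive AD groups.
1. diff_membership(): compare a stored membership snapshot against tonight's
   (the nightly e-mail approach).
2. scrape_member_added(): scan exported Security-log lines for the Windows 2000/2003
   "member added" audit events and keep only the watched groups.
All data below is constructed; the export line format is an assumption."""
import re
from typing import Dict, List, Set, Tuple

# Assumption: group names exactly as the snapshot tool and the audit events report them
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

Membership = Dict[str, Set[str]]


def diff_membership(previous: Membership, current: Membership) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {group: (added, removed)} for every watched group whose membership changed.
    A group absent from a snapshot counts as empty, so a group that vanishes is reported too."""
    changes: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for group in sorted(WATCHED_GROUPS):
        before, after = previous.get(group, set()), current.get(group, set())
        added, removed = after - before, before - after
        if added or removed:
            changes[group] = (added, removed)
    return changes


# Windows 2000/2003 Security log "member added" events:
# 632 security-enabled global group, 636 local group, 660 universal group.
MEMBER_ADDED_EVENTS = {"632", "636", "660"}

# Constructed export format: "<date> <time><TAB><event id><TAB><description>".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\t(?P<id>\d+)\t(?P<desc>.*)$")
FIELD_RE = re.compile(r"(Member Name|Target Account Name|Caller User Name):\s*([^;]+)")


def scrape_member_added(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per line that adds a member to a watched group; other events are ignored."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if not m or m.group("id") not in MEMBER_ADDED_EVENTS:
            continue
        fields = {name: value.strip() for name, value in FIELD_RE.findall(m.group("desc"))}
        group = fields.get("Target Account Name", "")
        if group in WATCHED_GROUPS:
            alerts.append({"time": m.group("ts"), "event": m.group("id"), "group": group,
                           "member": fields.get("Member Name", "?"),
                           "caller": fields.get("Caller User Name", "?")})
    return alerts


def format_report(changes: Dict[str, Tuple[Set[str], Set[str]]], alerts: List[Dict[str, str]]) -> str:
    """Plain-text body for the nightly mail; empty string when there is nothing to say."""
    out = []
    for group, (added, removed) in changes.items():
        for member in sorted(added):
            out.append(f"ADDED   {member} -> {group}")
        for member in sorted(removed):
            out.append(f"REMOVED {member} <- {group}")
    for a in alerts:
        out.append(f"AUDIT   {a['time']} event {a['event']}: {a['caller']} added {a['member']} to {a['group']}")
    return "\n".join(out)


# Constructed sample data
LAST_NIGHT: Membership = {"Domain Admins": {"Administrator", "svc-backup"},
                          "Administrators": {"Administrator", "Domain Admins"}}
TONIGHT: Membership = {"Domain Admins": {"Administrator", "svc-backup", "jdoe"},
                       "Administrators": {"Administrator", "Domain Admins"}}
SAMPLE_LOG = [
    "2004-06-10 21:03:11\t632\tSecurity Enabled Global Group Member Added: Member Name: CN=John Doe,OU=Staff,DC=example,DC=com; Target Account Name: Domain Admins; Target Domain: EXAMPLE; Caller User Name: helpdesk1; Caller Domain: EXAMPLE",
    "2004-06-10 21:05:40\t636\tSecurity Enabled Local Group Member Added: Member Name: CN=Print Ops,OU=Groups,DC=example,DC=com; Target Account Name: Print Operators; Target Domain: Builtin; Caller User Name: helpdesk1; Caller Domain: EXAMPLE",
    "2004-06-10 21:07:02\t528\tSuccessful Logon: User Name: jdoe; Domain: EXAMPLE; Logon Type: 2",
]

if __name__ == "__main__":
    print(format_report(diff_membership(LAST_NIGHT, TONIGHT), scrape_member_added(SAMPLE_LOG)))
```

The two approaches cover different failures: the snapshot diff sees the end state even if the change was made on a DC whose log you never collected (or whose log was cleared), while the audit scrape tells you who made the change and when, which the diff cannot. The audit events only exist if "Audit account management" success auditing is enabled in the Default Domain Controllers Policy, and 632/636/660 are logged on the DC that processed the write, so every DC's log has to be collected.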


RE: [ActiveDir] Script to purge Domain based MSMQ

2004-06-10 Thread Eric Fleischman
From my MSMQ friend to me..


1. A queue will only get empty if he actually writes a program that
empties it. He should investigate why his program is not receiving all
messages out of the queue.

2. If he wants to empty out the old messages but keep the queue, he can
either receive the messages normally (which will also delete them), or
he can purge them using Computer Management, or he can purge them
programmatically. He can search the KB for "MSMQ local admin API" to
find the API used to purge.

3. If he really wants to delete old queues, assuming that they're public
queues, there are standard API calls for locating queues based on
certain criteria (including creation date, if I recall correctly). Once
a queue is located, it can be deleted programmatically. For more info,
see
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfSystemMessagingMessageQueueClassGetPublicQueuesByCategoryTopic.asp (.NET) or
http://msdn.microsoft.com/library/en-us/msmq/msmq_ref_query_5usl.asp
(COM object) -- there is an equivalent for the C++ API as well.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abhishek Sharma
Sent: Thursday, June 10, 2004 10:33 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Script to purge Domain based MSMQ

Hi All,

I am using a Content Management System which uses MSMQ for publishing to
targets.
I am facing a problem whereby the queue doesn't get empty and many times
there are queues which are 3 months old.

I want to write a script for purging the domain MSMQ for queues older
then 2
weeks.
Any help will be appreciated.

The details are as follows:

1. The queue is domain based and public.
2. The name of the queue is tridion_cm_pub.
3. The queue is transactional.

Let me know if more details are required.



--
thanks,
Best regards,

Abhishek Sharma | Network Architect | netdecisions
Mumbai Software Development Centre
6th Flr, MET Building, Gen. A.K.Vaidya Chowk
Bandra Reclamation, Bandra (W), Mumbai 400050. INDIA
t Direct - +91 22 2644 0534, Board - +91 22 2644  - Extn: 534.  
f +91 22 2655 8048
Email : [EMAIL PROTECTED]
Website: www.netdecisions.com

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Tyson Leslie
It works well, we have done it.  We took a DC from our root domain, plus DCs
from two of the (four) child domains.   If you have multiple domains, I
would suggest that make sure your DCs are GC servers before you take them
offline.  This caused us a few difficulties when we tried to make the server
a GC after-the-fact, as it complained that it did not have up-to-date
information about the other two domains that we did not take offline.

When we get time, I would like to do it again, using virtual servers.  I
think that would provide a bit more flexibility...

Tyson.

 
Tyson Leslie
Senior Network Analyst
Colt Engineering Corporation 
(403) 258-8153 
[EMAIL PROTECTED] 
 



-Original Message-
From: Rutherford, Robert [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD "structure" and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated
? (we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies is causing a bit more of a headache.

Any thoughts ?

TIA

Glenn


This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the
sender immediately and delete the material from any computer. Unless you are
the intended recipient, you should not copy this e-mail for any purpose, or
disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or accuracy of
this communication as it has been transmitted over a public network. Whilst
the MCPS-PRS Alliance monitors all communications for potential viruses, we
accept no responsibility for any loss or damage caused by this e-mail and
the information it contains.
It is the recipient's responsibility to scan this e-mail and any attachments
for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored for
quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England
under company number 03444246 whose registered office is at c/o 29-33
Berners Street, London, W1T 3AB.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] OT: Sysprep and workstation images

2004-06-10 Thread Hunter, Laura E.
(Man, Tony's gonna get really mad at me for being so continuously
off-topic.  :-)  But this is my "List full of really smart people", so I
keep coming to you guys for non-AD-specific stuff that I can't figure
out.)

Scenario:

I work for a major university, and each fall we offer Back-to-School
sales of pre-configured hardware for our incoming students.  For the
truckload sale each year, a CFI image is offered to the university
community on both laptops and desktops that are sold at the annual back
to school sale. The images are developed for recent Dell and IBM product
lines, and are based on the vendor's OEM image of Windows XP, with
university-specific applications pre-installed and patched with the
latest security updates.

This year, there is a strong push in the university IT community to have
an additional layer of security-related configuration. We would like to
see our hard drive images include secure Administrator password policies
implemented and enforced, while still offering the end-user a simple,
user-friendly "out of the box" experience during mini-Setup through a
re-sealing process using Sysprep. A late-in-the-game attempt last year to
combine such policies with the Sysprep process produced a less than
viable, not user-friendly experience, which was ultimately scrapped.
Consequently, last year's back-to-school images were built with only
optional Administrator passwords. (Unfortunately, our back-to-school
Sysprep image needs to be ready before XPSP2 will be released to market.)

The key question here is:

Is it possible to create an image that mandates an Administrator
password and employs MS's strong password rules?  Further, is it
possible to have these settings maintained after running Sysprep to
ensure that anyone buying a machine with that image would have the same
"mini-Setup" experience as a person buying an OEM (non-University-imaged)
machine, with the one key difference being that the imaged machine
required a strong Admin password during setup?

One solution that was suggested (*waves to Brian Desmond*) was the one
that should be the most obvious: set a password policy in the Local
Security Policy that will get burned in and persist syspreps.  This
works to a point; for accounts other than the actual Administrator
account, you can force this using the Local Password Policy.  However,
for the Administrator account itself, the person setting up the machine
has the option of cancelling out and never obeying the "order" to create
a new, strong password.

Am I missing something blindingly obvious?


*
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania
 
This email message is for the sole use of the intended recipient(s) and
may contain confidential and privileged information.  Any unauthorized
review, use, disclosure or distribution is prohibited.  If you are not
the intended recipient, please contact the sender by reply email,
destroy all copies of the original message, and repent!  Repent!

  
Any views expressed in this email message, well-informed and
intellectually unassailable as they may be, are those of the individual
sender except where the sender specifically states them to be the views
of Student Financial Services.


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Phone list

2004-06-10 Thread Cotter, Paul M.

As someone pointed out to me off-list - you probably don't need to
specify the domain in both formats, it's just a habit of mine that
seemed to resolve some issues for me a while back, but I don't remember
why I do it now.

Paul


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cotter, Paul M.
Sent: Thursday, June 10, 2004 1:58 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Phone list


Looks like he's setting the connection string to something
inappropriate:


strConn = "Active Directory Provider"
objConn.Open strConn


Should read more like:


strConn = "LDAP://mydomain.com/DC=mydomain,DC=com"
objConn.Open strConn , strUserName , strPassword , 0 

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 12:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Phone list

Here is his current code and error:

___

The error 0x80004005 Unspecified Error occurs when I try to query for
various items. I've added "otherphone" to this code as an example. The
error occurs on line 18: "objRS.Open strSQL, objConn, 1, 1".







strSearchString = "Firstname Lastname"

Dim objConn, strSQL, objRS, strConn
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "ADsDSOObject"
strConn = "Active Directory Provider"
objConn.Open strConn
strSQL = "SELECT givenname, sn, telephonenumber, otherphone "
', mobile, facsimilyTelephoneNumber, pager
strSQL = strSQL & "FROM 'LDAP://DOMAIN.COM' "
strSQL = strSQL & "WHERE objectClass = 'user' "
strSQL = strSQL & "AND (givenName = '*" & strSearchString & "*' OR sn = '*" & strSearchString & "*' OR displayName = '*" & strSearchString & "*') "
strSQL = strSQL & "ORDER BY sn"
objRS.Open strSQL, objConn, 1, 1

While NOT objRS.EOF AND NOT objRS.BOF

 strFirstName = objRS("givenname").value
 strLastName = objRS("sn").value
 If objRS("telephonenumber").value = "" OR IsNull(objRS("telephonenumber").value) Then
  strFullTelephoneNumber = ""
 Else
  strFullTelephoneNumber = objRS("telephonenumber").value
 End If
 If join(objRS("otherphone").value) = "" OR IsNull(join(objRS("otherphone").value)) Then
  strExtension = ""
 Else
  strExtension = join(objRS("otherphone").value)
 End If

 Response.Write("" & strFirstName & " " & strLastName & "")
 Response.Write("Phone Number: " & strFullTelephoneNumber & "")
 Response.Write("")
 objRS.MoveNext
Wend

objRS.close
objConn.close
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/





===

Important:
This electronic mail message and any attached files contain information
intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law.  If you
are not the intended recipient, you are hereby notified that any
viewing, copying, disclosure or distribution of this information may be
subject to legal restriction or sanction.  Please notify the sender, by
electronic mail or telephone, of any unintended recipients and delete
the original message without making any copies.

===
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Phone list

2004-06-10 Thread Roger Seielstad
0x80004005 is 99.9% of the time caused by permissions issues.

Make sure that it's running under a user context with enough permissions
to execute the query.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
 

> -Original Message-
> From: Jason Benway [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, June 10, 2004 1:59 PM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [ActiveDir] AD Phone list
> 
> Here is his current code and error:
> 
> ___
> 
> The error 0x80004005 Unspecified Error occurs when I try to query for
> various items. I've added "otherphone" to this code as an 
> example. The error
> occurs on line 18: "objRS.Open strSQL, objConn, 1, 1".
>  
> --
> --
> 
>  
> strSearchString = "Firstname Lastname"
>  
> Dim objConn, strSQL, objRS, strConn 
> Set objConn = Server.CreateObject("ADODB.Connection")
> Set objRS = Server.CreateObject("ADODB.Recordset")
> objConn.Provider = "ADsDSOObject"
> strConn = "Active Directory Provider"
> objConn.Open strConn 
> strSQL = "SELECT givenname, sn, telephonenumber, otherphone "
> ', mobile, facsimilyTelephoneNumber, pager 
> strSQL = strSQL & "FROM 'LDAP://DOMAIN.COM' "
> strSQL = strSQL & "WHERE objectClass = 'user' "
> strSQL = strSQL & "AND (givenName = '*" & strSearchString & 
> "*' OR sn = '*"
> & strSearchString & "*' OR displayName = '*" & 
> strSearchString & "*') "
> strSQL = strSQL & "ORDER BY sn"
> objRS.Open strSQL, objConn, 1, 1
>  
> While NOT objRS.EOF AND NOT objRS.BOF
>  
>  strFirstName = objRS("givenname").value
>  strLastName = objRS("sn").value
>  If objRS("telephonenumber").value = "" OR
> IsNull(objRS("telephonenumber").value) Then
>   strFullTelephoneNumber = ""
>  Else
>   strFullTelephoneNumber = objRS("telephonenumber").value
>  End If
>  If join(objRS("otherphone").value) = "" OR
> IsNull(join(objRS("otherphone").value)) Then
>   strExtension = ""
>  Else
>   strExtension = join(objRS("otherphone").value)
>  End If
>  
>  Response.Write("" & strFirstName & " " & strLastName & "")
>  Response.Write("Phone Number: " & strFullTelephoneNumber 
> & "")
>  Response.Write("")
>  objRS.MoveNext
> Wend
>  
> objRS.close 
> objConn.close
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Phone list

2004-06-10 Thread Cotter, Paul M.

Looks like he's setting the connection string to something
inappropriate:


strConn = "Active Directory Provider"
objConn.Open strConn


Should read more like:


strConn = "LDAP://mydomain.com/DC=mydomain,DC=com"
objConn.Open strConn , strUserName , strPassword , 0


Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 12:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Phone list

Here is his current code and error:

___

The error 0x80004005 Unspecified Error occurs when I try to query for
various items. I've added "otherphone" to this code as an example. The
error occurs on line 18: "objRS.Open strSQL, objConn, 1, 1".





strSearchString = "Firstname Lastname"

Dim objConn, strSQL, objRS, strConn
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "ADsDSOObject"
strConn = "Active Directory Provider"
objConn.Open strConn
strSQL = "SELECT givenname, sn, telephonenumber, otherphone "
', mobile, facsimilyTelephoneNumber, pager
strSQL = strSQL & "FROM 'LDAP://DOMAIN.COM' "
strSQL = strSQL & "WHERE objectClass = 'user' "
strSQL = strSQL & "AND (givenName = '*" & strSearchString & "*' OR sn = '*" & strSearchString & "*' OR displayName = '*" & strSearchString & "*') "
strSQL = strSQL & "ORDER BY sn"
objRS.Open strSQL, objConn, 1, 1

While NOT objRS.EOF AND NOT objRS.BOF

 strFirstName = objRS("givenname").value
 strLastName = objRS("sn").value
 If objRS("telephonenumber").value = "" OR IsNull(objRS("telephonenumber").value) Then
  strFullTelephoneNumber = ""
 Else
  strFullTelephoneNumber = objRS("telephonenumber").value
 End If
 If join(objRS("otherphone").value) = "" OR IsNull(join(objRS("otherphone").value)) Then
  strExtension = ""
 Else
  strExtension = join(objRS("otherphone").value)
 End If

 Response.Write("" & strFirstName & " " & strLastName & "")
 Response.Write("Phone Number: " & strFullTelephoneNumber & "")
 Response.Write("")
 objRS.MoveNext
Wend

objRS.close
objConn.close




===

Important:
This electronic mail message and any attached files contain information
intended for the exclusive use of the individual or entity to whom it is
addressed and may contain information that is proprietary, privileged,
confidential and/or exempt from disclosure under applicable law.  If you
are not the intended recipient, you are hereby notified that any viewing,
copying, disclosure or distribution of this information may be subject to
legal restriction or sanction.  Please notify the sender, by electronic
mail or telephone, of any unintended recipients and delete the original
message without making any copies.

===
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Mulnick, Al
I think it was the KISS method at the time it was deployed. Probably made
more sense to leave it since it was working.  I would have most likely.  ;)

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, June 10, 2004 2:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Seems someone doesn't follow the KISS method :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS


It's 6000+ users/workstations spread across Canada. They (network support)
have a process where addresses are assigned and Zone Files for A records are
updated on a regular basis.  Users request a new Workstation or Server
Address from a centralized IP address management group, it is assigned from
an IP Address management system which creates the zone files, which are then
uploaded to the BIND servers on a predetermined schedule.  They have been
doing it for so long that it is a well established and pretty much error
free process.  That was one of the major reasons for staying with BIND.

The only exception to the A record management is the DC/GC A records
associated with the _msdcs zone.  These are handled dynamically by the
DC/GCs to the BIND servers hosting the Dynamic Zones for service records
just like all the other records for these zones.

I must admit I was sceptical at first, but it has proven to be very solid.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

They manually enter a records?  You are certainly the exception to most of
the implementations I've seen where data input error was a big issue and
name resolution was chaotic.  It turned out that delegating the zones and
even zone transfers was much cleaner and easier to implement for those
folks.

Just out of curiosity, this is a fairly large implementation with lots of
servers and workstations in the Active Directory that you have right?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Having successfully integrated W2K3 AD with BIND DNS at our public Internet
DNS name, I can say it can be done without much pain.  I chose to go with
BIND for all the DNS work on the internal network rather than delegate the
_srv record zones to Win/AD DNS.  Our environment does not use dynamic
addressing, and a network infrastructure group is responsible for managing
IP addressing and DNS.  They have a well established BIND infrastructure, and
they continue to manage all host A level records, which are manually
entered.  The Service Record Zones are delegated to a specific set of BIND
DNS servers that do nothing but handle the dynamic registration for _msdcs,
_sites, _tcp and _udp.  I found this configuration more stable and easier to
troubleshoot than trying to get Windows DNS and BIND to play nicely
together.

Some things to watch out for - make sure you consider the SOA parameters
carefully, particularly the refresh time, and make sure you use/properly
configure the notify option on your zones for slaves.  The actual zones are
small, and on some later versions of BIND incremental transfer is an option.
Lock down your BIND security using ACLs to control who can update the SRV
zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register
domain level A records at the DNS root (AD forest root) as this is currently
registered to our web server.  We get regular DNS authentication errors as
DCs try to authenticate to the BIND servers for secure updates, but they
move on and try non-secure updates and everything works fine.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN alias'.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

RE: [ActiveDir] AD Phone list

2004-06-10 Thread Mulnick, Al
His error comes from the strSQL building he's doing (mostly :)

Here's a modified version that works in my environment based on the code you
presented.  The wscript.echo command is just to put the data on the screen.
I also didn't spend any time with the attributes she was looking for such as
telephone etc.  You'll need to put that back in there into the search and
continue from there.




strSearchString = "Firstname Lastname"
 
Dim objConn, strSQL, objRS, strConn

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"


'Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = CreateObject("ADODB.Recordset")
'objConn.Provider = "ADsDSOObject"
strConn = "Active Directory Provider"
objConn.Open strConn
'strSQL = "SELECT givenname, sn, telephonenumber, otherphone " ', mobile,
facsimilyTelephoneNumber, pager 
strSQL = "SELECT AdsPath, cn FROM 'LDAP://DC=domain,DC=com' WHERE
objectCategory='person' AND objectClass='user' AND sn = '*'"
'strSQL = strSQL & "FROM 'LDAP://dc=domain, dc=COM' "
'strSQL = strSQL & "WHERE objectClass = 'user' "
'strSQL = strSQL & "AND (givenName = '*" & strSearchString & "*' OR sn = '*"
& strSearchString & "*' OR displayName = '*" & strSearchString & "*') "
'strSQL = strSQL & "ORDER BY sn"
wscript.echo strSQL
objRS.Open strSQL, objConn , 1, 1
'recordset.Open Source, ActiveConnection, CursorType, LockType, Options

While NOT objRS.EOF AND NOT objRS.BOF
 wscript.echo "in the while not loop"
 
 'strFirstName = objRS("givenname").value  
 'strLastName = objRS("sn").value  
 wscript.echo objRS("ADsPath").value
 wscript.echo objRS("cn").value
 
 
 wscript.echo("" & strFirstName & " " & strLastName & "")  
 wscript.echo("")
 objRS.MoveNext
Wend
 
objRS.close
objConn.close 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 1:59 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Phone list

Here is his current code and error:

___

The error 0x80004005 Unspecified Error occurs when I try to query for
various items. I've added "otherphone" to this code as an example. The error
occurs on line 18: "objRS.Open strSQL, objConn, 1, 1".
 


 
strSearchString = "Firstname Lastname"

Dim objConn, strSQL, objRS, strConn
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "ADsDSOObject"
strConn = "Active Directory Provider"
objConn.Open strConn
strSQL = "SELECT givenname, sn, telephonenumber, otherphone "
', mobile, facsimilyTelephoneNumber, pager
strSQL = strSQL & "FROM 'LDAP://DOMAIN.COM' "
strSQL = strSQL & "WHERE objectClass = 'user' "
strSQL = strSQL & "AND (givenName = '*" & strSearchString & "*' OR sn = '*" & strSearchString & "*' OR displayName = '*" & strSearchString & "*') "
strSQL = strSQL & "ORDER BY sn"
objRS.Open strSQL, objConn, 1, 1

While NOT objRS.EOF AND NOT objRS.BOF

 strFirstName = objRS("givenname").value
 strLastName = objRS("sn").value
 If objRS("telephonenumber").value = "" OR IsNull(objRS("telephonenumber").value) Then
  strFullTelephoneNumber = ""
 Else
  strFullTelephoneNumber = objRS("telephonenumber").value
 End If
 If join(objRS("otherphone").value) = "" OR IsNull(join(objRS("otherphone").value)) Then
  strExtension = ""
 Else
  strExtension = join(objRS("otherphone").value)
 End If

 Response.Write("" & strFirstName & " " & strLastName & "")
 Response.Write("Phone Number: " & strFullTelephoneNumber & "")
 Response.Write("")
 objRS.MoveNext
Wend

objRS.close
objConn.close
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
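One thing none of the replies touch: the search term in the posted page goes straight into the query text, so whatever the user types becomes part of the filter. The same search expressed as an LDAP filter with the term escaped, as an added Python example (not code from the thread; the ADsDSOObject provider accepts this LDAP dialect as the recordset source just as it accepts the SQL dialect used above). The base DN, the attribute list and the hostile input are assumptions; nothing here talks to a directory, it only builds the strings.

```python
"""Added example: build the phone-list search as an LDAP filter with the user-supplied
term escaped per RFC 4515, and wrap it in the ADsDSOObject LDAP-dialect command text
(<base>;(filter);attributes;scope). Base DN and attribute list are assumptions."""
from typing import Sequence

# Characters with meaning inside a filter value and their RFC 4515 escapes
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

SEARCH_ATTRS: Sequence[str] = ("givenName", "sn", "displayName")
# Assumption: attributes the phone list wants; the multi-valued "other" phone is otherTelephone
RETURN_ATTRS: Sequence[str] = ("givenName", "sn", "telephoneNumber", "otherTelephone",
                               "mobile", "facsimileTelephoneNumber", "pager")


def escape_filter_value(value: str) -> str:
    """Escape a value so the server can only ever treat it as data, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def naive_filter(search: str) -> str:
    """What plain string concatenation produces; kept only to contrast with build_people_filter."""
    return f"(&(objectClass=user)(|(givenName=*{search}*)(sn=*{search}*)))"


def build_people_filter(search: str, min_len: int = 2) -> str:
    """Substring match on the name attributes, restricted to user objects.
    objectCategory=person is indexed and excludes computer accounts, which are objectClass=user too."""
    term = search.strip()
    if len(term) < min_len:                 # a one-character search enumerates the whole directory
        raise ValueError("search term too short")
    term = escape_filter_value(term)
    clauses = "".join(f"({attr}=*{term}*)" for attr in SEARCH_ATTRS)
    return f"(&(objectCategory=person)(objectClass=user)(|{clauses}))"


def build_ado_command(search: str, base: str = "LDAP://DC=domain,DC=com") -> str:
    """Command text for objRS.Open with the ADsDSOObject provider, LDAP dialect."""
    return f"<{base}>;{build_people_filter(search)};{','.join(RETURN_ATTRS)};subtree"


if __name__ == "__main__":
    hostile = "*)(objectClass="          # constructed input that closes the name clause early
    print("naive :", naive_filter(hostile))
    print("safe  :", build_people_filter(hostile))
    print(build_ado_command("Smith"))
```

With the hostile term the naive string contains a bare (objectClass=*) clause inside the OR, which matches every object the page's account can see; the escaped version keeps the same characters but as literal text inside the givenName/sn/displayName values. The minimum-length check is the other half of the same concern: even a perfectly escaped one-character search is a directory dump.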


Re: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Steve Patrick
If you simply want:


Same users\groups
Same OU structure
Same GPO's


I highly suggest you look at GPMC (group policy mgmt console) scripts...

CreateEnvironmentFromXML.wsf
CreateXMLFromEnvironment.wsf



-steve




- Original Message - 
From: "Glenn Corbett" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 10, 2004 7:59 AM
Subject: [ActiveDir] Non DR migration of AD


> All,
>
> We are in the process of constructing a Lab to mimic the production AD
> system as closely as possible.  Doing a full DR into this environment is
> certainly an option, however we have been looking into simply migrating
the
> AD "structure" and using this as a test bed to cleanup AD (OU's, objects,
> permissions, policies etc).
>
> Is anyone aware of tools or procedures to get the major AD configuration
> components into a lab using an approach that can be scripted / automated ?
> (we may want to do this every few months or so). For example, we have used
> LDIFDE to extract the OU structure, users and groups and re-imported these
> into the test lab.  By and large this has worked very well (took some
> tweaking of the LDIFDE commands to resolve some constraint violations
etc),
> however items such as OU security and policies is causing a bit more of a
> headache.
>
> Any thoughts ?
>
> TIA
>
> Glenn
>
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Douglas M. Long
Seems someone doesn't follow the KISS method :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS


It's 6000+ users/workstations spread across Canada. They (network support)
have a process where addresses are assigned and zone files for A records are
updated on a regular basis.  Users request a new workstation or server
address from a centralized IP address management group; it is assigned from
an IP address management system which creates the zone files, which are then
uploaded to the BIND servers on a predetermined schedule.  They have been
doing it for so long that it is a well established and pretty much error
free process.  That was one of the major reasons for staying with BIND.

The only exception to the A record management is the DC/GC A records
associated with the _msdcs zone.  These are handled dynamically by the
DC/GCs to the BIND servers hosting the Dynamic Zones for service records
just like all the other records for these zones.

I must admit I was sceptical at first, but it has proven to be very solid.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

They manually enter A records?  You are certainly the exception to most of
the implementations I've seen where data input error was a big issue and
name resolution was chaotic.  It turned out that delegating the zones and
even zone transfers was much cleaner and easier to implement for those
folks.

Just out of curiosity, this is a fairly large implementation with lots of
servers and workstations in the Active Directory that you have right?

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Having successfully integrated W2K3 AD with BIND DNS at our public Internet
DNS name, I can say it can be done without much pain.  I chose to go with
BIND for all the DNS work on the internal network rather than delegate the
_srv record zones to Win/AD DNS.  Our environment does not use dynamic
addressing, and a network infrastructure group is responsible for managing
IP addressing and DNS.  They have a well established BIND infrastructure, and
they continue to manage all host A level records, which are manually
entered.  The service record zones are delegated to a specific set of BIND
DNS servers that do nothing but handle the dynamic registration for _msdcs,
_sites, _tcp and _udp.  I found this configuration more stable and easier to
troubleshoot than trying to get Windows DNS and BIND to play nicely
together.

Some things to watch out for - make sure you consider the SOA parameters
carefully, particularly the refresh time, and make sure you use/properly
configure the notify option on your zones for slaves.  The actual zones are
small, and on some later versions of BIND incremental transfer is an option.
Lock down your BIND security using ACLs to control who can update the SRV
zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register
domain level A records at the DNS root (AD forest root) as this is currently
registered to our web server.  We get regular DNS authentication errors as
DCs try to authenticate to the BIND servers for secure updates, but they
move on and try non-secure updates and everything works fine.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN aliases.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

The public DNS will stay with Bind (for ever!).

The merit of paralleling ou

RE: [ActiveDir] AD Phone list

2004-06-10 Thread Jason Benway
Here is his current code and error:

___

The error 0x80004005 Unspecified Error occurs when I try to query for
various items. I've added "otherphone" to this code as an example. The error
occurs on line 18: "objRS.Open strSQL, objConn, 1, 1".
 


 
strSearchString = "Firstname Lastname"

Dim objConn, strSQL, objRS, strConn
Set objConn = Server.CreateObject("ADODB.Connection")
Set objRS = Server.CreateObject("ADODB.Recordset")
objConn.Provider = "ADsDSOObject"
strConn = "Active Directory Provider"
objConn.Open strConn
strSQL = "SELECT givenname, sn, telephonenumber, otherphone "
', mobile, facsimilyTelephoneNumber, pager
strSQL = strSQL & "FROM 'LDAP://DOMAIN.COM' "
strSQL = strSQL & "WHERE objectClass = 'user' "
strSQL = strSQL & "AND (givenName = '*" & strSearchString & "*' OR sn = '*" _
    & strSearchString & "*' OR displayName = '*" & strSearchString & "*') "
strSQL = strSQL & "ORDER BY sn"
objRS.Open strSQL, objConn, 1, 1

While NOT objRS.EOF AND NOT objRS.BOF

 strFirstName = objRS("givenname").value
 strLastName = objRS("sn").value
 If objRS("telephonenumber").value = "" OR IsNull(objRS("telephonenumber").value) Then
  strFullTelephoneNumber = ""
 Else
  strFullTelephoneNumber = objRS("telephonenumber").value
 End If
 ' The code treats otherphone as multi-valued: Null when unset, otherwise a
 ' Variant array. Test for Null before calling Join; Join(Null) raises a
 ' type mismatch.
 varOther = objRS("otherphone").value
 If IsNull(varOther) Then
  strExtension = ""
 ElseIf IsArray(varOther) Then
  strExtension = Join(varOther)
 Else
  strExtension = CStr(varOther)
 End If

 Response.Write("" & strFirstName & " " & strLastName & "")
 Response.Write("Phone Number: " & strFullTelephoneNumber & "")
 Response.Write("")
 objRS.MoveNext
Wend

objRS.close
objConn.close
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
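As an added example (not code from the thread), the same search rewritten for the ADsDSOObject provider's LDAP dialect, with the search string escaped per RFC 4515 before it is spliced into the filter and every directory value HTML-encoded before it is written to the page; the posted code concatenates strSearchString straight into a quoted literal, so once that string comes from a form field a quote or parenthesis in it rewrites the query. It keeps the DOMAIN.COM placeholder as the search base and queries otherTelephone, the schema attribute for additional office numbers (otherphone is not an attribute in the default AD schema, which is a likely cause of the 0x80004005 on Open); the names in the demo are constructed.

```powershell
# Added example, not code from the thread. DOMAIN.COM is the thread's
# placeholder; the names in the demo are made up.

function ConvertTo-LdapFilterLiteral {
    # RFC 4515 escaping: backslash, asterisk, parentheses and NUL inside a
    # filter value become \XX hex escapes, so whatever the user typed can only
    # be matched as text and can never add or close a filter term.
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\' + ([int][char]$m.Value).ToString('x2')
    })
}

function New-PhoneSearchCommand {
    # ADO command text in the ADsDSOObject provider's LDAP dialect:
    #   <search root>;(filter);attribute list;scope
    # The posted query's 'otherphone' is not an attribute in the default
    # schema; the additional office numbers live in otherTelephone, which is
    # multi-valued and comes back as an array.
    param(
        [Parameter(Mandatory = $true)][string]$SearchString,
        [string]$SearchBase = 'LDAP://DOMAIN.COM'
    )
    $s = ConvertTo-LdapFilterLiteral -Value $SearchString
    # objectCategory=person keeps computer accounts (also objectClass=user) out
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(givenName=*$s*)(sn=*$s*)(displayName=*$s*)))"
    "<$SearchBase>;$filter;givenName,sn,telephoneNumber,otherTelephone;subtree"
}

function Format-PhoneRow {
    # HTML-encode every directory value on output. Attributes such as
    # displayName are written by help desks and self-service tools; treat
    # them as untrusted data, not as markup.
    param([string]$GivenName, [string]$Surname, [string]$Telephone, $Other)
    $name  = [System.Net.WebUtility]::HtmlEncode(("$GivenName $Surname").Trim())
    $phone = [System.Net.WebUtility]::HtmlEncode($Telephone)
    $more  = [System.Net.WebUtility]::HtmlEncode((@($Other) | Where-Object { $_ }) -join ', ')
    "<b>$name</b><br>Phone Number: $phone<br>Other: $more<br>"
}

function Invoke-PhoneSearch {
    # Run the query and return one HTML row per match. Needs a domain-joined
    # Windows host with the ADSI provider; not called by the demo below.
    param([Parameter(Mandatory = $true)][string]$CommandText)
    $conn = New-Object -ComObject ADODB.Connection
    $conn.Provider = 'ADsDSOObject'
    $conn.Open('Active Directory Provider')
    try {
        $rs = $conn.Execute($CommandText)
        while (-not $rs.EOF) {
            Format-PhoneRow -GivenName $rs.Fields.Item('givenName').Value `
                            -Surname   $rs.Fields.Item('sn').Value `
                            -Telephone $rs.Fields.Item('telephoneNumber').Value `
                            -Other     $rs.Fields.Item('otherTelephone').Value
            $rs.MoveNext()
        }
        $rs.Close()
    }
    finally {
        $conn.Close()
    }
}

# Demo on constructed input (no directory needed). The parentheses and the
# asterisk in the search string come out as \28, \29 and \2a, so they are
# matched literally instead of changing the filter.
New-PhoneSearchCommand -SearchString 'Smith (Sales) *'

# The apostrophe and angle brackets are encoded before reaching the browser.
Format-PhoneRow -GivenName 'Mary' -Surname "O'Brien <Test>" `
                -Telephone '555-0100' -Other @('555-0101', '555-0102')
```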


RE: [ActiveDir] AD Phone list

2004-06-10 Thread Jason Benway
Classic ASP 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Thursday, June 10, 2004 11:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Phone list

What development platform are they working with? Classic ASP, .NET,
something else?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 10:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Phone list

I talked our web developers into moving the phone list from sql to AD. They
are asking me for any resources I have to get them started. For example the
user and contact schema. They are also looking for any good sites to get
them started pulling from AD.

Thanks, jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Security

2004-06-10 Thread Passo, Larry
If you want to make sure that no one is added to the group you could
make the group a Restricted Group via a GPO.

If you want to know when a user is added to the group, you could use a
GPO to turn on auditing of "Account Management" but then you would have
to search the audit logs of all of the DCs in the domain to find the
activity.

Or you could write a script that looked at the group membership and
compared it with a pre-determined list. Then execute the script on a
schedule of your choice.

-Original Message-
From: Aaron Visser [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:51 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Security

I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with
GPO
or something built into win2k server.

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

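The scripted membership check and the Account Management audit search Larry describes, as an added PowerShell example (not code from the thread). The group DN, the DC names and the member DNs are placeholders; the comparison runs on constructed lists so it works without a directory, while the two query functions need a domain-joined host.

```powershell
# Added example, not code from the thread. The group DN, DC names and
# member DNs below are placeholders.

function Compare-GroupMembership {
    # Diff a saved baseline against the current member list. DNs compare
    # case-insensitively. One object per change, so the output can be
    # logged, mailed or fed to a monitoring system from a scheduled task.
    param(
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][string[]]$Baseline,
        [Parameter(Mandatory = $true)][AllowEmptyCollection()][string[]]$Current
    )
    $base = @{}
    foreach ($m in $Baseline) { $base[$m.ToLowerInvariant()] = $m }
    $now = @{}
    foreach ($m in $Current) { $now[$m.ToLowerInvariant()] = $m }

    foreach ($k in $now.Keys) {
        if (-not $base.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added'; Member = $now[$k] }
        }
    }
    foreach ($k in $base.Keys) {
        if (-not $now.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed'; Member = $base[$k] }
        }
    }
}

function Get-GroupMemberDn {
    # Current membership read through ADSI (domain-joined host required).
    # Membership granted through a user's primaryGroupID is not stored in
    # the group's member attribute, so it is looked up separately; 512 is
    # the RID of Domain Admins.
    param(
        [string]$GroupDn = 'CN=Domain Admins,CN=Users,DC=DOMAIN,DC=COM',
        [int]$GroupRid = 512
    )
    $group = [ADSI]"LDAP://$GroupDn"
    $direct = @($group.member) | ForEach-Object { [string]$_ }
    $searcher = [adsisearcher]"(&(objectCategory=person)(primaryGroupID=$GroupRid))"
    $primary = $searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['distinguishedname'][0] }
    @($direct) + @($primary) | Sort-Object -Unique
}

function Get-GroupMemberAddedEvent {
    # Account Management auditing writes a "member added to a security-enabled
    # global group" event on the DC that made the change, so every DC's
    # Security log has to be read. 4728 is the Windows Server 2008+ event id;
    # Windows 2000/2003 DCs log 632 (readable with Get-EventLog instead).
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [string]$GroupName = 'Domain Admins',
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Security'; Id = 4728; StartTime = $Since }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields out of the event XML
                $xml = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                if ($d['TargetUserName'] -eq $GroupName) {
                    [pscustomobject]@{
                        Time   = $_.TimeCreated
                        DC     = $dc
                        Group  = $d['TargetUserName']
                        Member = $d['MemberName']
                        By     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    }
                }
            }
    }
}

# Demo on constructed data (no directory needed): a baseline saved by an
# earlier run against the membership read now. In production $current comes
# from Get-GroupMemberDn and the baseline from a file only admins can write.
$baseline = @(
    'CN=Administrator,CN=Users,DC=DOMAIN,DC=COM',
    'CN=Alice Admin,OU=IT,DC=DOMAIN,DC=COM'
)
$current = @(
    'CN=Administrator,CN=Users,DC=DOMAIN,DC=COM',
    'CN=alice admin,OU=IT,DC=DOMAIN,DC=COM',        # same DN, different case: no change
    'CN=Svc Backup,OU=Service,DC=DOMAIN,DC=COM'     # new member: reported as Added
)
Compare-GroupMembership -Baseline $baseline -Current $current | Format-Table -AutoSize
```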


[ActiveDir] Security

2004-06-10 Thread Aaron Visser
I need to know when the Domain Admin Group has a user added to it or at
least have that operation audited, is there anyway to perform this with GPO
or something built into win2k server.

Thanks,
Aaron Visser

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Coleman, Hunter
This situation holds a lot of promise for DCs running on virtual servers. I
know it's come up on the list before, and we have done some testing but
haven't rolled it into production yet. Basically, build a DC on a virtual
server; you can set it up with replication latency and other "abnormal"
settings for DR purposes as an added benefit. At any point, you can shut
down the virtual DC, copy the disk image to an alternate location (lab), and
bring up both the original virtual DC in the production environment as well
as the virtual DC in the lab environment. You'll still have to do some
cleanup and role seizing in the lab, but from the production environment's
standpoint all that happened was a DC shutdown and restarted. 

Hunter

-Original Message-
From: Passo, Larry [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 9:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

But then you should clean up your production AD to remove mention of the DC
that isn't there anymore.

http://support.microsoft.com/?id=216498


-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not going
to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED]
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD "structure" and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated
? (we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies is causing a bit more of a headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and the information it contains are confidential and may be
privileged. If you have received this e-mail in error please notify the
sender immediately and delete the material from any computer. Unless you
are the intended recipient, you should not copy this e-mail for any
purpose, or disclose its contents to any other person. 
The MCPS-PRS Alliance is not responsible for the completeness or
accuracy of this communication as it has been transmitted over a public
network. Whilst the MCPS-PRS Alliance monitors all communications for
potential viruses, we accept no responsibility for any loss or damage
caused by this e-mail and the information it contains.
It is the recipient's responsibility to scan this e-mail and any
attachments for viruses. Any 
e-mails sent to and from the MCPS-PRS Alliance servers may be monitored
for quality control and other purposes.

The MCPS-PRS Alliance Limited is a limited company registered in England
under company number 03444246 whose registered office is at c/o 29-33
Berners Street, London, W1T 3AB.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] AD Phone list

2004-06-10 Thread Lou Vega
What development platform are they working with? Classic ASP, .NET,
something else?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, June 10, 2004 10:54 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Phone list

I talked our web developers into moving the phone list from sql to AD. They
are asking me for any resources I have to get them started. For example the
user and contact schema. They are also looking for any good sites to get
them started pulling from AD.

Thanks, jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Passo, Larry
But then you should clean up your production AD to remove mention of the
DC that isn't there anymore.

http://support.microsoft.com/?id=216498


-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 10, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Non DR migration of AD

Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not
going to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED] 
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD "structure" and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated
? (we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies is causing a bit more of a headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Non DR migration of AD

2004-06-10 Thread Rutherford, Robert
Bring up a new DC..
Take it off the production domain and into the lab... Seize the roles?
You will have to do some clean up but it's the easiest way if it's not
going to be linked to your production domain.

Rob

-Original Message-
From: Glenn Corbett [mailto:[EMAIL PROTECTED] 
Sent: 10 June 2004 16:00
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Non DR migration of AD


All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating
the AD "structure" and using this as a test bed to cleanup AD (OU's,
objects, permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated
? (we may want to do this every few months or so). For example, we have
used LDIFDE to extract the OU structure, users and groups and
re-imported these into the test lab.  By and large this has worked very
well (took some tweaking of the LDIFDE commands to resolve some
constraint violations etc), however items such as OU security and
policies is causing a bit more of a headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Non DR migration of AD

2004-06-10 Thread Glenn Corbett
All,

We are in the process of constructing a Lab to mimic the production AD
system as closely as possible.  Doing a full DR into this environment is
certainly an option, however we have been looking into simply migrating the
AD "structure" and using this as a test bed to cleanup AD (OU's, objects,
permissions, policies etc).

Is anyone aware of tools or procedures to get the major AD configuration
components into a lab using an approach that can be scripted / automated ?
(we may want to do this every few months or so). For example, we have used
LDIFDE to extract the OU structure, users and groups and re-imported these
into the test lab.  By and large this has worked very well (took some
tweaking of the LDIFDE commands to resolve some constraint violations etc),
however items such as OU security and policies is causing a bit more of a
headache.

Any thoughts ?

TIA

Glenn


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] AD Phone list

2004-06-10 Thread Jason Benway
I talked our web developers into moving the phone list from sql to AD. They
are asking me for any resources I have to get them started. For example the
user and contact schema. They are also looking for any good sites to get
them started pulling from AD.

Thanks, jb
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Mulnick, Al
They manually enter A records?  You are certainly the exception to most of
the implementations I've seen where data input error was a big issue and
name resolution was chaotic.  It turned out that delegating the zones and
even zone transfers was much cleaner and easier to implement for those
folks. 

Just out of curiosity, this is a fairly large implementation with lots of
servers and workstations in the Active Directory that you have right?  

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, June 10, 2004 9:37 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Having successfully integrated W2K3 AD with BIND DNS at our public Internet
DNS name, I can say it can be done without much pain.  I chose to go with
BIND for all the DNS work on the internal network rather than delegate the
_srv record zones to Win/AD DNS.  Our environment does not use dynamic
addressing, and a network infrastructure group is responsible for managing
IP addressing and DNS.  They have a well established BIND infrastructure, and
they continue to manage all host A level records, which are manually
entered.  The service record zones are delegated to a specific set of BIND
DNS servers that do nothing but handle the dynamic registration for _msdcs,
_sites, _tcp and _udp.  I found this configuration more stable and easier to
troubleshoot than trying to get Windows DNS and BIND to play nicely
together.

Some things to watch out for - make sure you consider the SOA parameters
carefully, particularly the refresh time, and make sure you use/properly
configure the notify option on your zones for slaves.  The actual zones are
small, and on some later versions of BIND incremental transfer is an option.
Lock down your BIND security using ACLs to control who can update the SRV
zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register
domain level A records at the DNS root (AD forest root) as this is currently
registered to our web server.  We get regular DNS authentication errors as
DCs try to authenticate to the BIND servers for secure updates, but they
move on and try non-secure updates and everything works fine.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN aliases.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

The public DNS will stay with Bind (for ever!).

The merit of paralleling our long established DNS structure is that
everyone is familiar with it and the 'names' that come out automatically
such as [EMAIL PROTECTED] are immediately known by the customers. There is
no need to grapple (and many do) with ugly oddities that a different root
produces.

But there may be, down the track hard reasons not to do this. Anyone
with bitter experience either way?

Regards, Roger Mackenzie (Glasgow University, Scotland for the record)
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
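The BIND-side controls described in the quoted message above (dynamic updates restricted to the DCs, zone transfers restricted to the secondaries, NOTIFY to the slaves), as an added named.conf fragment that is not from the thread; the addresses, zone names and file paths are placeholders.

```conf
// Added example, not from the thread. Addresses, zone and file names are
// placeholders for your own environment.

// The DC/GCs that register their own records dynamically
acl "domain-controllers" { 192.0.2.11; 192.0.2.12; };
// The secondary (slave) servers allowed to pull zones
acl "secondaries" { 192.0.2.53; 192.0.2.54; };

options {
    directory "/var/named";
    // Default for every zone: no transfers except to our own secondaries.
    // Dynamic updates are denied by default and enabled per zone below.
    allow-transfer { "secondaries"; };
    notify yes;
};

// The public zone stays static: hosts are entered by the IP management
// group and nothing may update it over the network.
zone "example.com" IN {
    type master;
    file "static/example.com.zone";
};

// Service-record zones delegated to the BIND servers that handle dynamic
// registration. One block like this each for _msdcs, _sites, _tcp, _udp.
zone "_msdcs.example.com" IN {
    type master;
    file "dynamic/_msdcs.example.com.zone";
    // Only the DCs may register SRV/A records here. An address ACL is the
    // control the thread describes; where the DCs can complete secure
    // updates, an update-policy bound to GSS-TSIG keys is stronger than an
    // address list.
    allow-update { "domain-controllers"; };
    allow-transfer { "secondaries"; };
    // Push NOTIFY to the secondaries as soon as a DC changes a record.
    // Refresh/retry live in this zone file's SOA; the zones are small, so a
    // short refresh costs little.
    also-notify { 192.0.2.53; 192.0.2.54; };
};
```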


RE: [ActiveDir] OT: Compaq Servers

2004-06-10 Thread Glenn Corbett
Rick,

I may have been a bit harsh...sorry bout that.

We did encounter a similar issue with running SS 6.x on older hardware (like
the 3xxx series, 5500, 8000's, G1 series etc), and yes, I blame HP squarely
for this.  What we basically did is pull the new driver kits out of the new
SS and retrofit them into a modified version of the previous SS (using things
like the SST - Smartstart scripting toolkit). All of our SS 6.x series boxes
get recycled into CD-cases *grin*.

The only real major components that require support during the basic Win2k /
Win2k3 build are the RAID controller, basic hardware and network interfaces,
most of which is covered in the base Windows installation kit anyway.
Additional support for the multitude of hardware components (ilo boards etc)
is enabled by installing the appropriate Support Pack (NTSSP or whatever it's
currently called) AFTER Windows is installed, and that's pretty much what our
build does (and is essentially what SmartStart does under the covers anyway).
Use the absolute minimum mods to get the system up and running appropriately,
then install the Support Pack to get the rest of the functionality.

Not 100% foolproof - HP introduced a driver mismatch between some versions of
the RAID controller software / hardware combinations (the models escape me
atm), which necessitated a forked build until we got the problem resolved.

There will of course end up being an issue where HP deprecate support for
older hardware types under the new operating systems, however we are hoping
that the hardware has well and truly reached its use-by-date by then.  The
"canned" SmartStart however masks this to a large extent, and "forces" you
down the path you described - buying newer hardware.

My suggestion would be to look into the SSST (SmartStart Scripting Toolkit),
and forego the "canned" SmartStart installation completely.  The toolset
basically allows the creation of a scripted build using essentially the same
tools the canned install does. Adding additional hardware support is trivial,
AND you aren't subjected to the whims of HP marketing who may decide that
your hardware is "too old" to support anymore - even though it still may be
quite capable (and technically still supported from a driver perspective).

Glenn



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, 10 June 2004 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers

Huh.  Well, clearly I'm doing something wrong, or don't have the build that
you do, Glenn.  There is no option to choose Win2k3, so the right drivers
can't get installed.  Is there something specific that you're doing, like
installing as a Win2k and then upgrading the drivers after the fact?

I guess I'm a bit confused now.

-rtk


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Wednesday, June 09, 2004 3:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers

Rick,

I’m not quite sure what you mean by this.  Sure, SmartStart version 6.x is
only *really* useful for G3 based computers, but there isn’t anything
stopping you from using SmartStart 5.5x on older and newer hardware.

We have a unified build (based on the 5.5x SmartStart) that will quite
happily do builds on G1, G2, G3 (even the older PL1600, 5500’s, 8000 based
hardware) that supports Win 2k / Win 2k3.  It’s really not too difficult.
Just don’t use v6.0 (I know we don’t).

Glenn
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, 9 June 2004 11:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers
 
Sadly, HP/Compaq flat 
pissed me off with orphaning all of my '2nd gen' systems to Windows 2000, unless 
I don't want to use SmartStart for anything other than coasters.  So, I 
really have no need for the 6.0 stuff that they keep sending me that DOES 
support Windows Server 2003, but not my still quite useful but somewhat 
dinosaur-ish (according to HP/Compaq, I 
suppose)

 

To me - dumb 
move.  But, I'm sure that they had a great reason for it.  Like, not 
having any interest in customers who weren't buying brand new machines for 
Windows Server 2003

 

Rick Kingslan
MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services
Windows Server / Rights Management
Windows Security (Affiliate)
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kitchens Arthur E
Sent: Tuesday, June 08, 2004 9:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers
I believe 
RDP is free. The smartstart cd *is* free and you could build a master image with 
that then distribute/implement with any of the methods/tools previously 
mentioned in this thread. You can also get a 30 

RE: [ActiveDir] OT: Compaq Servers

2004-06-10 Thread Glenn Corbett
Ken,

I guess it’s the definition of magic here *grin*

Taking raid sets from one machine to another (with an already existing RAID
set), mounting that new RAID set, performing some tasks, passing that raid
set through a third machine, bringing it back to the original server (with
changes applied), and rebooting the original machine, and still having it
work was pretty impressive (esp since each of those three machines had
different RAID controllers and different backplanes - single and dual
channel).  I've tried to do similar things with the Mylex controller series,
but fell over at the first hurdle.  Long story short, we had a service pack
install go awry, and had to manually rollback the SP (rolling back files,
undoing reg changes etc) but were unable to do it on the original server as
it didn’t boot anymore.

Sure, a RAID volume can get corrupted, and I take your point that some of
the lower level tools may not be available.  I haven't been in a position in
recent memory where I have needed something like that (but it might have
been helpful).

That all being said, I DO have a gripe with HP at the moment with the new
6400 series controllers and HP's lack of support for older hard drives
(9/18gb especially).  The 6400 controller recommends you *upgrade* the
firmware, then *insists* you upgrade and halts at each boot until you do
it... problem is, HP haven't released the appropriate firmware *sigh*

Planned obsolescence I'm thinking.

Glenn
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, 10 June 2004 4:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers

I've played with the SmartArray controllers a lot, and they are not as
flexible for doing off-the-wall stuff as the old NETraids were, at least
with the standard tools (HP keeps promising me a boot floppy with some
powerful RAID magic, but nothing has materialized thus far...)

Am I missing some other magic here?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Wednesday, June 09, 2004 4:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers


Ken,

" I know the Compaq RAID array isn't as flexible/forgiving as the old HP
NETRaid, but I think as long as there are no other drives installed, this
*might* work."

Heh, you obviously haven't played too much with the Compaq/HP SmartArray
controllers.  We use them exclusively at my current employer, and
some of the "funky" things we have been able to pull off with the SmartArray
controllers would probably make your hair curl.  As far as RAID controllers
on the market atm, the SmartArray wins hands down in my book. Just for info,
I have supported systems based on the Mylex DAC960, IBM ServRAID and DELL
Perc (ugh) controllers as well.

The only problem with doing the mirror-break mirror-rebuild-break cycle is
the time required for the RAID to rebuild itself before you can break it
again.  On smaller 9gb drives this isn't a huge problem, but with the larger
146gb drives for example, the time taken for a raid rebuild is far exceeded
by the time taken for say a scripted installation.  For example a RAID
rebuild on a SmartArray 6400 with 146gb drives can take upwards of an hour
(depending on various factors).  I can completely rebuild a server
(including layered software such as SQL, Exchange) using a scripted install
in less than 20 minutes.

My $0.02

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Wednesday, 9 June 2004 12:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers

How about building your "gold" system, run sysprep, mirror the drive, then
break the mirror (you are talking about systems with integrated RAID,
right?) Then, use this gold disk as a master for each new system - insert
master disk and blank disk, power up to raid config, rebuild mirror, remove
master.

Boot to os and answer the post-sysprep questions. Insert blank disk so the
mirror can rebuild, or run RAID utility to reconfigure if you don't want
mirroring.

This is just theory, although I use a similar process to create new virtual
servers under VMWare.

I know the Compaq RAID array isn't as flexible/forgiving as the old HP
NETRaid, but I think as long as there are no other drives installed, this
*might* work.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, June 08, 2004 9:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Compaq Servers


I've spied the RDP tool before and it does look like a quality system, but
can't really warrant the £££. If I remember it was expensive.

**drifts off to dreamland**

Oh how I wish HP would provide me with a simple and free tool... Or a good
old gui based front end to produce a script.

**wakes to reality**

Thud!

-Original Message-
From: [EMAIL PROTECTED] 

RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread rmcdonald

Return Receipt: your document "RE: [ActiveDir] Replication of linked attributes between domain and sub-domain" was received by Ryan McDonald/bankersbank at 06/10/2004 10:19:42 AM.




List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] strange thing...

2004-06-10 Thread Bruyere, Michel
Hi, 
I did recheck that and the result is that the group is listed in there, and 
under the "local policy setting" there is no check in the box but there is one under 
the "effective policy setting" column

So the problem should be elsewhere. 

Thanks


Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)


-Message d'origine-
De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Passo, Larry
Envoyé : Wednesday, June 09, 2004 2:50 PM
À : [EMAIL PROTECTED]
Objet : RE: [ActiveDir] strange thing...

Go to one of your DCs, then run:
Start...Programs...Administrative Tools...Local Security Policies

Then under:
Local Policies...User Rights Assignments

What is the value for the "Add workstations to domain" user right?
If the technician group is missing, then another GPO is overriding that setting.

-Original Message-
From: Bruyere, Michel [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 11:19 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Hi, 
This user right has been set into the Default Domain Controller policy. I 
simply added the group "technician" in there. There was already administrators and 
domain admins in there.



Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)


-Message d'origine-
De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De la part de Passo, Larry
Envoyé : Wednesday, June 09, 2004 11:04 AM
À : [EMAIL PROTECTED]
Objet : RE: [ActiveDir] strange thing...

Do you have a GPO that is specifying that specific user right? You can
check with GPRESULT.EXE

-Original Message-
From: Rutherford, Robert
[mailto:[EMAIL PROTECTED] 
Sent: Wednesday, June 09, 2004 7:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] strange thing...

Just clarifying. It appears that you are saying ... when you first
designate the rights that members of the technician group can add wks to
the domain and the next day they cannot? 

Are the rights still set on the next day as you defined them on the
first day? Or are they reverting back?


-Original Message-
From: Bruyere, Michel [mailto:[EMAIL PROTECTED] 
Sent: 09 June 2004 15:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] strange thing...


Hi all, 
It's my first post here. I've been referred here and
been told that you guys were the "real gurus" of AD. I have a strange
thing happening and I would like to have your thoughts about it. 

Here is the situation, I created a group called "technicians" and I gave
the user right "add station to the domain" to it. I then added the
technician group to the computers OU and set the following:

List contents
Read all properties
Read permissions
Create computer objects
Delete computer objects



The problem is that when I set these, everything works fine. But the
next day when a tech (member of the technician group) tries to join a
computer to the domain he has an access denied. To fix the issue
temporarily, I gave the group the perms (create all child objects and
delete all child objects). 

I tried to remove the inheritance of the perms on this ou but it didn't
help.



I can't see why this is happening.

Thanks


Michel Bruyere
Network/systems administrator
CompTIA A+, Network+
The quickest way to find something
is to start looking for something else.
:-)



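The thread above turns on three independent controls that all have to line up before a non-admin can join a machine into a particular OU: the ACEs on the OU (Create/Delete computer objects scoped to the computer class), the "Add workstations to domain" user right as it is effectively applied on the DCs, and the domain's ms-DS-MachineAccountQuota. The following script is an added example, not code from the thread or from any of the posters, and uses today's ActiveDirectory RSAT module rather than the Win2k-era tools the posters had. The OU DN and the group name are placeholders.

```powershell
# Added example, not from the thread. Audits the three settings that decide whether a
# delegated group can join machines into an OU: the OU ACL, the "Add workstations to
# domain" user right as applied on the DC this runs on, and ms-DS-MachineAccountQuota.
# Assumes the ActiveDirectory RSAT module; the OU DN and group name are placeholders.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class. An ACE scoped to "Create/Delete computer objects"
# carries this value in ObjectType; an empty GUID means "all child objects".
$ComputerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDn,      # e.g. 'OU=Computers,DC=corp,DC=example'
        [Parameter(Mandatory)][string]$Identity   # e.g. 'CORP\technicians'
    )
    $acl = Get-Acl -Path ("AD:\" + $OuDn)
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $Identity) { continue }
        if     ($ace.ObjectType -eq $ComputerClassGuid) { $scope = 'computer objects' }
        elseif ($ace.ObjectType -eq [guid]::Empty)      { $scope = 'all child objects' }
        else                                            { $scope = $ace.ObjectType.Guid }
        [pscustomobject]@{
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            AppliesTo   = $scope
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceType
        }
    }
}

# SeMachineAccountPrivilege is the template name of "Add workstations to domain".
# secedit exports the *effective* setting on the machine it runs on, so run this on a
# DC (the right only matters there) after policy has refreshed.
function Get-MachineAccountPrivilegeHolders {
    $cfg = Join-Path $env:TEMP 'secpol-userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Select-String -Path $cfg -Encoding Unicode -Pattern '^SeMachineAccountPrivilege' |
            Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Line format: SeMachineAccountPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105
    $sids = ($line.Line -split '=', 2)[1] -split ','
    foreach ($entry in $sids) {
        $sid = $entry.Trim().TrimStart('*')
        try {
            $principal = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $principal.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }    # unresolvable SID: report it raw rather than hide it
    }
}

# Independently of any OU delegation, the quota on the domain head lets every
# authenticated user create this many computer accounts (default 10). It is not charged
# to principals that hold Create computer objects on the target container.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Get-OuDelegation -OuDn 'OU=Computers,DC=corp,DC=example' -Identity 'CORP\technicians' |
    Format-Table -AutoSize
Get-MachineAccountPrivilegeHolders
Get-MachineAccountQuota
```

If the group appears in the OU ACL but not in the output of Get-MachineAccountPrivilegeHolders on a DC, another GPO with a higher precedence is replacing the user right (user rights are not merged between GPOs, the winning GPO's list is applied whole), which matches the "local policy setting unchecked, effective setting checked" symptom Larry asked Michel to look for.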

RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Frost . David
Having successfully integrated W2K3 AD with BIND DNS at our public Internet
DNS name, I can say it can be done without much pain.  I chose to go with
BIND for all the DNS work on the internal network rather than delegate the
_srv record zones to Win/AD DNS.  Our environment does not use dynamic
addressing, and a network Infrastructure group is responsible for managing
IP addressing and DNS.  They have a well established BIND infrastructure, and
they continue to manage all host A level records, which are manually
entered.  The Service Record Zones are delegated to a specific set of BIND
DNS servers that do nothing but handle the dynamic registration for _msdcs
_sites _tcp and _udp.  I found this configuration more stable and easier to
troubleshoot than trying to get Windows DNS and BIND to play nicely
together.

Some things to watch out for - Make sure you consider the SOA parameters
carefully, particularly the refresh time, and make sure you use/properly
configure the notify option on your zones for slaves.  The actual zones are
small, and on some later versions of BIND incremental transfer is an option.
Lock down your BIND security using ACLs to control who can update the SRV
zones and who can get zone transfers.

On the Windows side, what we see is a failure (netlogon) to register
domain level A records at the DNS root (AD forest root) as this is currently
registered to our web server.  We get regular DNS authentication errors as
DCs try to authenticate to the BIND servers for secure updates, but they
move on and try non-secure updates and everything works fine.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, June 10, 2004 8:53 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Debate over 'split horizon' DNS

Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN alias'.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

The public DNS will stay with Bind (for ever!).

The merit of paralleling our long established DNS structure is that
everyone is familiar with it and the 'names' that come out automatically
such as [EMAIL PROTECTED] are immediately known by the customers. There is
no need to grapple (and many do) with ugly oddities that a different root
produces.

But there may be, down the track hard reasons not to do this. Anyone
with bitter experience either way?

Regards, Roger Mackenzie (Glasgow University, Scotland for the record)
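Two things David's setup depends on are checkable from a DC: that the DC Locator SRV records actually landed in the zones delegated to BIND, and that Netlogon can be told not to register the domain-apex A record that collides with the web server (the "same as parent" record it keeps failing on). The script below is an added example, not from the thread or any poster; it uses the DnsClient module's Resolve-DnsName and the documented Netlogon DnsAvoidRegisterRecords value, which predates this thread. The domain name and resolver address are placeholders.

```powershell
# Added example, not from the thread. Verifies that the DC Locator SRV records a domain
# needs exist in the delegated _msdcs/_tcp/_udp zones, and shows the Netlogon setting that
# stops a DC registering the domain-apex A record when that name belongs to the public
# web server. $Domain and $Resolver are placeholders.
$Domain   = 'ad.example.ac.uk'   # or the public name, if AD is rooted there
$Resolver = '10.0.0.53'          # a BIND server authoritative for the delegated zones

function Test-DcLocatorRecords {
    param([Parameter(Mandatory)][string]$Domain, [string]$Server)
    $names = @(
        "_ldap._tcp.dc._msdcs.$Domain",       # every DC of the domain
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.pdc._msdcs.$Domain",      # PDC emulator
        "_ldap._tcp.gc._msdcs.$Domain",       # GCs; lives under the *forest root* name
        "_kerberos._udp.$Domain",
        "_kpasswd._tcp.$Domain"
    )
    foreach ($n in $names) {
        $q = @{ Name = $n; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $q['Server'] = $Server }
        $r = @(Resolve-DnsName @q | Where-Object { $_.Type -eq 'SRV' })
        [pscustomobject]@{
            Record  = $n
            Found   = ($r.Count -gt 0)
            Targets = ($r | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
        }
    }
}

# Netlogon skips registering every mnemonic listed in this REG_MULTI_SZ. 'LdapIpAddress'
# is the "<domain>.  A  <dc-ip>" record at the zone apex, the one that collides with a
# web server already answering for the bare domain name. SRV records are unaffected.
function Disable-ApexARecordRegistration {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $existing = (Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    $current  = @($existing | Where-Object { $_ })        # drop a $null when the value is absent
    if ($current -notcontains 'LdapIpAddress') {
        New-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -PropertyType MultiString `
            -Value ($current + 'LdapIpAddress') -Force | Out-Null
    }
    # Re-run registration so the DC stops retrying (and logging) the apex update.
    nltest /dsregdns | Out-Null
}

Test-DcLocatorRecords -Domain $Domain -Server $Resolver | Format-Table -AutoSize
```

Run Test-DcLocatorRecords twice, once against the delegated BIND server and once against a resolver clients actually use, so a delegation that works from the DC but not from the client side shows up as a difference between the two runs.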


RE: [ActiveDir] question on gpresult.exe

2004-06-10 Thread jpsalemi




Hey Daniel

I'd just look at the dups... see if they are members of each other... or of
another group that makes them members of each other...

It can get pretty complicated

Have fun,
John






From: "Rodriguez, Daniel [EPM/SRM]" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 06/09/2004 07:51 PM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] question on gpresult.exe


How would I go about and find out? By checking all groups? Hmm.. I will let
you know. Anything else that you can think of or suggest would be very
helpful.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 09, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] question on gpresult.exe

Hi Daniel..

I'm wondering if you have some groups "double-nested" one is a member of
the other, and the reverse also?

We use group nesting a lot here, running a gpresult enumerates all groups,
but i had no duplicates.

John

From: "Rodriguez, Daniel [EPM/SRM]" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 06/09/2004 11:26 AM
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: [ActiveDir] question on gpresult.exe

Here you go;

--

C:\WINNT>gpresult
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999

Created on Wednesday, June 09, 2004 at 10:31:53 AM

Operating System Information:

Operating System Type:  Professional
Operating System Version:   5.0.2195.Service Pack 4
Terminal Server Mode:   Not supported

###

  User Group Policy results for:

  CN=DERODR,OU=Administrators,OU=Sherman,OU=Fisher Controls,DC=na,DC=emersonprocess,DC=com

  Domain Name:  EPM-NA
  Domain Type:  Windows 2000
  Site Name:SRM01-US

  Roaming profile:  (None)
  Local profile:C:\Documents and Settings\derodr

  The user is a member of the following security groups:

EPM-NA\Domain Users
\Everyone
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
EPM-NA\USSRM-MAIL-ADMIN
EPM-NA\ussrm-admins
EPM-NA\USSRM-Toluca Users
EPM-NA\Group Policy Creator Owners
EPM-NA\USSRM-RealTime
EPM-NA\USSRM-Soft_Support
EPM-NA\USSRM-IS-USERS
EPM-NA\USSRM-LGNIS
EPM-NA\ussrm-users
EPM-NA\USSRM-LGNIS
EPM-NA\USSRM-Soft_Support
EPM-NA\USSRM-Toluca Users
EPM-NA\USSRM-IS-USERS
EPM-NA\USSRM-MAIL-ADMIN
EPM-NA\USSRM-RealTime
EPM-NA\USMTN-ENG_
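John's suggestion is to check by hand whether the duplicated groups are nested in each other, or reached through a third group. The script below is an added example, not from the thread or any poster: it walks group nesting outward from a user with the ActiveDirectory RSAT module and records every distinct path by which each group is reached, so a group that is reachable two ways, or a nesting loop (A in B, B in A), is listed rather than silently skipped. The user name is a placeholder.

```powershell
# Added example, not from the thread. Records every nesting path from a user to each
# group it ends up in, and flags loops, which is what to look at when a group shows up
# more than once in a membership listing. Assumes the ActiveDirectory RSAT module;
# the sample user name is a placeholder.
Import-Module ActiveDirectory

function Get-GroupMembershipPaths {
    param([Parameter(Mandatory)][string]$User)
    $start = Get-ADUser -Identity $User -Properties memberOf
    $paths = @{}                                   # group DN -> list of path strings
    $queue = New-Object System.Collections.Queue
    foreach ($g in $start.memberOf) {
        $queue.Enqueue(@{ Dn = $g; Path = @($start.DistinguishedName) })
    }
    while ($queue.Count -gt 0) {
        $item = $queue.Dequeue()
        $dn   = $item.Dn
        if (-not $paths.ContainsKey($dn)) { $paths[$dn] = @() }
        $route = ($item.Path + $dn) -join ' -> '
        if ($item.Path -contains $dn) {
            # The group is already on the path we arrived by: a nesting loop. Record it
            # and stop here, otherwise the walk never terminates.
            $paths[$dn] += "LOOP: $route"
            continue
        }
        $paths[$dn] += $route
        $grp = Get-ADGroup -Identity $dn -Properties memberOf
        foreach ($parent in $grp.memberOf) {
            $queue.Enqueue(@{ Dn = $parent; Path = ($item.Path + $dn) })
        }
    }
    foreach ($k in $paths.Keys) {
        [pscustomobject]@{
            Group     = $k
            PathCount = $paths[$k].Count
            Loop      = [bool]($paths[$k] | Where-Object { $_ -like 'LOOP:*' })
            Paths     = ($paths[$k] -join "`n")
        }
    }
}

# Groups reached by more than one route, or involved in a loop, come first.
Get-GroupMembershipPaths -User 'derodr' |
    Sort-Object -Property Loop, PathCount -Descending |
    Format-List Group, PathCount, Loop, Paths
```

Only direct and nested group memberships stored in memberOf are walked; primary group, well-known SIDs such as Everyone and INTERACTIVE, and cross-domain universal groups that the queried DC does not hold are outside what this walk can see, which is why the list it produces and a token dump like the gpresult output above will never match one-for-one.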

RE: [ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Mulnick, Al
Bitter experience?  Perhaps not bitter, but having seen (and tried) many
attempts to integrate Active Directory with BIND, I would say that is not
the way you want to go if you want a stable environment.  It's not that it
can't be done, it's that it's not a good idea in most situations I've seen
where you try to directly integrate Active Directory into existing BIND
zones.  Better to delegate a zone to Active Directory and work on ways to
modify the UPN alias'.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Mackenzie
Sent: Thursday, June 10, 2004 5:42 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Debate over 'split horizon' DNS

Folks,

I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

The public DNS will stay with Bind (for ever!).

The merit of paralleling our long established DNS structure is that
everyone is familiar with it and the 'names' that come out automatically
such as [EMAIL PROTECTED] are immediately known by the customers. There is
no need to grapple (and many do) with ugly oddities that a different root
produces.

But there may be, down the track hard reasons not to do this. Anyone
with bitter experience either way?

Regards, Roger Mackenzie (Glasgow University, Scotland for the record)


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Tony Murray

Post in haste, repent at leisure.

I've said "member" (more than once) below when I should have said "manager".

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 05:48:33 -0400


Mmmh. I believe this is where the Infrastructure Master comes into the picture.  I'm a 
bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to 
objects in other domains.  We know that member (forward) and directReports (backward) 
are examples of linked attributes.  We also know that only the member attribute value 
is replicated between GCs.  This makes sense, because when you query for the 
directReports the value is calculated on-the-fly.  Back to the IM.  The IM 
periodically updates the references (using phantom records in the directory database) 
and replicates any changes to DCs in its domain.  This is the process that allows you 
to see, e.g. local group memberships, directReports, etc. that contain values from 
other domains. So there will be a delay between the time that you create the 
forward/backward link and the time that you will be able to query the directReports 
value (if the values are DNs from a different domain).

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be 
wrong).  You may have to simply wait.  Let us know what happens.  In the meantime, 
some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the 
directReports entries from the other domain.  Of course if all the DCs in the domain 
are also GCs this will not be an issue.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 11:17:13 +0200

Thanks Tony !

But, I don't query the Global Catalog but the whole directory itself.
I connect the DC of the "titi.com" domain to see the "usertiti" user and I connect the 
DC of the "toto.titi.com" domain to see the "usertoto" user.

Is it so because "toto.titi.com" is a sub-domain of "titi.com" ?

-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] la part de Tony Murray
Envoyé : jeudi 10 juin 2004 11:04
À : [EMAIL PROTECTED]
Objet : Re: [ActiveDir] Replication of linked attributes between domain
and sub-domain


The manager attribute is replicated between GCs as part of the Partial Attribute Set.  
The directReports attribute isn't.  Whether you see it or not will depend on the 
domain of the DC you are querying.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain "titi.com" with a sub-domain "toto.titi.com", a user "usertiti" on 
"domain titi.com" and a user "usertoto" on "domain toto.titi.com".
I set "usertiti" as manager of "usertoto" and "usertoto" as manager of "usertiti".
When I look at the "usertoto" and "usertiti" entries in the directories, I have:
- the manager attribute of "usertiti" is correctly set at "usertoto",
- the directReports attribute of "usertiti" is correctly set at "usertoto",
- the manager attribute of "usertoto" is correctly set at "usertiti",
- but, the directReports attribute of "usertoto" is not correctly set at "usertiti" !

Why ? Is it normal or is it a replication problem ?

Thanks in advance for your answers...


Solange Desseignes


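The thread hinges on a property of linked attributes that is easy to verify: the forward link (manager) is stored and replicated, the back-link (directReports) is never stored at all, each DC computes it on the fly from the forward links present in its own database. A DC that is also a GC holds a partial replica of every domain, including other domains' manager values, so it can show a cross-domain directReports entry; a non-GC DC of the same domain cannot. The script below is an added example, not from the thread or any poster: it reads the link pair out of the schema (even linkID = forward link, odd = back-link, plus whether the forward link is in the GC partial attribute set), then queries the same user on two DCs of its own domain, one GC and one not. User DN and server names are placeholders.

```powershell
# Added example, not from the thread. (1) Reads the manager/directReports link pair from
# the schema; (2) compares what a GC and a non-GC DC of the user's own domain return for
# it. Assumes the ActiveDirectory RSAT module; DN and server names are placeholders.
Import-Module ActiveDirectory

function Get-LinkPairSchema {
    param([string[]]$Attributes = @('manager', 'directReports'))
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    foreach ($a in $Attributes) {
        $s = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$a)" `
                -Properties linkID, isMemberOfPartialAttributeSet
        # Even linkID = forward link (stored, replicated); odd = back-link (computed).
        if ($s.linkID % 2 -eq 0) { $role = 'forward link' } else { $role = 'back-link' }
        [pscustomobject]@{
            Attribute = $a
            LinkID    = $s.linkID
            Role      = $role
            InGcPAS   = [bool]$s.isMemberOfPartialAttributeSet
        }
    }
}

function Compare-LinkedAttributeView {
    param(
        [Parameter(Mandatory)][string]$UserDn,    # e.g. 'CN=usertoto,CN=Users,DC=toto,DC=titi,DC=com'
        [Parameter(Mandatory)][string[]]$Servers  # DCs of the user's own domain: one GC, one non-GC
    )
    foreach ($s in $Servers) {
        $dc = Get-ADDomainController -Identity $s
        $u  = Get-ADUser -Identity $UserDn -Server $s -Properties manager, directReports
        [pscustomobject]@{
            Server          = $s
            IsGlobalCatalog = $dc.IsGlobalCatalog
            Manager         = $u.manager
            DirectReports   = ($u.directReports -join '; ')
        }
    }
}

Get-LinkPairSchema | Format-Table -AutoSize
Compare-LinkedAttributeView -UserDn 'CN=usertoto,CN=Users,DC=toto,DC=titi,DC=com' `
    -Servers 'dc1.toto.titi.com', 'gc1.toto.titi.com' | Format-Table -AutoSize
```

The Manager column is the same on both servers (it is stored on usertoto's own object, which both DCs hold); only DirectReports differs, and it differs by whether the answering DC holds titi.com's manager values, not by which port was queried.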


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Tony Murray

Mmmh. I believe this is where the Infrastructure Master comes into the picture.  I'm a 
bit rusty, but here goes.

The IM is responsible for maintaining references from objects in its own domain to 
objects in other domains.  We know that member (forward) and directReports (backward) 
are examples of linked attributes.  We also know that only the member attribute value 
is replicated between GCs.  This makes sense, because when you query for the 
directReports the value is calculated on-the-fly.  Back to the IM.  The IM 
periodically updates the references (using phantom records in the directory database) 
and replicates any changes to DCs in its domain.  This is the process that allows you 
to see, e.g. local group memberships, directReports, etc. that contain values from 
other domains. So there will be a delay between the time that you create the 
forward/backward link and the time that you will be able to query the directReports 
value (if the values are DNs from a different domain).

I'm not sure how often the IM cycles (I seem to remember 8 hours, but I could well be 
wrong).  You may have to simply wait.  Let us know what happens.  In the meantime, 
some of the list gurus may be able to offer a better explanation?

Also, ensure that your IM is not on a GC as this may prevent you from seeing the 
directReports entries from the other domain.  Of course if all the DCs in the domain 
are also GCs this will not be an issue.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 11:17:13 +0200

Thanks Tony !

But, I don't query the Global Catalog but the whole directory itself.
I connect the DC of the "titi.com" domain to see the "usertiti" user and I connect the 
DC of the "toto.titi.com" domain to see the "usertoto" user.

Is it so because "toto.titi.com" is a sub-domain of "titi.com" ?

-Message d'origine-
De : [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] la part de Tony Murray
Envoyé : jeudi 10 juin 2004 11:04
À : [EMAIL PROTECTED]
Objet : Re: [ActiveDir] Replication of linked attributes between domain
and sub-domain


The manager attribute is replicated between GCs as part of the Partial Attribute Set.  
The directReports attribute isn't.  Whether you see it or not will depend on the 
domain of the DC you are querying.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain "titi.com" with a sub-domain "toto.titi.com", a user "usertiti" on 
"domain titi.com" and a user "usertoto" on "domain toto.titi.com".
I set "usertiti" as manager of "usertoto" and "usertoto" as manager of "usertiti".
When I look at the "usertoto" and "usertiti" entries in the directories, I have:
- the manager attribute of "usertiti" is correctly set at "usertoto",
- the directReports attribute of "usertiti" is correctly set at "usertoto",
- the manager attribute of "usertoto" is correctly set at "usertiti",
- but, the directReports attribute of "usertoto" is not correctly set at "usertiti" !

Why ? Is it normal or is it a replication problem ?

Thanks in advance for your answers...


Solange Desseignes




[ActiveDir] Debate over 'split horizon' DNS

2004-06-10 Thread Roger Mackenzie
Folks,

I'm looking for input to a debate we're having over whether or not
to root our campus Active Directory at gla.ac.uk (which is our public
internet persona) or at some other point such as ad.gla.ac.uk (which creates
a pseudo department in local terms) or gla.ac.uk.local.

The public DNS will stay with Bind (for ever!).

The merit of paralleling our long established DNS structure is that
everyone is familiar with it and the 'names' that come out automatically
such as [EMAIL PROTECTED] are immediately known by the customers. There is
no need to grapple (and many do) with ugly oddities that a different root
produces.

But there may be, down the track hard reasons not to do this. Anyone
with bitter experience either way?

Regards, Roger Mackenzie (Glasgow University, Scotland for the record)


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Jimmy Andersson
 If you really want/need it to be replicated to the GCs, you can use the
Schema snap-in, and check the box in front of 'Replicate this attribute to
the Global Catalog'.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Thursday, June 10, 2004 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Replication of linked attributes between domain and
sub-domain

The manager attribute is replicated between GCs as part of the Partial
Attribute Set.  The directReports attribute isn't.  Whether you see it or
not will depend on the domain of the DC you are querying.

Tony

-- Original Message --
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 10 Jun 2004 10:02:34 +0200

Hi,

I have a domain "titi.com" with a sub-domain "toto.titi.com", a user
"usertiti" on "domain titi.com" and a user "usertoto" on "domain
toto.titi.com".
I set "usertiti" as manager of "usertoto" and "usertoto" as manager of
"usertiti". 
When I look a the "usertoto" and "usertiti" entries in the directories, I
have:
- the manager attribute of "usertiti" is correctly set at "usertoto",
- the directReports attribute of "usertiti" is correctly set at "usertoto",
- the manager attribute of "usertoto" is correctly set at "usertiti",
- but, the directReports attribute of "usertoto" is not correctly set at
"usertiti" !

Why ? Is it normal or is it a replication problem ?

Thanks in advance for your answers...


Solange Desseignes


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

 





Sent via the WebMail system at mail.activedir.org


 
   
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Solange Desseignes
Thanks Tony!

But I don't query the Global Catalog, I query the whole directory itself.
I connect to the DC of the "titi.com" domain to see the "usertiti" user and to the
DC of the "toto.titi.com" domain to see the "usertoto" user.

Is it so because "toto.titi.com" is a sub-domain of "titi.com"?



Re: [ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Tony Murray
The manager attribute is replicated between GCs as part of the Partial Attribute Set.  
The directReports attribute isn't.  Whether you see it or not will depend on the 
domain of the DC you are querying.

Tony


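The behaviour Tony describes (whether directReports shows up depends on which DC answers), together with the schema check behind Jimmy's "Replicate this attribute to the Global Catalog" suggestion, as an added example that is not part of the thread and not anyone's posted code: an offline Python model of how a DC answers a read of a linked attribute pair. manager is a forward link (linkID 42) that is stored, replicated and in the partial attribute set; directReports is its back-link (linkID 43), which no DC stores or replicates but each DC computes from the forward links it holds. A GC holds a partial replica of the other domains containing only PAS attributes, so it can compute cross-domain back-links; a non-GC DC cannot. The domain and user names are the thread's; the two DC host names, which of them is a GC (the forest-root DC, by default) and the three-entry mini-schema are constructed assumptions.

```python
"""Offline model of how a DC answers a read of a linked attribute pair.

Added example, not code from the thread.  Domain and user names come from
the thread; the two DCs, their GC flags and the mini-schema are constructed.
"""
from dataclasses import dataclass
from typing import Dict

# Constructed mini-schema (real AD linkIDs for manager/directReports are 42/43).
SCHEMA: Dict[str, dict] = {
    "manager":       {"linkID": 42,   "isMemberOfPartialAttributeSet": True},
    "directReports": {"linkID": 43,   "isMemberOfPartialAttributeSet": False},
    "description":   {"linkID": None, "isMemberOfPartialAttributeSet": False},
}

def is_back_link(attr: str) -> bool:
    """Odd linkID = back-link: computed on the fly, never stored or replicated."""
    link = SCHEMA[attr]["linkID"]
    return link is not None and link % 2 == 1

def forward_link_of(back_link: str) -> str:
    """The forward link of a pair has the even linkID one below the back-link's."""
    want = SCHEMA[back_link]["linkID"] - 1
    return next(a for a, s in SCHEMA.items() if s["linkID"] == want)

def attribute_route(attr: str) -> str:
    """How a value of `attr` reaches (or does not reach) a GC in another domain."""
    if is_back_link(attr):
        return f"computed back-link of {forward_link_of(attr)}"
    if SCHEMA[attr]["isMemberOfPartialAttributeSet"]:
        return "stored, replicated to every GC (in the PAS)"
    return "stored, replicated within its own domain only"

USERTITI = "CN=usertiti,CN=Users,DC=titi,DC=com"
USERTOTO = "CN=usertoto,CN=Users,DC=toto,DC=titi,DC=com"

# Writable naming contexts holding the *stored* attributes only (constructed
# data matching the thread: each user is the other's manager).
PARTITIONS: Dict[str, Dict[str, Dict[str, str]]] = {
    "DC=titi,DC=com": {
        USERTITI: {"manager": USERTOTO, "description": "root-domain user"},
    },
    "DC=toto,DC=titi,DC=com": {
        USERTOTO: {"manager": USERTITI, "description": "child-domain user"},
    },
}

@dataclass
class DomainController:
    name: str
    domain_nc: str            # the naming context this DC holds a full replica of
    global_catalog: bool = False

    def held_objects(self) -> Dict[str, Dict[str, str]]:
        """Every object this DC has a copy of, with only the attributes it holds:
        a full replica of its own domain; other domains only if it is a GC, and
        then only the attributes that are in the partial attribute set."""
        held: Dict[str, Dict[str, str]] = {}
        for nc, objects in PARTITIONS.items():
            if nc == self.domain_nc:
                for dn, attrs in objects.items():
                    held[dn] = dict(attrs)
            elif self.global_catalog:
                for dn, attrs in objects.items():
                    held[dn] = {a: v for a, v in attrs.items()
                                if SCHEMA[a]["isMemberOfPartialAttributeSet"]}
        return held

    def read(self, dn: str, attr: str):
        """What an LDAP read of `attr` on `dn` returns from this DC."""
        held = self.held_objects()
        if dn not in held:
            return None                 # a real DC would hand back a referral
        if is_back_link(attr):
            fwd = forward_link_of(attr)
            # A back-link is derived locally: every held object whose forward
            # link points at dn.  Objects this DC does not hold cannot contribute.
            return sorted(o for o, a in held.items() if a.get(fwd) == dn)
        return held[dn].get(attr)

def scenario() -> Dict[str, object]:
    """Re-run the thread's four reads, then promote the child DC to GC."""
    # Assumption: the forest-root DC is a GC (the first DC of a forest is, by
    # default); the child-domain DC is not.  Host names are made up.
    root_dc = DomainController("dc1.titi.com", "DC=titi,DC=com", global_catalog=True)
    child_dc = DomainController("dc1.toto.titi.com", "DC=toto,DC=titi,DC=com")
    out = {
        "usertiti.manager@root":        root_dc.read(USERTITI, "manager"),
        "usertiti.directReports@root":  root_dc.read(USERTITI, "directReports"),
        "usertoto.manager@child":       child_dc.read(USERTOTO, "manager"),
        "usertoto.directReports@child": child_dc.read(USERTOTO, "directReports"),
    }
    child_dc.global_catalog = True      # the same read once the child DC is a GC
    out["usertoto.directReports@child-as-GC"] = child_dc.read(USERTOTO, "directReports")
    return out

if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:34} -> {value}")
```

The model reproduces the thread's observation: on the root DC, which holds usertoto's manager value through its GC partial replica, usertiti.directReports lists usertoto; on the child DC, which holds no copy of usertiti at all, usertoto.directReports is empty even though usertoto.manager is set. Making the child DC a GC fills it in, and removing the GC role from the root DC would empty the first one, which is the check to run before suspecting replication. Ticking "Replicate this attribute to the Global Catalog" is only meaningful for the stored forward link; `attribute_route("directReports")` reports it as a computed back-link of manager, so the value a GC in another domain needs is manager, which is already in the PAS.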

[ActiveDir] Replication of linked attributes between domain and sub-domain

2004-06-10 Thread Solange Desseignes
Hi,

I have a domain "titi.com" with a sub-domain "toto.titi.com", a user "usertiti" in
domain "titi.com" and a user "usertoto" in domain "toto.titi.com".
I set "usertiti" as manager of "usertoto" and "usertoto" as manager of "usertiti".
When I look at the "usertoto" and "usertiti" entries in the directories, I have:
- the manager attribute of "usertiti" is correctly set to "usertoto",
- the directReports attribute of "usertiti" is correctly set to "usertoto",
- the manager attribute of "usertoto" is correctly set to "usertiti",
- but the directReports attribute of "usertoto" is not correctly set to "usertiti"!

Why? Is it normal, or is it a replication problem?

Thanks in advance for your answers...


Solange Desseignes

