RE: [ActiveDir] Kerberos error

2004-08-01 Thread Eric Fleischman
Note the error code: KDC_ERR_S_PRINCIPAL_UNKNOWN

Did you request the ticket properly?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, July 30, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos error

I'm trying to get pass-thru authentication to work with an
external Kerberos realm. I am getting this error. I think I have things set up
right, but I've been known to fudge things. Does anyone know what this might
mean? 

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date:  7/30/2004
Time:  3:28:19 PM
User:  N/A
Computer: KWAME-TURE
Description:
A Kerberos Error Message was received:
 on logon session 
 Client Time: 15:49:18. 11/7/2004 Z
 Server Time: 20:28:19. 7/30/2004 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 
 Client Realm: NSCBETA.UCHICAGO.EDU
 Client Name: cflesher
 Server Realm: NSCBETA.UCHICAGO.EDU
 Server Name: krbtgt/UCHICAGO.LOCAL
 Target Name: krbtgt/[EMAIL PROTECTED]
 Error Text: UNKNOWN_SERVER
 File: 9
 Line: ab8
 Error Data is in record data.

For more information, see Help and Support Center
at http://go.microsoft.com/fwlink/events.asp.

Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
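
Eric's pointer to the error code is the key. As an added example (not from the thread), the Python below parses the Event ID 3 description quoted above and explains what a KDC_ERR_S_PRINCIPAL_UNKNOWN for krbtgt/<other realm> means: the KDC of the Server Realm was asked for a cross-realm ticket to UCHICAGO.LOCAL and has no krbtgt principal for that realm, i.e. no trust or realm mapping is in place. It also checks the client/server clock difference the event reports. The error-code names and the 5-minute skew tolerance are the standard Kerberos (RFC 4120) values; the event text is the one from Chris's post.

```python
"""Parse a Windows 'Kerberos' Event ID 3 description and explain the KDC error.

Added example, not code from the list post. The sample event body is the one
quoted in the thread; the diagnosis rules are general Kerberos behaviour.
"""
import re
from datetime import datetime

# Event description as quoted in Chris Flesher's post (body only).
SAMPLE_EVENT = """\
A Kerberos Error Message was received:
 on logon session 
 Client Time: 15:49:18. 11/7/2004 Z
 Server Time: 20:28:19. 7/30/2004 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error: 
 Client Realm: NSCBETA.UCHICAGO.EDU
 Client Name: cflesher
 Server Realm: NSCBETA.UCHICAGO.EDU
 Server Name: krbtgt/UCHICAGO.LOCAL
 Target Name: krbtgt/[EMAIL PROTECTED]
 Error Text: UNKNOWN_SERVER
 Error Data is in record data.
"""

# RFC 4120 error codes that show up most often in these events.
KRB_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}
MAX_SKEW_SECONDS = 5 * 60  # default Kerberos clock-skew tolerance


def parse_event(text):
    """Return the 'Key: value' fields of the event description as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_time(value):
    """The event writes times as 'HH:MM:SS. M/D/YYYY Z' (UTC)."""
    return datetime.strptime(value, "%H:%M:%S. %m/%d/%Y Z")


def split_principal(name):
    """'krbtgt/UCHICAGO.LOCAL' -> ('krbtgt', 'UCHICAGO.LOCAL'); a bare name gets instance None."""
    service, _, instance = name.partition("/")
    return service, (instance or None)


def diagnose(fields):
    """Return plain-language findings for a parsed Event ID 3 description."""
    findings = []
    code_text = fields.get("Error Code", "")
    m = re.match(r"0x([0-9a-fA-F]+)", code_text)
    code = int(m.group(1), 16) if m else None
    findings.append(f"error {code_text or '?'} = {KRB_ERRORS.get(code, 'unlisted')}")

    service, instance = split_principal(fields.get("Server Name", ""))
    server_realm = fields.get("Server Realm", "")
    if code == 0x7 and service == "krbtgt" and instance and instance != server_realm:
        # The KDC was asked for a cross-realm TGT; it only holds krbtgt/<realm>
        # keys for realms it trusts, so an unknown one means no trust/mapping.
        findings.append(
            f"KDC for {server_realm} was asked for a cross-realm TGT to {instance} "
            f"and has no krbtgt/{instance} principal: no trust or realm mapping "
            f"from {fields.get('Client Realm', '?')} to {instance}")
    elif code == 0x7:
        findings.append(f"no service principal '{fields.get('Server Name')}' in {server_realm}")

    try:
        skew = abs((parse_time(fields["Client Time"])
                    - parse_time(fields["Server Time"])).total_seconds())
    except (KeyError, ValueError):
        skew = None
    if skew is not None and skew > MAX_SKEW_SECONDS:
        findings.append(f"client and server clocks differ by {int(skew)} s "
                        f"(tolerance {MAX_SKEW_SECONDS} s): fix time sync as well")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_event(SAMPLE_EVENT)):
        print("-", finding)
```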

RE: [ActiveDir] [OT] NTFS Read-only Status

2004-08-01 Thread Michael B. Smith

It was Molly Brown’s posts that led me to believe it was possible. To wit:

http://www.osronline.com/lists_archive/ntfsd/thread1636.html
(message 7 in thread)

and others by her…

Dan Lovinger (danlo) also has a number of posts on the topic and says it’s
documented in the “IFS Kit” (and while I can presume what IFS means, I’m
certainly not up to writing a filesystem for this purpose).

I guess it’s just over my head and not generally available at this time.

I’m not well enough connected to bug the folks you mention.

Thanks for your reply.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 6:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] NTFS Read-only Status

This one had me poking around as this would be interesting functionality. I
found one hit in the newsgroups from a Molly Brown (mollybro) saying it is
possible and a one liner in MSDN around I/O Subsystem enhancements.

"NTFS will now mount read-only on an underlying read-only volume. If the
volume requires a log restart or a Chkdsk, the mount will fail."

That would seem to mean to me that it will do it automatically if the volume
itself is somehow read only through the hardware versus failing to mount at
all.

Otherwise I looked at the obvious candidates for doing that like fsutil and
mountvol and see nothing. The root api that I am aware of is
SetVolumeMountPoint and it doesn't have a way to specify optional params like
that...

http://msdn.microsoft.com/library/default.asp?url="">

Possibly there is something in the Shadow Copy API which MS is hiding from
normal people at the moment, you have to be an ISV (and under NDA) to see
them or alternatively, there might be something in the DeviceIoControl
function that could be leveraged. I will admit to not messing around in that
area at all. Might be a good question to send to Solomon or Russinovich...

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 23, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] NTFS Read-only Status

I've tried this on other groups, and it is not A/D related. But you guys
know so much...

I want a way to mount an NTFS volume read-only. I want a magic command like
"mode e: read-only". :-)

It is clear to me (and I've found references) that this is supported with
NTFS (Windows XP and above), but I cannot figure out/find out how to set it.

Any ideas?

Thanks,

Michael

RE: [ActiveDir] Question about replication connection objects

2004-08-01 Thread David Adner
The reason why I moved an  CO was because it had a
CO to DC1, but DC1 didn't have one for it; instead, DC2 did.  While this
appeared to be ok, FRS seemed to be having some issues as a backlog kept
building up.  As soon as I moved the CO so it matched between two DC's and
restarted FRS, it started working again.

As to why it was like this in the first place, I'm not entirely sure.  There
wasn't a preferred BH, nor were any of the objects manually created.  I
deleted the CO and let the KCC recreate it, but it kept re-establishing a
link to the 3rd DC. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Sunday, August 01, 2004 19:28
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Question about replication connection objects
> 
> Hmmm, interesting idea. Looking at the attribs on a 
> connection object this should be ok though you might confuse 
> something if you moved from a DC of one domain to a DC of 
> another domain...
> 
> The attribute to look at to determine if the KCC is managing 
> the object or not is the options attribute. If it is a system 
> generated connection, options&1=1.
> If it is manually created, options&1=0. 
> 
> You really shouldn't have to manually muck with them too much 
> though. If you are looking to load balance connections look 
> at ADLB. It will load balance for K3 and 2K, just read the 
> instructions on the caveats. 
> 
>   joe
> 
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Tuesday, July 20, 2004 1:43 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Question about replication connection objects
> 
> I know if I modify an  connection 
> object, it gets renamed to its GUID and takes on the behavior 
> of a manually created CO (meaning the KCC will no longer 
> automatically maintain it).
> 
> What if I move an  CO between DC's?  
> The name doesn't get renamed, but does that mean it stayed 
> automatic or is it now in effect manual?  If it's the latter, 
> how can I determine if it's behaving like a manual CO?  Is 
> there some attribute to look for?
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 


RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread joe
You could say indirectly it is DNS aware... DsGetDcName() simply calls out
to DNS for the site records that the client thinks it is a member of. :o)

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Sunday, August 01, 2004 9:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

I hadn't read this thread until just a few minutes ago. (Last week was
really busy.) :-)

But at least for OL2003 RTM, the complete process goes like this:

1) If "DS Server" registry key set, use that GC
2) If "Closest GC" registry key set, call UseDsGetDcName()
3) If fast network adapter, get DS Referral from home Exchange server
4) If slow network adapter, attempt connect with GC in MAPI profile
5) Connect to DSProxy from home Exchange server

As was pointed out before, the process varies between versions of Outlook
(and even service packs). But, to the best of my knowledge, Outlook has
never been DNS aware (insofar as finding DC/GCs).

All that being said, I'm a BIG believer in using cached mode with OL2003, in
terms of improving the user experience, except when the OAB is really large
and changes often cause the full OAB to be d/l'ed. Even then, there are
registry changes that can make it "OK".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 8:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Excellent, further proof.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Sunday, August 01, 2004 8:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

It gets the closest DC by using UseDsGetDcName().

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 6:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Barring a network trace disproving it I would agree. Setting the outlook
client to use closest *should* fall back and use what the client considers
closest, going to the Exchange server and asking at that point would be
silly and I don't actually believe Exchange has that functionality. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 26, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Hmmm,
I never really thought about how Outlook decides what's the "closest"
GC. I'm going to make a complete WAG and say that DSPROXY is not used, and
outlook does a DNS lookup for GCs relying on IP subnet sorting to get the
"closest".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Saturday, July 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Ken, thanks for the post reply on this one.

Was wondering further if you had any information on this relating to the
actual mechanics of this.  My understanding has been that OL 2002 has no
concept of site awareness

given this what i am struggling to understand is  how the OL2000
'advertises' it site membership given this registry change.  seems there are
a number of possibilities here -

-  is the clients interaction with DSPROXY modified ? or
- the interaction with DSproxy is actually 'disabled' and OL falls back
somehow to a client based DNS lookup ??

TIA

GT
- Original Message -
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 8:34 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


Outlook 2002

http://support.microsoft.com/default.aspx?scid=kb;en-us;319206&Product=ol2002

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 23, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Dear all, thanks all for your positive views on this issue.

first up i apologise for not chiming in the last week - been away at
customer site ! - esp given it was me that opened up the item.

my further research into this seems to indicate that GC discovery process
seems to vary across versions of Outlook - and specifically Outlook 2003
seems to introduce new processes ??

Would Ken be happy to confirm his version of Outlook - and required reg mods
to support local GC discovery with centralised Exchange servers ? -

I think i have referenced the "closestGC" reg value but am not sure if this
is it

TIA

GT


- Original Message -
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 19, 2004 8:25 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Ken, that is a great response. Thanks for taking the time.
>
> I can see your logic now. :)
>
> Al
>
> -Original Message-
>

RE: [ActiveDir] home directory modifications

2004-08-01 Thread joe
LOL.

Too many more scripts up there and I will have to close down joeware and
just start selling tupperware at that URL...

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] home directory modifications

Do so - at your peril, Sir!
 
and, while you are at it, don't tell Joe :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Mulnick, Al
Sent: Wed 7/21/2004 2:31 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] home directory modifications



If option two doesn't do it, this might be a good starting point (Deji's
option 2)
http://tinyurl.com/5jne3

The code here assumes you already have the userdn.  That's easy enough to
get if they're all in the same ou.  If not, modify Deji's script -- it'll be
faster.
Once you bind to the user object, read the homedrive attribute, parse it
(split is a pretty good function for this) and then read it back into the
variable you want and update the user object with the vars you want.

Cool scripts Deji!!  I'm going to have to start crawling that site a bit
more :)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] home directory modifications

Depending on how brave you are, one of these MAY help you.

http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=35
http://www.akomolafe.com/DesktopModules/ViewDocument.aspx?DocumentID=26


Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of James Payne
Sent: Wed 7/21/2004 12:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] home directory modifications







I have about 200 users setup to connect h: to \\goofy\home\username.  I am
moving the data on \\goofy\home\ to \\mickey\home\.  Is there a script
laying around somewhere that would allow me to change this path in
everyone's profile at once?  It would beat doing this manually for
every user.

Thanks again for any help you guys can provide.

James



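As an added example (not Deji's script or the tinyurl code, and written in Python rather than VBScript), this is the parse-and-rewrite step Al describes: read each user's UNC path, check that it really lives under \\goofy\home, and build the list of homeDirectory changes to push. It assumes the standard AD attribute names homeDirectory and homeDrive; the user entries are constructed sample data, and writing the changes back is left to your LDAP or ADSI client.

```python
"""Plan the homeDirectory move from \\goofy\home\<user> to \\mickey\home\<user>.

Added example, not a script from the thread. It computes the new value for
each user and emits an LDAP modify plan; the sample entries are constructed.
"""
import ntpath  # Windows path semantics regardless of the host OS

OLD_ROOT = r"\\goofy\home"
NEW_ROOT = r"\\mickey\home"


def split_unc(path):
    r"""Return (root, tail) for a UNC path: '\\goofy\home\jdoe' -> ('\\goofy\home', 'jdoe')."""
    drive, tail = ntpath.splitdrive(path)  # drive holds \\server\share for UNC paths
    return drive, tail.lstrip("\\")


def rewrite_home(path, old_root=OLD_ROOT, new_root=NEW_ROOT):
    """Return the moved path, or None if this path does not live under old_root."""
    root, tail = split_unc(path)
    # Compare case-insensitively (UNC names are), and refuse a bare share or a
    # path on some other server so nobody's home folder is pointed at the wrong place.
    if root.lower() != old_root.lower() or not tail:
        return None
    return ntpath.join(new_root, tail)


def plan_changes(entries, old_root=OLD_ROOT, new_root=NEW_ROOT):
    """Build an LDAP modify plan [(dn, attribute, new_value), ...] for users that need it."""
    plan = []
    for dn, attrs in entries:
        current = attrs.get("homeDirectory")
        if not current:
            continue  # no home folder configured; nothing to move
        new = rewrite_home(current, old_root, new_root)
        if new and new != current:
            plan.append((dn, "homeDirectory", new))
    return plan


# Constructed sample entries (DN, attributes) standing in for an LDAP search result.
SAMPLE_USERS = [
    ("CN=jdoe,OU=Staff,DC=example,DC=com",
     {"homeDrive": "H:", "homeDirectory": r"\\goofy\home\jdoe"}),
    ("CN=asmith,OU=Staff,DC=example,DC=com",
     {"homeDrive": "H:", "homeDirectory": r"\\GOOFY\Home\asmith"}),
    ("CN=bwong,OU=Staff,DC=example,DC=com",
     {"homeDrive": "H:", "homeDirectory": r"\\pluto\home\bwong"}),
    ("CN=svc-backup,OU=Service,DC=example,DC=com", {}),
]

if __name__ == "__main__":
    # Dry run: print what would be written; feed `plan` to your LDAP client to apply it.
    for dn, attribute, value in plan_changes(SAMPLE_USERS):
        print(f"{dn}: {attribute} -> {value}")
```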


RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread Michael B. Smith
I hadn't read this thread until just a few minutes ago. (Last week was
really busy.) :-)

But at least for OL2003 RTM, the complete process goes like this:

1) If "DS Server" registry key set, use that GC
2) If "Closest GC" registry key set, call UseDsGetDcName()
3) If fast network adapter, get DS Referral from home Exchange server
4) If slow network adapter, attempt connect with GC in MAPI profile
5) Connect to DSProxy from home Exchange server

As was pointed out before, the process varies between versions of
Outlook (and even service packs). But, to the best of my knowledge,
Outlook has never been DNS aware (insofar as finding DC/GCs).

All that being said, I'm a BIG believer in using cached mode with
OL2003, in terms of improving the user experience, except when the OAB
is really large and changes often cause the full OAB to be d/l'ed. Even
then, there are registry changes that can make it "OK".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 8:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Excellent, further proof.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B.
Smith
Sent: Sunday, August 01, 2004 8:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

It gets the closest DC by using UseDsGetDcName().

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 6:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Barring a network trace disproving it I would agree. Setting the outlook
client to use closest *should* fall back and use what the client
considers
closest, going to the Exchange server and asking at that point would be
silly and I don't actually believe Exchange has that functionality. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 26, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Hmmm,
I never really thought about how Outlook decides what's the "closest"
GC. I'm going to make a complete WAG and say that DSPROXY is not used,
and
outlook does a DNS lookup for GCs relying on IP subnet sorting to get
the
"closest".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Saturday, July 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Ken, thanks for the post reply on this one.

Was wondering further if you had any information on this relating to the
actual mechanics of this.  My understanding has been that OL 2002 has no
concept of site awareness

given this what i am struggling to understand is  how the OL2000
'advertises' it site membership given this registry change.  seems there
are
a number of possibilities here -

-  is the clients interaction with DSPROXY modified ? or
- the interaction with DSproxy is actually 'disabled' and OL falls back
somehow to a client based DNS lookup ??

TIA

GT
- Original Message -
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 8:34 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


Outlook 2002

http://support.microsoft.com/default.aspx?scid=kb;en-us;319206&Product=ol2002

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 23, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Dear all, thanks all for your positive views on this issue.

first up i apologise for not chiming in the last week - been away at
customer site ! - esp given it was me that opened up the item.

my further research into this seems to indicate that GC discovery
process
seems to vary across versions of Outlook - and specifically Outlook 2003
seems to introduce new processes ??

Would Ken be happy to confirm his version of Outlook - and required reg
mods
to support local GC discovery with centralised Exchange servers ? -

I think i have referenced the "closestGC" reg value but am not sure if
this
is it

TIA

GT


- Original Message -
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 19, 2004 8:25 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Ken, that is a great response. Thanks for taking the time.
>
> I can see your logic now. :)
>
> Al
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Monday, July 19, 2004 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] outlook / gc client discovery
>
> Well, as you (and Joe) pointed out, a WAN link slow enough to give a 
> bad user experience with name resolution will also yield poor message 
> performance.
>
> Obviously, the be

RE: [ActiveDir] AD and WINS

2004-08-01 Thread joe
Yep exactly. I was actually asked once by some folks from MS what I would
say if they removed WINS support from their clients. I told them I wouldn't
say anything, I would laugh my butt off at them for doing something so short
sighted without understanding their user base or their own applications. 

MS has a bad case of the left hand and right hand syndrome. I say this
pretty regularly, they try to run like they are a small company and they
aren't anymore. So the communication is hurting and unless you happen to
know the person or someone who knows the person who wrote something, it can
be difficult to get an answer to something. Couple that with people making
all sorts of assumptions on how some other product they are dependent on or
has dependencies on them works and you see all sorts of fun things that make
you bang your head. The missing communication for instance between Exchange
and AD teams is a great thing to focus on. I also like running into the Dev
guys saying at special conferences, wow, you guys should have told someone
about that when in fact the "you guys" had been trying to tell PSS or
someone else for ages and kept getting it punted back out as not being worth
being forwarded up the chain to Dev. There have been several occasions where
I have had to jump up and down shouting at some PSS person to escalate a
problem and they didn't want to because they didn't know enough to think it
should be. They don't seem to want to bother Dev with some of this stuff and
I can understand that too if from the Dev side they tend to get pounded if
they ask questions about something they don't understand. So you get poor to
no turnover of new tech info from Dev to PSS, PSS doesn't want to look
stupid and get yelled at by Dev for asking questions they probably should
know and would if there was proper documentation and hand over so PSS in
turn is leery to pass on things the customers come up with that aren't right
and you are right back at the beginning again when you sit in front of the
dev guys and they go, wow, you should float that info up when you find it...


  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Sunday, August 01, 2004 8:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

They've fully admitted that Exchange requires WINS. :-)

http://support.microsoft.com/default.aspx?scid=837391

I didn't hunt them down, but I've read other KBs that talk about other
features that require WINS.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 8:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Yeah I would take that bet too... Sucker bet on Brian's part. :oP

I am one of the bemoaners on this. Doubt it will get changed, despite
evidence to the contrary (say Exchange for instance) MS wants to think that
WINS isn't required anymore so being dead tech shouldn't be updated. 

However, to possibly jinx this to go the right way I will say... There is no
chance whatsoever that Microsoft will ever fix it so WINS Administration can
be delegated. They just aren't bright enough to pull it off... On top of
that, they will never ever make it so you can disable registration of
records on specific WINS Servers and make them only read-only or allow
admins only to make registrations (say through NETSH or WINSCL) or say that
only certain machines are allowed to update their records there. 

:o)

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'll take that bet :-)

Many have bemoaned the fact that you can't delegate WINS administration or
that there is no equivalent of DnsAdmins for WINS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'm betting there's a control access right (aka extended right) you can
delegate this group on your server OUs to manage WINS. No evidence, but, I'm
inclined to believe there is such a thing. Look at the Server Ops
delegations.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then
add the group to the local administrators group of the WINS servers either
manually or via a GPO.  Then all you have to do is populate the AD group
with the users..  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 11:13 AM
To:

RE: [ActiveDir] W2K3 with W2K2

2004-08-01 Thread joe
WITO... I have heard of that before... I think I lived it for a while. I
called it an exercise in teaching a manufacturer how little they actually
know about their computing environment. :oP

Now after that walk down memory lane I will beat on you for a bit.

Running a K3 in a 2K domain is fine, doesn't even have to hold the roles.
Once you domain prep the domain you will have some SIDS in your AD that
aren't resolving because the principals don't exist. It is good to make the
K3 the PDC holder so those get created. Not required though.

On the PDC/BDC concept, as it partially applied in NT4, there are no
read-only DCs (aka BDCs) currently in 2K/K3[1]. There is scuttlebutt that
that could possibly change but it doesn't matter. As it applies conceptually
where you have a domain master for things then yes you have PDCs and BDCs.
The roles can be split up so you don't have one specific server that is
responsible for all of the roles but that is a pretty hokey thing to do in
my opinion and I don't see the real benefits of it. It was just a stunt to
avoid the one important DC concept for PR and in fact, that one important DC
concept is still there though you can water it down by putting it on several
DCs. The idea is if you lose the machines holding those roles though, you
will feel some impact. Usually when someone tells me there is no more
PDC/BDC concept and that all DCs are equal I tell them to move all roles in
a domain to one machine and then shut it off for a few months without moving
roles. Then come back and tell me how it worked out for them. 


  joe


[1] And actually there were no readonly DCs in NT4, only DCs that didn't
allow you to make certain changes on them. There were still changes being
written to those machines mastered locally, they just weren't replicated
items - last logon, bad password count, etc. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 5:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] W2K3 with W2K2

Let's agree that there is no PDC/BDC concept. Now, if all you want to do is
get your Domain ready for when you will eventually move to 2003, then you
should just run the adprep /forestprep and adprep /domainprep in your domain
and wait. IF you want to get a win2K3 DC into the Domain now, then there is
this concept called WITO (hello, Joe :)). It's the "Walk In, Take Over"
principle. The Win2K3 will have to get the roles, at least the PDCE and the
Domain Naming master roles, otherwise your domain will not function
correctly, and many of the benefits of a Win2K3 Domain will NOT be available
to you. I have been able to get a win2K3 DC to install successfully into a
test domain without transferring the roles or upgrading the DC that
originally has these roles, but what I've heard and read is that is not
something you want to do in a production environment.
 
The people who taught me that (and wrote the book on that) are on this list.
They may be able to explain further.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jacob Stabl
Sent: Wed 7/21/2004 1:19 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] W2K3 with W2K2



I know this issue has been talked about before but searching through some
old post in my inbox I didn't find the exact answer I was looking for.

Is there a problem in joining a Windows 2003 server as the BDC in a
Windows 2000 network?  Will there be any problems or unavailable features?
I don't want Windows 2003 to take over the domain.  Reason for doing this is
so next year if I decide to upgrade the domain to Windows 2003 it will be
easier, I just move roles and such to that server.  In my simple mind this
all makes sense.  Any suggestions?

Thanks

--
Jacob Stabl
Network Engineer
Plain Local Schools
http://eagle.stark.k12.oh.us
Work: 330.492.3500 x.383
Cell: 330.495.7243



RE: [ActiveDir] AD and WINS

2004-08-01 Thread Michael B. Smith
They've fully admitted that Exchange requires WINS. :-)

http://support.microsoft.com/default.aspx?scid=837391

I didn't hunt them down, but I've read other KBs that talk about other
features that require WINS.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 8:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

Yeah I would take that bet too... Sucker bet on Brian's part. :oP

I am one of the bemoaners on this. Doubt it will get changed, despite
evidence to the contrary (say Exchange for instance) MS wants to think
that
WINS isn't required anymore so being dead tech shouldn't be updated. 

However, to possibly jinx this to go the right way I will say... There
is no
chance whatsoever that Microsoft will ever fix it so WINS Administration
can
be delegated. They just aren't bright enough to pull it off... On top of
that, they will never ever make it so you can disable registration of
records on specific WINS Servers and make them only read-only or allow
admins only to make registrations (say through NETSH or WINSCL) or say
that
only certain machines are allowed to update their records there. 

:o)

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'll take that bet :-)

Many have bemoaned the fact that you can't delegate WINS administration
or
that there is no equivalent of DnsAdmins for WINS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'm betting there's a control access right (aka extended right) you can
delegate this group on your server OUs to manage WINS. No evidence, but, I'm
inclined to believe there is such a thing. Look at the Server Ops
delegations.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then
add the group to the local administrators group of the WINS servers either
manually or via a GPO.  Then all you have to do is populate the AD group
with the users.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford,
Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where WINS is
running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For example, if we want the DNS admins to administer the WINS servers, how
do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread joe
Excellent, further proof.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Sunday, August 01, 2004 8:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

It gets the closest DC by using UseDsGetDcName().

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 6:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Barring a network trace disproving it I would agree. Setting the outlook
client to use closest *should* fall back and use what the client considers
closest, going to the Exchange server and asking at that point would be
silly and I don't actually believe Exchange has that functionality. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 26, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Hmmm,
I never really thought about how Outlook decides what's the "closest"
GC. I'm going to make a complete WAG and say that DSPROXY is not used, and
outlook does a DNS lookup for GCs relying on IP subnet sorting to get the
"closest".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Saturday, July 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Ken, thanks for the post reply on this one.

Was wondering further if you had any information on this relating to the
actual mechanics of this.  My understanding has been that OL 2002 has no
concept of site awareness.

Given this, what I am struggling to understand is how the OL2000
'advertises' its site membership given this registry change.  Seems there are
a number of possibilities here:

- is the client's interaction with DSPROXY modified? or
- the interaction with DSproxy is actually 'disabled' and OL falls back
somehow to a client based DNS lookup??

TIA

GT
- Original Message -
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 8:34 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


Outlook 2002

http://support.microsoft.com/default.aspx?scid=kb;en-us;319206&Product=o
l2002

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 23, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Dear all, thanks all for your positive views on this issue.

First up, I apologise for not chiming in the last week - been away at a
customer site! - esp given it was me that opened up the item.

My further research into this seems to indicate that the GC discovery process
seems to vary across versions of Outlook - and specifically Outlook 2003
seems to introduce new processes??

Would Ken be happy to confirm his version of Outlook - and required reg mods
to support local GC discovery with centralised Exchange servers? -

I think I have referenced the "closestGC" reg value but am not sure if this
is it.

TIA

GT


- Original Message -
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 19, 2004 8:25 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Ken, that is a great response. Thanks for taking the time.
>
> I can see your logic now. :)
>
> Al
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Monday, July 19, 2004 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] outlook / gc client discovery
>
> Well, as you (and Joe) pointed out, a WAN link slow enough to give a
> bad user experience with name resolution will also yield poor message
> performance.
>
> Obviously, the best solution is to put an Exchange server at the
> location. Unfortunately, many of our smaller locations are simply
> unwilling to foot the bill for an Exchange server (and associated
> trappings).
>
> So, we are left with the task of making things better for the users
> without spending money. The only thing we can do for free is to make
> their DC a GC. This speeds up name resolution. We can't speed up
> messaging performance, so we simply coach the affected users to not
> send large attachments, and tell others to not send them large
> attachments. We also show users how to use Outlook in off-line mode.
> We were hoping that OL2003's cached mode would help, but it seems to
> add as many problems as it fixes (more experimentation is in the
> works...).
>
> Like most other things, it is a trade-off. Our AD is fairly static -
> just adding/deleting users here and there, group membership changed
> now and again. We looked at the GC replication traffic, and decided
> that it didn't look like a problem.
>
> This seems to work well for us, but obviously everyone's mileage may
> vary. I can eas

RE: [ActiveDir] AD and WINS

2004-08-01 Thread joe
Yeah I would take that bet too... Sucker bet on Brian's part. :oP

I am one of the bemoaners on this. Doubt it will get changed, despite
evidence to the contrary (say Exchange for instance) MS wants to think that
WINS isn't required anymore so being dead tech shouldn't be updated. 

However, to possibly jinx this to go the right way I will say... There is no
chance whatsoever that Microsoft will ever fix it so WINS Administration can
be delegated. They just aren't bright enough to pull it off... On top of
that, they will never ever make it so you can disable registration of
records on specific WINS Servers and make them only read-only or allow
admins only to make registrations (say through NETSH or WINSCL) or say that
only certain machines are allowed to update their records there. 

:o)

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, July 22, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'll take that bet :-)

Many have bemoaned the fact that you can't delegate WINS administration or
that there is no equivalent of DnsAdmins for WINS. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I'm betting there's a control access right (aka extended right) you can
delegate this group on your server OUs to manage WINS. No evidence, but, I'm
inclined to believe there is such a thing. Look at the Server Ops
delegations.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
 
v: 773.534.0034 x135
f: 773.534.0035
 
 
-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 10:50 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

You can make a Global security group in the AD called Wins Admins and then
add the group to the local administrators group of the WINS servers either
manually or via a GPO.  Then all you have to do is populate the AD group
with the users.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Thursday, July 22, 2004 11:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS

I think Server op will do it.

-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: 22 July 2004 16:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD and WINS


I believe access to WINS requires local admin access.   To allow them to
administer WINS, they will have to be a local admin on the box where WINS is
running.

Denny

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Thursday, July 22, 2004 10:51 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD and WINS

Is there a way to restrict access to WINS like DNS in Server 2003?

For example, if we want the DNS admins to administer the WINS servers, how
do you go about giving them access just to WINS administration?

Any help would be appreciated!

Thanks,
Mario




RE: [ActiveDir] Question about replication connection objects

2004-08-01 Thread joe
Hmmm, interesting idea. Looking at the attribs on a connection object this
should be ok though you might confuse something if you moved from a DC of
one domain to a DC of another domain...

The attribute to look at to determine if the KCC is managing the object or
not is the options attribute. If it is a system generated connection,
options&1=1. If it is manually created, options&1=0.

You really shouldn't have to manually muck with them too much though. If you
are looking to load balance connections look at ADLB. It will load balance
for K3 and 2K, just read the instructions on the caveats. 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Tuesday, July 20, 2004 1:43 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Question about replication connection objects

I know if I modify an  connection object, it gets
renamed to its GUID and takes on the behavior of a manually created CO
(meaning the KCC will no longer automatically maintain it).

What if I move an  CO between DC's?  The name
doesn't get renamed, but does that mean it stayed automatic or is it now in
effect manual?  If it's the latter, how can I determine if it's behaving
like a manual CO?  Is there some attribute to look for?

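
As an added example (not code from the thread), a small Python audit that reads an LDIF export of nTDSConnection objects and uses the options attribute to tell KCC-owned objects from manual ones, as joe describes; the LDIF dump is constructed, and the flag names beyond bit 0 are the NTDSCONN_OPT_* names from MS-ADTS rather than anything stated in the thread.

```python
# Added example (not from the thread): decide from the options attribute
# whether the KCC still owns a connection object. The LDIF dump below is
# constructed; only bit 0 is stated in the thread, the remaining names are
# the MS-ADTS NTDSCONN_OPT_* flags.

NTDSCONN_OPT_IS_GENERATED = 0x01      # set: created and maintained by the KCC
NTDSCONN_OPT_TWOWAY_SYNC = 0x02
NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT = 0x04
NTDSCONN_OPT_USE_NOTIFY = 0x08
NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION = 0x10
NTDSCONN_OPT_USER_OWNED_SCHEDULE = 0x20

FLAG_NAMES = {
    NTDSCONN_OPT_IS_GENERATED: "IS_GENERATED",
    NTDSCONN_OPT_TWOWAY_SYNC: "TWOWAY_SYNC",
    NTDSCONN_OPT_OVERRIDE_NOTIFY_DEFAULT: "OVERRIDE_NOTIFY_DEFAULT",
    NTDSCONN_OPT_USE_NOTIFY: "USE_NOTIFY",
    NTDSCONN_OPT_DISABLE_INTERSITE_COMPRESSION: "DISABLE_INTERSITE_COMPRESSION",
    NTDSCONN_OPT_USER_OWNED_SCHEDULE: "USER_OWNED_SCHEDULE",
}

# Constructed LDIF export of three nTDSConnection objects under DC01's NTDS
# Settings. Long values are folded onto continuation lines, as LDIF does.
SAMPLE_LDIF = """\
dn: CN=6f1c8c8a-0f1e-4e6d-9b5e-1a2b3c4d5e6f,CN=NTDS Settings,CN=DC01,CN=Serv
 ers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example
objectClass: nTDSConnection
cn: 6f1c8c8a-0f1e-4e6d-9b5e-1a2b3c4d5e6f
fromServer: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Site-A,CN=Sites,CN=Configu
 ration,DC=corp,DC=example
options: 1

dn: CN=DC03 to DC01,CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site-A,CN=Sites,
 CN=Configuration,DC=corp,DC=example
objectClass: nTDSConnection
cn: DC03 to DC01
fromServer: CN=NTDS Settings,CN=DC03,CN=Servers,CN=Site-B,CN=Sites,CN=Configu
 ration,DC=corp,DC=example
options: 40

dn: CN=1d0e2f3a-4b5c-6d7e-8f90-a1b2c3d4e5f6,CN=NTDS Settings,CN=DC01,CN=Serv
 ers,CN=Site-A,CN=Sites,CN=Configuration,DC=corp,DC=example
objectClass: nTDSConnection
cn: 1d0e2f3a-4b5c-6d7e-8f90-a1b2c3d4e5f6
fromServer: CN=NTDS Settings,CN=DC04,CN=Servers,CN=Site-A,CN=Sites,CN=Configu
 ration,DC=corp,DC=example
options: 0
"""


def parse_ldif(text):
    """Minimal LDIF reader: a blank line ends an entry, 'attr: value' lines,
    and a leading space marks a continuation of the previous value."""
    entries, current, last_attr = [], {}, None
    for line in text.splitlines():
        if not line:
            if current:
                entries.append(current)
            current, last_attr = {}, None
        elif line.startswith(" ") and last_attr is not None:
            current[last_attr] += line[1:]
        else:
            attr, _, value = line.partition(": ")
            current[attr] = value
            last_attr = attr
    if current:
        entries.append(current)
    return entries


def decode_options(value):
    """Names of the NTDSCONN_OPT_* bits set in an options value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def source_dc(from_server_dn):
    """fromServer is the DN of the source DC's NTDS Settings object; the
    server name is its second RDN."""
    return from_server_dn.split(",")[1].split("=", 1)[1]


def audit_connections(ldif_text):
    """One record per connection object: who replicates from whom, the
    decoded options, and whether the KCC still maintains it (options&1)."""
    report = []
    for entry in parse_ldif(ldif_text):
        if entry.get("objectClass") != "nTDSConnection":
            continue
        options = int(entry.get("options", "0"))
        report.append({
            "cn": entry["cn"],
            "from": source_dc(entry["fromServer"]),
            "options": decode_options(options),
            "kcc_managed": bool(options & NTDSCONN_OPT_IS_GENERATED),
        })
    return report


def manual_connections(ldif_text):
    """Connections an admin now owns (bit 0 clear), whatever the name looks
    like: a GUID-named object with the bit clear was generated once and later
    modified, which is the case the question asks about."""
    return [r["cn"] for r in audit_connections(ldif_text) if not r["kcc_managed"]]
```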


RE: [ActiveDir] Renaming The Admin Account

2004-08-01 Thread joe
Hey Guido, I should have read this before responding...

Note my post. I am not entirely positive you can actually really hide the
built-in admin account from people. Non-built-in accounts this stuff would
work for obviously as long as the adminSDHolder functionality was kept in
mind.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, July 22, 2004 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Rocky - this thread is actually quite incredible - you're wandering from
user and group names and object types to NTFS permission and nesting objects
into groups, over to discussing SIDs and friendly names, and now you're
talking about the visibility of memberships of groups in AD ;-)

Also, I don't know about your domain, but I never knew that there was an
account called "Domain Admin" - by default, you should only have an
"Administrator" account that is member of the "Domain Admins" group (and if
this is the root, it would also be member of the "Enterprise Admins" and
"Schema Admins" group)...  Besides the Best Practise of renaming the default
Administrator account (not group), it's also a good practise to take it out
of the Schema Admins group (this group should be empty until you want to
change anything in the schema - will prevent accidental schema extensions,
e.g. by some crappy program or script)


So, I'm not sure which is the part that's really most painful to you, but I
guess you mainly want to hide any hints to the default Admin account in your
domain as otherwise renaming them doesn't make any sense to you - is that
about right? 

I think Deji already covered very well on how you shouldn't set ACLs for any
user-account directly - you'll merely do so via groups and the account that
has access to the (non-homeshare) resource won't be visible by looking at
the ACLs of the machine. This includes administrative accounts. 


And if people see a group on an ACL (e.g. Domain Admins), you don't want
them to be able to lookup who is a Domain Admin by checking the
group-membership of that group - right again?

This can also be resolved by setting the appropriate permissions on the
respective AD OU which contains the groups (or any other objects) which you
don't want your users to view.  E.g. move your administrative accounts and
the Domain Admins group to a separate OU in your domain and then remove the
Read permissions for Authenticated Users on that OU - this will hinder them
to browse to that OU and so they can't even try to open the group to see the
content.  You could also work with permissions on the groups themselves, but
that's more and unnecessary work.  If you don't even want your users to see
the "special" OU, then you'll have to work with the List Object permission.

LIST OBJECT is not active or visible in the ACL Editor by default. To
activate (for whole AD forest) change the DSHeuristics property on the
Directory Service object (cn=Directory Service,cn=Windows
NT,cn=Services,cn=Configuration,dc=ForestRootDomain) to 001. The first two
bits impact the ANR searching in AD, so don't change them without knowing
what you want them to be.

BTW, it's much easier to implement the strategy of a "special" OU (e.g.
"Domain Operations"), when you have separate accounts for administrative
users - i.e. they have another "normal" account for eMail etc.  All
administrative accounts should be in this special OU.


And thanks for the flowers in your previous mails - I'll send some of them
to Deano ;-)


Cheers,
Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 9:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Okay,

First off, yes the club's expensive.  And rightly so, but, do you know what
joe wanted to come to my little shop and point out to me exactly what I
already know (which is "exactly how much I don't know already.")?  Now >HE<
was expensive.  Serves him right for getting fired. ;-O.  No wait.  He
didn't get fired.  Some of the |stupidest| people in the world (notice the
absolute symbol) just let him walk!  I'm telling you, that was about as
smart as the Russians selling us Alaska for 7 million.  I could not believe
that.  How smart do you have to be?  Not as smart as joe, that much I know.

Now, let me show you how much I don't know. ( I can explain why that is
someday, if it comes to that).  When I click (on my W2K boxes in my mixed
mode W2K domain) on My Network Places > Entire Network > Directory >
DNSDomainName it opens up my AD and everybody can see all the OUs.  If I
click on my Microsoft_Groups (OU which houses the native groups) I see every
group.  If I click on Domain Admins, I see the members.  The same with all
the other groups.  How do I hide the memberships of these native MS groups?

Thanks Deji (and all youse other guys!)

RH
_
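
The dSHeuristics step quoted above, as an added Python example (not from the thread): the attribute is positional, so the safe way to set the third character is to pad a short or absent value rather than write "001" over whatever is already there; the DN uses the same ForestRootDomain placeholder as the post.

```python
# Added example (not from the thread): set the List Object character of
# dSHeuristics on the Directory Service object without disturbing the rest
# of the string. The attribute is positional, so a short or absent value has
# to be padded before the third character can be set to "1".

DS_OBJECT_DN = ("CN=Directory Service,CN=Windows NT,CN=Services,"
                "CN=Configuration,DC=ForestRootDomain")  # placeholder root, as in the post
LIST_OBJECT_POSITION = 3   # 1-based; positions 1 and 2 control ANR matching


def _reserved_digit(position):
    """Every tenth character (10th, 20th, ...) is reserved and must hold the
    digit of its tens place, so padding past it has to write that digit."""
    return str(position // 10) if position % 10 == 0 else None


def set_heuristic(current, position, value):
    """Return dSHeuristics with the 1-based `position` set to `value`,
    padding with '0' (or the reserved digit), and refusing to clobber a
    reserved position or to build on an already malformed string."""
    if len(value) != 1:
        raise ValueError("a heuristic is a single character")
    if _reserved_digit(position):
        raise ValueError(f"position {position} is reserved")
    chars = list(current or "")
    for idx, ch in enumerate(chars, start=1):
        expected = _reserved_digit(idx)
        if expected and ch != expected:
            raise ValueError(f"malformed dSHeuristics: position {idx} must be {expected}")
    while len(chars) < position:
        chars.append(_reserved_digit(len(chars) + 1) or "0")
    chars[position - 1] = value
    return "".join(chars)


def enable_list_object_mode(current):
    """'001' for an empty value; otherwise only the third character changes."""
    return set_heuristic(current, LIST_OBJECT_POSITION, "1")


def list_object_mode_enabled(current):
    """Check before touching the ACLs: List Object permission does nothing
    unless this character is already '1'."""
    return len(current or "") >= LIST_OBJECT_POSITION and current[LIST_OBJECT_POSITION - 1] == "1"


def ldif_change_for_list_object(current):
    """LDIF 'changetype: modify' record that applies the new value; replace
    rather than add because the attribute is single-valued."""
    return "\n".join([
        f"dn: {DS_OBJECT_DN}",
        "changetype: modify",
        "replace: dSHeuristics",
        f"dSHeuristics: {enable_list_object_mode(current)}",
        "-",
        "",
    ])
```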

RE: [ActiveDir] Renaming The Admin Account

2004-08-01 Thread joe



Heh, this thread is killing me. :oP
 
As mentioned by the others, use the domain admins group, 
not any specific domain admin user. The actual built in administrator account on 
the domain really shouldn't be used. In fact best practices say set the password 
on that object to some password/phrase > 15 characters (or > 25 or > 
40, etc) with insane mix of special characters and upper/lower case and numbers 
that isn't possible to memorize and then test it to make sure it actually works 
and THEN place that password in an envelope and give it to someone in the IT org 
high enough up the chain that it would be painful to get it back. Then the 
standard is if you do get it back, you change that password following the same 
rules again that same day. It should be the key under your mat that you use 
only in dire emergencies. You should actually go years without logging into that 
account. You should do daily monitoring of the last Logon and password last set 
values to make sure someone isn't holding out on you, that is just a script that 
does the dump and compares. 
 
I think the overall drift of this whole thing has been, how 
do I prevent people from knowing my built-in administrator ID... If that is it, 
I am not entirely sure it can be done. You can do things like specially ACL the 
admin groups so that the group memberships can't be enumerated keeping in mind 
that the groups you are talking about are Admin groups so AdminSDHolder 
functionality comes into play so you will have to modify the adminSDHolder 
object's perms. You would also have to block the users from viewing the actual 
user accounts as well (think memberof) and again, think AdminSDHolder. You 
would also probably prevent anonymous resolution of SIDS. The thing that kills 
all of this however is how do you stop non-anonymous resolution of SIDS. I am 
not entirely sure this is possible and the built-in administrator ID has a known 
SID so as long as they can get the domain SID (multiple methods) they can get 
the administrator ID name. You can and could block someone from doing an LDAP 
lookup pretty easily, but if they use the system API calls to resolve a SID I 
believe that all gets handled by the localsystem account and I am not about to 
tell anyone to remove localsystem access to anything in their AD even if it 
actually worked and prevented the system from seeing something (which I doubt it 
would). 
 
So the act of getting secure shouldn't be, how do I hide my 
admin ID, it should be, how do I make the password so secure that even if 
someone does know the ID they don't have a chance of using the account... That 
means using a seriously strong password and not using the ID so that methods 
that depend on it being used are foiled (think trojans or sniffing of some older 
type authentication traffic, etc).
 
Also to say it one more time, ACL to groups, do not ACL to 
users. No good can come of ACLing to users. 
 
 
   joe
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, July 22, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

Deji,

You know I love you (and Tony, and Guido, and Robbie and Gil, and Roger and of
course joe, and all the other heavyweights), but, we're not confused on the
accounts and their memberships.  I just feel it's important to have the
Domain Admin (the individual) as Full Control on everything.  As such, it's
pointless to rename him because he can be seen.

However, you might just convince me to try it if you will tell me how to
keep Users from viewing membership in AD of the Microsoft native groups, like
Domain Administrators. ;-)

That might be enough for me to try it.

RH
 
_
 
 

  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
  Sent: Thursday, July 22, 2004 12:10 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Renaming The Admin Account
  
  If you just remember the principle "put users in group, assign permission
  to group", then you'll remember that neither JohnDoe nor Administrator
  should show up anywhere in your ACL enumeration. Rather, your ACL will look
  something like this:

  Computername\AdministratorS - F
  System - F
  etc, etc.

  You will NOT need to add the following to the ACL:
  ComputerName\Administrator (notice the missing "S")
  Domain Admins
  Domain\Administrator

  Why? First, because by adding Computername\AdministratorS in the first
  example, you have essentially taken care of the three in the second
  example. "Domain\Administrator" is a member of "Domain Admins", which is a
  member of Computername\AdministratorS. Likewise, "ComputerName\Administrator"
  is a member of "Computername\AdministratorS".

  Then your fear about your users knowing the name of your Domain Admin
  account becomes non-existent (although this should have been of no concern
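
joe's daily "dump and compare" check for the built-in account, as an added Python example that is not part of the thread: it locates the account by its well-known RID 500 rather than by name (the point joe makes about the known SID), and flags any change in lastLogon or pwdLastSet between two dumps; the dumps, the domain SID and the timestamps are constructed.

```python
# Added example (not from the thread): the "dump and compare" script for the
# built-in Administrator account. It finds the account by RID 500, which
# survives any rename, and reports a logon or password change since the
# previous dump. The two dumps below are constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BUILTIN_ADMIN_RID = "500"


def filetime_to_datetime(value):
    """lastLogon/pwdLastSet are 100-ns ticks since 1601-01-01 UTC; 0 means never."""
    value = int(value)
    if value == 0 or value == 0x7FFFFFFFFFFFFFFF:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(moment):
    """Inverse of the above, with exact integer arithmetic (no float rounding)."""
    return ((moment - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def is_builtin_administrator(object_sid):
    """Domain account SIDs are S-1-5-21-<domain>-<RID>; RID 500 is always the
    built-in Administrator, whatever sAMAccountName it currently carries."""
    return object_sid.startswith("S-1-5-21-") and object_sid.rsplit("-", 1)[1] == BUILTIN_ADMIN_RID


def find_builtin_administrator(accounts):
    matches = [a for a in accounts if is_builtin_administrator(a["objectSid"])]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one RID-500 account, found {len(matches)}")
    return matches[0]


def compare_dumps(baseline_by_dc, current_by_dc):
    """Return alert strings. Dumps are keyed by DC because lastLogon is not
    replicated: each DC only records the logons it authenticated itself, so
    the dump has to be taken from every DC, not just one."""
    alerts = []
    for dc, accounts in current_by_dc.items():
        now = find_builtin_administrator(accounts)
        if dc not in baseline_by_dc:
            alerts.append(f"{dc}: no baseline to compare against")
            continue
        before = find_builtin_administrator(baseline_by_dc[dc])
        if now["sAMAccountName"] != before["sAMAccountName"]:
            alerts.append(f"{dc}: RID 500 renamed {before['sAMAccountName']} -> {now['sAMAccountName']}")
        if int(now["lastLogon"]) != int(before["lastLogon"]):
            alerts.append(f"{dc}: Administrator logged on at {filetime_to_datetime(now['lastLogon'])}")
        if int(now["pwdLastSet"]) != int(before["pwdLastSet"]):
            alerts.append(f"{dc}: Administrator password set at {filetime_to_datetime(now['pwdLastSet'])}")
    return alerts


# --- constructed sample dumps: yesterday's baseline and today's snapshot ---
def _ft(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


def _dump(admin_last_logon_on_dc01):
    admin = {"sAMAccountName": "Administrator",
             "objectSid": "S-1-5-21-1111-2222-3333-500",
             "pwdLastSet": _ft(2003, 1, 15, 9, 0)}
    joe = {"sAMAccountName": "joe", "objectSid": "S-1-5-21-1111-2222-3333-1105",
           "lastLogon": _ft(2004, 7, 30, 8, 5), "pwdLastSet": _ft(2004, 6, 1, 0, 0)}
    return {
        "DC01": [dict(admin, lastLogon=admin_last_logon_on_dc01), joe],
        "DC02": [dict(admin, lastLogon=0), joe],
    }


BASELINE = _dump(0)                          # the account had never been logged on to
CURRENT = _dump(_ft(2004, 8, 1, 2, 17))      # someone used it overnight, on DC01 only
```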

RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread Michael B. Smith
It gets the closest DC by using UseDsGetDcName().

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 6:34 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Barring a network trace disproving it I would agree. Setting the outlook
client to use closest *should* fall back and use what the client considers
closest, going to the Exchange server and asking at that point would be
silly and I don't actually believe Exchange has that functionality. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 26, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Hmmm,
I never really thought about how Outlook decides what's the "closest"
GC. I'm going to make a complete WAG and say that DSPROXY is not used, and
outlook does a DNS lookup for GCs relying on IP subnet sorting to get the
"closest".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Saturday, July 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Ken, thanks for the post reply on this one.

Was wondering further if you had any information on this relating to the
actual mechanics of this.  My understanding has been that OL 2002 has no
concept of site awareness.

Given this, what I am struggling to understand is how the OL2000
'advertises' its site membership given this registry change.  Seems there are
a number of possibilities here:

- is the client's interaction with DSPROXY modified? or
- the interaction with DSproxy is actually 'disabled' and OL falls back
somehow to a client based DNS lookup??

TIA

GT
- Original Message -
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 8:34 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


Outlook 2002

http://support.microsoft.com/default.aspx?scid=kb;en-us;319206&Product=o
l2002

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 23, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Dear all, thanks all for your positive views on this issue.

First up, I apologise for not chiming in the last week - been away at a
customer site! - esp given it was me that opened up the item.

My further research into this seems to indicate that the GC discovery
process seems to vary across versions of Outlook - and specifically
Outlook 2003 seems to introduce new processes??

Would Ken be happy to confirm his version of Outlook - and required reg
mods to support local GC discovery with centralised Exchange servers? -

I think I have referenced the "closestGC" reg value but am not sure if
this is it.

TIA

GT


- Original Message - 
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 19, 2004 8:25 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Ken, that is a great response. Thanks for taking the time.
>
> I can see your logic now. :)
>
> Al
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Monday, July 19, 2004 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] outlook / gc client discovery
>
> Well, as you (and Joe) pointed out, a WAN link slow enough to give a
> bad user experience with name resolution will also yield poor message
> performance.
>
> Obviously, the best solution is to put an Exchange server at the
> location. Unfortunately, many of our smaller locations are simply
> unwilling to foot the bill for an Exchange server (and associated
> trappings).
>
> So, we are left with the task of making things better for the users
> without spending money. The only thing we can do for free is to make
> their DC a GC. This speeds up name resolution. We can't speed up
> messaging performance, so we simply coach the affected users to not
> send large attachments, and tell others to not send them large
> attachments. We also show users how to use Outlook in off-line mode.
> We were hoping that OL2003's cached mode would help, but it seems to
> add as many problems as it fixes (more experimentation is in the
> works...).
>
> Like most other things, it is a trade-off. Our AD is fairly static -
> just adding/deleting users here and there, group membership changed
> now and again. We looked at the GC replication traffic, and decided
> that it didn't look like a problem.
>
> This seems to work well for us, but obviously everyone's mileage may
> vary. I can easily see how GC replication would be a problem for large
> organizations' WANs.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Monday, July 19, 2004 1:44 PM
> To: [EMAIL PROTECTED]

RE: [ActiveDir] Renaming The Admin Account

2004-08-01 Thread joe
I would disagree with this. Several of the last worms that I had to deal
with were doing lookups against the SAM to find out what to attack. In fact
MUMU was enumerating the administrators group and attacking all local ids in
that group specifically. Luckily they weren't attacking anything but what
was local so the domains stayed up. Had the worm been going after all
security principals I would hate to have seen how hard that would have hit
the domain infrastructure. As it were, it was only a matter of hitting the
couple of domain admin IDs on the DCs and that only when they were
specifically attacked directly. 

Renaming things that have the name owner and administrator are good because
there are specific worms/viruses that attack those names but I wouldn't do
it for any security reason. It would be for system resources, if the name
doesn't exist it is quicker for the system to say, doesn't exist, go away,
versus having to go and actually check the password and go through lockout
process when that limit gets hit, etc. 


  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, July 22, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account

You could argue that. But, if you consider the fact that most hackwares and
viruses/trojans that carry their own account/password dictionaries don't do
SID enumeration, you'd understand the significance of renaming the accounts.
Because they don't do SID enumeration/translation, these hackwares are
useless against your infrastructure because they just go through looking for
accounts named "Administrator" or "admin" or "root" and similar. If they
don't find one, they move on.
 
Unless you are a direct target of concentrated hack/crack attempts, it's not
common for SID translation to be done.
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Thu 7/22/2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Renaming The Admin Account



Right!
My point exactly!
So if your policy is to include the Domain Admin in NTFS permissions,
there's no point in renaming your Domain Admin account.

Thanks Tony.

RH





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tony Murray
Sent: Thursday, July 22, 2004 11:25 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Renaming The Admin Account


The admin tools resolve the SID to the friendly name for you.  In other
words, you're not actually working with the friendly names when viewing or
assigning permissions, but this is how it appears to you.

Tony
-- Original Message --
Wrom: KJVZCMHVIBGDADRZFSQHYUCDDJBLV
Reply-To: [EMAIL PROTECTED]
Date:  Thu, 22 Jul 2004 10:25:14 -0400

People,

OK, I know you guys are the Experts and I know MS says, rename it, but tell
me the answer to these questions please.  Let's say you run NTFS permissions
on your local PCs.  Let's say your standards are (for EVERY FILE/FOLDER
OBJECT ON THE PC):
Full Control for Local Admin, Domain Admin and System.
Modify for Everyone (At least where it is not a security risk).
[1]  What is displayed locally to the User (for Admin accounts) when they
look at NTFS permissions on their file/folder objects?
[2]  What do you as the Admin select in the ACL, when you set new
permissions for file/folder objects?

Thanks

RH
-
Rocky Habeeb
Microsoft Systems Administrator
-
James W. Sewall Company
Old Town, Maine
-
207.827.4456
habr @ jws.com
www.jws.com
-


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
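The point Tony and Dèjì make in the thread above (the tools work with the SID, not the friendly name, and the built-in account keeps RID 500 whatever it is called) can be checked against an account inventory. The following is an added example in Python, not code from the list or from any poster: it decodes the binary objectSid layout that AD returns, flags well-known RIDs regardless of the account's current name, and notes whether the default name was changed. The domain SID and every account name in the sample inventory are constructed.

```python
import struct

# RIDs that Windows fixes for well-known principals.  They survive any
# rename, which is why SID-aware tools (and the admin tools that resolve
# SIDs to friendly names) are never fooled by a renamed Administrator.
WELL_KNOWN_DOMAIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                          502: "krbtgt", 512: "Domain Admins"}   # under S-1-5-21-x-y-z
WELL_KNOWN_BUILTIN_RIDS = {544: "Administrators (local group)"}  # under S-1-5-32
DEFAULT_NAMES = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def sid_from_bytes(blob: bytes) -> str:
    """Decode the binary objectSid layout: revision (1 byte), sub-authority
    count (1 byte), 48-bit big-endian identifier authority, then `count`
    little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of sid_from_bytes (useful when building an objectSid filter)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def classify_sid(sid: str):
    """Describe a well-known principal by its RID, or None for an ordinary account."""
    prefix, _, last = sid.rpartition("-")
    rid = int(last)
    if prefix == "S-1-5-32":
        return WELL_KNOWN_BUILTIN_RIDS.get(rid)
    if prefix.startswith("S-1-5-21-"):
        return WELL_KNOWN_DOMAIN_RIDS.get(rid)
    return None


def audit_accounts(accounts):
    """accounts: iterable of (sAMAccountName, sid_string, disabled).
    Flags every well-known principal by RID, whatever it is called now,
    and records whether its default name was changed."""
    findings = []
    for name, sid, disabled in accounts:
        role = classify_sid(sid)
        if role is None:
            continue
        rid = int(sid.rsplit("-", 1)[1])
        findings.append({
            "name": name, "sid": sid, "role": role, "disabled": disabled,
            "renamed": rid in DEFAULT_NAMES and name.lower() != DEFAULT_NAMES[rid].lower(),
        })
    return findings


# Constructed sample inventory: the domain SID and every account name are made up.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = [
    ("sysop",         DOMAIN_SID + "-500",  False),  # the real built-in admin, renamed
    ("Administrator", DOMAIN_SID + "-1203", False),  # decoy: ordinary account wearing the old name
    ("Guest",         DOMAIN_SID + "-501",  True),
    ("svc_backup",    DOMAIN_SID + "-1105", False),
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS):
        print("%-14s %-24s renamed=%-5s disabled=%s"
              % (f["name"], f["role"], f["renamed"], f["disabled"]))
```

Run against a real inventory (sAMAccountName plus objectSid pulled from the domain) the report shows what joe's and Dèjì's posts imply: the decoy called "Administrator" is not flagged at all, while the renamed RID-500 account is, so the rename buys nothing against anything that resolves SIDs; whether the built-in account is disabled and its logons monitored is the part that matters.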

RE: [ActiveDir] OT: local admin groups members

2004-08-01 Thread joe



Note that only works from the server command line that you 
want to check... my lg tool will work across the network
 
lg \\server\administrators
 
Get lg at www.joeware.net
 
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Seyboldt, Volker
Sent: Friday, July 23, 2004 2:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: local admin groups members

you can use the command "net localgroup administrators" 

This will list all members.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, July 23, 2004 1:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: local admin groups members


 
Is there an automated way or a script anyone knows about that I could run to
get a list of all the members of each server's local Administrators group?


RE: [ActiveDir] Customize Group Permissions

2004-08-01 Thread joe



Re: the built in admin account not being removed... It does 
this because you aren't supposed to be able to remove that user from that group, 
not anything the GPO is trying to do. I have seen occasions where the system is 
trying to apply this (i.e. remove the administrator from admins group) and the 
system eventually pukes out with Out of Resources. 
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Thursday, July 22, 2004 3:56 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Customize Group Permissions

One thing to be really careful of though.  It will replace the contents of
the local group.  The only exception to this is the default local Admin
account in the local Administrators group.  That account will stay.  If you
are using software, like SMS, that generates its own local admin account be
sure that it is getting left in.

Dave

--
David J. Perdue
MCSE 2000, MCSE NT, MCSA, MCP+I
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597    DSN: 276-4597
[EMAIL PROTECTED]
--
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, July 22, 2004 11:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Customize Group Permissions


Yes, this is possible. Check out restricted groups in group policy.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org

v: 773.534.0034 x135
f: 773.534.0035
 
 




From: Jared Manhat [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Customize Group Permissions
 
I thought I read somewhere in the MS Server 2003 Deployment Kit under
Designing a Managed Environment that it was possible to modify local PCs'
group permissions using GP. Has anyone heard of this?
What I'm trying to do is assign Install Printer Drivers to Power Users.
Thanks
Jared Manhat
Systems Administrator
Accutest Laboratories
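Two of the threads above fit one example: Jeff's question about collecting each server's local Administrators membership (answered with `net localgroup administrators` and joe's lg tool), and Dave's warning that a Restricted Groups policy replaces the group's contents, leaving only the built-in Administrator in place. The following is an added example in Python, not code from the list or from any poster: it parses `net localgroup` output as collected from each server and previews what a "Members of this group" policy would remove and add before the GPO is linked, with the built-in account surviving as Dave describes. The sample output, the server name, the domain group names and the SMS-style service account are constructed.

```python
# Constructed sample of `net localgroup administrators` output from one server.
NET_LOCALGROUP_SAMPLE = r"""Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CONTOSO\Domain Admins
CONTOSO\srv-sms-install
localbackup
The command completed successfully.
"""


def parse_net_localgroup(output: str) -> list:
    """Pull the member names out of `net localgroup <group>` text: one per
    line between the dashed separator and the 'command completed' trailer."""
    members, in_list = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.startswith("----")
            continue
        if not line:
            continue
        if line.startswith("The command completed"):
            break
        members.append(line)
    return members


def _has(names, name):
    """Windows account names compare case-insensitively."""
    return name.lower() in (n.lower() for n in names)


def apply_restricted_members(current, policy_members, builtin_admin="Administrator"):
    """Model Restricted Groups 'Members of this group' on a local group: the
    policy list replaces the current membership wholesale.  The one survivor
    outside the list is the built-in Administrator account, which the system
    will not remove from Administrators (pass its name if it was renamed)."""
    policy = list(policy_members)
    result = []
    if _has(current, builtin_admin) and not _has(policy, builtin_admin):
        result.append(builtin_admin)
    result += policy
    removed = [m for m in current if not _has(result, m)]
    added = [m for m in policy if not _has(current, m)]
    return result, removed, added


def preview_restricted_groups(outputs_by_server, policy_members, required=()):
    """outputs_by_server: {server: net localgroup text}.  Reports, per server,
    what the policy would remove and add, plus any 'required' member (e.g. a
    deployment tool's own local admin account) the policy forgot to list."""
    report = {}
    for server, text in outputs_by_server.items():
        current = parse_net_localgroup(text)
        result, removed, added = apply_restricted_members(current, policy_members)
        report[server] = {"current": current, "result": result,
                          "removed": removed, "added": added}
    return {"missing_required": [r for r in required if not _has(policy_members, r)],
            "servers": report}


# Constructed policy: the domain group names and the service account are made up.
SAMPLE_POLICY = ["CONTOSO\\Domain Admins", "CONTOSO\\ServerAdmins"]
SAMPLE_REQUIRED = ["CONTOSO\\srv-sms-install"]

if __name__ == "__main__":
    out = preview_restricted_groups({"srv01": NET_LOCALGROUP_SAMPLE}, SAMPLE_POLICY, SAMPLE_REQUIRED)
    for server, r in out["servers"].items():
        print(server, "would lose", r["removed"], "and gain", r["added"])
    print("required accounts missing from policy:", out["missing_required"])
```

Feeding it the captured output of every server gives the inventory Jeff asked for and, at the same time, the list of accounts (here the constructed `srv-sms-install`) that a policy written without them would silently strip, which is exactly the failure Dave warns about.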


RE: [ActiveDir] Duplicate user in Active Directory

2004-08-01 Thread joe
That is for helping find lingering objects... Is that what we think we have
here? How long ago was the object deleted? If it hasn't been longer than
tombstone lifetime for the object deleted, you have a replication issue, not
a lingering object issue. Though if the problem persists (or has been
persistent) you could have both. :o)

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Friday, July 23, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Duplicate user in Active Directory


Joe's GCChk utility should help you track down the duplicate.

http://www.joeware.net/win32/

Tony
-- Original Message --
From: "Sanz de León, Juan Carlos"<[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 23 Jul 2004 10:20:43 +0200

Dear Gurus,
 
We have a forest with 4 domains.  I deleted a user in domain A.  Then I
created that same user in domain B ... and for some strange reason we now
have the user duplicated in our Global Catalog.  When I search the Global
Catalog in domain A, I only see one user.  When I search the GC of all other
domains, the user is duplicated.  Exchange 2000 does not like duplicates.
 
How should I go about solving this problem?
 

Thanks in advance,
Juan Carlos Sanz


RE: [ActiveDir] Exceeding the LDAP Look Through Limit

2004-08-01 Thread joe



Ah, I was chatting with ~Eric on this exact issue previously about adding too
many attributes to a single multivalued attribute. Once I hit the limit
(around 850 or so attributes on 2K) I couldn't add any new attributes to
anything, only modify existing. We never went anywhere on that discussion and
I am curious why this happens.

Since ~Eric hasn't responded to this I am guessing he lost the thread so I am
going to do the Bat~Eric Call...

CARTE BLANCHE!

   joe :o)


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear
Sent: Friday, July 23, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit


Ok, he created one user-defined OU, and added an object in that container.
Next, he opened ADSI Edit, and added attributes for that object.  For example
he has 3 attributes, and added 300 values for each attribute.

If he adds more values than this, the limit exceeded message appears:

I received the following error message - "The Administrative limit for this
request was exceeded" - OS is win2k server sp4

Thanks for your help!

Steve

 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, July 22, 2004 9:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit
 
I could probably tell you which admin limit you're exceeding if you tell me
the OS version & service pack level.

Most admin limits are there to protect perf of the box & prevent against DoS
attacks. Better than changing the limits would be to change the query to use
LDAP RFC compliant ways of performing the action w/o changing limits. For
example, if the limit is # of objects returned per page, rather than using a
huge page you'd do a paged search.

So the questions that would be of interest:
1) OS and service pack level
2) What is the action being performed (as an example, if this is a search,
baseDN + scope + filter)

Thanks!
~Eric
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear
Sent: Thursday, July 22, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exceeding the LDAP Look Through Limit
 
I have a customer who has created an OU and populated it with objects that
have many attributes.  He is now encountering this error:

"[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026]; remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'"

Is there a maximum size limitation for user defined objects in AD?
Can that value be modified?
Where would one modify it?  Would it be in the LDAP policies/protocols
configuration?

TIA!
Steve
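The error string Steve quotes packs several separate codes into one line, and Eric's first question (which admin limit is it?) is easier to answer once they are pulled apart: the LDAP result code, the Win32 error in hex, the error category, the DSID (an internal location marker in the DC's code), the problem code with its name and the trailing data value. The following is an added example in Python, not code from the list or from any poster, that parses that layout, including the JNDI "[LDAP: error code N - ...]; remaining name '...'" wrapper seen here and the "comment: AcceptSecurityContext error" form a failed bind produces. It uses Steve's error verbatim plus one constructed bind failure whose DSID value is made up. The code-to-name tables cover only values I am sure of: result code 11 is adminLimitExceeded in RFC 4511 and 0x2024 is ERROR_DS_ADMIN_LIMIT_EXCEEDED. One reading of the trailing `data -1026`, which the example leaves uninterpreted, is that it is the ESE error JET_errRecordTooBig, which would fit joe's description of running out of room on a single object once enough values are stacked into its non-linked multi-valued attributes; treat that as my assumption, not something the thread establishes.

```python
import re

# AD's extended error text, optionally wrapped by a JNDI client as
# "[LDAP: error code N - <text>]; remaining name '<dn>'" (the form in the thread).
_AD_ERROR = re.compile(
    r"(?P<win32>[0-9A-Fa-f]+): (?P<category>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+)"
    r"(?:, problem (?P<problem>\d+) \((?P<problem_name>[A-Z_]+)\))?"
    r"(?:, comment: (?P<comment>[^,\]]+?))?"
    r", data (?P<data>-?[0-9A-Fa-f]+)"
)
_JNDI_WRAP = re.compile(
    r"\[LDAP: error code (?P<code>\d+) - (?P<inner>[^\]]*)\]"
    r"(?:; remaining name '(?P<remaining>.*)')?", re.S)

LDAP_RESULT_NAMES = {  # RFC 4511 result codes most often seen from AD
    0: "success", 1: "operationsError", 3: "timeLimitExceeded", 4: "sizeLimitExceeded",
    11: "adminLimitExceeded", 32: "noSuchObject", 49: "invalidCredentials",
    50: "insufficientAccessRights", 53: "unwillingToPerform",
}
WIN32_NAMES = {
    0x2024: "ERROR_DS_ADMIN_LIMIT_EXCEEDED",   # 8228, the code in the thread's error
    0x80090308: "SEC_E_INVALID_TOKEN",          # what a failed simple bind reports
}
BIND_DATA_NAMES = {  # 'data' of an AcceptSecurityContext error is a Win32 code in hex
    0x525: "ERROR_NO_SUCH_USER", 0x52E: "ERROR_LOGON_FAILURE",
    0x533: "ERROR_ACCOUNT_DISABLED", 0x773: "ERROR_PASSWORD_MUST_CHANGE",
}


def parse_ad_ldap_error(message: str) -> dict:
    """Split an AD error string into its fields and name the codes we know."""
    info = {}
    inner = message
    wrap = _JNDI_WRAP.search(message)
    if wrap:
        code = int(wrap.group("code"))
        info["result_code"] = code
        info["result_name"] = LDAP_RESULT_NAMES.get(code, "unknown")
        info["remaining_name"] = wrap.group("remaining")
        inner = wrap.group("inner")
    m = _AD_ERROR.search(inner)
    if not m:
        raise ValueError("not an AD extended error: %r" % message)
    win32 = int(m.group("win32"), 16)
    info.update(
        win32_code=win32, win32_name=WIN32_NAMES.get(win32, "unknown"),
        category=m.group("category"), dsid=m.group("dsid").upper(),
        problem=int(m.group("problem")) if m.group("problem") else None,
        problem_name=m.group("problem_name"), comment=m.group("comment"),
        data=m.group("data"),
    )
    if info["category"] == "LdapErr" and info["comment"] == "AcceptSecurityContext error":
        info["data_name"] = BIND_DATA_NAMES.get(int(info["data"], 16), "unknown")
    return info


# The error quoted in the thread (a JNDI client's wrapping of AD's text).
SAMPLE_ERROR = (
    r"[LDAP: error code 11 - 2024: SvcErr: DSID-02050AA0, problem 5008 (ADMIN_LIMIT_EXCEEDED), data -1026]; "
    r"remaining name 'cn=CN\=JPRAKASH\,CN\=Computers\,DC\=jupiter\,DC\=lan,ou=Subscriptions,dc=jupiter,dc=lan'"
)
# A constructed bind failure in the same layout (the DSID value is made up).
SAMPLE_BIND_ERROR = "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1"

if __name__ == "__main__":
    for sample in (SAMPLE_ERROR, SAMPLE_BIND_ERROR):
        for key, value in parse_ad_ldap_error(sample).items():
            print("%-15s %s" % (key, value))
        print()
```

The same parser is worth keeping around for the bind-failure form, because the `data` value there is what distinguishes a wrong password from a disabled or expired account when triaging authentication noise in application logs.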
 
 


RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread joe
Barring a network trace disproving it I would agree. Setting the outlook
client to use closest *should* fall back and use what the client  considers
closest, going to the Exchange server and asking at that point would be
silly and I don't actually believe Exchange has that functionality. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 26, 2004 12:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Hmmm,
I never really thought about how Outlook decides what's the "closest"
GC. I'm going to make a complete WAG and say that DSPROXY is not used, and
outlook does a DNS lookup for GCs relying on IP subnet sorting to get the
"closest".

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Saturday, July 24, 2004 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Ken, thanks for the post reply on this one.

Was wondering further if you had any information on this relating to the
actual mechanics of this.  My understanding has been that OL 2002 has no
concept of site awareness.

Given this, what I am struggling to understand is how the OL2000 'advertises'
its site membership given this registry change.  Seems there are a number of
possibilities here -

- is the client's interaction with DSPROXY modified? or
- the interaction with DSproxy is actually 'disabled' and OL falls back
somehow to a client based DNS lookup??

TIA

GT
- Original Message -
From: "Ken Cornetet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 23, 2004 8:34 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


Outlook 2002

http://support.microsoft.com/default.aspx?scid=kb;en-us;319206&Product=ol2002

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 23, 2004 1:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] outlook / gc client discovery


Dear all, thanks all for your positive views on this issue.

first up i apologise for not chiming in the last week - been away at
customer site! - esp given it was me that opened up the item.

my further research into this seems to indicate that the GC discovery
process seems to vary across versions of Outlook - and specifically
Outlook 2003 seems to introduce new processes??

Would Ken be happy to confirm his version of Outlook - and required reg
mods to support local GC discovery with centralised Exchange servers? -

I think i have referenced the "closestGC" reg value but am not sure if
this is it

TIA

GT


- Original Message - 
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, July 19, 2004 8:25 PM
Subject: RE: [ActiveDir] outlook / gc client discovery


> Ken, that is a great response. Thanks for taking the time.
>
> I can see your logic now. :)
>
> Al
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
> Sent: Monday, July 19, 2004 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] outlook / gc client discovery
>
> Well, as you (and Joe) pointed out, a WAN link slow enough to give a
> bad user experience with name resolution will also yield poor message
> performance.
>
> Obviously, the best solution is to put an Exchange server at the
> location. Unfortunately, many of our smaller locations are simply
> unwilling to foot the bill for an Exchange server (and associated
> trappings).
>
> So, we are left with the task of making things better for the users
> without spending money. The only thing we can do for free is to make
> their DC a GC. This speeds up name resolution. We can't speed up
> messaging performance, so we simply coach the affected users to not send
> large attachments, and tell others to not send them large attachments.
> We also show users how to use Outlook in off-line mode. We were hoping
> that OL2003's cached mode would help, but it seems to add as many
> problems as it fixes (more experimentation is in the works...).
>
> Like most other things, it is a trade-off. Our AD is fairly static -
> just adding/deleting users here and there, group membership changed
> now and again. We looked at the GC replication traffic, and decided
> that it didn't look like a problem.
>
> This seems to work well for us, but obviously everyone's mileage may
> vary. I can easily see how GC replication would be a problem for large
> organizations' WANs.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Monday, July 19, 2004 1:44 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] outlook / gc client discovery
>
>
> Aside from cached mode, I think it's valuable to ask this: Is it ok
> then to have the user experience bad performance when it comes to
> message content as long as GAL resolution is good???

RE: [ActiveDir] outlook / gc client discovery

2004-08-01 Thread joe
Yep, true. Also when doing the syncing first thing in the morning you could
have quite a spike on your bandwidth utilization...

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, July 19, 2004 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Your recommendations are solid, Joe, but I would use caution with the
cached mode OL2K3.  The problem you run into is kind of a self-induced
bandwidth outage with cached mode.  What I mean by that is that you end up
downloading all of your content to the local machine vs. just the headers
and deleting them over the wire.  The end result is that you end up moving
the message across the wire fewer times when not in cached mode, but often
at the expense of user experience.  I usually view cached mode as a
"sleight-of-hand" trick to make the user feel good about themselves and make
their mailbox more usable.  The thinking being that if they didn't know it
was sent an hour ago, they won't miss it.

Should have waited to see your response before posting before.  I love a
good disagreement though and it's hard not to try and learn something from
it through asking questions.  I just flat couldn't wait ;) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 19, 2004 2:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Never feel bad about disagreeing with me or anyone. Debate is good, there
is no one that knows everything, I am positive I don't know everything. 

With a WAN link of 128k I would also expect you had to start making a
decision on whether or not you were just going to drop the Exchange Server
on the slow side of that link. Obviously it completely depends on how many
people and are there and what else they are doing across the WAN like for
instance lots of email (read tons of RPC traffic), running APPS, web
surfing, etc. 

Additionally a concern would be what OS is the GC because obviously there is
one there and what is the domain functional mode? If you have a lot of
universal groups across the forest and/or lots of domain changes unless you
are in K3 FF then considerable bandwidth could be eaten trying to maintain
the GC state to be fairly close with the main GCs. 

Additionally if you are on 2K you have to be very considerate when making
schema changes that impact the PAS as 128k could result in a bad day (or
more likely bad several days) for someone making a PAS set change. In fact,
the initial deployment to a Fortune 5 company I know of put a GC in every
site, once it was found out how Exchange really used GCs and learned how
hard a Schema Update was going to pound the environment the decision was
made to pull all of the GCs back out of the WAN sites and went from about
350-375 GCs to about 30-40. And even that made for a painful Schema update
though in great part it was due more to the indexing bugs at the time in
addition to the full sync of the GCs. At least in doing that pull back we
saw the fear go out of the eyes of the onsite MCS guys helping plan out the
schema update. 

Most likely, my recommendations to someone trying to do centralized Exchange
with WAN links at painful speeds like that unless it was only a couple of
people on the other side would be O2K3 with everything in full caching mode
or more likely, use OWA. Then depending on what is running locally and your
Uni group strategy you consider yanking the GC portion of the DC out of that
site and set the DC for ignoregcfailures. If you use Uni's for deny you
absolutely can't do this, but I can't stress enough how you shouldn't use
active Deny's at all, they are dangerous simply from the standpoint of
confusion let alone possible issues with GCs and such. Make sure people
don't get access through passive deny, i.e. never granted. Much safer and
easier to troubleshoot.


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, July 19, 2004 10:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery

Ouch, I hate to disagree with Joe, but we've "been there, done that".
While it's true that the GC traffic volume pales in comparison to the
Exchange traffic, the important metric here is not the bandwidth usage, but
rather the end user experience. Your users will notice very pokey name
resolution and GAL lookups if they are hitting a GC across a WAN. A
T1 isn't bad, but a 128K link with moderately bad latency is absolutely
painful! 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 16, 2004 4:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] outlook / gc client discovery


I like to put this most simply as

Use the GCs for the clients that the Exchange Servers are using. If you have
an Exchange Server in your local site using a local GC

RE: [ActiveDir] [OT] NTFS Read-only Status

2004-08-01 Thread joe



This one had me poking around as this would be interesting functionality. I
found one hit in the newsgroups from a Molly Brown (mollybro) saying it is
possible and a one liner in MSDN around I/O Subsystem enhancements.

"NTFS will now mount read-only on an underlying read-only volume. If the
volume requires a log restart or a Chkdsk, the mount will fail."

That would seem to mean to me that it will do it automatically if the volume
itself is somehow read only through the hardware versus failing to mount at
all.

Otherwise I looked at the obvious candidates for doing that like fsutil and
mountvol and see nothing. The root api that I am aware of is
SetVolumeMountPoint and it doesn't have a way to specify optional params like
that...

http://msdn.microsoft.com/library/default.asp?url=

Possibly there is something in the Shadow Copy API which MS is hiding from
normal people at the moment, you have to be an ISV (and under NDA) to see
them or alternatively, there might be something in the DeviceIoControl
function that could be leveraged. I will admit to not messing around in that
area at all. Might be a good question to send to Solomon or Russinovich...

  joe
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Friday, July 23, 2004 3:44 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] [OT] NTFS Read-only Status

I've tried this on other groups, and it is not A/D related. But you guys know
so much...

I want a way to mount an NTFS volume read-only. I want a magic command like
"mode e: read-only". :-)

It is clear to me (and I've found references) that this is supported with
NTFS (Windows XP and above), but I cannot figure out/find out how to set it.

Any ideas?

Thanks,
Michael


RE: [ActiveDir] Attributes terminal services path

2004-08-01 Thread Jeremy Waldrop
There is a new version of the ADModify utility here.

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/ADModify.NET.zip

It will let you set the TS properties and lots of other useful info. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, August 01, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Attributes terminal services path

Well you can... It is just that the data is a binary blob and that is
non-trivial to manipulate in LDAP especially if the format of the binary
blob isn't documented. You can however export from one user object and
reimport the same into another without a terrible lot of trouble. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, July 26, 2004 5:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Attributes terminal services path


Olivier

You can't read (or create) Terminal Services properties using CSVDE or any
LDAP based tool.  

One option is to use the TScmd free tool:

http://www.systemtools.com/free_frame.htm

Alternatively, you can try the scripting method using IADsTSUserEx, as
described here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/iadstsuserex.asp

Cheers
Tony


-- Original Message --
Wrom: DGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 26 Jul 2004 10:20:23 +0200

Hello,

I'm trying to create a csvde file to create my account in AD. Everything is
ok, but I can't find attributes for terminal service path.

How can I modify terminal service path by CSVDE ?

Thanks, 

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management, SIGMA
Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex





This communication, together with any attachments, may contain information that is 
confidential, proprietary, legally privileged or otherwise exempt from disclosure.  If 
you are not the intended recipient of this communication, you are hereby notified that 
the distribution, reading, copying or other use of this communication and any 
attachment hereto is strictly prohibited.  If you have received this in error, please 
reply immediately to the sender and delete or destroy this communication.  Thank you 
for your cooperation.


RE: [ActiveDir] Attributes terminal services path

2004-08-01 Thread joe
Well you can... It is just that the data is a binary blob and that is
non-trivial to manipulate in LDAP especially if the format of the binary
blob isn't documented. You can however export from one user object and
reimport the same into another without a terrible lot of trouble. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, July 26, 2004 5:09 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Attributes terminal services path


Olivier

You can't read (or create) Terminal Services properties using CSVDE or any
LDAP based tool.  

One option is to use the TScmd free tool:

http://www.systemtools.com/free_frame.htm

Alternatively, you can try the scripting method using IADsTSUserEx, as
described here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/iadstsuserex.asp

Cheers
Tony


-- Original Message --
Wrom: DGVCJVTLBXFGGMEPYOQKEDOTWFAOBUZXU
Reply-To: [EMAIL PROTECTED]
Date:  Mon, 26 Jul 2004 10:20:23 +0200

Hello,

I'm trying to create a csvde file to create my account in AD. Everything is
ok, but I can't find attributes for terminal service path.

How can I modify terminal service path by CSVDE ?

Thanks, 

Olivier BATARD, Systems Technician - Ext. 1655, Internal Management, SIGMA
Informatique http://www.sigma.fr
3 rue Newton, BP 4127, 44241 La Chapelle sur Erdre Cedex




RE: [ActiveDir] group structure -universal groups

2004-08-01 Thread joe
I'm late but I agree with Guido and Tony here... If using Exchange, place
the users directly in the UG. It will make sure your expansion is done
correctly and it gets away from the whole nest this in that and then this
scenario. If you aren't using Exchange, try to stay away from Uni groups,
usually aren't necessary... 

  joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 27, 2004 7:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] group structure -universal groups

yes, for DLs this would definitely be an issue - in a multi-domain forest be
sure only to use UGs as DLs... (and DON'T nest GGs into the
UGs).   In a single domain forest it doesn't matter.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, July 27, 2004 11:48 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] group structure -universal groups

Daniel

Well, one option would be to simply skip the Global Group part and add your
accounts directly to the UG.  

A problem with UGs in Windows 2000 AD was that they potentially created a
lot of replication traffic between GCs.  Any change to a UG membership would
result in the whole membership being replicated.  Windows 2003 AD offers
Linked Value Replication (LVR), which allows individual group membership
changes to be replicated, rather than the whole attribute.
This is clearly much more efficient and removes this limitation on the use
of UGs.

In any case, wouldn't having Global Groups nested in UGs cause a problem for
Distribution Groups expansion?  For example, how would a GC from DomainA
manage to successfully expand a distribution group that contains Global
Groups from DomainB?  

Tony

From: Cariglia, Daniel [mailto:[EMAIL PROTECTED]
Sent: Monday, 26 July 2004 22:08
To: [EMAIL PROTECTED]
Subject: [ActiveDir] group structure -universal groups


Hello,
 
I have a question regarding group structure and administration of such.  We
run a multi-domain AD environment with basically an empty root domain and 2
child domains where the users live.  The problem is if we structure groups
the way it is recommended (accounts into Global groups which are then placed
into Universal Groups which are then placed into Domain Local groups in the
domain where the resource lives and permissions applied using the Domain
local group).
The problem is we prefer our distribution lists (universal groups) to be
managed/administered by the users/owner of the list.   All distribution lists
are composed of individual users presently (came from an NT 4 domain) and if
we follow the recommended group practices we will nest the Global group(s)
from both domains inside the Universal groups and remove the individual users
presently in them and effectively they will have the same members, but when
the owners try to modify the members through their Outlook client they will
only see the Global group(s) and not the members of the group who will
receive the messages sent to the distribution list.
Is there a better way to administer permissions in a multi domain Active
Directory environment or do we set every owner of a distribution list up
with rights and a tool to manage the global groups effectively adding these
users to the Universal groups by nesting the global groups?   Any feedback
is appreciated, thank you.
 
 


 







RE: [ActiveDir] NTP server

2004-08-01 Thread joe
I was also thinking this was a familiar conversation... Thanks for that
Bob...

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Friday, July 23, 2004 2:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTP server

déjà vu

-Original Message-
From: Free, Bob
Sent: Friday, February 13, 2004 11:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] NTP

Rimmerman, Russ  wrote:
> What's everyone syncing all their clocks up with? 

We have our own enterprise NTP servers, the forest root DCs synch to them.
Everything else in AD is in NT5DS mode and time flows down the domain
hierarchy. The [gag] remaining NT boxes, have W32time pointed to the AD DC's
and get time via SNTP.

> Do Win2k AD domain controllers automatically respond to SNTP requests?


Not sure exactly what you mean-

A] Yes they will serve time to a SNTP client, but, you don't want any SNTP
clients in your forest, they should all be in NT5DS mode. You want the time
to flow down the tree.

B] You can use ntpdate on a *NIX box or the W32 port of ntpdate to get a
quick picture of how everything is peering up in the forest, what stratum
the machines are in and how accurately they are keeping time.
W32Time won't answer all NTP requests but the ones in the SNTP spec work.

> We are currently
> running a firewall that acts as a NTP server for all our internal PCs 
> (Symantec Enterprise FW) and we're looking at switching to a NetScreen 
> firewall which does not.  We're trying to figure out where we should 
> redirect all our time requests to.  How are you doing it?

Where do your routers get their time? Cisco routers have very accurate
clocks according to our NTP guru (he's very fussy and wants the Stratum
1 machines within a few ms of each other). A lot of people just synch their
DC to a core router that's synched to something like USNO, or if running DNS
on *NIX, they run NTP on the DNS boxes. Some people in simpler networks
just punch a hole for UDP 123 to their forest root PDCe and synch it
directly to the internet sources like USNO.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, July 22, 2004 5:24 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] NTP server


Where does everyone have their NTP services come from?  We are getting rid
of our current firewall which has NTP on it and everything is pointed to it
for NTP services.  Our new firewall won't have NTP built in, so we are going
to have to set up an internal NTP server for all our internal hosts to sync
to.  Do we put it in the DMZ or the internal network?  Or  does it matter?
Do we just install NTP on an existing Win2k server in our DMZ?  What is
everyone else doing for NTP?

Thanks


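Bob's suggestion above is to use ntpdate to get a quick picture of how the forest is peering up. As an added example (not from the thread, and not part of W32Time or ntpdate), the Python probe below sends the kind of SNTP request W32Time answers and decodes the reply: stratum, reference ID, clock offset and round-trip delay. build_reply() only fabricates a sample packet so the decoder can be exercised offline; the host names and thresholds are assumptions.

```python
"""Minimal SNTP probe for auditing the forest time hierarchy.

Added example, not from the list thread. Sends an SNTP v4 client request
on UDP 123 and decodes the reply (RFC 4330 48-byte header) so you can see
what stratum each DC claims, what it chains to, and how far its clock is
from yours. build_reply() fabricates a server reply for offline testing.
"""
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 to 1970-01-01
_HDR = "!BBbb11I"               # flags, stratum, poll, precision, 11 x uint32


def ntp_to_unix(seconds, fraction):
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def unix_to_ntp(ts):
    whole = int(ts)
    return whole + NTP_EPOCH_OFFSET, int((ts - whole) * 2**32)


def build_request(t1):
    """Client packet: LI=0, VN=4, Mode=3 (0x23). The transmit timestamp is
    echoed back by the server as the originate timestamp."""
    secs, frac = unix_to_ntp(t1)
    return struct.pack(_HDR, 0x23, 0, 0, 0, *([0] * 9), secs, frac)


def build_reply(stratum, ref_id, t1, t2, t3):
    """Constructed server reply (LI=0, VN=4, Mode=4) for offline testing:
    root delay/dispersion and reference timestamp are left at zero."""
    return struct.pack(_HDR, 0x24, stratum, 0, 0, 0, 0, ref_id, 0, 0,
                       *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))


def decode_ref_id(stratum, ref_id):
    """Stratum 0/1 carry a 4-char ASCII code (clock type, or a kiss-o'-death
    code such as RATE); stratum 2+ carry the IPv4 address of the upstream."""
    raw = ref_id.to_bytes(4, "big")
    if stratum <= 1:
        return raw.decode("ascii", "replace").rstrip("\x00 ")
    return ".".join(str(b) for b in raw)


def parse_reply(data, t1, t4):
    """Decode a reply; t1/t4 are the local send/receive times (Unix seconds)."""
    if len(data) < 48:
        raise ValueError("short SNTP reply")
    f = struct.unpack(_HDR, data[:48])
    li, version, mode, stratum = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7, f[1]
    t2 = ntp_to_unix(f[11], f[12])   # server receive timestamp
    t3 = ntp_to_unix(f[13], f[14])   # server transmit timestamp
    return {
        "leap": li, "version": version, "mode": mode, "stratum": stratum,
        "ref_id": decode_ref_id(stratum, f[6]),
        "offset": ((t2 - t1) + (t3 - t4)) / 2,   # RFC 4330 clock offset
        "delay": (t4 - t1) - (t3 - t2),          # round-trip delay
    }


def assess(reply, max_offset=1.0):
    """Flag what matters when checking how a box is peering (threshold assumed)."""
    findings = []
    if reply["mode"] != 4:
        findings.append(f"mode {reply['mode']} is not a server reply")
    if reply["leap"] == 3 or reply["stratum"] == 0 or reply["stratum"] >= 16:
        findings.append("server reports its clock is unsynchronized")
    if abs(reply["offset"]) > max_offset:
        findings.append(f"offset {reply['offset']:+.3f}s exceeds {max_offset}s")
    return findings


def probe(host, timeout=2.0):
    """Live query on UDP 123; returns the decoded reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, 123))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_reply(data, t1, t4)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:   # e.g. each DC, then the forest root PDCe
        r = probe(host)
        print(host, "stratum", r["stratum"], "ref", r["ref_id"],
              f"offset {r['offset']:+.3f}s", assess(r) or "ok")
```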

RE: [ActiveDir] cannot login into win2k server bec of domain controller problem

2004-08-01 Thread joe
Sounds like you have lost your DB, it is either rebuild or try the
unsupported reg hack of ProductOptions\ProductType. This has been
discussed in a couple of posts recently.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lara Adianto
Sent: Wednesday, July 28, 2004 6:23 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] cannot login into win2k server bec of domain controller
problem

Hi,

I had this famous AD problem in my win2k server:

LSASS.EXE - System Error, security accounts manager initialization failed
because of the following error:
Directory Service cannot start. Error status 0xc2e1.
Please click OK to shutdown this system and reboot into directory services
restore mode, check the event log for more detailed information.

And as you can guess, I couldn't get into the win2k server's normal mode.
There are quite a number of sources on the net suggesting various ways to
get the server.
I've tried the following links:
- http://www.jsiinc.com/SUBF/Tip2500/rh2599.htm
- http://support.microsoft.com/default.aspx?kbid=258062
- http://www.experts-exchange.com/Operating_Systems/Win2000/Q_20809496.html

But none of them worked for me. I've even tried doing a lossy repair of AD
dbase using esentutl.
But I still couldn't get into normal mode.
Dcpromo surely doesn't work in directory service restore mode.

What should I do? I don't have a backup unfortunately. It was a test
machine, so I didn't have a thought at all to make backup (I should have
done it..sigh)
This is not the first time I had this problem. I had the same problem a few
months ago, and I had to reinstall the win2k server...
It's the last option that I want to do now...

I wonder as well what caused this problem...
As far as I can remember, I did a configuration using ksetup (for cross
realm auth)...and so did I a few months ago before it failed.
Could ksetup cause the corruption? Can I do ksetup in win2k server actually?

Please help
lara

=

Life, you see, is never as good nor as bad as one thinks
- Guy de Maupassant -







RE: [ActiveDir] OT: NAS and WSS

2004-08-01 Thread joe
Amen. The NAS solutions I have seen have been nothing but a pain in the
butt. They end up trying to emulate or you end up adding with additional
machines all of the functionality you are used to getting out of a basic
file server and it becomes more complex to deal with and probably more
expensive than simply spinning up the file server with a lot of disk in the
first place. Disk is getting cheaper and cheaper and you can buy some
awfully big disks that go into a server now.  

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, July 28, 2004 9:19 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT: NAS and WSS

 
Personally, I have yet to see the value of a NAS device in many
organizations.  It's supposed to be cheap space for those low performance
applications such as file and print.  I can solve that so much more easily,
cheaply, and more completely without NAS.  If you need to provision TB of
data that is relatively static and doesn't have reliability concerns, NAS is
a cheaper way to provision it vs. SAN but compared to straight OS, it's
often cheaper and easier to use the straight OS out of the box since you'll
inevitably want some auditing solution (sarbox?) that NAS is going to have
more issues with. WSS may have solved this, but it's something to check.

Al




RE: [ActiveDir] Exchange and AD E-mails

2004-08-01 Thread joe



What is the error you get when trying to move the mailboxes 
into the old store? Can you move mailboxes out of that 
store?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Sunday, August 01, 2004 3:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails

No error logs on the exchange server, and yes the NDR is that the mailbox
doesn't exist.
I created another mailbox store on the same server and I can create mailboxes
there and send and receive mail.
Although I am unable to move mailboxes between the mail stores.

 
thanks 

 
Mike 


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sunday, August 01, 2004 9:40 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  Scary, the AD object seems ok, the only thing that sort of sticks out is in
  your textEncodedORAddress and proxyAddresses and that is:

  >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;

  where the Rendition Networks is chopped off. I would simply verify that is
  the same on your other mailbox enabled objects. I haven't had an Org that
  long of a name that I have seen before so possibly they chop it on purpose.
  Anyone else see something like that?

  Do you have errors in your exchange logs?

  What is the NDR that you are getting? Mailbox doesn't exist?

    joe

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
  Sent: Friday, July 30, 2004 5:04 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  Yes I mean mailbox enabled (My bad)
  I cannot send mail to the account and the mailbox does not show up in ESM.
  Although when I delete the account it has a mailbox associated with it.

  I have run a rebuild of the RUS.

  Here is the Dump:
   
  dn:CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
  >homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >cn: 1234
  >displayName: 1234
  >mail: [EMAIL PROTECTED]
  >givenName: 1234
  >instanceType: 4
  >legacyExchangeDN: /o=Rendition Networks/ou=First Administrative Group/cn=Recipients/cn=1234
  >distinguishedName: CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
  >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=renditionnetworks,DC=com
  >objectClass: top
  >objectClass: person
  >objectClass: organizationalPerson
  >objectClass: user
  >objectGUID: {2B7934AB-63B3-4976-88BE-EF5FE99E9DAB}
  >objectSid: S-1-5-21-2068531175-665650586-2065370986-1723
  >primaryGroupID: 513
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >proxyAddresses: SMTP:[EMAIL PROTECTED]
  >name: 1234
  >sAMAccountName: 1234
  >sAMAccountType: 805306368
  >showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >userAccountControl: 512
  >userPrincipalName: [EMAIL PROTECTED]
  >uSNChanged: 2567831
  >uSNCreated: 2567823
  >whenChanged: 20040730203736.0Z
  >whenCreated: 20040730203626.0Z
  >homeMTA: CN=Microsoft MTA,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >msExchHomeServerName: /o=Rendition Networks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=AUSTIN
  >msExchMailboxGuid: {B695A373-868A-4C2D-BE9E-54DA145A7F7C}
  >msExchMailboxSecurityDescriptor: {Security Descriptor}
  >mailNickname: 1234
  >mDBUseDefaults: TRUE
  >msExchUserAccountControl: 0
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, July 30, 2004 10:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  My first question is probably not needed but I want to clear the
  terminology...

  When you say mail enabled do you really mean mailbox enabled? Mail enabled
  means the user object has an external (to Exchange) email address sort of
  like a contact. A mailbox enabled

RE: [ActiveDir] Is it possible ? deny domain admins create new user permission

2004-08-01 Thread joe
Anyone in Domain Admins can undo anything you do. Better to 
find a different way. Mark seems to have given a good recommendation. 

 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sanz de León, Juan Carlos
Sent: Thursday, July 29, 2004 7:15 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Is it possible ? deny domain admins create new user permission


Dear Gurus,
We are currently working on a project where we need to deny domain
administrators the permission to "create new users" (and assign it to some
other group). Is this technically possible? Has anyone actually done it before?
Thanks in advance for your help,
Juan Carlos Sanz


 


RE: [ActiveDir] [OT] CLI CreateMailBox/MailEnable/Clear Exch Attr Tool

2004-08-01 Thread joe
Well now you personally can!

I have written and published to the joeware site the tool called ExchMbx.
This tool will:

Mailbox Enable existing users - create mailbox.

MailEnable existing users, contacts, groups - sorry, won't do query based
groups yet, later versions will. It would, had MS actually used CDOEXM for
mail enabling the groups, but they seem to have forgotten about scripters and
programmers yet again... So a later version of ExchMbx will try to avoid
CDOEXM and do everything via straight LDAP, which means I have to work out
the legacyExchangeDN uniqueness stuff. Not sure if it is possible to
completely avoid cdoexm though, have to look closely at moving mailboxes...

Move mailboxes - yes command line move mailbox!

Clear Exchange attribs - basically delete mailboxes, maildisable objects.

It is similar to admod in that you can pipe in the list of DN's from another
program, so say you want to create mailboxes on Server5, Storage Group SG2,
Mail Store DB3 for the first 100 users in the OU called newusers (and any
subou's) who don't already have mailboxes:

adfind -b ou=newusers,ou=mail,dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(!(homemdb=*))" -dsq | exchmbx -upto 100 -cr server5:sg2:db3 -cont

or say you want to move the mailboxes of all users with samaccountname
starting with W to Server2, SG4, DB1...

adfind -b ou=mail,dc=domain,dc=com -f "&(objectcategory=person)(objectclass=user)(samaccountname=w*)(!(homemdb=*))" -dsq | exchmbx -move server2:sg4:db1 -cont -unsafe

Or you want to delete all mailboxes of all users and maildisable all of the
objects in the OldUsers OU:

adfind -b ou=newusers,ou=mail,dc=domain,dc=com -f "(objectclass=*)" -s one -dsq | exchmbx -clear -unsafe

Or if you just want to mail enable one contact but with text w/ uuencoding
formatted email...

exchmbx -b cn=somecontact,ou=contacts,ou=mail,dc=domain,dc=com -me [EMAIL PROTECTED] -internetencoding 2228224

Download it from the free win32 tools page of www.joeware.net...

As usual, anyone finds issues with it or has suggestions, fire them my way. I
whipped this up really quick because I was writing something about Exchange
and how to do things and I never could say what I considered good things for
command line options.

   joe

Here is the usage screen:
 
[Sun 08/01/2004 14:11:19.48]F:\DEV\WebSites\Joeware\Current\win32\zips>exchmbx

ExchMbx V01.00.00cpp Joe Richards ([EMAIL PROTECTED]) August 2004

Usage: ExchMbx [switches]

  Switches: (designated by - or /)
   -h host    Host to use, use default LDAP server
   -b basedn  DN to do the work on. If basedn is not specified
              the program will read from stdin anything piped to it
              or if you want you can type the DNs there followed by
              a ctrl-z to terminate the pipe.
   -elapsed   Display elapsed time in seconds
   -cr MDB    Create Mailbox in MDB  - See Format Below for that value
   -move MDB  Move Mailbox to MDB  - See Format Below for that value
   -me x      MailEnable object. If necessary x is targetaddress.
   -clear     Clear all email attribs.
   -safety x  How many objects before safety kicks in. Default 10
   -delim x   X specifies delimiter for MDB format. Default :
   -fdelim x  X specified delimiter for file format. Default [TAB]
   -unsafe    Don't have a safety, modify objects no matter how many.
   -upto x    Process DNs until x successes have occurred.
   -cont      Continue with objects even if errors.
   -internetencoding   This is the encoding type for mailenabled objects.

  MDB format
   Format:  (HomeMDBURL|Server:Storage Group:DataBase)

    This value can be specified either as a complete HomeMDB URL value
    or if you don't know it or don't want to look it up you can specify
    the server, storage group, and data base and the tool will look up
    the proper HomeMDB URL for you.

  Internet Encoding Format
    Mail enabled objects can either follow the Internet Mail Service
    settings for how mail is encoded for transfer out of the Exchange
    system or you can specify specific values. This switch lets you
    change that setting. The default value written to the mail enabled
    objects is 1310720 which is 'Use Internet Mail Service' settings.
    See KB281740 for more info on the settings, here are some alternate
    values at the time of this writing:
       393216 MIME with Plain Text
       917504 MIME with HTML
      1441792 MIME with Plain Text & HTML
      2228224 Plain Text / uuencode
       131072 Plain Text / uuencode with Binhex

  Notes:
    This tool could be considered dangerous, it can quickly make some
    serious changes to your directory and really mess up email.
    I take no responsibility for you dorking up your email system.
    The safety option will bail the whole operation if there
    are more objects to

RE: [ActiveDir] Exchange and AD E-mails

2004-08-01 Thread Mike Hogenauer



No error logs on the exchange server, and yes the NDR is that the mailbox
doesn't exist.
I created another mailbox store on the same server and I can create mailboxes
there and send and receive mail.
Although I am unable to move mailboxes between the mail stores.

thanks

Mike


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Sunday, August 01, 2004 9:40 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  Scary, the AD object seems ok, the only thing that sort of sticks out is in
  your textEncodedORAddress and proxyAddresses and that is:

  >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;

  where the Rendition Networks is chopped off. I would simply verify that is
  the same on your other mailbox enabled objects. I haven't had an Org that
  long of a name that I have seen before so possibly they chop it on purpose.
  Anyone else see something like that?

  Do you have errors in your exchange logs?

  What is the NDR that you are getting? Mailbox doesn't exist?

    joe

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
  Sent: Friday, July 30, 2004 5:04 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  Yes I mean mailbox enabled (My bad)
  I cannot send mail to the account and the mailbox does not show up in ESM.
  Although when I delete the account it has a mailbox associated with it.

  I have run a rebuild of the RUS.

  Here is the Dump:
   
  dn:CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
  >homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >cn: 1234
  >displayName: 1234
  >mail: [EMAIL PROTECTED]
  >givenName: 1234
  >instanceType: 4
  >legacyExchangeDN: /o=Rendition Networks/ou=First Administrative Group/cn=Recipients/cn=1234
  >distinguishedName: CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
  >objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=renditionnetworks,DC=com
  >objectClass: top
  >objectClass: person
  >objectClass: organizationalPerson
  >objectClass: user
  >objectGUID: {2B7934AB-63B3-4976-88BE-EF5FE99E9DAB}
  >objectSid: S-1-5-21-2068531175-665650586-2065370986-1723
  >primaryGroupID: 513
  >proxyAddresses: smtp:[EMAIL PROTECTED]
  >proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >proxyAddresses: SMTP:[EMAIL PROTECTED]
  >name: 1234
  >sAMAccountName: 1234
  >sAMAccountType: 805306368
  >showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
  >userAccountControl: 512
  >userPrincipalName: [EMAIL PROTECTED]
  >uSNChanged: 2567831
  >uSNCreated: 2567823
  >whenChanged: 20040730203736.0Z
  >whenCreated: 20040730203626.0Z
  >homeMTA: CN=Microsoft MTA,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
  >msExchHomeServerName: /o=Rendition Networks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=AUSTIN
  >msExchMailboxGuid: {B695A373-868A-4C2D-BE9E-54DA145A7F7C}
  >msExchMailboxSecurityDescriptor: {Security Descriptor}
  >mailNickname: 1234
  >mDBUseDefaults: TRUE
  >msExchUserAccountControl: 0
   
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, July 30, 2004 10:25 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Exchange and AD E-mails

  My first question is probably not needed but I want to clear the
  terminology...

  When you say mail enabled do you really mean mailbox enabled? Mail enabled
  means the user object has an external (to Exchange) email address sort of
  like a contact. A mailbox enabled user is a user with a mailbox in the
  forest's Exchange Org.

  If the ID is truly mailbox enabled, can you send email to it? Do you get an
  NDR or does it appear to get delivered? When you look at the store through
  the ESM do you see the mailbox?

  A dump of the user object would be nice as

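As an added example (not something posted in the thread), the Python below parses an adfind-style dump like the one above and runs the consistency checks joe and Tony discuss: exactly one primary SMTP: address that matches mail, the X400: proxy agreeing with textEncodedORAddress, the PRMD (p=) component within the 16-character limit Tony mentions later in the thread, and the mailbox attributes (homeMDB, legacyExchangeDN, mailNickname) present. The embedded dump is constructed, with the redacted addresses replaced by example.com placeholders.

```python
"""Consistency checks over an AD user dump like the one posted in the thread.

Added example, not part of the original posts. parse_dump() reads the
'>attr: value' format adfind prints; check_mailbox_user() then applies the
checks discussed in the thread. SAMPLE_DUMP is constructed (addresses are
example.com placeholders, most attributes omitted), not the poster's data.
"""

PRMD_MAX = 16   # X.400 PRMD length limit quoted in the thread

SAMPLE_DUMP = """\
dn:CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
>homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
>mail: 1234@example.com
>legacyExchangeDN: /o=Rendition Networks/ou=First Administrative Group/cn=Recipients/cn=1234
>proxyAddresses: smtp:1234@mail.example.com
>proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
>proxyAddresses: SMTP:1234@example.com
>textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
>mailNickname: 1234
"""


def parse_dump(text):
    """Parse adfind-style output into {attr: [values]}; multi-valued
    attributes (proxyAddresses) repeat, and the dn line has no '>' prefix."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(">"):
            line = line[1:]
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def parse_x400(value):
    """'c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;' -> {'c': 'us', ...}.
    Values are not stripped: the ADMD 'a= ' (single space) is a legitimate
    placeholder, not junk."""
    parts = {}
    for field in value.rstrip(";").split(";"):
        key, sep, val = field.partition("=")
        if sep:
            parts[key.strip().lower()] = val
    return parts


def check_mailbox_user(attrs):
    """Return a list of findings (empty means the object looks consistent)."""
    findings = []
    proxies = attrs.get("proxyAddresses", [])

    # Exactly one primary SMTP address (uppercase prefix), matching mail.
    primary = [p[5:] for p in proxies if p.startswith("SMTP:")]
    if len(primary) != 1:
        findings.append(f"expected exactly one primary SMTP: address, found {len(primary)}")
    mail = attrs.get("mail", [""])[0]
    if primary and mail.lower() != primary[0].lower():
        findings.append(f"mail ({mail}) does not match primary SMTP ({primary[0]})")

    # Attributes a mailbox-enabled (not merely mail-enabled) user carries.
    for attr in ("homeMDB", "legacyExchangeDN", "mailNickname"):
        if not attrs.get(attr):
            findings.append(f"{attr} missing; object is not fully mailbox-enabled")

    # X.400: proxy and textEncodedORAddress agree, and the O/R name is well formed.
    x400 = [p[5:] for p in proxies if p.upper().startswith("X400:")]
    text_or = attrs.get("textEncodedORAddress", [])
    if x400 and text_or and x400[0] != text_or[0]:
        findings.append("X400 proxy address differs from textEncodedORAddress")
    for addr in dict.fromkeys(x400 + text_or):   # unique, order preserved
        parts = parse_x400(addr)
        prmd = parts.get("p", "")
        if len(prmd) > PRMD_MAX:
            findings.append(f"PRMD '{prmd}' exceeds {PRMD_MAX} characters")
        for key in ("c", "a", "p", "o", "s"):
            if key not in parts:
                findings.append(f"X.400 address lacks {key}= component: {addr}")
    return findings


if __name__ == "__main__":
    # Run over the constructed sample; pipe real adfind output via stdin instead.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for f in check_mailbox_user(parse_dump(text)) or ["ok"]:
        print(f)
```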
RE: [ActiveDir] AD replication from 5.5 using ADC

2004-08-01 Thread joe
Nope it doesn't do another mod. 

Your question about why it needs those perms is a good one. I made the same
gripes to MS about the requirements for the ADC install process.
Unfortunately it doesn't try to make the changes it needs to make, it just
looks at the groups it is in and if it isn't god it assumes it can't make
the changes in the config container it needs to make. I figure if enough
people chew out the Exchange Dev guys eventually they will get the picture. 

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Sunday, August 01, 2004 2:53 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD replication from 5.5 using ADC 

Dear all, thanks for the post replies on this one.

am still a little nervous about this!!!

on a different (but still related to ADC) tack, is anyone able to confirm
whether the ADC modifies the schema a second time if the schema has already
been modified using the setup /forestprep

i suspect that it does not but then why does the process of ADC installation
require such a highly privileged account as one belonging to enterprise??

GT


- Original Message -
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 6:01 PM
Subject: RE: [ActiveDir] AD replication from 5.5 using ADC


> A small correction... That KB article is actually 269843. Not sure why I
> remembered that one off hand except that I was deathly afraid when we kicked
> in the ADC that this would happen and our DNs would change for all of our
> exchange enabled users which would have been a HUGE disaster for us. While
> it isn't the best practice, you can't stop it in a large company, many
> people working on LDAP apps would hard code specific DNs or do searches on
> the cn or name and this would have wiped out every one of those apps.
>
> The actual link to the KB is
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;269843
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, July 30, 2004 1:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
> The process for modifying the CAs is the same for E2k3.  In our 5.5 to 2K3
> migration we had a bunch of undesirable special characters and group
> identifiers in the 5.5 display that the ADC would replicate to the AD cn and
> name fields.  Following MSKB 269834 stopped the 5.5 display name from
> overwriting cn and name, and replicated the 5.5 displayname only to the AD
> displayname.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, July 30, 2004 11:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD replication from 5.5 using ADC
>
> Al, the document i reference is titled "Understanding and Deploying Exchange
> 2000 Active Directory Connector" - sourced from the given URL
>
> I am aware that this is for Ex2k ADC - but can find no similar document for
> Ex2k3 ! so i have taken assumption this is not too far off !??
>
> you are perhaps right on "my expectation" - my initial view has been to
> replicate data only from the 5.5 where it is required  - by implication the
> AD is the authoritative data source
>
> this is the rationale behind my endeavour to understand how to manage, prior
> to what will likely be a big hit, the data that is brought into the
> directory from 5.5
>
> GT
>
>
>
> - Original Message -
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 30, 2004 4:09 PM
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
>
> > Graham, it sounds like you have different expectations of what the ADC does
> > for you. In the scenario you speak of, ADC is considering 5.5 to be
> > authoritative for several fields. If you have multiple sites (5.5 or Active
> > Directory) I suggest you get this worked out in some way to maintain
> > consistency both before as well as after you join the directories.
> >
> > On that note, since this is a directory join question, I think it's on topic
> > for this forum.
> >
> > If this is not something you want to have happen, you can modify the
> > behavior for several of the attributes but I was under the impression
> > that modifying the flags you mention is not the way it's done in 2003.
> > Just can't remember where I saw that at the moment. :)  I'll look if
> > it's applicable to your situation, but it's likely one of the docs on
> > http://www.microsoft.com/exchange/library
> >
> >
> > Finally, what document are you referencing so we can all see the same
> > information.  If it needs to be fixed, then we should submit that for
> > fixing.
> >
> > Al
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Friday, July 30, 2004 10:04 AM
> > To: [EMAIL PROTECTED]
> > Sub

Re: [ActiveDir] AD replication from 5.5 using ADC

2004-08-01 Thread Graham Turner
Dear all, thanks for the post replies on this one.

am still a little nervous about this!!!

on a different (but still related to ADC) tack, is anyone able to confirm
whether the ADC modifies the schema a second time if the schema has already
been modified using the setup /forestprep

i suspect that it does not but then why does the process of ADC installation
require such a highly privileged account as one belonging to enterprise??

GT


- Original Message - 
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 01, 2004 6:01 PM
Subject: RE: [ActiveDir] AD replication from 5.5 using ADC


> A small correction... That KB article is actually 269843. Not sure why I
> remembered that one off hand except that I was deathly afraid when we kicked
> in the ADC that this would happen and our DNs would change for all of our
> exchange enabled users which would have been a HUGE disaster for us. While
> it isn't the best practice, you can't stop it in a large company, many
> people working on LDAP apps would hard code specific DNs or do searches on
> the cn or name and this would have wiped out every one of those apps.
>
> The actual link to the KB is
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;269843
>
>
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, July 30, 2004 1:55 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
> The process for modifying the CAs is the same for E2k3.  In our 5.5 to 2K3
> migration we had a bunch of undesirable special characters and group
> identifiers in the 5.5 display that the ADC would replicate to the AD cn and
> name fields.  Following MSKB 269834 stopped the 5.5 display name from
> overwriting cn and name, and replicated the 5.5 displayname only to the AD
> displayname.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, July 30, 2004 11:41 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] AD replication from 5.5 using ADC
>
> Al, the document i reference is titled "Understanding and Deploying Exchange
> 2000 Active Directory Connector" - sourced from the given URL
>
> I am aware that this is for Ex2k ADC - but can find no similar document for
> Ex2k3 ! so i have taken assumption this is not too far off !??
>
> you are perhaps right on "my expectation" - my initial view has been to
> replicate data only from the 5.5 where it is required  - by implication the
> AD is the authoritative data source
>
> this is the rationale behind my endeavour to understand how to manage, prior
> to what will likely be a big hit, the data that is brought into the
> directory from 5.5
>
> GT
>
>
>
> - Original Message -
> From: "Mulnick, Al" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Friday, July 30, 2004 4:09 PM
> Subject: RE: [ActiveDir] AD replication from 5.5 using ADC
>
>
> > Graham, it sounds like you have different expectations of what the ADC does
> > for you. In the scenario you speak of, ADC is considering 5.5 to be
> > authoritative for several fields. If you have multiple sites (5.5 or Active
> > Directory) I suggest you get this worked out in some way to maintain
> > consistency both before as well as after you join the directories.
> >
> > On that note, since this is a directory join question, I think it's on topic
> > for this forum.
> >
> > If this is not something you want to have happen, you can modify the
> > behavior for several of the attributes but I was under the impression
> > that modifying the flags you mention is not the way it's done in 2003.
> > Just can't remember where I saw that at the moment. :)  I'll look if
> > it's applicable to your situation, but it's likely one of the docs on
> > http://www.microsoft.com/exchange/library
> >
> >
> > Finally, what document are you referencing so we can all see the same
> > information.  If it needs to be fixed, then we should submit that for
> > fixing.
> >
> > Al
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> > Sent: Friday, July 30, 2004 10:04 AM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] AD replication from 5.5 using ADC
> >
> > hopefully once again i am not charged with going too O/T with this
> > one,
> but
> > was looking to get a bit of further information on the potential
> > impact of
> a
> > replication from an exchange 5.5 server to a win2k AD
> >
> > it seems there is potential for the change of attributes already in
> > the AD if there is different data in the 5.5 directory.
> >
> > the most obvious of these seems to be the "display name" given its
> > prevalence in most directories, and likelihood (this is true in this
> specfic
> > case) of different convention being used between the directories;
> >
> > in 5.5 we have surname ^ firstname , whilst on 

RE: [ActiveDir] Exchange and AD E-mails

2004-08-01 Thread Tony Murray



The PRMD field is limited to a maximum of 16 
characters.  My guess is that in this case the value was derived 
automatically from the Exchange organization name.  Shouldn't be a problem, 
even with the space.  It just doesn't look pretty, which is something you 
can generally say about X.400 O/R names.
 
Tony



[ActiveDir] GC / dns registration

2004-08-01 Thread Graham Turner
Am reviewing the procedures for forest recovery from the MS paper titled
"Windows 2000 forest recovery".

It does document an issue of DNS registration by child domain controllers of
records on a DNS server in the root domain.

Could anyone explain further the requirement for GC with respect to DNS
registration?

Thanks

GT

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Extend AD

2004-08-01 Thread joe



You should probably take a peek at
 
http://msdn.microsoft.com/library/default.asp?url="">
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Friday, July 30, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extend AD

Win 2003/exchange 2003

I need to add the employee ID to the ADUC screens. Here is what I have done:
I have enabled the employeeID through the schema manager. I am connected to
the schema manager server. I have checked the "Allow this attribute to be
shown in advanced view." It is not visible in ADUC when I view advanced.

What else am I missing?

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]


RE: [ActiveDir] urgent help needed

2004-08-01 Thread joe
I just reread this... I'm surprised Dean or ~Eric didn't respond to this. I
blew the value of producttype for an AD server, it is actually LanmanNT, not
WinNT. WinNT is what clients have set. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 30, 2004 11:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Are you sure the DIT file is gone? If so and you have no systemstate backups
and you don't have any other DCs for that domain your only choice is a
forced demotion of the DC. See the following KB

http://support.microsoft.com/default.aspx?kbid=332199


If I recall though you can't do that from single user mode so you will have
to do the following unsupported hack:

Go to the following registry value:

hklm\system\currentcontrolset\control\productoptions\producttype 

Change it from WinNT to ServerNT


After you do this, you will want to promote the DC into a fake domain and
demote it again so that it reconfigures everything properly on the machine. 


It is possible to create an empty DIT file but it will do nothing for you.
There is a huge difference between an empty DIT file and a properly built
DIT file with no user defined objects. The former is easy, the latter is
not. You have to repromote the DC to get it.


I will step up on the podium for a second...

1. Always have multiple DCs. 
2. If you can't follow number 1, have a systemstate backup that you know is
good and still always have multiple DCs.


I am wondering why you are so worried about rebuilding the DC, my guess is
that you have some other app or apps loaded. It really isn't good security
(or any security at all honestly) to run DCs as app servers. There are a
couple of infrastructure services that are generally ok to run, but as a
whole, don't run apps on DCs. 


  joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Dennis, I appreciate your help, but the solutions that are suggested in
the link you gave me won't work...the last suggestion was to reinstall the
operating system, which I am trying not to do...

Does anybody have any idea how to solve my problem?

When I try to boot in normal mode there is an error message saying the
directory service can't be started...then, when I check the integrity of the
files with ntdsutil some errors occur, the last one being
"E:\winnt\ntds\ntds.dit file does not exist"...

it must be possible to create a new empty ntds.dit file...or any other
solution!!

Thank you
Alicia


-Original Message-
From: Depp, Dennis M. [mailto:[EMAIL PROTECTED]
Sent: Friday, 30 July 2004 11:37
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed


Alicia,

Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;265089,
scenario 2.

Dennis   

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Friday, July 30, 2004 10:20 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] urgent help needed
Importance: High

Hello,

I am having trouble with active directory...the database file ntds.dit was
erased because of a power failure we had some days ago. The active directory
was working perfectly until that day, and now windows 2000 won't start. The
only way we have to access the machine is through DS restore mode.

We can't uninstall AD because we are not on normal mode...and we don't
have a back up for that file.

Is there any way I can create a new empty database to start over? or is
there a way to eliminate AD from the server without having to format the
drive and install windows 2000?

Is it possible to create the ntds.dit file and any other needed? Doesn't
AD have that functionality?

We need to have the server working again as soon as possible. We don't
mind eliminating anything related to Active Directory, but we don't want to
format the drive and re-install the operating system again...

Please help me
Thank you very much

RE: [ActiveDir] AD replication from 5.5 using ADC

2004-08-01 Thread joe
A small correction... That KB article is actually 269843. Not sure why I
remembered that one off hand except that I was deathly afraid when we kicked
in the ADC that this would happen and our DNs would change for all of our
exchange enabled users which would have been a HUGE disaster for us. While
it isn't the best practice, you can't stop it in a large company, many
people working on LDAP apps would hard code specific DNs or do searches on
the cn or name and this would have wiped out every one of those apps. 

The actual link to the KB is 

http://support.microsoft.com/default.aspx?scid=kb;en-us;269843



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, July 30, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD replication from 5.5 using ADC 

The process for modifying the CAs is the same for E2k3.  In our 5.5 to 2K3
migration we had a bunch of undesirable special characters and group
identifiers in the 5.5 display that the ADC would replicate to the AD cn and
name fields.  Following MSKB 269834 stopped the 5.5 display name from
overwriting cn and name, and replicated the 5.5 displayname only to the AD
displayname.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
Sent: Friday, July 30, 2004 11:41 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD replication from 5.5 using ADC 

Al, the document I reference is titled "Understanding and Deploying Exchange
2000 Active Directory Connector" - sourced from the given URL

I am aware that this is for Ex2k ADC - but can find no similar document for
Ex2k3 ! so I have taken the assumption this is not too far off !??

you are perhaps right on "my expectation" - my initial view has been to
replicate data only from the 5.5 where it is required  - by implication the
AD is the authoritative data source

this is the rationale behind my endeavour to understand how to manage, prior
to what will likely be a big hit, the data that is brought into the
directory from 5.5

GT



- Original Message -
From: "Mulnick, Al" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, July 30, 2004 4:09 PM
Subject: RE: [ActiveDir] AD replication from 5.5 using ADC


> Graham, it sounds like you have different expectations of what the ADC does
> for you. In the scenario you speak of, ADC is considering 5.5 to be
> authoritative for several fields. If you have multiple sites (5.5 or Active
> Directory) I suggest you get this worked out in some way to maintain
> consistency both before as well as after you join the directories.
>
> On that note, since this is a directory join question, I think it's on topic
> for this forum.
>
> If this is not something you want to have happen, you can modify the
> behavior for several of the attributes but I was under the impression
> that modifying the flags you mention is not the way it's done in 2003.
> Just can't remember where I saw that at the moment. :)  I'll look if
> it's applicable to your situation, but it's likely one of the docs on
> http://www.microsoft.com/exchange/library
>
>
> Finally, what document are you referencing so we can all see the same
> information.  If it needs to be fixed, then we should submit that for
> fixing.
>
> Al
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Graham Turner
> Sent: Friday, July 30, 2004 10:04 AM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] AD replication from 5.5 using ADC
>
> hopefully once again I am not charged with going too O/T with this one, but
> was looking to get a bit of further information on the potential impact of a
> replication from an exchange 5.5 server to a win2k AD
>
> it seems there is potential for the change of attributes already in
> the AD if there is different data in the 5.5 directory.
>
> the most obvious of these seems to be the "display name" given its
> prevalence in most directories, and likelihood (this is true in this specific
> case) of different convention being used between the directories;
>
> in 5.5 we have surname ^ firstname , whilst on AD we have the other
> way round !
>
> I have reviewed the ADC documentation
>
> seems there are two ways we can achieve some sort of control -
>
> i. default adc policy where we can set globally certain attribute data
> not to be replicated
>
> ii. 'connection agreement' policy which is manipulated using ADSI edit
>
> the latter seems preferable given scope for different CA configuration
>
> could anyone possibly explain what this actually does - the ADC doc's
> reference quotes "Do not overwrite RDN with the Exchange 5.5 Alias
> attribute."
>
> don't know if this is a typo but the alias in a 5.5 directory does not look
> to relate to the display name as the technote seems to suggest
>
> does this ADC configuration value relate ONLY to the replication of the
> "display name" ??
>
> am I also right to say that
RE: [ActiveDir] Remote site slowdown weirdness

2004-08-01 Thread joe



This is a complete guess, but when you click My 
Computer it is doublechecking all of the drives so it is reaching out to 
all of the file shares. When it does that it is probably locking certain things 
up in the network stack or workstation service that can only be done serially. 

 
I would recommend a network trace of a machine while doing 
that to see what calls are going out and taking so long to be responded to. 

 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, July 30, 2004 2:19 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Remote site slowdown weirdness

We have a remote site connected to us with a 768k link.  Intermittently, when
the users at the remote site double-click "My Computer", it takes 15-20
seconds or more for the drives to appear.  When it's happening, it takes them
a long time to access drive letters back at our headquarters over the WAN.  We
have tons of other sites connected this way, and have no issues.  The WAN link
utilization is generally below 50% when this is occurring.

If they disconnect all their network mapped drives, the problem magically goes
away.

Are there some settings in WinXP and 2K that may cause the OS to do all kinds
of checking and searching whenever My Computer is launched that might slow
them down?  We've been troubleshooting this site problem for over 2 years now.
We also tried giving them their own local WINS server, and they have their own
local DNS server running on their local domain controller.  There are about 50
users at the site.

Any ideas?

  
  
~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged. This e-mail should be read, copied,
disseminated and/or used only by the addressee. If you have received
this message in error please delete it, together with any attachments,
from your system.
~~


RE: [ActiveDir] Kerberos error

2004-08-01 Thread joe



I have never tried to set up a connection to an external 
kerberos realm but the thing that sticks out to me in that event is the 
disparity between the client and server time. Your client is showing that it is 
almost thanksgiving according to that... 
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Flesher
Sent: Friday, July 30, 2004 4:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos error

I'm trying to get 
pass-thru authentication to work with an external Kerberos realm. I am getting 
this error. I think I have things set up right, but I've been known to fudge 
things. Does anyone know what this might mean? 
 
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date:  7/30/2004
Time:  3:28:19 PM
User:  N/A
Computer: KWAME-TURE
Description:
A Kerberos Error Message was received:
 on logon session
 Client Time: 15:49:18. 11/7/2004 Z
 Server Time: 20:28:19. 7/30/2004 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm: NSCBETA.UCHICAGO.EDU
 Client Name: cflesher
 Server Realm: NSCBETA.UCHICAGO.EDU
 Server Name: krbtgt/UCHICAGO.LOCAL
 Target Name: krbtgt/[EMAIL PROTECTED]
 Error Text: UNKNOWN_SERVER
 File: 9
 Line: ab8
 Error Data is in record data.
 
For more information, see Help and Support Center 
at http://go.microsoft.com/fwlink/events.asp.
 
Chris Flesher
The University of Chicago
NSIT/DCS
1-773-834-8477
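Two things in Chris's event can be checked mechanically rather than by eye: the error code (0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN is RFC 4120's "server not found in Kerberos database", and here it is the KDC of NSCBETA.UCHICAGO.EDU saying it has no principal krbtgt/UCHICAGO.LOCAL, the cross-realm ticket-granting name a client asks its own KDC for when it wants a ticket in another realm), and the client/server time gap joe points out. The parser below is an added example, not part of the thread; it takes the event text quoted above (re-wrapped one field per line) as its sample input, extracts the fields, computes the skew and says what each finding means for the person fixing it. The 300-second figure is Kerberos' default maximum clock skew and is an assumption about this deployment, not something the event states.

```python
"""Parse the Kerberos Event ID 3 text and check the two things the thread
flags: the KDC error code and the client/server clock difference.
Added example; the sample event is the one quoted in the thread, re-wrapped."""
import re
from datetime import datetime, timezone

# Constructed from the event text quoted above (line-per-field form).
SAMPLE_EVENT = """\
A Kerberos Error Message was received:
 on logon session
 Client Time: 15:49:18. 11/7/2004 Z
 Server Time: 20:28:19. 7/30/2004 Z
 Error Code: 0x7  KDC_ERR_S_PRINCIPAL_UNKNOWN
 Extended Error:
 Client Realm: NSCBETA.UCHICAGO.EDU
 Client Name: cflesher
 Server Realm: NSCBETA.UCHICAGO.EDU
 Server Name: krbtgt/UCHICAGO.LOCAL
 Target Name: krbtgt/[EMAIL PROTECTED]
 Error Text: UNKNOWN_SERVER
"""

MAX_SKEW_SECONDS = 300  # Kerberos default clock-skew tolerance (assumption for this site)

# RFC 4120 KRB-ERROR codes relevant to this event (names as Windows logs them).
ERROR_NAMES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x25: "KRB_AP_ERR_SKEW",
}

_FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
_TIME_FMT = "%H:%M:%S. %m/%d/%Y Z"   # e.g. "15:49:18. 11/7/2004 Z" (US month/day order)


def parse_event(text):
    """Return the non-empty 'Field: value' pairs of an Event ID 3 body as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def parse_time(value):
    return datetime.strptime(value, _TIME_FMT).replace(tzinfo=timezone.utc)


def clock_skew_seconds(fields):
    """Client time minus server time, in whole seconds (positive = client ahead)."""
    delta = parse_time(fields["Client Time"]) - parse_time(fields["Server Time"])
    return int(delta.total_seconds())


def error_code(fields):
    return int(fields["Error Code"].split()[0], 16)


def analyse(text):
    """Summarise what the event says and what a defender should check first."""
    f = parse_event(text)
    code = error_code(f)
    skew = clock_skew_seconds(f)
    notes = []
    if code == 0x7:
        # The KDC of 'Server Realm' has no entry for 'Server Name'.  For a
        # krbtgt/<other-realm> name that means it holds no cross-realm key
        # for that realm name, so it cannot issue a referral TGT.
        notes.append(
            f"KDC for {f['Server Realm']} has no principal {f['Server Name']}: "
            "check that a trust/cross-realm key exists for exactly that realm name"
        )
    if abs(skew) > MAX_SKEW_SECONDS:
        notes.append(
            f"client clock is {skew:+d}s from the server ({skew / 86400:+.1f} days), "
            "outside the default tolerance; fix time sync before retesting"
        )
    return {
        "error_code": code,
        "error_name": ERROR_NAMES.get(code, "unknown"),
        "client": f"{f['Client Name']}@{f['Client Realm']}",
        "requested": f"{f['Server Name']}@{f['Server Realm']}",
        "skew_seconds": skew,
        "notes": notes,
    }


if __name__ == "__main__":
    for k, v in analyse(SAMPLE_EVENT).items():
        print(f"{k}: {v}")
```

On the sample event both notes fire: the realm's KDC does not know the name it was asked for, and the client clock is more than 99 days ahead, so even with the realm issue fixed the next attempt would fail on time until the workstation is synchronised.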
 


RE: [ActiveDir] Exchange and AD E-mails

2004-08-01 Thread joe



Scary, the AD object seems ok, the only thing that sort of sticks out is in
your textEncodedORAddress and proxyAddresses and that is:

>textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
>proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;

where the Rendition Networks is chopped off. I would simply verify that is the
same on your other mailbox enabled objects. I haven't had an Org that long of a
name that I have seen before so possibly they chop it on purpose. Anyone else
see something like that?
 
Do you have errors in your exchange 
logs?
 
 
What is the NDR that you are getting? Mailbox doesn't 
exist?
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, July 30, 2004 5:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails


Yes I mean mailbox enabled (My bad)
I cannot send mail to the account and the mailbox does not show up in ESM.
Although when I delete the account it has a mailbox associated with it.

I have run a rebuild of the RUS.

Here is the Dump:

dn:CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
>homeMDB: CN=Mailbox Store (AUSTIN),CN=First Storage Group,CN=InformationStore,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
>cn: 1234
>displayName: 1234
>mail: [EMAIL PROTECTED]
>givenName: 1234
>instanceType: 4
>legacyExchangeDN: /o=Rendition Networks/ou=First Administrative Group/cn=Recipients/cn=1234
>distinguishedName: CN=1234,OU=Test Accounts,DC=renditionnetworks,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=renditionnetworks,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectGUID: {2B7934AB-63B3-4976-88BE-EF5FE99E9DAB}
>objectSid: S-1-5-21-2068531175-665650586-2065370986-1723
>primaryGroupID: 513
>proxyAddresses: smtp:[EMAIL PROTECTED]
>proxyAddresses: X400:c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
>proxyAddresses: SMTP:[EMAIL PROTECTED]
>name: 1234
>sAMAccountName: 1234
>sAMAccountType: 805306368
>showInAddressBook: CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
>showInAddressBook: CN=All Users,CN=All Address Lists,CN=Address Lists Container,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
>textEncodedORAddress: c=us;a= ;p=Rendition Networ;o=Exchange;s=1234;
>userAccountControl: 512
>userPrincipalName: [EMAIL PROTECTED]
>uSNChanged: 2567831
>uSNCreated: 2567823
>whenChanged: 20040730203736.0Z
>whenCreated: 20040730203626.0Z
>homeMTA: CN=Microsoft MTA,CN=AUSTIN,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Rendition Networks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=renditionnetworks,DC=com
>msExchHomeServerName: /o=Rendition Networks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=AUSTIN
>msExchMailboxGuid: {B695A373-868A-4C2D-BE9E-54DA145A7F7C}
>msExchMailboxSecurityDescriptor: {Security Descriptor}
>mailNickname: 1234
>mDBUseDefaults: TRUE
>msExchUserAccountControl: 0
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, July 30, 2004 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange and AD E-mails
 
My first question is probably not needed but I want to clear the
terminology...

When you say mail enabled do you really mean mailbox enabled? Mail enabled
means the user object has an external (to Exchange) email address sort of like
a contact. A mailbox enabled user is a user with a mailbox in the forest's
Exchange Org.

If the ID is truly mailbox enabled, can you send email to it? Do you get an
NDR or does it appear to get delivered? When you look at the store through the
ESM do you see the mailbox?

A dump of the user object would be nice as that will show up any issues on the
AD Object itself

adfind -gc -b "" -f samaccountname=userid

should be sufficient.
 
 
  
joe
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Friday, July 30, 2004 1:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Exchange and AD E-mails
Not sure this is the correct forum for this but here goes.
I have a WIN 2k single domain running Exchange 2K.

Everything has been running fine until a few days ago. Now when I create a new
mail enabled user in AD and try to log onto the account to setup the mapi mail
profiles I get "cannot connect to the information Store" but when I log on as
myself or any other user that was already in the domain I have no problems
connecting and viewing e-mail. (The only change was the Exchange SP3 security
roll-up patch was applied a

RE: [ActiveDir] AutoDL

2004-08-01 Thread joe
Are you saying:

> This isn't an issue if we use "mail-enabled" security 
> groups across the board, but there are times when people 
> don't want the security group to show up in the address list.


Because you have them use outlook to manipulate the memberships?


Also AutoDL doesn't do security groups from what I was told by MS. I never
looked that close at it as soon as I saw I had to run SQL Server to use it.
The lack of sec group management is why they created the new tool called
AutoGroup which should eventually be incorporated into MIIS. I tried to get
a hold of that last year and the people working on it said it wouldn't be
ready for any external viewing even in beta until at least 4Q2004. 


  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Friday, July 30, 2004 5:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AutoDL

I'll look at cconnect...

I'm trying to get security on file shares under control.  I walked into a
"Domain Users - Full Control" environment, and it's been this way ever
since.  My solution is to be able to delegate the administration of every
share to its owner and have them manage the groups.  We'll manage the
access lists.  This isn't an issue if we use "mail-enabled" security groups
across the board, but there are times when people don't want the security
group to show up in the address list.  The only way I can see us passing
that responsibility along is an AutoDL like tool.  That said, does anyone
have a good strategy like this in place?

-Alex 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, July 30, 2004 1:15 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AutoDL

AutoDL is one of those half-baked tools that usually comes from MS every
once a while. No worky. I believe the original thought process that gave
birth to AutoDL was terminated midway. CConnect is another one in the same
league. 
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Alex Fontana
Sent: Fri 7/30/2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AutoDL


Doesn't the subject say it all???
 
Has anyone gotten AutoDL to work?  I have it all setup but when I load the
webpage the two bottom panes don't display; "Page Not Found".  I'm thinking
there is some sort of security misconfig or something, but documentation is
so scarce that I have no clue where to start.  The installation instructions
suck.  I'm a few more steps short of uninstalling completely and trying one
more time
 
If anyone has any good resources for AutoDL it's much appreciated...
 
-Alex





RE: [ActiveDir] Property to send a contact plain text/uuencode only

2004-08-01 Thread joe
Here is the KB article for the values.
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281740
 
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Saturday, July 31, 2004 1:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Property to send a contact plain text/uuencode only


Exactly what I was looking for. Thanks.


From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Fri 7/30/2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Property to send a contact plain text/uuencode only



Here is a piece of code from my MailEnable method on my Contact wrapper
class:

'set internetEncoding
'internetEncoding is based on the following:
'Use the settings from the Internet Mail Service               1310720
'Multipurpose Internet Mail Extensions (MIME) with Plain Text   393216
'MIME with Hypertext Markup Language (HTML)                     917504
'MIME with Plain Text and HTML                                  1441792
'Plain Text/uuencode                                            2228224
'Plain Text/uuencode with Binhex                                131072

entry.Properties("internetEncoding").Value = 1310720

It looks like plaintext/uuencode = 2228224

I can't remember where I got that list of values.  The above is a
snippet of .NET code, but you should be able to put together a script
based on this.  Note that the value is numeric, not a string.

Joe K.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Friday, July 30, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Property to send a contact plain text/uuencode only

Hey all,
I need to change the setting on 700 contacts to only send them email in
plain text/uuencode. I'm assuming it's a property for the contact in AD
but I can't find it. To manually change this it's in the properties of
the contact, under the email address, advanced, override internet mail
settings.

Does anyone know what the name of the property is?

Windows 2003 server, Exchange 2003.

As always, I appreciate the help.

Mike Newell
Information Systems Manager
OSI Systems Inc.





This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information.  If you have
received it in error, please notify the sender immediately and delete the
original.  Any other use of the email by you is prohibited.


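Mike's task is to set the same internetEncoding value on 700 contacts, and Joe K.'s snippet does it one object at a time from .NET. A bulk alternative is to generate an LDIF change file and import it with ldifde. The generator below is an added example, not code from the thread; the value table is the one Joe K. posted (the same values joe's KB reference covers), the contact DNs are constructed, and the output is the standard LDIF "changetype: modify" form. It base64-encodes any DN or value that LDIF's safe-string rules do not allow in plain form (non-ASCII, a leading space or colon), which is the case that bites when a bulk file is built from a directory export with accented names.

```python
"""Generate an LDIF change file that sets internetEncoding on many contacts.
Added example; DNs are constructed, values are the ones posted in the thread."""
import base64

# Values as listed in the thread (Joe K.'s snippet / KB Q281740).
INTERNET_ENCODING = {
    "ims-default": 1310720,       # Use the settings from the Internet Mail Service
    "mime-text": 393216,          # MIME with plain text
    "mime-html": 917504,          # MIME with HTML
    "mime-text-html": 1441792,    # MIME with plain text and HTML
    "uuencode": 2228224,          # Plain text / uuencode
    "uuencode-binhex": 131072,    # Plain text / uuencode with BinHex
}

# RFC 2849 SAFE-INIT-CHAR: printable ASCII except ':', '<' and space.
_SAFE_INIT = set(range(0x20, 0x7F)) - {ord(":"), ord("<"), ord(" ")}


def ldif_value(attr, value):
    """'attr: value' when the value is an LDIF safe string, else 'attr:: base64'."""
    raw = str(value).encode("utf-8")
    safe = (
        raw.isascii()
        and all(b not in (0x00, 0x0A, 0x0D) for b in raw)
        and (not raw or raw[0] in _SAFE_INIT)
        and not raw.endswith(b" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def modify_record(dn, attr, value):
    """One LDIF changetype: modify record replacing a single-valued attribute."""
    return "\n".join([
        ldif_value("dn", dn),
        "changetype: modify",
        f"replace: {attr}",
        ldif_value(attr, value),
        "-",
        "",
    ])


def build_ldif(contact_dns, encoding_name):
    """Full LDIF text setting internetEncoding on every DN given.
    A mistyped option name raises KeyError rather than writing a bad value."""
    value = INTERNET_ENCODING[encoding_name]
    records = [modify_record(dn, "internetEncoding", value) for dn in contact_dns]
    return "\n".join(records)


# Constructed sample DNs (the accented one must be base64-encoded in LDIF).
SAMPLE_CONTACTS = [
    "CN=Contact One,OU=Contacts,DC=example,DC=com",
    "CN=Contact Two,OU=Contacts,DC=example,DC=com",
    "CN=Zoë Contact,OU=Contacts,DC=example,DC=com",
]

if __name__ == "__main__":
    print(build_ldif(SAMPLE_CONTACTS, "uuencode"))
```

Feed the contact DNs from an export (for example the adfind output joe suggests earlier in the list, filtered on objectClass=contact), write the result to a file and import it with ldifde -i -f; the numeric value is written as an integer, which matches Joe K.'s note that the attribute is numeric, not a string.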

