RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt
Hi,

SAP last year published a reviewed version of their schema extension. They renamed uid to SAP-uid. That schema version is SAP Active Directory Schema Extension Script for EP 5.0 rev 3.6.7/94301. We run it in production without any problems. Mail me directly if you need a copy.

Bart

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Thursday, August 05, 2004 02:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Ken: Do you recall which version of the SAP portal it was that made the schema changes? I'm asking since we are testing the SAP portal against AD in our lab with our SAP folks. I know that the initial version that they came to us with required a schema change (version 5?) and before we got it set up they came back with the newer version that supposedly did not require a change. IIRC that was version 6.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Well side by side we see:

MS UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0

SAP UID

dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
distinguishedName: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE

The main diffs being:

o attributeSyntax/omSyntax - ci unicode string for MS, ci string for SAP - SAP shouldn't have an issue unless someone uses some multibytes in the uid.
o schemaIDGuid - shouldn't be an issue unless there are property sets involved for security.
o attributeID - if SAP uses the ldapDisplayName in class definitions instead of the attributeIDs they should be ok.
o MS is multi-valued, SAP is single valued - This could be painful if using ADSI due to the difference in how it handles mv versus sv, but if using LDAP this shouldn't be too bad, just would only use the first value in the attribute.

Definitely there are points that could cause pain but wouldn't expect it would be overly difficult for SAP to correct and use the MS definition versus theirs. Unless they use UID as a unique identifier within the database in which case the multi-value could cause some serious key issues.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Thanks Joe, I saw that (rare for me lately). Just curious if SAP and Active Directory could play well together or not.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

I would expect it would really dork it up pretty well...

However there are two compensating things.

1. SAP shouldn't have done this. Ok so that isn't really a compensating factor but they really shouldn't have!
2. He already said that they aren't using it so breaking SAP doesn't matter.

Now for the part I don't know: how do I fix it? The SAP portal was tested, but was back-burnered indefinitely, so I don't have to worry about breaking it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Anyone have the impact that would have on SAP application by chance? Just curious really. Don't have SAP handy.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:51 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Great, you have to love that!

~Eric
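The side-by-side comparison joe posts above is exactly the check worth automating before a vendor's schema extension is applied: the same lDAPDisplayName defined with a different OID, syntax, cardinality or schemaIDGUID is not "the same attribute" to the DSA. The script below is an added example written for this thread (not SAP's or Microsoft's code): it parses the two attributeSchema definitions from the message (LDIF with base64 "::" values and continuation lines, attribute names compared case-insensitively, GUIDs decoded in the Windows mixed-endian byte order AD stores them in) and lists every field on which they disagree. The field names and the "existing versus proposed" framing are the example's own.

```python
"""Diff an existing AD attributeSchema definition against one a schema
extension wants to add, reporting the fields on which they disagree.
Added example for the ActiveDir thread above; not SAP's or Microsoft's code."""
import base64
import uuid

# lDAPDisplayName, attributeID and schemaIDGUID must each be unique in a schema,
# so a second definition that reuses a lDAPDisplayName but differs in any of
# these fields cannot coexist with the first one.
COMPARED_FIELDS = ("attributeid", "attributesyntax", "omsyntax",
                   "issinglevalued", "schemaidguid")

# Both definitions below are copied from joe's message; only the line-wrapped
# SAP attributeID has been joined back into one value.
MS_UID = """
dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
adminDisplayName: uid
adminDescription: A user ID.
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
systemOnly: FALSE
searchFlags: 8
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
attributeSecurityGuid:: Qi+6WaJ50BGQIADAT8LTzw==
showInAdvancedViewOnly: FALSE
systemFlags: 0
"""

SAP_UID = """
dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
adminDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.15
attributeSyntax: 2.5.5.4
cn: uid
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: uid
objectClass: attributeSchema
objectGUID:: f1Sz+++ZY0eIH7t1mStJIA==
oMSyntax: 20
name: uid
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
showInAdvancedViewOnly: TRUE
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attribute name: value}.
    'attr:: xxx' values are base64 and come back as bytes; a line starting
    with a space continues the previous line."""
    lines = []
    for raw in text.strip().splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip())
        entry[name.strip().lower()] = value
    return entry


def guid_from_bytes(raw):
    """AD stores schemaIDGUID/objectGUID in Windows (mixed-endian) byte order."""
    return str(uuid.UUID(bytes_le=raw))


def _normalized(entry):
    out = {}
    for field in COMPARED_FIELDS:
        value = entry.get(field)
        if value is None:
            continue
        if isinstance(value, bytes):
            value = guid_from_bytes(value)
        elif field == "issinglevalued":
            value = value.upper()
        out[field] = value
    return out


def find_conflicts(existing_ldif, proposed_ldif):
    """Return [(field, existing_value, proposed_value)] for each compared field
    on which two definitions of the same lDAPDisplayName disagree."""
    a, b = parse_ldif_entry(existing_ldif), parse_ldif_entry(proposed_ldif)
    if a.get("ldapdisplayname", "").lower() != b.get("ldapdisplayname", "").lower():
        raise ValueError("definitions are for different lDAPDisplayNames")
    na, nb = _normalized(a), _normalized(b)
    return [(f, na.get(f), nb.get(f)) for f in COMPARED_FIELDS if na.get(f) != nb.get(f)]


if __name__ == "__main__":
    for field, ms, sap in find_conflicts(MS_UID, SAP_UID):
        print(f"{field:16} MS={ms}  SAP={sap}")
```

Run against the two definitions from the thread it reports all five compared fields as conflicting, which is the situation joe describes: the only way forward is for the extension to adopt the existing definition, since the DSA will not accept a second "uid" with its own OID and GUID. In practice the "existing" side would be pulled from CN=Schema,CN=Configuration of the forest rather than pasted in.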
[ActiveDir] Kerberos question
Quick question: I have a remote system that needs to authenticate to our 2003 DCs. I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
I think we have a miscom here: I have no 5.5 server -- I assume that you mean Exchange 5.5 (we are all Ex2k3).

More details: I have an app that runs on a Win2k3 box that uses either LDAP or Kerberos to authenticate its users against our 2003 Active Directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our domain controller to allow the app to talk to the domain controller?

Thanks,

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :)

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

Quick question: I have a remote system that needs to authenticate to our 2003 DCs. I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
[ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration
So I may be inheriting a new network that needs to do the 5.5 on NT4 to 2003 on 2003 shuffle. Your basic Google search returns any number of resources, obviously; but what does my favourite group of smart people have to say? Recommended Books/FAQs/Blogs/Sites that will make me not want to kill myself quite as much?

*
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] krbtgt error when joining OS X client
See if any of this helps as far as getting an AD computer account:

3. Join the Machine to Active Directory

Open the Finder and browse to /Applications/Utilities and open Directory Access. If the lock in the lower left corner is in the locked position, click on it and enter the appropriate credentials. Click Active Directory and click Configure; you should then be able to enter your forest name in the Active Directory Forest box, enter your AD domain in the Active Directory Domain box, and finally the name of the computer account you want to use in the Computer ID box. Click the Hide Advanced Options box and unless you will absolutely need to authenticate users from multiple domains, then clear the checkbox. If the machine is a laptop, make sure to cache local accounts (You may also want to do this for desktop users who do not have network home directories.). You can also choose to allow AD groups administrative rights to the Mac. By default this is set to Domain Enterprise admins. When finished with all your options click the Bind button. You will be prompted for an account with permissions to add computers to the domain. When entering your account ID, do not prefix it with the NetBIOS name of your domain; the sAMAccountName alone will bind. The default LDAP computer account location is in the CN=Computers area off the root default domain NC. You can change this by adding a fully distinguished path to the Container or OU of your choice. The machine will go through 5 steps and hopefully bind successfully.

Go back to the Directory Access application and click the Authentication tab at the top. Under Search click Custom Path and click Add. A box will pop up and display the Active Directory connector you just added; click Add, click Apply. If you have successfully bound and added the AD connector to your authentication path, then you can log off and attempt to login using the sAMAccountName of an Active Directory user.

Troubleshooting AD Authentication

If you have any issues, enable remote login in the Sharing section of System Preferences and use another machine to SSH into the Mac. If you are using a Windows box to SSH there is a free application called PuTTY that you can use, just google for it. After ssh'ing into the box with an admin user account, enter the command:

sudo killall -USR1 DirectoryService

This command puts the lookupd daemon in debug logging mode, then type:

tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug

This tells your shell to read the tail end of the log file and print any new entries to STDOUT. Now attempt to login to the machine, and your SSH machine will capture what is going on with the AD Plugin.

Kevin Gent
Pearson Digital Learning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, August 04, 2004 12:10 PM
To: Active Directory List
Subject: [ActiveDir] krbtgt error when joining OS X client

Good morning (at least where I am):

I spent yesterday at a client trying to get some Mac OS X 10.3.4 clients to play nice with the enterprise AD. After trying many combinations of settings during the binding phase, we gave up: the Mac could not bind to the DC.

The Mac's system log showed this for every attempt at binding:

/System/Library/Frameworks/Kerberos.framework/Servers/CCacheServer.app/Contents/MacOS/CCacheServer: Starting up.
Aug 3 15:12:50 localhost DirectoryService[211]: Active Directory DS Plugin: Could not determine site for closest DC!

The DC showed this in the security error log:

"The description for Event ID (675) in Source (Security) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: username, username, krbtgt/AB.bigbiz.NET, 0x0, 0x19, 139.27.76.198."

(names and addresses changed)

I can get more detailed about the configuration we were attempting if you think that would help. I have limited experience in an enterprise of this size (worldwide, with several hundred sites). The forest/domain structure did not seem to use child domains. So, the forest name was mo.largeco.net and the domain was ab.bigbiz.net.

Any thoughts definitely appreciated.

nme
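The DC-side evidence in Noah's post is worth reading precisely before chasing it. Event ID 675 on a Windows 2000/2003 DC is "Pre-authentication failed" and its six fields are User Name, User ID, Service Name, Pre-Authentication Type, Failure Code and Client Address; failure code 0x19 is KDC_ERR_PREAUTH_REQUIRED, the KDC's normal answer to a first AS-REQ sent without pre-authentication data, so one 0x19 per logon attempt is expected noise rather than a sign that the bind was rejected by the KDC (the Mac-side "Could not determine site for closest DC" line is the more useful clue). The parser below is an added example written for this thread, not part of the original post or of any Microsoft tooling: it parses the event text as quoted above, maps the failure code to its RFC 4120 name, marks 0x19 as benign and counts the remaining failures per client address, which is the shape a detection for repeated wrong-password attempts takes. The extra sample events are constructed.

```python
"""Parse Windows 2000/2003 security Event ID 675 (Kerberos pre-authentication
failed) text and classify the failure code, so the expected 0x19 noise is not
mistaken for a rejected logon. Added example for the ActiveDir thread above."""
import re
from collections import Counter

# Field order of Event 675: User Name, User ID, Service Name,
# Pre-Authentication Type, Failure Code, Client Address.
FIELDS = ("user_name", "user_id", "service_name",
          "preauth_type", "failure_code", "client_address")

# KDC error codes (RFC 4120 section 7.5.9) commonly seen in Event 675.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # account does not exist
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, expired or locked out
    0x17: "KDC_ERR_KEY_EXPIRED",          # password expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password (bad pre-auth data)
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # first AS-REQ carried no pre-auth: normal
    0x25: "KRB_AP_ERR_SKEW",              # clock skew too great
}
BENIGN_CODES = {0x19}

# The event description as quoted in Noah's message (names/addresses already
# changed by him), followed by constructed samples for the other outcomes.
SAMPLE_EVENTS = [
    "The description for Event ID (675) in Source (Security) cannot be found. "
    "The local computer may not have the necessary registry information or "
    "message DLL files to display messages from a remote computer. The following "
    "information is part of the event: username, username, krbtgt/AB.bigbiz.NET, "
    "0x0, 0x19, 139.27.76.198.",
    # constructed: two wrong-password attempts from one client, then one for a
    # disabled account from another
    "The following information is part of the event: jdoe, jdoe, "
    "krbtgt/AB.bigbiz.NET, 0x2, 0x18, 10.0.0.5.",
    "The following information is part of the event: jdoe, jdoe, "
    "krbtgt/AB.bigbiz.NET, 0x2, 0x18, 10.0.0.5.",
    "The following information is part of the event: svc-old, svc-old, "
    "krbtgt/AB.bigbiz.NET, 0x2, 0x12, 10.0.0.9.",
]

_EVENT_FIELDS = re.compile(r"part of the event:\s*(.*?)\.?\s*$", re.S)


def parse_event_675(text):
    """Turn one Event 675 description into a dict with the six named fields,
    the numeric failure code, its RFC 4120 name and a 'benign' flag."""
    m = _EVENT_FIELDS.search(text)
    if not m:
        raise ValueError("not an Event 675 description")
    values = [v.strip() for v in m.group(1).split(",")]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    rec["failure_code"] = int(rec["failure_code"], 16)
    rec["failure_name"] = KRB_ERRORS.get(rec["failure_code"], "UNKNOWN")
    rec["benign"] = rec["failure_code"] in BENIGN_CODES
    return rec


def summarize(event_texts):
    """Count non-benign failures per (client address, failure name).
    Repeated KDC_ERR_PREAUTH_FAILED from one address is the pattern worth an
    alert; KDC_ERR_PREAUTH_REQUIRED on its own is part of every normal logon."""
    counts = Counter()
    for text in event_texts:
        rec = parse_event_675(text)
        if not rec["benign"]:
            counts[(rec["client_address"], rec["failure_name"])] += 1
    return counts


def run_sample():
    return summarize(SAMPLE_EVENTS)


if __name__ == "__main__":
    for (addr, name), n in sorted(run_sample().items()):
        print(f"{addr:16} {name:28} {n}")
```

On a real DC the descriptions come from the security event log rather than a list; the point of keeping 0x19 out of the counts is that every healthy Kerberos client generates one per AS exchange, so counting it would bury the 0x18 attempts that actually indicate a wrong password.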
[ActiveDir] How do you determine if information about an object is replicated?
(Resend as I did not see this hit the list yesterday)

This is a learning question. Nothing is broken but I would like to know where some information is located. How can I tell, and where do I go to find out, what information is replicated in Active Directory at the DNS zone level itself? For example, if you create a new zone in AD, all the contents of the zone are replicated, all the information under the Start of Authority tab is replicated, but the contents of the Zone Transfer tab are not.

I guess what I'm really asking for is: where is the list of all the objects that are replicated using AD located? In searching MSDN, I looked through the schema definitions but did not see a field indicating if it was replicated or not.

I know that when a DNS zone is Active Directory Integrated, if you go into ADUC (or other methods) under System\MicrosoftDNS you see the replicated zone files and dnsNode information. But as far as I can see, the actual properties of the zone are not shown, just the contents.

Thanks!
RE: [ActiveDir] urgent help needed
After I forced demotion of the DC changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure...

You might also use an app like VMWare or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that power failure can cause that the database file can't be read, is deleted or corrupted...
RE: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration
http://www.microsoft.com/technet/prodtechnol/exchange/default.mspx is a pretty good place to start.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, August 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration

So I may be inheriting a new network that needs to do the 5.5 on NT4 to 2003 on 2003 shuffle. Your basic Google search returns any number of resources, obviously; but what does my favourite group of smart people have to say? Recommended Books/FAQs/Blogs/Sites that will make me not want to kill myself quite as much?

*
Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania
RE: [ActiveDir] OT? - showacls usage?
I'm also pretty pleased with the new xcacls.vbs.

http://www.microsoft.com/downloads/details.aspx?FamilyID=0ad33a24-0616-473c-b103-c35bc2820bda&DisplayLang=en

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of René de Haas
Sent: Thursday, August 05, 2004 8:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT? - "showacls" usage?

Try dumpacl/dumpsec, you will like it. And it's free..

Hth
Rene

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 2:35 PM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] OT? - "showacls" usage?

Hi,

In trying to diagnose an issue that came up yesterday, I am trying to use the showacls.exe from the 2003 server reskit. It seems that it will only produce output for directories, not individual files. Has anyone else experienced this behavior? (Any other recommended tools to capture the ACEs?)

TIA!
Mike Thommes

*** The information in this e-mail is confidential and intended solely for the individual or entity to whom it is addressed. If you have received this e-mail in error, please notify the sender by return e-mail, delete this e-mail, and refrain from any disclosure or action based on the information. ***
[ActiveDir] Slightly OT Possible AD - Exchange issue
All,

After migrating to Windows 2003 from NT4 we are now migrating from Exchange 5.5 to Exchange 2003; however we are having a couple of "strange" issues which did not occur in the lab... After scavenging the web and finding nothing, will try here as it could be AD related.

When I click on the Primary Windows NT account \ Select an existing account in Exchange 5.5 I get the following error:

Either a required impersonation level was not provided, or the provided impersonation level is invalid.

We have fairly high security group policies in place and to possibly subvert this issue I added Administrators and Authenticated Users to the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a Client After Authentication attribute of the Default Domain Controllers Baseline security policy we have, rebooted the server... still seem to have the issue however.

Was wondering if anyone has seen or heard of this issue as it is bugging the hell out of me... users are able to access their e-mails. Have seen in a post that SERVICES should be added as well; however when I do this I get an Event ID 1202 error and run the following syntax from the command prompt:

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

which returns SERVICES, so I remove it and the Event ID "goes away".

If anyone has any ideas I would be grateful.

James Blair
RE: [ActiveDir] urgent help needed
What happens if I reinstall AD over the previous files? Will they be overwritten? Or will that cause more errors?

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 11:59
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Personally, on this machine, after all this trouble, I'd back up the critical data that I wanted to keep, verify that the backup of that data could be restored to another location, wipe the machine and reinstall from scratch. Faster, easier, and more dependable than trying to clean up the wreckage...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: Alicia Szerenyi [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure...

You might also use an app like VMWare or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that power failure can cause that the database file can't be read, is deleted or corrupted...
RE: [ActiveDir] Kerberos question
I would contact the vendor. They should know. There should be nothing extra you have to do to support Kerberos on your DC as the support is already there; that is the primary authentication mechanism now.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

Quick question: I have a remote system that needs to authenticate to our 2003 DCs. I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
[ActiveDir] OT? - showacls usage?
Hi,

In trying to diagnose an issue that came up yesterday, I am trying to use the showacls.exe from the 2003 server reskit. It seems that it will only produce output for directories, not individual files. Has anyone else experienced this behavior? (Any other recommended tools to capture the ACEs?)

TIA!
Mike Thommes
RE: [ActiveDir] urgent help needed
Another note is that a DC is only a DC; it should not under any circumstances have any DATA that is critical on it.. If you need to recover the server you need to follow the KB at MS about recovery of a failed DC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

What happens if I reinstall AD over the previous files? Will they be overwritten? Or will that cause more errors?

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 11:59
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Personally, on this machine, after all this trouble, I'd back up the critical data that I wanted to keep, verify that the backup of that data could be restored to another location, wipe the machine and reinstall from scratch. Faster, easier, and more dependable than trying to clean up the wreckage...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-----Original Message-----
From: Alicia Szerenyi [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure...

You might also use an app like VMWare or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that power failure can cause that the database file can't be read, is deleted or corrupted...
RE: [ActiveDir] urgent help needed
This is why I indicated you should promote it and demote it, and then you are back at square one and can start the promo back into a usable domain. There are all sorts of things in the file system and registry handled when you do a proper demotion.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-----Original Message-----
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, 05 August 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure...

You might also use an app like VMWare or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that power failure can cause that the database file can't be read, is deleted or corrupted...
[ActiveDir] default containers
Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] Exceeding the LDAP Look Through Limit
Ah yeah, I "duh"ed there for a second. Of course ffl.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, August 02, 2004 1:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

Change domain functional mode to forest functional mode. This is a forest functional dependency. Gotta think of our GCs.

I just looked, and yes this error would throw an admin limit exceeded error, so it makes sense that this is the problem given the problem description, although a trace would confirm. My quick read of this section tells me that the server-returned frame should have a dsid in it that will let me be 100% sure.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 02, 2004 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

So irregardless of how you hit it, if you hit ~850 non-LV values on an object you have hit the ceiling? ~1300 in 2K3 Domain Functional Mode...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, August 02, 2004 1:18 PM
To: joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

IIRC, the limits are one and the same really. It's a subtle point as to how we work under the hood that is exposing this.

~Eric

From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 02, 2004 11:12 AM
To: Eric Fleischman; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

~Eric is there any public documentation on #1? Obviously max values on an attribute of an object is documented (I think it is anyway), but I don't recall seeing anything for max values on an object.

joe

From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Monday, August 02, 2004 3:58 AM
To: Eric Fleischman; joe; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

Oh, I didn't read below joe's post. I should have.

So there are two possible things you're hitting here:
1) You are hitting the max # of values on the obj (as joe was alluding to)
2) You are exceeding an admin limit as a result of a write of a huge attribute (for example, max size of an ldap operation)

If you could, take a sniff of the network operation and share the trace with us so we can see the exact frames being submitted and the reply from the DSA. We would know for sure what limit you're hitting that way. joe's guess is a good one (and probably right), but it's not 100% clear to me that's what you are actually hitting. It's worth being sure before we conclude anything.

~Eric

From: Eric Fleischman
Sent: Monday, August 02, 2004 2:54 AM
To: 'joe'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

Putting me on CC is the way to get me to notice it faster. It hits a search folder that I watch that way.

In w2k we had a non-linked value limit of ~850 values. In 2k03 that moved to ~1300. Since we can have interop, we need to make sure we don't break 2k when you introduce 2k03, so you don't get the new ~1300 limit until you increase forest functional level to at least 1.

The error you get on 2k when you exceed ~850 is JET_errRecordTooBig (-1026 if I remember correctly). On 2k03 if you exceed ~850 pre-forest functional level increase you get JET_errRecordTooBigForBackwardCompatibility, then if you increase forest functional level and try to exceed ~1300 I believe you get JET_errRecordTooBig again.

~Eric

From: joe [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 01, 2004 5:43 PM
To: [EMAIL PROTECTED]
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

Ah, I was chatting with ~Eric on this exact issue previously about adding too many attributes to a single multivalued attribute. Once I hit the limit (around 850 or so attributes on 2K) I couldn't add any new attributes to anything, only modify existing. We never went anywhere on that discussion and I am curious why this happens.

Since ~Eric hasn't responded to this I am guessing he lost the thread so I am going to do the Bat~Eric Call... CARTE BLANCHE!

joe :o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Brashear
Sent: Friday, July 23, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exceeding the LDAP Look Through Limit

Ok, he created one user-defined OU, and added an object in that container. Next, he opened ADSI Edit, and added attributes for that object. For example he has 3 attributes, and added 300 values for each attribute. If he adds more than this many values, the limit exceeded message appears:

I received the following error message - "The Administrative limit for this request was exceeded"

- OS is win2k server sp4

Thanks for your help!

Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, July 22,
RE: [ActiveDir] Kerberos question
The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :)

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it, out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscom here: I have no 5.5 server -- I assume that you mean Exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 Active Directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our domain controller to allow the app to talk to the domain controller?

Thanks,

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :)

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

Quick question: I have a remote system that needs to authenticate to our 2003 DCs; I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Joe, I was pretty sure that was the case, but I wanted to make sure.

Thanks,

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, August 05, 2004 11:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I would contact the vendor. They should know. There should be nothing extra you have to do to support Kerberos on your DC as the support is already there; that is the primary authentication mechanism now.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

Quick question: I have a remote system that needs to authenticate to our 2003 DCs; I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
RE: [ActiveDir] urgent help needed
I already recovered the DC, but since I demoted it by changing the registry property, I can't access AD... I want to eliminate any trash that might be left... or reinstall AD over it to start again from the beginning... and then maybe uninstall properly...

-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 12:21
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Another note is that a DC is only a DC; it should not under any circumstances have any DATA that is critical on it. If you need to recover the server you need to follow the KB at MS about recovery of a failed DC.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

What happens if I reinstall AD over the previous files? Will they be overwritten? Or will that cause more errors?

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:59
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Personally, on this machine, after all this trouble, I'd back up the critical data that I wanted to keep, verify that the backup of that data could be restored to another location, wipe the machine and reinstall from scratch. Faster, easier, and more dependable than trying to clean up the wreckage...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Alicia Szerenyi [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC by changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure... You might also use an app like VMware or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that a power failure can cause the database file to become unreadable, deleted or corrupted...

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Slightly OT Possible AD - Exchange issue
No real clue, but perhaps some tips for further investigation:

Does the problem occur with all versions of the 5.5 Admin program? Use the SP4 version if in doubt.
Is there any difference if you run the 5.5 Admin program on the NT platform compared to W2K?
If the accounts are already in AD, how many do you have (just wondering if the 5.5 Admin program maybe has problems coping with high volumes)?

Tony

-- Original Message --
From: YXOEAIJJPHSCRTNHGSWZIDREXCAXZOWCONEUQZAA
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Aug 2004 22:30:19 +1000

All,

After migrating to Windows 2003 from NT4 we are now migrating from Exchange 5.5 to Exchange 2003; however we are having a couple of strange issues which did not occur in the lab... After scavenging the web and finding nothing I will try here as it could be AD related.

When I click on the Primary Windows NT account\Select an existing account in Exchange 5.5 I get the following error:

Either a required impersonation level was not provided, or the provided impersonation level is invalid.

We have fairly high security group policies in place and to possibly subvert this issue I added Administrators and Authenticated Users to the Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Impersonate a Client After Authentication attribute of the Default Domain Controllers Baseline security policy we have, rebooted the server... still seem to have the issue however.

Was wondering if anyone has seen or heard of this issue as it is bugging the hell out of me... users are able to access their e-mails.

Have seen in a post that SERVICES should be added as well; however when I do this I get an Event ID 1202 error and run the following syntax from the command prompt:

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

which returns SERVICES, so I remove it and the Event ID goes away.

If anyone has any ideas I would be grateful.

James Blair

Sent via the WebMail system at mail.activedir.org

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] urgent help needed
Yep. Problem is, especially in small environments, there are times when a DC is also the file server or it runs other services. Getting a small business to pay for an additional server is sometimes problematic. The high eggs-to-basket ratio is often accepted in relation to the costs. Thus the need for good backups with tested restores and a decent UPS...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Carr, Jonathan (OFT) [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Another note is that a DC is only a DC; it should not under any circumstances have any DATA that is critical on it. If you need to recover the server you need to follow the KB at MS about recovery of a failed DC.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 11:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

What happens if I reinstall AD over the previous files? Will they be overwritten? Or will that cause more errors?

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:59
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Personally, on this machine, after all this trouble, I'd back up the critical data that I wanted to keep, verify that the backup of that data could be restored to another location, wipe the machine and reinstall from scratch. Faster, easier, and more dependable than trying to clean up the wreckage...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

-Original Message-
From: Alicia Szerenyi [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 7:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC by changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure... You might also use an app like VMware or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that a power failure can cause the database file to become unreadable, deleted or corrupted...

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] urgent help needed
Ok, great... thanks

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 12:18
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

This is why I indicated you should promote it and demote it and then you are back at square one and can start the promo back into a useable domain. There are all sorts of things in the file system and registry handled when you do a proper demotion.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alicia Szerenyi
Sent: Thursday, August 05, 2004 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

After I forced demotion of the DC by changing the property from LanmanNT to ServerNT, I can't access AD (obviously)... but I have left a lot of files and stuff from the previous install of AD... how do I get rid of all that junk? Can I just delete everything? I don't think I can... I have files in the folder c:\winnt\system32, and a lot of other places...

Thanks

-Original Message-
From: Charlie Kaiser [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 10:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] urgent help needed

Install a UPS that will allow your machine to automatically shut down gracefully in the event of a power failure... You might also use an app like VMware or Virtual PC to create a second DC that you run for a few hours a week or something like that...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**

Is there any way I can avoid a failure because of a power loss? I read in the Microsoft documentation that a power failure can cause the database file to become unreadable, deleted or corrupted...

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] default containers
I don't think there is any way to change the default location when adding a computer through the join-computer GUI. If you are using a tool, most of them offer the ability to specify an alternate location. You could of course pre-create machine accounts in the OU you want them to be placed in. Alternately, you could write a script that utilizes WMI, for example, that monitors the Computers container and moves objects after they are created to your selected destination.

-Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] default containers
In a FFL 2003 Active Directory you can modify the default path. RedirCMP is the CMD (http://support.microsoft.com/default.aspx?scid=kb;en-us;324949). Otherwise, you'd want a process or a script to do it for you. Netdom is one such tool that can put it in particular OUs with relatively little trouble. Haven't seen it work on older than W2K workstations though (2.0 and later is the OU-aware version; only 1.8 and lower work on NT 4 supposedly; got weary looking).

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
Re: [ActiveDir] default containers
With a w2k3 domain: Redirecting the users and computers containers in Windows Server 2003 domains
http://support.microsoft.com/default.aspx?scid=kb;en-us;324949

Creamer, Mark wrote:
> Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?
>
> Mark Creamer

--
John Singler

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] default containers
Create the machine accounts in the destination container(s) prior to joining the domain. There is another method with scripted unattended installs that would allow you to specify the container.

James Borris
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] default containers
Yep, this can fairly easily be configured to be handled with, say, a web page so you can proxy the process so people don't have to have rights to create machine accounts or do any join they want to. This also allows you to have business logic rules behind it so you can determine the names that are used, and you have simple logging as to who did it and when.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Borris
Sent: Thursday, August 05, 2004 11:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] default containers

Create the machine accounts in the destination container(s) prior to joining the domain. There is another method with scripted unattended installs that would allow you to specify the container.

James Borris
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] default containers
Of course if you have a Windows 2003 Domain Mode domain you could use the redircmp hack. Note that Exchange 2000 domainprep (and who knows what else) expects some objects to be created in the native default locations (I think groups in the case of E2K). Most of the time you can work around any problems the redircmp or redirusr hacks may cause.

-Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Thursday, August 05, 2004 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] default containers

I don't think there is any way to change the default location when adding a computer through the join-computer GUI. If you are using a tool, most of them offer the ability to specify an alternate location. You could of course pre-create machine accounts in the OU you want them to be placed in. Alternately, you could write a script that utilizes WMI, for example, that monitors the Computers container and moves objects after they are created to your selected destination.

-Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 8:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] default containers
Thanks all for the responses. We're 2000 presently, so I'll look at the scripted or pre-create options. Thanks again

mc

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] default containers

If you are using Windows 2003 AD you can use redircmp to change the default computers container targeted by the legacy join calls. The more robust method, though, is to script the join.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer
RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt
Unfortunately, I don't know, and the SAP guy who installed it doesn't remember either.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Wednesday, August 04, 2004 7:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

Ken: Do you recall which version of the SAP portal it was that made the schema changes? I'm asking since we are testing the SAP portal against AD in our lab with our SAP folks. I know that the initial version that they came to us with required a schema change (version 5?) and before we got it set up they came back with the newer version that supposedly did not require a change. IIRC that was version 6.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 3:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

Thanks Joe, I saw that (rare for me lately). Just curious if SAP and Active Directory could play well together or not.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 3:03 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

I would expect it would really dork it up pretty well... However there are two compensating things.

1. SAP shouldn't have done this. Ok so that isn't really a compensating factor but they really shouldn't have!
2. He already said that they aren't using it so breaking SAP doesn't matter.

Now for the part I don't know: how do I fix it? The SAP portal was tested, but was back-burned indefinitely, so I don't have to worry about breaking it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, August 04, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

Anyone have the impact that would have on SAP application by chance? Just curious really. Don't have SAP handy.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 04, 2004 12:51 PM
To: [EMAIL PROTECTED]
Cc: 'Eric Fleischman'
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 upgrade attempt

Great, you have to love that! ~Eric have them fix their sheet!

Here is a little article about defuncting attribs/classes so you can learn about it
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/d isab
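An added check, not from the thread and not Microsoft's or SAP's code, that automates the side-by-side comparison joe made for `uid`: parse the definition already in the forest and the one an import (such as adprep's sch*.ldf files) would add under the same ldapDisplayName, and list the fields that disagree. The two LDIF records are the definitions quoted in this thread, trimmed to the fields compared and with SAP's line-wrapped attributeID rejoined; the function names are mine.

```python
"""Compare two attributeSchema definitions that share an ldapDisplayName.

Added example for this thread (not Microsoft's or SAP's code).  The sample
records reproduce the 'uid' definitions quoted in the thread, trimmed to the
fields that matter for the comparison.
"""

# A second definition with the same ldapDisplayName must agree on these, or
# the schema import fails and applications expecting one behaviour get the
# other (single- vs multi-valued, string syntax, OID, GUID).
MUST_MATCH = ("attributeid", "attributesyntax", "omsyntax",
              "issinglevalued", "schemaidguid")

# attributeSyntax OIDs that occur in the thread, for readable output.
SYNTAX_NAMES = {
    "2.5.5.12": "Unicode String",
    "2.5.5.4": "Case-Insensitive (Teletex) String",
}


def parse_ldif(text):
    """Parse one LDIF record into {lower-cased attribute name: value}.

    Folds continuation lines (leading space) and accepts '::' base64 values,
    keeping the base64 text since values are only compared for equality.
    """
    logical = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # LDIF line folding
        else:
            logical.append(line)
    record = {}
    for entry in logical:
        key, _, value = entry.partition(":")
        if value.startswith(":"):             # base64-encoded value
            value = value[1:]
        record[key.strip().lower()] = value.strip()
    return record


def compare(existing, incoming):
    """Return {attribute: (existing value, incoming value)} for mismatches."""
    diffs = {}
    for key in MUST_MATCH:
        a = existing.get(key, "<absent>")
        b = incoming.get(key, "<absent>")
        if a.upper() != b.upper():            # TRUE/true, OID case, etc.
            diffs[key] = (a, b)
    return diffs


def report(existing, incoming):
    """Readable list of conflicts, or [] when the ldapDisplayNames differ."""
    name_a = existing.get("ldapdisplayname", "").lower()
    name_b = incoming.get("ldapdisplayname", "").lower()
    if not name_a or name_a != name_b:
        return []
    lines = []
    for key, (a, b) in compare(existing, incoming).items():
        if key == "attributesyntax":
            a = "%s (%s)" % (a, SYNTAX_NAMES.get(a, "?"))
            b = "%s (%s)" % (b, SYNTAX_NAMES.get(b, "?"))
        lines.append("%s: existing=%s incoming=%s" % (key, a, b))
    return lines


# The Windows 2003 definition that the upgrade wants to add.
MS_UID = """dn: CN=uid,CN=Schema,CN=Configuration,DC=X
changetype: ntdsSchemaAdd
objectClass: attributeSchema
ldapDisplayName: uid
attributeId: 0.9.2342.19200300.100.1.1
attributeSyntax: 2.5.5.12
omSyntax: 64
isSingleValued: FALSE
schemaIdGuid:: oPywC4ken0KQGhQTiU2fWQ==
"""

# The definition the SAP extension already put in the forest.
SAP_UID = """dn: CN=uid,CN=Schema,CN=Configuration,DC=adstest,DC=kimball,DC=com
changetype: add
objectClass: attributeSchema
lDAPDisplayName: uid
attributeID: 1.2.840.113556.1.4.7000.233.28688.28684.8.464850.1724825.154498.1299246.15
attributeSyntax: 2.5.5.4
oMSyntax: 20
isSingleValued: TRUE
schemaIDGUID:: Qy93MDGWsEqRfKr837RfzA==
"""

if __name__ == "__main__":
    for line in report(parse_ldif(SAP_UID), parse_ldif(MS_UID)):
        print(line)
```

Run against an ldifde export of CN=Schema before adprep, every non-empty report is a definition that has to be reconciled (defuncted and renamed, or corrected to the Microsoft values) first.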
RE: [ActiveDir] Kerberos question
Your local liquor store is a good place to start, followed by the drug store for a few gallons of Maalox. Kerberos interoperability is a pain. It is possible, but you will have to do LOTS of research.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 8:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

Quick question: I have a remote system that needs to authenticate to our 2003 DCs; I have the choice of Kerberos or LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks
Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
So that leads to the next question then: do you have a problem going on? If so, can you give some details?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks
Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :)

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it, out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscommunication here: I have no 5.5 server -- I assume that you mean Exchange 5.5 (we are all Ex2k3). More details: I have an app that runs on a Win2k3 server that uses either LDAP or Kerberos to authenticate its users against our 2003 Active Directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our domain controller to allow the app to talk to the domain controller?

Thanks,
Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :)

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

Rick Gasper

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

What OS is the remote system and how is it connected?
RE: [ActiveDir] Kerberos question
There are tools to monitor Kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing.

I think the following is most likely to be helpful:
http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to log in (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given:

ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
RE: [ActiveDir] Kerberos question
The program uses Apache; I am still working with the vendor on this. This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
 User Name: ricktest
 User ID: KINGS\ricktest
 Service Name: krbtgt/KINGS.EDU
 Pre-Authentication Type: 0x0
 Failure Code: 0x19
 Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
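An added example, not from the thread and not Microsoft's or WebCT's code: a small triage of flattened event 675 records like the one Rick posted. Failure code 0x19 is KDC_ERR_PREAUTH_REQUIRED; together with Pre-Authentication Type 0x0 it records the KDC telling a client that sent no pre-authentication data to retry with an encrypted timestamp, which is the normal first round trip for many non-Windows Kerberos clients, whereas 0x18 (KDC_ERR_PREAUTH_FAILED) is the wrong-password case. The first sample event reproduces the fields from the thread; the second event and the helper names are constructed.

```python
"""Triage flattened Windows 2003 Kerberos audit events (event ID 675).

Added example for this thread; not Microsoft's or WebCT's code.  The first
sample event reproduces the fields posted in the thread, the second is
constructed.
"""
import re
from collections import defaultdict

# Kerberos KRB-ERROR codes (RFC 4120) as they appear in the "Failure Code"
# field.  Only the codes a helpdesk sees most often are listed.
FAILURE_CODES = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: user name not found in the realm",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: pre-auth data (the password) was wrong",
    0x19: "KDC_ERR_PREAUTH_REQUIRED: client sent no pre-auth data, KDC asked for it",
    0x25: "KRB_AP_ERR_SKEW: clock skew between client and KDC too large",
}

# Field labels in the order the Security log writes them.  Mail clients and
# list archives flatten the multi-line event onto one line; splitting on the
# labels recovers the fields.
FIELDS = [
    "Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
    "User", "Computer", "Description", "User Name", "User ID", "Service Name",
    "Pre-Authentication Type", "Failure Code", "Client Address",
]
LABEL_RE = re.compile(r"(%s):\s*" % "|".join(re.escape(f) for f in FIELDS))


def parse_event(text):
    """Return {field: value} for one flattened event record."""
    body = text.split("For more information", 1)[0]   # drop the boilerplate tail
    parts = LABEL_RE.split(body)                       # [prefix, label, value, ...]
    return {label: value.strip() for label, value in zip(parts[1::2], parts[2::2])}


def classify(event):
    """Map one event to (verdict, explanation).

    verdict is one of "benign", "bad-password", "review" or "not-675".
    """
    if event.get("Event ID") != "675":
        return "not-675", "not a Kerberos pre-authentication failure"
    code = int(event.get("Failure Code", "0x0"), 16)
    pa_type = int(event.get("Pre-Authentication Type", "0x0"), 16)
    meaning = FAILURE_CODES.get(code, "unknown failure code 0x%x" % code)
    if code == 0x19 and pa_type == 0:
        # The first AS-REQ carried no PA-DATA; the KDC's reply tells the client
        # to retry with PA-ENC-TIMESTAMP.  No credential was rejected yet.
        return "benign", meaning
    if code == 0x18:
        return "bad-password", meaning
    return "review", meaning


def triage(raw_events):
    """Summarise a batch of flattened events per (user name, client address)."""
    summary = defaultdict(lambda: {"benign": 0, "bad-password": 0, "review": [], "note": ""})
    for raw in raw_events:
        event = parse_event(raw)
        verdict, meaning = classify(event)
        if verdict == "not-675":
            continue
        key = (event.get("User Name", "?"), event.get("Client Address", "?"))
        if verdict == "review":
            summary[key]["review"].append(meaning)
        else:
            summary[key][verdict] += 1
    for counts in summary.values():
        if counts["benign"] and not counts["bad-password"]:
            # Success audits (event 672, "Authentication Ticket Granted") show
            # whether the client completed the retry with pre-auth data.
            counts["note"] = "only PREAUTH_REQUIRED seen: check for a 672 success audit"
    return dict(summary)


SAMPLE_EVENTS = [
    # Reproduces the fields of the event posted in the thread.
    "Event Type: Failure Audit Event Source: Security Event Category: Account Logon "
    "Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\\SYSTEM "
    "Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest "
    "User ID: KINGS\\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 "
    "Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and "
    "Support Center at http://go.microsoft.com/fwlink/events.asp.",
    # Constructed: the same user from another host, retrying with a wrong password.
    "Event Type: Failure Audit Event Source: Security Event Category: Account Logon "
    "Event ID: 675 Date: 8/5/2004 Time: 3:16:05 PM User: NT AUTHORITY\\SYSTEM "
    "Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest "
    "User ID: KINGS\\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x2 "
    "Failure Code: 0x18 Client Address: 10.1.18.49",
]

if __name__ == "__main__":
    for (user, client), counts in triage(SAMPLE_EVENTS).items():
        print(user, client, counts)
```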
RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt
Thanks for checking.

Diane

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Thursday, August 05, 2004 10:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Schema Gurus needed - SAP has buggered my 2003 up grade attempt

Unfortunately, I don't know, and the SAP guy who installed it doesn't remember either.
RE: [ActiveDir] Kerberos question
This stands out:

Pre-authentication failed:
RE: [ActiveDir] Kerberos question
I am looking that up now.

Rick Gasper
[ActiveDir] Unlock user account in mass
What is the easiest way to unlock multiple user accounts in Active Directory? Random accounts locked up today and I need a way to unlock them without having to go user by user. Is there a tool or script already written? Any help would be appreciated.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out: Pre-authentication failed:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses Apache; I am still working with the vendor on this. This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
User Name: ricktest
User ID: KINGS\ricktest
Service Name: krbtgt/KINGS.EDU
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor Kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the following is most likely to be helpful: http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to log in (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given: ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

So that leads to the next question then: do you have a problem going on? If so, can you give some details?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :)

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it, out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Re: [ActiveDir] Unlock user account in mass
Hi Robert

I have two scripts we used a few weeks ago when we had this problem. They were written based on some of Robbie Allen's scripting in his Tuna Book.

(See attached file: bulkunlock3.vbs)
(See attached file: collect nt usernames.vbs)

Create a file on the root of drive C called ntuserlist.txt and a second file called lockedaccounts.txt. Edit both scripts to change the domain name from DOMAINNAME to whatever your domain is. Run the Collect NT usernames script - this will put up a done message box when it finishes and provide a list of all users in your domain. Run the bulkunlock3 which will read the list and unlock any locked accounts. The list of accounts that were unlocked will show up in lockedaccounts.txt while a message box will be provided with the number of accounts unlocked.

Regards;

James R. Day
National Parks Service - AD Core Team
(202) 354-1464
Fax (202) 371-1549
[EMAIL PROTECTED]

Robert N. Leali [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/05/2004 03:42 PM EST
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Unlock user account in mass

What is the easiest way to unlock multiple user accounts in Active Directory? Random accounts locked up today and I need a way to unlock them without having to go user by user. Is there a tool or script already written? Any help would be appreciated.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out: Pre-authentication failed:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses Apache; I am still working with the vendor on this. This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
User Name: ricktest
User ID: KINGS\ricktest
Service Name: krbtgt/KINGS.EDU
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor Kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the
[ActiveDir] Extremely weird issue
I have encountered a very weird issue at this client. The situation is as follows (I will do my best to try not to confuse anyone).

Client has an AD domain. AD domain is 2003 based. Forest level: 2003 native. Domain level: 2003 native. There are a few policies that are being applied. Some of them are applied at the domain level, and some are applied at an OU level.

Being tested are 2 workstations. One of them has a clean build of Windows 2000 Pro, Service Pack 4. The other one is also W2K Pro SP4, but it is a custom client image. This image does not have any special application, but it does have a few registry patches/entries applied to it, although from what I have seen, it's not destructive.

Here is the problem: when both machines, in the same OU, start up, the client image machine gets stuck during application of one of the domain wide policies (before the logon screen even appears, so it is computer policy that is being processed). It will sit on this stuck stage while "Processing Policy A" is displayed. After 1.5 - 2 minutes the logon screen appears and all is well. The clean build machine starts up with no delay.

Now here is the interesting bit: if I unlink domain policy A, then the machine simply gets stuck on policy B. If I unlink B and A, it will get stuck on policy C. If I unlink A, B and C, it will get stuck on policy D (which applies at OU level). None of these policies are complex; in fact A, B and C only have 2-3 entries in them. Plus, the clean build machine has no delays. Another note - while in the stuck stage, the HDD of the machine goes like crazy!

I have turned on UserEnv logging, and I have a Severity B ticket open with Microsoft; in fact I am on the phone with them now (have been for about 4 hours). I have USERENV.LOG dumps if anyone is interested. I even found something of interest there and I have pointed it out to the MS support guy as well. So far, nothing.

The client needs this resolved ASAP; we need to find what in the build is causing this problem. Redesigning the image is not an option as the client spent years developing it. If anyone has seen anything like this, I would greatly, greatly appreciate your help!
RE: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration
Laura,

We have recently gone through this procedure and it is not as painful as you would expect... The ADMT (Active Directory Migration Tool) is the way to go if the target domain is going to be in native mode, and if you Google "ADMT NT 4.0 - 2003 migration" you get all sorts of information. Here's a bit to start you off:

http://support.microsoft.com/default.aspx?kbid=325851&product=winsvr2003
http://www.microsoft.com/technet/community/columns/profwin/pw0402.mspx
http://www.computerperformance.co.uk/exchange2003/exchange_2003_ADMT.htm
http://techupdate.zdnet.com/techupdate/stories/main/Migrating_Windows_NT_to_Windows_Server_2003.html

If however you are like us and are not able to go to native mode, you can do an NT4 - 2003 upgrade, which is a fairly painless procedure:

http://support.microsoft.com/default.aspx?kbid=326209&product=winsvr2003

The Exchange part is pretty interesting, however, and you can do an in-place upgrade utilising an AD connector...:

One option: http://techrepublic.com.com/5100-6268_11-5268995-2.html
Another: http://www.microsoft.com/downloads/details.aspx?FamilyId=77B6D819-C7B3-42D1-8FBB-FE6339FFA1ED&displaylang=en
Some ideas: http://www.experts-exchange.com/Networking/Email_Groupware/Exchange_Server/Q_20801908.html

This should keep you out of trouble. I can give you more info specific to not using ADMT if you wish.

James

-----Original Message-----
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED]
Sent: Friday, 6 August 2004 12:18 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 5.5 to 2003 upgrade/migration

So I may be inheriting a new network that needs to do the 5.5 on NT4 to 2003 on 2003 shuffle. Your basic Google search returns any number of resources, obviously; but what does my favourite group of smart people have to say? Recommended Books/FAQs/Blogs/Sites that will make me not want to kill myself quite as much?

* Laura E. Hunter
MCT, MCSE: Security, MVP - Windows Networking
Senior IT Specialist
University of Pennsylvania

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Kerberos question
Pre-Authentication is a security measure to prevent a client from calling to the KDC and getting a response back that it can work on cracking to break the encryption. The client has to prove who it is before it gets anything useful, basically...

You can disable pre-auth for an account through the ADUC GUI by looking at the Account tab and looking specifically at account options, then "Do not require Kerberos preauthentication"... It is a bit in userAccountControl, specifically 0x40. I would say disable it to test to see if it then works, but I wouldn't leave it configured that way. It is just a method to make sure everything else is ok.

Pre-Auth is not the default for any of the Kerberos implementations EXCEPT for the MS implementation, from what I recall.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses Apache; I am still working with the vendor on this. This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
User Name: ricktest
User ID: KINGS\ricktest
Service Name: krbtgt/KINGS.EDU
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor Kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the following is most likely to be helpful: http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to log in (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given: ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

So that leads to the next question then: do you have a problem going on? If so, can you give some details?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :)

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it, out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscom
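An added example, not code from the thread or from WebCT: a small Python parser for the event 675 record Rick posted, which triages the Kerberos failure code the way a DC-side review would, separating 0x19 (pre-authentication required, the KDC's normal answer to a first AS-REQ sent without pre-auth data, which a client then retries) from 0x18 (pre-authentication failed, a wrong password) and 0x12 (client revoked: locked, disabled or expired), and then counts wrong-password events per user and client address, the kind of failure-record review Brian suggests for the mass-lockout question. The realm EXAMPLE.TEST and all records other than Rick's are constructed.

```python
"""Parse and triage Windows Server 2003 security event 675 records.

Added example (not from the thread): the record from Rick's DC is the
sample input; every other record here is constructed.
"""
import re
from collections import Counter

# Kerberos error codes (RFC 4120, section 7.5.9) seen in the "Failure Code"
# field of event 675, with what each means for the account involved.
KRB_ERRORS = {
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "no such principal in the realm"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", "account disabled, expired or locked out"),
    0x17: ("KDC_ERR_KEY_EXPIRED", "password expired"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", "pre-auth data did not verify (wrong password)"),
    0x19: ("KDC_ERR_PREAUTH_REQUIRED", "AS-REQ had no pre-auth data; KDC asked for it"),
    0x25: ("KRB_AP_ERR_SKEW", "clock skew too great"),
}

# Record copied from the thread, in Event Viewer layout (one field per line).
EVENT_675_FROM_THREAD = r"""
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
 User Name: ricktest
 User ID: KINGS\ricktest
 Service Name: krbtgt/KINGS.EDU
 Pre-Authentication Type: 0x0
 Failure Code: 0x19
 Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

# "Key: value" lines; the key is letters, spaces and hyphens only, so the
# "For more information, see ..." sentence is not mistaken for a field and
# "Time: 3:15:59 PM" splits on its first colon only.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")


def parse_event(text):
    """Turn one event record into a dict of its fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def classify(event):
    """Return (code, name, meaning, severity) for a parsed 675 record.

    0x19 with pre-auth type 0x0 is the KDC's normal reply to a first AS-REQ
    that carried no pre-authentication data (many non-Windows clients start
    that way and retry with pre-auth), so it is noise rather than a
    credential failure.  0x18 is a wrong password; 0x12 means the account
    itself is disabled, expired or locked out.
    """
    code = int(event.get("Failure Code", "0x0"), 16)
    name, meaning = KRB_ERRORS.get(code, ("UNKNOWN", "code not in table"))
    if code == 0x19 and event.get("Pre-Authentication Type") == "0x0":
        severity = "info"
    elif code in (0x12, 0x18):
        severity = "review"
    else:
        severity = "warn"
    return code, name, meaning, severity


def constructed_675(user, code, client, pre_type="0x2"):
    """Build a minimal 675 record in the same layout (constructed sample data)."""
    return (
        f"Event ID: 675\nUser Name: {user}\nService Name: krbtgt/EXAMPLE.TEST\n"
        f"Pre-Authentication Type: {pre_type}\nFailure Code: 0x{code:x}\n"
        f"Client Address: {client}\n"
    )


def suspicious_sources(events, threshold=3):
    """(user, client) pairs with at least `threshold` wrong-password (0x18)
    records, most frequent first.  0x19 records are deliberately ignored."""
    hits = Counter()
    for ev in events:
        if classify(ev)[0] == 0x18:
            hits[(ev.get("User Name"), ev.get("Client Address"))] += 1
    return [(pair, n) for pair, n in hits.most_common() if n >= threshold]


if __name__ == "__main__":
    ev = parse_event(EVENT_675_FROM_THREAD)
    print(ev["User Name"], ev["Client Address"], classify(ev))
```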
RE: [ActiveDir] How do you determine if information about an object is replicated?
I saw your previous post, just didn't get a chance to hit it yet.

The answer, if I understand the question, is the schema. Whether an attribute replicates or not is controlled by a bit in the systemFlags attribute. Bit 1 to be exact... So if you want to look at your AD and find out all attributes that don't replicate you do the following:

Adfind -schema -bit -f systemflags:AND:=1 ldapdisplayname

In my main test forest which is 2K3 Native (brand new not 2K upgrade) with 2K3 installed (brand new not 2K upgrade) I get about or so non-replicating attributes. If I filter out backlinks (exercise for the class why you don't have to replicate back links...) with the following query

Adfind -schema -bit -f (systemflags:AND:=1)(!(linkid:AND:=1)) ldapdisplayname

I get 31 attributes and they are below...

In the meanwhile, settings for DNS that don't get replicated are probably kept in the registry or some config file for DNS.

joe

[Thu 08/05/2004 18:39:11.21] F:\DEV\cpp\NetSess>Adfind -schema -bit -f (systemflags:AND:=1)(!(linkid:AND:=1)) ldapdisplayname

AdFind V01.17.00cpp Joe Richards ([EMAIL PROTECTED]) May 2004

Transformed Filter: (systemflags:1.2.840.113556.1.4.803:=1)(!(linkid:1.2.840.113556.1.4.803:=1))

Using server: 2k3dc01.joe.com
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com

dn:CN=Last-Logoff,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: lastLogoff
dn:CN=Last-Logon,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: lastLogon
dn:CN=Bad-Password-Time,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: badPasswordTime
dn:CN=Bad-Pwd-Count,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: badPwdCount
dn:CN=Logon-Count,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: logonCount
dn:CN=Repl-Property-Meta-Data,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: replPropertyMetaData
dn:CN=Repl-UpToDate-Vector,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: replUpToDateVector
dn:CN=Reps-From,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: repsFrom
dn:CN=Reps-To,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: repsTo
dn:CN=RID-Next-RID,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: rIDNextRID
dn:CN=RID-Previous-Allocation-Pool,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: rIDPreviousAllocationPool
dn:CN=Schema-Update,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: schemaUpdate
dn:CN=Modified-Count,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: modifiedCount
dn:CN=Server-State,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: serverState
dn:CN=ms-DS-Cached-Membership,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: msDS-Cached-Membership
dn:CN=ms-DS-Cached-Membership-Time-Stamp,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: msDS-Cached-Membership-Time-Stamp
dn:CN=Sub-Refs,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: subRefs
dn:CN=ms-DS-ExecuteScriptPassword,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: msDS-ExecuteScriptPassword
dn:CN=DS-Core-Propagation-Data,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: dSCorePropagationData
dn:CN=Obj-Dist-Name,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: distinguishedName
dn:CN=Object-Guid,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: objectGUID
dn:CN=ms-DS-ReplicationEpoch,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: msDS-ReplicationEpoch
dn:CN=ms-DS-Retired-Repl-NC-Signatures,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: msDS-RetiredReplNCSignatures
dn:CN=USN-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: uSNChanged
dn:CN=USN-Created,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: uSNCreated
dn:CN=Partial-Attribute-Deletion-List,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: partialAttributeDeletionList
dn:CN=Partial-Attribute-Set,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: partialAttributeSet
dn:CN=USN-Last-Obj-Rem,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: uSNLastObjRem
dn:CN=Pek-List,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: pekList
dn:CN=When-Changed,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: whenChanged
dn:CN=Prefix-Map,CN=Schema,CN=Configuration,DC=joe,DC=com
lDAPDisplayName: prefixMap

31 Objects returned

[Thu 08/05/2004 18:39:15.40] F:\DEV\cpp\NetSess>

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Thursday, August 05, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] How do you determine if information about an object is replicated?

(Resend as I did not see this hit the list yesterday)

This is a learning question. Nothing is broken but I would like to know where some information is located. How can I tell and where do I go to find out what information is replicated in Active Directory at the DNS zone level itself. For
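An added example, not AdFind's code or anything from joe's message: it expands the :AND: shorthand into the matching-rule OID that appears in the "Transformed Filter" line, decodes systemFlags bits (names and values from ADS_SYSTEMFLAG_ENUM), and runs joe's two queries offline over a constructed LDIF sample, dropping back links by the odd-linkID rule that answers his "exercise for the class". The sample entries' flag values are chosen to illustrate the logic, not copied from a real forest.

```python
"""Which attributes does AD not replicate, and why are back links among them?

Added example (not AdFind): joe's two schema queries reproduced offline
against a constructed LDIF sample.  Flag names come from ADS_SYSTEMFLAG_ENUM;
the sample values illustrate the logic and are not taken from a real forest.
"""

# systemFlags bits that apply to attributeSchema objects.
SYSTEM_FLAGS = {
    0x1: "FLAG_ATTR_NOT_REPLICATED",          # bit 1: never sent to other DCs
    0x2: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",  # always in the GC partial set
    0x4: "FLAG_ATTR_IS_CONSTRUCTED",          # computed on read, not stored
    0x8: "FLAG_ATTR_IS_OPERATIONAL",
    0x10: "FLAG_SCHEMA_BASE_OBJECT",          # part of the base schema
    0x20: "FLAG_ATTR_IS_RDN",
}

# Extensible-match rule OIDs that AdFind's -bit switch substitutes for the
# :AND: / :OR: shorthand; the first one is visible in the thread's output.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def expand_adfind_filter(flt):
    """Rewrite the :AND:/:OR: shorthand into LDAP matching-rule syntax."""
    return (flt.replace(":AND:=", f":{LDAP_MATCHING_RULE_BIT_AND}:=")
               .replace(":OR:=", f":{LDAP_MATCHING_RULE_BIT_OR}:="))


def decode_system_flags(value):
    """Names of the bits set in a systemFlags value, lowest bit first."""
    return [name for bit, name in sorted(SYSTEM_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, no folding/base64."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        current[key] = int(val) if key in ("systemFlags", "linkID") else val
    return entries


def is_backlink(entry):
    """Back links carry the forward link's linkID + 1, so their linkID is odd.
    Each DC derives them from the forward link it already holds, which is why
    they never need to replicate."""
    return entry.get("linkID", 0) % 2 == 1


def not_replicated(entries, drop_backlinks=False):
    """Entries with FLAG_ATTR_NOT_REPLICATED set; with drop_backlinks this is
    joe's second query, (systemflags:AND:=1)(!(linkid:AND:=1))."""
    hits = [e for e in entries if e["systemFlags"] & 0x1]
    if drop_backlinks:
        hits = [e for e in hits if not is_backlink(e)]
    return hits


# Constructed sample; flag values illustrate the logic, not a real forest.
SAMPLE_SCHEMA_LDIF = """\
dn: CN=Last-Logon,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: lastLogon
systemFlags: 1

dn: CN=Bad-Pwd-Count,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: badPwdCount
systemFlags: 1

dn: CN=Member,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: member
systemFlags: 16
linkID: 2

dn: CN=Is-Member-Of-DL,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: memberOf
systemFlags: 1
linkID: 3

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=test
lDAPDisplayName: sAMAccountName
systemFlags: 18
"""

if __name__ == "__main__":
    print(expand_adfind_filter("(systemflags:AND:=1)(!(linkid:AND:=1))"))
    for e in not_replicated(parse_ldif(SAMPLE_SCHEMA_LDIF), drop_backlinks=True):
        print(e["lDAPDisplayName"], decode_system_flags(e["systemFlags"]))
```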
RE: [ActiveDir] AD Backup - Sort of
That much is true. :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 04, 2004 3:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of

At least they threw you a bone: "Keeping with the Windows 2003 initiative that everything that can be done in the GUI should be available via command line, a command line version of the tool that contains all of the same features is included as well."

From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 12:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of

[INBOUND RULES] From,Michael B. Smith, SENDTO, Deleted Items

Grr!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, August 04, 2004 1:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of

Admodify rocks. I use it even more than I use adfind. :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, August 04, 2004 1:52 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of

Ted- I just saw this post: http://blogs.msdn.com/exchange/archive/2004/08/04/208045.aspx

I haven't played with either version of ADModify, so I can't comment on whether it's easier than LDIFDE or script to do bulk mods. Maybe you can check it out in all of your spare time and report back :-)

Hunter

From: Strand, Ted [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 04, 2004 5:04 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Backup - Sort of

Thanks for the suggestions Al, I will admit that it really makes me nervous to change replication on AD since (knock on wood) it is working so well. I have done testing in the lab for a couple of weeks now and I think I have it all worked out, I just want to feel comfortable knowing that I can take an export and be able to put the data back in from the export file. This was so easy in Exchange 5.5 you would think AD would offer similar features.

-Ted-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, August 03, 2004 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD Backup - Sort of

A popular way to do what you discuss is to change replication parameters during the upgrade. Basically, have the ADC talk to an Active Directory isolated server, check for errors and then bring it back into the replication cycle.

Another alternative I've seen work is to take a DC off-line during the upgrade. I've seen some introduce a new one first and then bring it off-line during the upgrade. After the all clear, it's then removed from the domain else brought back on-line.

The first option is much better as it offers you a chance to check it out prior to moving forward. The second option works if you can flatten all DC's but the one with the good data, in essence creating a hot backup. I suppose you could just mark all the records authoritative and then reintroduce it, but I've never seen a successful ADC deployment that didn't spend a lot of time in the lab getting it right.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Strand, Ted
Sent: Tuesday, August 03, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Backup - Sort of

I am about to turn on a connection agreement for my first AD connector. I have backed up the Exchange directory and also exported the directory to CSV for recovery. I would like to do the same thing with the AD data to have a roll-back plan if the CA does something I didn't expect. I have played with LDIFDE and the CSV equivalent, and although I have been able to export with both, I have not been able to import back in to change the data. Are there any other (preferably free) methods to capture this AD data, and then reuse it to undo changes? I would hate to have to do an authoritative restore from tape to fix any issues.

Thanks

-Ted Strand-

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] How do you determine if information about an object is replicated?
Perfect. Exactly what I wanted to know. I'm off to run the adfind tool in my test forest and see the results. Thanks for the information.

Cheers

On Thu, 5 Aug 2004 18:41:22 -0400, joe [EMAIL PROTECTED] wrote:

I saw your previous post, just didn't get a chance to hit it yet.

The answer, if I understand the question, is the schema. Whether an attribute replicates or not is controlled by a bit in the systemFlags attribute. Bit 1 to be exact... So if you want to look at your AD and find out all attributes that don't replicate you do the following:

Adfind -schema -bit -f systemflags:AND:=1 ldapdisplayname

In my main test forest which is 2K3 Native (brand new not 2K upgrade) with 2K3 installed (brand new not 2K upgrade) I get about or so non-replicating attributes. If I filter out backlinks (exercise for the class why you don't have to replicate back links...) with the following query

Adfind -schema -bit -f (systemflags:AND:=1)(!(linkid:AND:=1)) ldapdisplayname

I get 31 attributes and they are below...

In the meanwhile, settings for DNS that don't get replicated are probably kept in the registry or some config file for DNS.
RE: [ActiveDir] default containers
What I do here is put up a web interface to a script that does the pre-creation in the background. I have 2 flavors.

One is for the Helpdesk Admins. They log into the website, type in a computer name, type in the name of the computer's owner, pick the site/location of the owner (from a drop-down list) and hit Submit. The script then creates the computer account, puts it in the associated OU, and ACLs the computer object, giving the specified user the ability to join THAT computer to the Domain.

The other flavor is for a QA domain where people reimage computers daily. The QA guy logs in, and the login process takes the guy's name/location. The QA guy types in a computer name and the script goes and creates/ACLs the computer in the relevant OU, giving the QA guy the rights to join it to the Domain.

I can share the code with you offline, but you have to promise not to tell you-know-who :)

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Thu 8/5/2004 9:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] default containers

Thanks all for the responses - We're 2000 presently, so I'll look at the scripted or pre-create options.

Thanks again

mc

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 05, 2004 11:58 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] default containers

If you are using Windows 2003 AD you can use redircmp to change the default computers container targeted by the legacy join calls. The more robust method though, is to script the join.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, August 05, 2004 11:21 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] default containers

Is there a way to change the default location for a computer when it gets added to the domain to be a specific OU, rather than the Computers container? Or would this have to be done by scripting the add computer process?

Mark Creamer

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Extracting information for Event Logs
Good morning everyone,

I've been asked to extract some information from our RAS server to see who has been dialling in over a certain period of time. The RAS server is an NT4 server. When I connect to it and have a look at the "Security" event logs I can see the entry:

Failure Audit 05/08/2004 10:47:53PM Security Logon/Logoff

This can be exported to a text file, however I need to extract the user name from the log entry - is this possible?

Regards,
Andrew

P.S -- have a good weekend!!!
RE: [ActiveDir] Extracting information for Event Logs
Try eventcombMT.exe, part of secops: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=9989D151-5C55-4BD3-A9D2-B95A15C73E92

Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Caple, Andrew
Sent: Thu 8/5/2004 5:31 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extracting information for Event Logs

Good morning everyone,

I've been asked to extract some information from our RAS server to see who has been dialling in over a certain period of time. The RAS server is an NT4 server. When I connect to it and have a look at the Security event logs I can see the entry:

Failure Audit 05/08/2004 10:47:53PM Security Logon/Logoff

This can be exported to a text file, however I need to extract the user name from the log entry - is this possible?

Regards,
Andrew

P.S -- have a good weekend!!!
RE: [ActiveDir] Unlock user account in mass
Don't you think that there's a bigger issue that needs to be tackled first? What is causing this? I'd make sure auditing is turned on for your domain's security policy and start looking at failure records on your DCs.

That aside, ADModify.Net can probably do this.

--Brian

-----Original Message-----
From: Robert N. Leali [mailto:[EMAIL PROTECTED]
Sent: Thu 8/5/2004 3:42 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [ActiveDir] Unlock user account in mass

What is the easiest way to unlock multiple user accounts in Active Directory? Random accounts locked up today and I need a way to unlock them without having to go user by user. Is there a tool or script already written? Any help would be appreciated.

Robert

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out

Pre-authentication failed:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses apache, I am still working with the vendor on this.

This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
 User Name: ricktest
 User ID: KINGS\ricktest
 Service Name: krbtgt/KINGS.EDU
 Pre-Authentication Type: 0x0
 Failure Code: 0x19
 Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the following is most likely to be helpful: http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to login (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given:

ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE:
Re: [ActiveDir] krbtgt error when joining OS X client
Hmmm,

These directions look strangely familiar ; )

Don't forget to set your timeserver... It is THE most common error. If you have set the Mac to have a Domain Controller as the time server and you still have errors then you should check the DNS settings,

Brent

From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 5 Aug 2004 10:39:15 -0400
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] krbtgt error when joining OS X client

See if any of this helps as far as getting an AD computer account:

3. Join the Machine to Active Directory

Open the Finder and browse to /Applications/Utilities and open Directory Access. If the lock in the lower left corner is in the locked position, click on it and enter the appropriate credentials. Click Active Directory and click Configure; you should then be able to enter your forest name in the Active Directory Forest box, enter your AD domain in the Active Directory Domain box, and finally the name of the computer account you want to use in the Computer ID box.

Click the Hide Advanced Options box and, unless you will absolutely need to authenticate users from multiple domains, clear the checkbox. If the machine is a laptop, make sure to cache local accounts (you may also want to do this for desktop users who do not have network home directories). You can also choose to allow AD groups administrative rights to the Mac. By default this is set to Domain Enterprise admins.

When finished with all your options click the Bind button. You will be prompted for an account with permissions to add computers to the domain. When entering your account ID, do not prefix it with the NetBIOS name of your domain; the sAMAccountName alone will bind. The default LDAP computer account location is in the CN=Computers area off the root of the default domain NC. You can change this by adding a fully distinguished path to the Container or OU of your choice.

The machine will go through 5 steps and hopefully bind successfully. Go back to the Directory Access application and click the Authentication tab at the top. Under Search click Custom Path and click Add. A box will pop up and display the Active Directory connector you just added; click Add, click Apply. If you have successfully bound and added the AD connector to your authentication path, then you can log off and attempt to log in using the sAMAccountName of an Active Directory user.

Troubleshooting AD Authentication

If you have any issues, enable Remote Login in the Sharing section of System Preferences and use another machine to SSH into the Mac. If you are using a Windows box to SSH there is a free application called PuTTY that you can use; just google for it. After ssh'ing into the box with an admin user account, enter the command:

sudo killall -USR1 DirectoryService

This command puts the lookupd daemon in debug logging mode. Then type:

tail -f /Library/Logs/DirectoryService/DirectoryService.debug.log | grep ADPlug

This tells your shell to read the tail end of the log file and print any new entries to STDOUT. Now attempt to log in to the machine, and your SSH machine will capture what is going on with the AD Plugin.

Kevin Gent
Pearson Digital Learning

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, August 04, 2004 12:10 PM
To: Active Directory List
Subject: [ActiveDir] krbtgt error when joining OS X client

Good morning (at least where I am):

I spent yesterday at a client trying to get some Mac OS X 10.3.4 clients to play nice with the enterprise AD. After trying many combinations of settings during the binding phase, we gave up: the Mac could not bind to the DC.

The Mac's system log showed this for every attempt at binding:

/System/Library/Frameworks/Kerberos.framework/Servers/CCacheServer.app/Contents/MacOS/CCacheServer: Starting up.
Aug 3 15:12:50 localhost DirectoryService[211]: Active Directory DS Plugin: Could not determine site for closest DC!

The DC showed this in the security error log:

The description for Event ID (675) in Source (Security) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. The following information is part of the event: username, username, krbtgt/AB.bigbiz.NET, 0x0, 0x19, 139.27.76.198.

(names and addresses changed)

I can get more detailed about the configuration we were attempting if you think that would help. I have limited experience in an enterprise of this size (worldwide, with several hundred sites). The forest/domain structure did not seem to use child domains. So, the forest name was mo.largeco.net and the domain was ab.bigbiz.net.

Any thoughts definitely appreciated.

nme
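Added example, not code from any of the posters: a small Python parser for the Event 675 (Kerberos pre-authentication failed) records quoted in the Kerberos thread above and in this Mac binding thread. It pulls user name, client address and failure code out of a text export of a DC's Security log, decodes the code, and totals failures per user, which is the same kind of extraction Andrew asked about for his RAS logs and the "look at the failure records on your DCs" step Brian suggests for the mass lockouts. It assumes the export keeps the "Name: value" layout shown in the event above, with one "Event Type:" line starting each record; the sample export is constructed.

```python
import re
from collections import Counter

# Kerberos KDC error codes as they appear in the Failure Code field of Event 675
# (values from RFC 4120; 0x19 is the code quoted in both threads above).
KDC_ERRORS = {
    0x12: "KDC_ERR_CLIENT_REVOKED (disabled, expired or locked out)",
    0x18: "KDC_ERR_PREAUTH_FAILED (bad password, or wrong shared key)",
    0x19: "KDC_ERR_PREAUTH_REQUIRED (AS-REQ sent without pre-auth; often benign)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
FIELD_RE = re.compile(r"^\s*(Event ID|Time|User Name|Service Name|Failure Code|"
                      r"Client Address):\s*(.*?)\s*$", re.M)

def parse_675(text):
    """Return the Event 675 records of an exported Security log as dicts."""
    records = []
    # each record starts with an "Event Type:" line; fields are "Name: value"
    for block in re.split(r"(?m)^Event Type:", text)[1:]:
        fields = dict(FIELD_RE.findall(block))
        if fields.get("Event ID") != "675":
            continue
        fields["Failure Code"] = int(fields.get("Failure Code", "0x0"), 16)
        records.append(fields)
    return records

def summarize(records):
    """Per user name: failure count, decoded failure codes, distinct clients."""
    out = {}
    for r in records:
        u = out.setdefault(r.get("User Name", "?"), {"count": 0, "codes": Counter(), "clients": set()})
        u["count"] += 1
        u["codes"][KDC_ERRORS.get(r["Failure Code"], hex(r["Failure Code"]))] += 1
        u["clients"].add(r.get("Client Address", "?"))
    return out

# Constructed sample export: two 675 failures for one user from one client, plus an unrelated event.
SAMPLE_EXPORT = """\
Event Type: Failure Audit
Event ID: 675
Time: 3:15:59 PM
Pre-authentication failed:
 User Name: ricktest
 Service Name: krbtgt/KINGS.EDU
 Failure Code: 0x19
 Client Address: 10.1.18.48
Event Type: Failure Audit
Event ID: 675
 User Name: ricktest
 Failure Code: 0x18
 Client Address: 10.1.18.48
Event Type: Success Audit
Event ID: 672
 User Name: alice
"""
```

Running `summarize(parse_675(SAMPLE_EXPORT))` on the sample gives one entry for ricktest with two failures, one 0x19 and one 0x18, both from 10.1.18.48; a real export with many users lets you spot the accounts and client addresses behind a wave of lockouts.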
RE: [ActiveDir] Kerberos question
I got it, there is a shared secret ticket key that was set wrong. (bad documentation). Thanks for everyone's help

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I am looking that up now

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 3:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

This stands out

Pre-authentication failed:

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The program uses apache, I am still working with the vendor on this.

This is the error from the DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 8/5/2004
Time: 3:15:59 PM
User: NT AUTHORITY\SYSTEM
Computer: KINGS-DC01
Description:
Pre-authentication failed:
 User Name: ricktest
 User ID: KINGS\ricktest
 Service Name: krbtgt/KINGS.EDU
 Pre-Authentication Type: 0x0
 Failure Code: 0x19
 Client Address: 10.1.18.48
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing. I think the following is most likely to be helpful: http://support.microsoft.com/default.aspx?kbid=326985

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to login (kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given:

ERROR(1006) An error occurred in WebCT authorization.

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

So that leads to the next question then: do you have a problem going on? If so, can you give some details?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

Thanks

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA 18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Sorry Rick. Thread overlap. :)

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it out of curiosity?

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscom here: I