Re: [ActiveDir] unable to generate ssl cert

2004-08-23 Thread Steve Patrick



Can you elaborate on the sentence:
 
" But a few 
days ago, I had to reinstall my AD & exchange server due to AD crash. After 
that, I was unable to generate ssl cert."
 
Was the Certificate Server installed prior or after 
that event?
I assume you installed an Enterprise CA  - 
please correct me if I am wrong. You should check the permissions on the "web 
server" template...Do authenticated users have read and enroll?
 
 
If you need to troubleshoot it more - I would need 
to see a few things , one of which is the following:
 
certutil.exe -view -restrict requestid=XX  
> request.txt
 
Where XX  == the request ID of the failed (due 
to access denied) request.
 
-steve
 

  - Original Message -
  From: Lara Adianto
  To: [EMAIL PROTECTED]
  Sent: Monday, August 23, 2004 3:45 AM
  Subject: [ActiveDir] unable to generate ssl cert
  
  Hello,
   
  I have a problem generating an SSL cert for OWA 2003 form-based 
  authentication. My environment is as follows:
  PC A --> acts as DC, domain=example.com
  PC B --> where MS Exchange 2003 and the cert authority are installed, 
  configured to be a member of domain=example.com
   
  I have tested OWA without form-based auth and now would like to enable 
  form based authentication. I followed the steps outlined in http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html, 
  but I was unable to generate the SSL cert with the following error logged in 
  event viewer:"Certificate Services denied request 4 because Access is 
  denied.  0x80070005 (WIN32: 5).  The request was for C=xx, S=xxx, 
  L=xxx, O=xxx, OU=xx, CN=xxx.xx.x.  Additional information: Denied by 
  Policy Module 
  I have googled and followed the instruction from this site: http://support.microsoft.com/default.aspx?scid=kb;en-us;281271 
  but the problem persists ! 
   
  The only step in the instructions I was unsure about is: "Set 
  permissions on the applicable certificate templates to allow users in the 
  child domain to enroll. (NOTE: You must be logged onto the root domain with 
  domain administrator rights.)" I'm not sure which template's permissions 
  I should modify, and anyway I'm unable to make any modification to the 
  permissions (I have permission to view only, which is weird because I logged in 
  as administrator!).
   
  This is strange! I was able to generate a cert and have form-based 
  authentication working before. But a few days ago, I had to reinstall my AD 
  & Exchange server due to an AD crash. After that, I was unable to generate 
  an SSL cert.
  I really have no idea why SSL cert generation, which was working before, 
  now fails... Any idea, guys, how to trace the source of the problem?
   
  Thanks ! 
   
  La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit- 
  Guy de Maupassant 
  -
  
  
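Steve's two checks above, the failed request row and the Web Server template ACL, worked through as an added example. This is not code from the thread or from Microsoft; it runs the same certutil and dsacls a 2004 admin would have typed into cmd.exe, wrapped in PowerShell for a current CA box. It assumes an Enterprise CA (Steve's assumption), that it runs on the CA as an account that can read the CA database, that request ID 4 is the one from the event in the post, and that the column list handed to -out is a chosen subset of the CA database schema.

```powershell
# Added example, not code from the thread or from Microsoft. Assumptions: Enterprise CA, run on
# the CA box as an account that can read the CA database, request ID 4 from the event in the post,
# and an -out column list that is a chosen subset of the CA database schema.

$requestId = 4

# 1. The failed request row. Steve's bare "certutil -view -restrict requestid=XX" dumps every
#    column; the columns below say who asked, for which template, and why the policy module said
#    no. RequesterName is the account the CA evaluated, so it is the account Steve's
#    "do they have read and enroll?" question has to be asked about.
$columns = 'Request.RequestID,Request.RequesterName,Request.Disposition,Request.DispositionMessage,Request.StatusCode,CertificateTemplate'
certutil -view -restrict "RequestID=$requestId" -out $columns | Out-File -FilePath .\request.txt
Get-Content -Path .\request.txt

# 2. Is the Web Server template published on this CA at all? A reinstalled CA starts from its
#    default template list, so confirm WebServer is in it before chasing ACLs.
certutil -CATemplates | Select-String -Pattern '^WebServer'

# 3. The template's ACL. Templates are objects in the forest's Configuration partition, so after
#    the AD rebuild the object carries the new forest's default ACL, not whatever was granted
#    before the crash. As the KB note quoted in the post says, only root-domain administrative
#    rights can change it, which is why a local administrator sees it read-only.
#    In the dsacls output look for Authenticated Users (or the requesting account) with read
#    access and the Enroll extended right.
$cfgNC  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$tmplDN = "CN=WebServer,CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"
dsacls $tmplDN
```

If the RequesterName in request.txt is not the account you expected (the IIS certificate wizard submits as whoever runs it), fix the enrollment rights for that account rather than for Administrators; and run step 3 logged on with root-domain rights when you need to change rather than read the ACL.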


[ActiveDir] Justice for Victims of Agent Orange

2004-08-23 Thread MAI ANH TUAN








This mail does not contain a technical issue; I am writing this
message to appeal to all members' generosity.

Please visit and sign the petition at: http://www.petitiononline.com/AOVN/

 

 

"AGENT ORANGE, THE CHEMICAL, has killed, is still killing, and
causing great suffering to over three million people in Vietnam. 

PLEASE HELP THEM BY SIGNING THIS PETITION. 

We welcome and support the Civil Action brought by the Vietnam
Association of Victims of Agent Orange/Dioxin, and three Vietnamese victims.
The documents have been submitted to a court in New York,
on behalf of all affected by the chemicals used by the American Forces in their
War on Vietnam.


This will be the first ever such action by Vietnamese victims of Agent Orange
in any court of law. 

We call upon the U.S. President, Government and the Chemical Companies named as
defendants in the documents, to accept their responsibilities for the damage
caused by their actions and products, and to pay full compensation to the vict"

 

Thank you.

___
M a i  A n h  T u a n
Networking and system service -
Information technology center -
Electricity of Vietnam.
84-4-9741910 (ext 672)
[EMAIL PROTECTED]

- MCSA on
Microsoft Windows Server 2003

- MCSE on
Microsoft Windows 2000

- MCDBA
on Microsoft SQL Server 2000

 








RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
I have been able to reproduce the behavior in both our test and
production forests on several DCs. GPO has been applied a while ago,
boxes have been rebooted more than once and RSoP shows the right
settings. 
More than that, when I look at
c:\windows\security\templates\policies\gpt1.inf (which contains the
settings pulled from the DC's GPO), I see a line like this:
MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail=4,0
and the registry has CrashOnAuditFail set to 0 (disabled).


void *Guy;
(you guys are contagious ;) )  

On Tue, 2004-08-24 at 00:05, Mulnick, Al wrote:
> Sounds like the feature isn't working as expected if the box continues to
> work until reboot. It's also possible it was triggered prior to the GPO
> being applied, but you'd have to repro to know IMHO.
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 5:01 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> Right, but this feature was turned off in GPO, so the box was not supposed
> to crash. 
> And how would you explain the working replication (with full security
> logs) till the box is rebooted manually and only then enters the "crashed"
> state ?
> 
> We indeed have a policy for keeping 3 months of security logs and meanwhile
> it takes between one to two weeks to fill the logs, but this is a new forest
> and users keep arriving, so eventually we will need to implement a more
> serious approach.
> 
> Guy
> 
> On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:
> >  
> > http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46686.asp?frame=true
> > 
> > This link is the documented behavior.  Sounds like that is what you're 
> > getting. I think there may be some misnaming involved in that it 
> > should actually restart if it says "crashondump" but whatever.
> > 
> > As for your situation, I know in some environments, 128mb wouldn't 
> > last two hours.  A process to collect the data at the end of the day 
> > would be too late.  That's what makes me suggest other methods. IMHO, 
> > there's a balance between collecting the data and self-configured 
> > denial of service. The key is to figure out how important that logging 
> > data is.  If it's important, such as in regulatory environments, then 
> > that indicates you really should have a process of collecting that 
> > data whenever it's written to the logs or very soon after.  If for 
> > security reasons, you have to stop service if unable to log security 
> > events, then so be it.  Just make sure you never run into that 
> > situation, right?  If you have that requirement, but don't prevent 
> > your systems from ever running into that situation, then it is by default
> > acceptable to have occasional DoS events.
> > 
> > Your system did crash when it was full.  Normal operations failed to 
> > continue and the LSA stopped for that particular DC.  It's a testament 
> > to your architecture if the users never noticed :)
> > 
> > Al
> >  
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Monday, August 23, 2004 4:24 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] By design or configurable ?
> > 
> > 
> > Interesting...
> > 
> > I have "Audit: Shutdown system immediately if unable to log security audits"
> > set to disabled and security log size configured to 128Mb (DCs
> > GPO)
> > 
> > We are keeping 3 months back of security logs, hence the GPO is 
> > configured not to override the security logs. DCs have a scheduled 
> > task that pops up once a day and archives/clears the security logs - 
> > not the state of the art solution, but does the work without 
> > purchasing any additional software. I would love to give MOM a try, 
> > but we already have OpenView in place, so I'll be checking with OvO people
> > if the security logs can be handled by OvO.
> > 
> > So in this configuration, if booted with full security logs, I 
> > experience the same behavior as CrashOnAuditFail set to 2 (box in 
> > crashed mode) - verified that by adding peer DC to builtin 
> > Administrators group and the replication resumed.
> > 
> > Am I missing something or this is not the desired behavior when the DC 
> > is configured not to crash on audit ?
> > 
> > Thanks,
> > Guy
> > 
> > 
> > On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> > > I suppose in theory, setting it to crash on full is also a security 
> > > risk since it could be used to cause a denial of service.
> > > 
> > > I'd guess that if you have something that siphons off the logs on 
> > > submit event, then it could be a workable solution.  I'd have to say 
> > > I'm not impressed with a lot of the tools currently out there that 
> > > do this due to the overhead they place 
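Guy's observation above is a drift between what the security template asked for (CrashOnAuditFail=0 in gpt1.inf) and how the DC behaves after booting with a full log (as if the value were 2, where only Administrators can log on and replication from that DC stops). The script below, an added example and not code from the thread, checks for that drift, measures how close the Security log is to full, and does the recovery in a safe order. It assumes a DC new enough to have PowerShell, Get-WinEvent and wevtutil (the registry path and the .inf line format are the same on W2K3, the tools are not), that it runs as a local Administrator (the only kind of account that can log on in the halted state, which is why adding the peer DC to Builtin\Administrators let replication resume), and an archive folder C:\Logs.

```powershell
# Added example, not code from the thread. Assumptions: a DC with PowerShell, Get-WinEvent and
# wevtutil; run as a local Administrator; archive folder C:\Logs.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$meaning = @{
    0 = 'disabled'
    1 = 'halt the system when the security log is full'
    2 = 'halted by a full security log: only Administrators can log on until the value is reset and the box rebooted'
}

function Get-CrashOnAuditFailState {
    # Live value; a missing value behaves as 0.
    $live = (Get-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -ErrorAction SilentlyContinue).CrashOnAuditFail
    if ($null -eq $live) { $live = 0 }

    # Value the last applied security template asked for. The line Guy quotes,
    #   MACHINE\System\CurrentControlSet\Control\LSA\CrashOnAuditFail=4,0
    # is <registry path>=<type>,<data>, with type 4 meaning REG_DWORD.
    $policy = $null
    Get-ChildItem -Path "$env:windir\security\templates\policies\gpt*.inf" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = Select-String -Path $_.FullName -Pattern 'CrashOnAuditFail=(\d+),(\d+)' | Select-Object -First 1
            if ($m) { $policy = [int]$m.Matches[0].Groups[2].Value }
        }

    [pscustomobject]@{
        LiveValue   = [int]$live
        LiveMeaning = $meaning[[int]$live]
        PolicyValue = $policy
        Drift       = ($null -ne $policy) -and ($policy -ne [int]$live)
    }
}

function Get-SecurityLogHeadroom {
    # The failure mode in the thread is "the log fills between the daily archive runs";
    # this shows how far from full it is, so the archive can run on a threshold, not a clock.
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        LogMode      = $log.LogMode              # Retain == "do not overwrite events", as in Guy's GPO
        MaximumBytes = $log.MaximumSizeInBytes
        CurrentBytes = $log.FileSize
        PercentUsed  = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
    }
}

function Repair-HaltedAuditState {
    # Recovery in the order that matters: archive, then clear, then reset the flag, then reboot.
    # Clearing before archiving throws away the evidence the retention policy exists to keep.
    param([string]$ArchiveDir = 'C:\Logs')
    New-Item -ItemType Directory -Path $ArchiveDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    wevtutil epl Security (Join-Path $ArchiveDir "Security-$env:COMPUTERNAME-$stamp.evtx")
    wevtutil cl Security
    Set-ItemProperty -Path $lsaKey -Name CrashOnAuditFail -Value 0 -Type DWord
    Restart-Computer -Confirm
}

Get-CrashOnAuditFailState
Get-SecurityLogHeadroom
```

Run the two Get- functions from a scheduled task well inside the fill interval (Guy measured one to two weeks for 128 MB) and archive when PercentUsed crosses a threshold; Repair-HaltedAuditState is for the box that already booted into the halted state, and the reboot is what takes it out of that state, not the registry write alone.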

Re: [ActiveDir] By design or configurable ?

2004-08-23 Thread R. Mark Robinson
Guy,
If you're using MIT Kerberos on the other end of that trust you probably 
need to call PSS and ask them for the following hotfix...

http://support.microsoft.com/default.aspx?scid=kb;en-us;825081
WindowsXP-KB825081-x86-ENU.exe
While you have them on the phone, you may as well ask them for the patch 
that will correct an RDP issue too!

couldn't find the article...but here's the filename...
WindowsXP-KB842308-x86-ENU.exe  <-XP version, there's also a 2003 version...
respond to let us know if it works
hth!
-Mark
Guy Teverovsky wrote:
I was too lazy to tell the long story that made me speculate about TGTs,
so I'll try to explain the reason for asking:
We have 2 W2K3 forests with Kerberos transitive trust.
Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com
Second forest (ad.devision.company.com) has no children.
We have users migrating from NT domains to one of the corp AD child
domains (emea\amer\ap).
After the migration, when users logon to XP computers in
ad.division.company.com domain with EMEA\username cached credentials and
then reconnect to the network, sometimes (after they work for a while)
they get a popup in system tray saying something like "XP needs your
credentials". 

Usually this would be caused by changing the user password from another
machine or account lockout replicated from another DC, but in our case
this is the only machine the user logs on to and there are no account
lockouts.
When the same user logs on with UPN ([EMAIL PROTECTED]), we have
not yet seen this to repeat itself.
So I was wondering whether UPN logons enable caching of TGTs and
sAMAccountName logons are different in some way from UPN logons.
Hope I managed to be clear enough ;)
Cheers,
Guy

I don't know if the kerberos ticket is cached or not.  (I suspect not.)
When a machine reconnects to the network and you attempt to access a
network resource, the resource will ask for your ticket.  If you don't
have one, or if it is out of date, the client will request a new
kerberos ticket and then be authenticated to the resource.
Denny

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Guy 
Teverovsky
Sent: Friday, August 20, 2004 8:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] By design or configurable ?

In my environment, when W2K3 DC boots with security logs full, the
replication from that DC stops till the security log is 
cleared and the
box is rebooted. 
The interesting thing is that after the security logs become 
full (while
the box is online) the replication continues to work till the box is
rebooted with full log.

So the question is whether this can be prevented (we do have a routine
which takes care of security logs archiving, but it failed on 
one of the
DCs and I would like to prevent the replication from breaking again).

And another OT question:
When logging on to XP with cached credentials, is the Kerberos ticket
cached too ? And if yes, what happens when the ticket expires and the
box is reconnected to the network: will it seamlessly try to renew the
ticket?
Thanks,
Guy
--
Smith & Wesson - the original point and click interface
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Mulnick, Al
Sounds like the feature isn't working as expected if the box continues to
work until reboot. It's also possible it was triggered prior to the GPO
being applied, but you'd have to repro to know IMHO.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, August 23, 2004 5:01 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

Right, but this feature was turned off in GPO, so the box was not supposed
to crash. 
And how would you explain the working replication (with full security
logs) till the box is rebooted manually and only then enters the "crashed"
state ?

We indeed have a policy for keeping 3 months of security logs and meanwhile
it takes between one to two weeks to fill the logs, but this is a new forest
and users keep arriving, so eventually we will need to implement a more
serious approach.

Guy

On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:
>  
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46686.asp?frame=true
> 
> This link is the documented behavior.  Sounds like that is what you're 
> getting. I think there may be some misnaming involved in that it 
> should actually restart if it says "crashondump" but whatever.
> 
> As for your situation, I know in some environments, 128mb wouldn't 
> last two hours.  A process to collect the data at the end of the day 
> would be too late.  That's what makes me suggest other methods. IMHO, 
> there's a balance between collecting the data and self-configured 
> denial of service. The key is to figure out how important that logging 
> data is.  If it's important, such as in regulatory environments, then 
> that indicates you really should have a process of collecting that 
> data whenever it's written to the logs or very soon after.  If for 
> security reasons, you have to stop service if unable to log security 
> events, then so be it.  Just make sure you never run into that 
> situation, right?  If you have that requirement, but don't prevent 
> your systems from ever running into that situation, then it is by default
> acceptable to have occasional DoS events.
> 
> Your system did crash when it was full.  Normal operations failed to 
> continue and the LSA stopped for that particular DC.  It's a testament 
> to your architecture if the users never noticed :)
> 
> Al
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> Teverovsky
> Sent: Monday, August 23, 2004 4:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> 
> Interesting...
> 
> I have "Audit: Shutdown system immediately if unable to log security audits"
> set to disabled and security log size configured to 128Mb (DCs
> GPO)
> 
> We are keeping 3 months back of security logs, hence the GPO is 
> configured not to override the security logs. DCs have a scheduled 
> task that pops up once a day and archives/clears the security logs - 
> not the state of the art solution, but does the work without 
> purchasing any additional software. I would love to give MOM a try, 
> but we already have OpenView in place, so I'll be checking with OvO people
> if the security logs can be handled by OvO.
> 
> So in this configuration, if booted with full security logs, I 
> experience the same behavior as CrashOnAuditFail set to 2 (box in 
> crashed mode) - verified that by adding peer DC to builtin 
> Administrators group and the replication resumed.
> 
> Am I missing something or this is not the desired behavior when the DC 
> is configured not to crash on audit ?
> 
> Thanks,
> Guy
> 
> 
> On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> > I suppose in theory, setting it to crash on full is also a security 
> > risk since it could be used to cause a denial of service.
> > 
> > I'd guess that if you have something that siphons off the logs on 
> > submit event, then it could be a workable solution.  I'd have to say 
> > I'm not impressed with a lot of the tools currently out there that 
> > do this due to the overhead they place on the machine, but it could 
> > be done.  MOM Server is a good way to get this done IIRC.
> > 
> > I'm guessing that's what you had in mind, Rick?  Something that 
> > clears it as it is written, vs a timed deal?
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, 
> > Rick
> > Sent: Monday, August 23, 2004 9:02 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] By design or configurable ?
> > 
> > I have had the same problem, but setting the logs to overwrite is 
> > bad system administration. If a person attempts to break passwords, 
> > they can just flood the server with requests and eventually the log will
> > clear.
> > The best solution is to have the logs cleared by a script or third 
> > party utility 

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Mulnick, Al
Kerb tickets have a lifetime, but not sure that's your issue necessarily.
How's your name resolution working?  Anything in the event logs when this
occurs?  Especially the security logs on the clients/dc's/resources being
accessed?


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, August 23, 2004 4:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?


I was too lazy to tell the long story that made me speculate about TGTs, so
I'll try to explain the reason for asking:

We have 2 W2K3 forests with Kerberos transitive trust.

Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com

Second forest (ad.devision.company.com) has no children.
We have users migrating from NT domains to one of the corp AD child domains
(emea\amer\ap).

After the migration, when users logon to XP computers in
ad.division.company.com domain with EMEA\username cached credentials and
then reconnect to the network, sometimes (after they work for a while) they
get a popup in system tray saying something like "XP needs your
credentials". 

Usually this would be caused by changing the user password from another
machine or account lockout replicated from another DC, but in our case this
is the only machine the user logs on to and there are no account lockouts.
When the same user logs on with UPN ([EMAIL PROTECTED]), we have not
yet seen this to repeat itself.
So I was wondering whether UPN logons enable caching of TGTs and
sAMAccountName logons are different in some way from UPN logons.

Hope I managed to be clear enough ;)

Cheers,
Guy


> I don't know if the kerberos ticket is cached or not.  (I suspect 
> not.) When a machine reconnects to the network and you attempt to 
> access a network resource, the resource will ask for your ticket.  If 
> you don't have one, or if it is out of date, the client will request a 
> new kerberos ticket and then be authenticated to the resource.
> 
> Denny
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the 
> > replication from that DC stops till the security log is cleared and 
> > the box is rebooted.
> > The interesting thing is that after the security logs become full 
> > (while the box is online) the replication continues to work till the 
> > box is rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a 
> > routine which takes care of security logs archiving, but it failed 
> > on one of the DCs and I would like to prevent the replication from 
> > breaking again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos 
> > ticket cached too ? And if yes, what happens when the ticket expires 
> > and the box is reconnected to the network: will it seamlessly try to 
> > renew the ticket?
> > 
> > Thanks,
> > Guy
> > 
> > --
> > Smith & Wesson - the original point and click interface
> > 
--
Smith & Wesson - the original point and click interface



RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky
Right, but this feature was turned off in GPO, so the box was not
supposed to crash. 
And how would you explain the working replication (with full security
logs) till the box is rebooted manually and only then enters the
"crashed" state ?

We indeed have a policy for keeping 3 months of security logs and
meanwhile it takes between one to two weeks to fill the logs, but this
is a new forest and users keep arriving, so eventually we will need to
implement a more serious approach.

Guy

On Mon, 2004-08-23 at 23:37, Mulnick, Al wrote:
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46686.asp?frame=true
> 
> This link is the documented behavior.  Sounds like that is what you're
> getting. I think there may be some misnaming involved in that it should
> actually restart if it says "crashondump" but whatever. 
> 
> As for your situation, I know in some environments, 128mb wouldn't last two
> hours.  A process to collect the data at the end of the day would be too
> late.  That's what makes me suggest other methods. IMHO, there's a balance
> between collecting the data and self-configured denial of service. The key
> is to figure out how important that logging data is.  If it's important,
> such as in regulatory environments, then that indicates you really should
> have a process of collecting that data whenever it's written to the logs or
> very soon after.  If for security reasons, you have to stop service if
> unable to log security events, then so be it.  Just make sure you never run
> into that situation, right?  If you have that requirement, but don't prevent
> your systems from ever running into that situation, then it is by default
> acceptable to have occasional DoS events.  
> 
> Your system did crash when it was full.  Normal operations failed to
> continue and the LSA stopped for that particular DC.  It's a testament to
> your architecture if the users never noticed :)
> 
> Al
>  
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Monday, August 23, 2004 4:24 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> 
> Interesting...
> 
> I have "Audit: Shutdown system immediately if unable to log security audits"
> set to disabled and security log size configured to 128Mb (DCs
> GPO)
> 
> We are keeping 3 months back of security logs, hence the GPO is configured
> not to override the security logs. DCs have a scheduled task that pops up
> once a day and archives/clears the security logs - not the state of the art
> solution, but does the work without purchasing any additional software. I
> would love to give MOM a try, but we already have OpenView in place, so I'll
> be checking with OvO people if the security logs can be handled by OvO.
> 
> So in this configuration, if booted with full security logs, I experience
> the same behavior as CrashOnAuditFail set to 2 (box in crashed mode) -
> verified that by adding peer DC to builtin Administrators group and the
> replication resumed.
> 
> Am I missing something or this is not the desired behavior when the DC is
> configured not to crash on audit ?
> 
> Thanks,
> Guy
> 
> 
> On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> > I suppose in theory, setting it to crash on full is also a security 
> > risk since it could be used to cause a denial of service.
> > 
> > I'd guess that if you have something that siphons off the logs on 
> > submit event, then it could be a workable solution.  I'd have to say 
> > I'm not impressed with a lot of the tools currently out there that do 
> > this due to the overhead they place on the machine, but it could be 
> > done.  MOM Server is a good way to get this done IIRC.
> > 
> > I'm guessing that's what you had in mind, Rick?  Something that clears 
> > it as it is written, vs a timed deal?
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
> > Sent: Monday, August 23, 2004 9:02 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] By design or configurable ?
> > 
> > I have had the same problem, but setting the logs to overwrite is bad 
> > system administration. If a person attempts to break passwords, they can 
> > just flood the server with requests and eventually the log will clear.
> > The best solution is to have the logs cleared by a script or third 
> > party utility to clear and archive the logs every night.
> > 
> > 
> > 
> > Rick Gasper
> > Manager, Network Services
> > King's College
> > 133 N. River St
> > Wilkes-Barre PA  18711
> > PH: 570-208-5845
> > Fax: 570-208-6072
> > Cell: 570-760-0335
> > [EMAIL PROTECTED]
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
> > Sent: Monday, August 23, 2004 6:48 AM
> > To: [EMAIL PROTECTED]
> > Subject: R

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky

I was too lazy to tell the long story that made me speculate about TGTs,
so I'll try to explain the reason for asking:

We have 2 W2K3 forests with Kerberos transitive trust.

Forest corp.com has 3 child domains respectively:
emea.company.com
amer.company.com
ap.company.com

Second forest (ad.devision.company.com) has no children.
We have users migrating from NT domains to one of the corp AD child
domains (emea\amer\ap).

After the migration, when users logon to XP computers in
ad.division.company.com domain with EMEA\username cached credentials and
then reconnect to the network, sometimes (after they work for a while)
they get a popup in system tray saying something like "XP needs your
credentials". 

Usually this would be caused by changing the user password from another
machine or account lockout replicated from another DC, but in our case
this is the only machine the user logs on to and there are no account
lockouts.
When the same user logs on with UPN ([EMAIL PROTECTED]), we have
not yet seen this to repeat itself.
So I was wondering whether UPN logons enable caching of TGTs and
sAMAccountName logons are different in some way from UPN logons.

Hope I managed to be clear enough ;)

Cheers,
Guy


> I don't know if the kerberos ticket is cached or not.  (I suspect not.)
> When a machine reconnects to the network and you attempt to access a
> network resource, the resource will ask for your ticket.  If you don't
> have one, or if it is out of date, the client will request a new
> kerberos ticket and then be authenticated to the resource.
> 
> Denny
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the
> > replication from that DC stops till the security log is 
> > cleared and the
> > box is rebooted. 
> > The interesting thing is that after the security logs become 
> > full (while
> > the box is online) the replication continues to work till the box is
> > rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a routine
> > which takes care of security logs archiving, but it failed on 
> > one of the
> > DCs and I would like to prevent the replication from breaking again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos ticket
> > cached too ? And if yes, what happens when the ticket expires and the
> > box is reconnected to the network: will it seamlessly try to renew the
> > ticket?
> > 
> > Thanks,
> > Guy
> > 
> > -- 
> > Smith & Wesson - the original point and click interface
> > 
-- 
Smith & Wesson - the original point and click interface



RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Mulnick, Al
 
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/deployguide/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/all/deployguide/en-us/46686.asp?frame=true

This link is the documented behavior.  Sounds like that is what you're
getting. I think there may be some misnaming involved in that it should
actually restart if it says "crashondump" but whatever. 

As for your situation, I know in some environments, 128mb wouldn't last two
hours.  A process to collect the data at the end of the day would be too
late.  That's what makes me suggest other methods. IMHO, there's a balance
between collecting the data and self-configured denial of service. The key
is to figure out how important that logging data is.  If it's important,
such as in regulatory environments, then that indicates you really should
have a process of collecting that data whenever it's written to the logs or
very soon after.  If for security reasons, you have to stop service if
unable to log security events, then so be it.  Just make sure you never run
into that situation, right?  If you have that requirement, but don't prevent
your systems from ever running into that situation, then it is by default
acceptable to have occasional DoS events.  

Your system did crash when it was full.  Normal operations failed to
continue and the LSA stopped for that particular DC.  It's a testament to
your architecture if the users never noticed :)

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Monday, August 23, 2004 4:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?


Interesting...

I have "Audit: Shutdown system immediately if unable to log security audits"
set to disabled and security log size configured to 128Mb (DCs
GPO)

We are keeping 3 months back of security logs, hence the GPO is configured
not to override the security logs. DCs have a scheduled task that pops up
once a day and archives/clears the security logs - not the state of the art
solution, but does the work without purchasing any additional software. I
would love to give MOM a try, but we already have OpenView in place, so I'll
be checking with OvO people if the security logs can be handled by OvO.

So in this configuration, if booted with full security logs, I experience
the same behavior as CrashOnAuditFail set to 2 (box in crashed mode) -
verified that by adding peer DC to builtin Administrators group and the
replication resumed.

Am I missing something, or is this not the desired behavior when the DC is
configured not to crash on audit ?

Thanks,
Guy


On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> I suppose in theory, setting it to crash on full is also a security 
> risk since it could be used to cause a denial of service.
> 
> I'd guess that if you have something that siphons off the logs on 
> submit event, then it could be a workable solution.  I'd have to say 
> I'm not impressed with a lot of the tools currently out there that do 
> this due to the overhead they place on the machine, but it could be 
> done.  MOM Server is a good way to get this done IIRC.
> 
> I'm guessing that's what you had in mind, Rick?  Something that clears 
> it as it is written, vs a timed deal?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
> Sent: Monday, August 23, 2004 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> I have had the same problem, but setting the logs to overwrite is bad 
> system administration. If a person attempts to break passwords, they can 
> just flood the server with requests and eventually the log will clear.
> The best solution is to have the logs cleared by a script or third 
> party utility to clear and archive the logs every night.
> 
> 
> 
> Rick Gasper
> Manager, Network Services
> King's College
> 133 N. River St
> Wilkes-Barre PA  18711
> PH: 570-208-5845
> Fax: 570-208-6072
> Cell: 570-760-0335
> [EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
> Sent: Monday, August 23, 2004 6:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> Guy,
> 
> One way to avoid the problems of a full security log is to set the 
> logs to overwrite as needed.  You can set this via group policy.
> 
> I don't know if the kerberos ticket is cached or not.  (I suspect 
> not.) When a machine reconnects to the network and you attempt to 
> access a network resource, the resource will ask for your ticket.  If 
> you don't have one, or if it is out of date, the client will request a 
> new kerberos ticket and then be authenticated to the resource.
> 
> Denny
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PR

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Guy Teverovsky

Interesting...

I have "Audit: Shutdown system immediately if unable to log security
audits" set to disabled and security log size configured to 128Mb (DCs
GPO)

We are keeping 3 months back of security logs, hence the GPO is
configured not to override the security logs. DCs have a scheduled task
that pops up once a day and archives/clears the security logs - not the
state of the art solution, but does the work without purchasing any
additional software. I would love to give MOM a try, but we already have
OpenView in place, so I'll be checking with OvO people if the security
logs can be handled by OvO.

So in this configuration, if booted with full security logs, I
experience the same behavior as CrashOnAuditFail set to 2 (box in
crashed mode) - verified that by adding peer DC to builtin
Administrators group and the replication resumed.

Am I missing something, or is this not the desired behavior when the DC
is configured not to crash on audit ?

Thanks,
Guy


On Mon, 2004-08-23 at 16:10, Mulnick, Al wrote:
> I suppose in theory, setting it to crash on full is also a security risk
> since it could be used to cause a denial of service.  
> 
> I'd guess that if you have something that siphons off the logs on submit
> event, then it could be a workable solution.  I'd have to say I'm not
> impressed with a lot of the tools currently out there that do this due to
> the overhead they place on the machine, but it could be done.  MOM Server is
> a good way to get this done IIRC.
> 
> I'm guessing that's what you had in mind, Rick?  Something that clears it as
> it is written, vs a timed deal? 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
> Sent: Monday, August 23, 2004 9:02 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> I have had the same problem, but setting the logs to overwrite is bad system
> administration. If a person attempts to break passwords, they can just flood
> the server with requests and eventually the log will clear.
> The best solution is to have the logs cleared by a script or third party
> utility to clear and archive the logs every night.
> 
> 
> 
> Rick Gasper
> Manager, Network Services
> King's College
> 133 N. River St
> Wilkes-Barre PA  18711
> PH: 570-208-5845
> Fax: 570-208-6072
> Cell: 570-760-0335
> [EMAIL PROTECTED]
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
> Sent: Monday, August 23, 2004 6:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] By design or configurable ?
> 
> Guy,
> 
> One way to avoid the problems of a full security log is to set the logs to
> overwrite as needed.  You can set this via group policy.
> 
> I don't know if the kerberos ticket is cached or not.  (I suspect not.) When
> a machine reconnects to the network and you attempt to access a network
> resource, the resource will ask for your ticket.  If you don't have one, or
> if it is out of date, the client will request a new kerberos ticket and then
> be authenticated to the resource.
> 
> Denny
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> > Teverovsky
> > Sent: Friday, August 20, 2004 8:48 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] By design or configurable ?
> > 
> > 
> > In my environment, when W2K3 DC boots with security logs full, the 
> > replication from that DC stops till the security log is cleared and 
> > the box is rebooted.
> > The interesting thing is that after the security logs become full 
> > (while the box is online) the replication continues to work till the 
> > box is rebooted with full log.
> > 
> > So the question is whether this can be prevented (we do have a routine 
> > which takes care of security logs archiving, but it failed on one of 
> > the DCs and I would like to prevent the replication from breaking 
> > again).
> > 
> > And another OT question:
> > When logging on to XP with cached credentials, is the Kerberos ticket 
> > cached too ? And if yes, what happens when the ticket expires and the 
> > box is reconnected to the network: will it seamlessly try to renew the 
> > ticket ?
> > 
> > Thanks,
> > Guy
> > 
> > --
> > Smith & Wesson - the original point and click interface
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ: http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
> > 
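The set-up Guy describes (the "shut down if unable to log security audits" policy disabled, a Security log that is not overwritten, and a daily task that archives and clears it), together with Al's point that the log has to be drained well before it fills, can be checked and carried out from one script. The following is an added example, not code from the thread or from any of its participants; it assumes PowerShell 5.1 or later running as an administrator on the DC itself, and the archive directory and fill threshold are placeholders:

```powershell
# Added example (not from the thread). Placeholders: $ArchiveDir, $FillThresholdPercent.
$ArchiveDir = 'D:\SecLogArchive'          # placeholder: archive target, ideally a remote share
$FillThresholdPercent = 50                 # archive once the Security log is this full

function Get-AuditFailPolicy {
    # CrashOnAuditFail is the registry value behind the GPO setting
    # "Audit: Shut down system immediately if unable to log security audits".
    # 0 = keep running on a full log, 1 = halt when an audit cannot be written,
    # 2 = set by the system after such a halt; only Administrators may log on.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = if ($null -eq $lsa.CrashOnAuditFail) { 0 } else { [int]$lsa.CrashOnAuditFail }
    $meaning = switch ($value) {
        0 { 'Disabled: the system keeps running when the Security log is full' }
        1 { 'Enabled: the system halts when it cannot write a security audit' }
        2 { 'Halted state: only Administrators can log on until the log is archived and the value reset' }
        default { "Unexpected value $value" }
    }
    [pscustomobject]@{ CrashOnAuditFail = $value; Meaning = $meaning }
}

function Get-SecurityLogStatus {
    # Get-WinEvent -ListLog exposes the configured maximum, the file size on
    # disk and the retention mode (Circular = overwrite as needed, Retain = do
    # not overwrite, AutoBackup = archive when full).
    $log = Get-WinEvent -ListLog Security
    [pscustomobject]@{
        MaximumMB   = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        CurrentMB   = [math]::Round($log.FileSize / 1MB, 1)
        PercentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        LogMode     = $log.LogMode
    }
}

function Backup-AndClearSecurityLog {
    param([string]$Destination = $ArchiveDir)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Destination "$env:COMPUTERNAME-Security-$stamp.evtx"
    # "wevtutil cl" with /backup writes the log to the file and clears it in
    # one call, so no events are lost between the export and the clear.
    & wevtutil.exe cl Security "/backup:$file"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
    return $file
}

# Scheduled-task body: report the policy and fill level, archive past the threshold.
$policy = Get-AuditFailPolicy
$status = Get-SecurityLogStatus
$policy, $status | Format-List
if ($policy.CrashOnAuditFail -eq 2) {
    Write-Warning 'This DC has already halted on a full Security log; archive it, then reset CrashOnAuditFail.'
}
if ($status.PercentFull -ge $FillThresholdPercent) {
    $archived = Backup-AndClearSecurityLog
    Write-Output "Archived and cleared the Security log to $archived"
}
```

Run it on a schedule well inside the time the log takes to fill; the threshold exists so that the clear happens while the log still has headroom, which is the state Guy's DCs are in while replication keeps working. A run that reports `CrashOnAuditFail = 2` means the box has already halted once on a full log, and after archiving, the value has to be put back to 0 or 1 by an administrator; the script deliberately does not change the policy value itself.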

RE: [ActiveDir] Universal Group user population

2004-08-23 Thread Myrick, Todd (NIH/CIT)
Thanks Alan,

This list is always good for a sanity check

Todd

-Original Message-
From: Isham, Alan A [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 23, 2004 12:10 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Universal Group user population

I assume you are using ADUC to validate the group's membership.  This is
a feature of adminpak.msi version 2000.  There is a KB article on this
behavior with workarounds noted in adminpak.msi version 2003 including a
reg hack.  Here are the details that were sent to me by a peer.

You cannot view a user's Universal Group membership in Windows Server
2003 Active Directory Users and Computers when Universal Groups do not
reside in the local domain (833883)

"When you use the Active Directory Users and Computers snap-in, and you
click the Membership tab on the user's Properties dialog box to view the
Universal Group membership for a specific user, only the universal
groups that reside in the local domain are shown. If the user also
belongs to universal groups that do not reside on the local domain,
these universal groups do not appear in the Membership tab of the user's
Properties dialog box, even when the non-local domain resides in the
same forest and you are connected to a global catalog server in the
local domain."

 A hotfix is available.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, August 23, 2004 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Universal Group user population

I have a Question about adding people to a Universal Group.

I have some Admins that own a Universal Security Group, and have added users
from a child domain to the group.  When they look at the Universal Group
members, they see the user is a member of the group.  But when they look at
the user's properties, they notice that the Member Of tab doesn't list the
user's membership in the group.  Accounts within the same domain show up.

I have waited about two hours for replication latency before checking.  So
my question is, is this normal, and can someone from a parent domain add
users from child domains to a universal group?  Will it update the child
domain user's memberOf attribute with the universal group membership?

Thanks,

Todd


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Universal Group user population

2004-08-23 Thread Isham, Alan A
I assume you are using ADUC to validate the group's membership.  This is
a feature of adminpak.msi version 2000.  There is a KB article on this
behavior with workarounds noted in adminpak.msi version 2003 including a
reg hack.  Here are the details that were sent to me by a peer.

You cannot view a user's Universal Group membership in Windows Server
2003 Active Directory Users and Computers when Universal Groups do not
reside in the local domain (833883)

"When you use the Active Directory Users and Computers snap-in, and you
click the Membership tab on the user's Properties dialog box to view the
Universal Group membership for a specific user, only the universal
groups that reside in the local domain are shown. If the user also
belongs to universal groups that do not reside on the local domain,
these universal groups do not appear in the Membership tab of the user's
Properties dialog box, even when the non-local domain resides in the
same forest and you are connected to a global catalog server in the
local domain."

 A hotfix is available.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CIT)
Sent: Monday, August 23, 2004 8:22 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Universal Group user population

I have a Question about adding people to a Universal Group.

I have some Admins that own a Universal Security Group, and have added users
from a child domain to the group.  When they look at the Universal Group
members, they see the user is a member of the group.  But when they look at
the user's properties, they notice that the Member Of tab doesn't list the
user's membership in the group.  Accounts within the same domain show up.

I have waited about two hours for replication latency before checking.  So
my question is, is this normal, and can someone from a parent domain add
users from child domains to a universal group?  Will it update the child
domain user's memberOf attribute with the universal group membership?

Thanks,

Todd


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
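The KB excerpt Alan quotes explains why the Member Of tab in ADUC misses universal groups that live in another domain of the forest. A way to see the complete list, independent of the snap-in, is to ask a global catalog directly: a universal group's member attribute is replicated to every GC, so a forward search for groups whose member contains the user's DN works across domains. This is an added example, not code from the thread or from Microsoft; it assumes PowerShell on a domain-joined machine that can reach a GC, and the forest root DN and user name are placeholders:

```powershell
# Added example (not from the thread). Placeholders: forest root DN, user name.
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a DN or name containing ( ) * \ cannot alter the filter.
    param([string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        switch ($s) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($s) }
        }
    }
    $sb.ToString()
}

function Get-UniversalGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ForestRootDn = 'DC=example,DC=com'    # placeholder forest root
    )
    # GC:// binds to a global catalog (LDAP port 3268), which holds a partial
    # replica of every domain in the forest.
    $gcRoot = [ADSI]"GC://$ForestRootDn"

    # 1) Locate the user anywhere in the forest and take its DN.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName)))"
    [void]$userSearch.PropertiesToLoad.Add('distinguishedName')
    $user = $userSearch.FindOne()
    if ($null -eq $user) { throw "No user named '$SamAccountName' found in the global catalog" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # 2) Universal groups replicate their member attribute to every GC, so a
    #    forward search on member= finds them across domains. groupType bit 0x8
    #    marks universal scope; 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
    #    matching rule. Global and domain-local groups do not publish member to
    #    the GC and are deliberately outside this search.
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($gcRoot)
    $groupSearch.Filter = "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=8)(member=$(ConvertTo-LdapFilterValue $userDn)))"
    $groupSearch.PageSize = 500
    foreach ($p in 'distinguishedName', 'sAMAccountName', 'groupType') { [void]$groupSearch.PropertiesToLoad.Add($p) }

    foreach ($g in $groupSearch.FindAll()) {
        $dn = [string]$g.Properties['distinguishedname'][0]
        [pscustomobject]@{
            Group             = [string]$g.Properties['samaccountname'][0]
            # Domain is read off the DN's DC= components, so cross-domain groups are visible as such.
            Domain            = (($dn -split ',DC=') | Select-Object -Skip 1) -join '.'
            # 0x80000000 in groupType marks a security-enabled (vs. distribution) group.
            SecurityEnabled   = ([int64]$g.Properties['grouptype'][0] -band 0x80000000) -ne 0
            DistinguishedName = $dn
        }
    }
}

# Usage with placeholder values; compare the output with the Member Of tab in ADUC:
# Get-UniversalGroupMembership -SamAccountName 'jdoe' -ForestRootDn 'DC=example,DC=com' | Format-Table
```

Because the search runs against the GC's own replica, it also answers Todd's latency question: a group from the parent domain appears for a child-domain user as soon as the universal group's member change has replicated to the GC being queried, whether or not the snap-in shows it.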


[ActiveDir] Universal Group user population

2004-08-23 Thread Myrick, Todd (NIH/CIT)
I have a Question about adding people to a Universal Group.

I have some Admins that own a Universal Security Group, and have added users
from a child domain to the group.  When they look at the Universal Group
members, they see the user is a member of the group.  But when they look at
the user's properties, they notice that the Member Of tab doesn't list the
user's membership in the group.  Accounts within the same domain show up.

I have waited about two hours for replication latency before checking.  So
my question is, is this normal, and can someone from a parent domain add
users from child domains to a universal group?  Will it update the child
domain user's memberOf attribute with the universal group membership?

Thanks,

Todd


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Outlook and Contact List

2004-08-23 Thread Mulnick, Al
No, the address book is displayed in the address book dialog, usually
located at the top right quadrant of the tool bars, and is represented as a
book.  The box next to it, a drop-down search used to quick-search the
default address book.

I am not aware of a way to display the address book in the left pane.  It's
a tool bar item and not a folder, and since only folders are displayed on
the left hand side, I don't see this as an option.

Al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mario Ohnewald
Sent: Monday, August 23, 2004 9:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Outlook and Contact List

> When you configure a new address book for Outlook, it is displayed by 
> the name you gave it.

Do you mean the address book should be displayed on the left, where
contacts, Inbox, Appointments, etc... are?
> It is not going to be under the contacts address book which is a 
> special folder in your mail store.  I think there is an expectation 
> that you would be able to click on the contacts folder and it would be 
> populated, but this is not the case.
Ok.

> If that's what you
> want, then you either need to write custom code to redirect that 
> folder (not likely) else import the contacts into that folder.  The 
> normal behavior however is to have it searchable from the address book 
> dialog box.

It is normal to search it, but not to browse? Correct?

Is it possible to let the address book appear on the left menu somehow?

Thanks, Mario


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Outlook and Contact List

2004-08-23 Thread Mario Ohnewald
> When you configure a new address book for Outlook, it is displayed by
> the name you gave it.

Do you mean the address book should be displayed on the left, where
contacts, Inbox, Appointments, etc... are?
> It is not going to be under the contacts address
> book which is a special folder in your mail store.  I think there is an
> expectation that you would be able to click on the contacts folder and
> it would be populated, but this is not the case.
Ok.

> If that's what you
> want, then you either need to write custom code to redirect that folder
> (not likely) else import the contacts into that folder.  The normal
> behavior however is to have it searchable from the address book dialog
> box.

It is normal to search it, but not to browse? Correct?

Is it possible to let the address book appear on the left menu somehow?

Thanks, Mario


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Outlook and Contact List

2004-08-23 Thread Mulnick, Al
When you configure a new address book for Outlook, it is displayed by the
name you gave it.  It is not going to be under the contacts address book
which is a special folder in your mail store.  I think there is an
expectation that you would be able to click on the contacts folder and it
would be populated, but this is not the case.  If that's what you want, then
you either need to write custom code to redirect that folder (not likely)
else import the contacts into that folder.  The normal behavior however is
to have it searchable from the address book dialog box.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mario Ohnewald
Sent: Monday, August 23, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Outlook and Contact List 

Hello List!

I guess this is an Outlook issue I need to solve.

I have set up my LDAP Address book.
I can search the contacts fine in Outlook v9.0. It auto-completes the names
when I compose a mail.

However, when I click on Contacts in the left menu, I get nothing.
My network tools show me that there is no traffic or query from the Outlook
client to the LDAP server. How do I set up Outlook so that it will display my
address book in Contacts, too?
My Search Query is: "ou=workers,dc=example.domain,dc=com"

How can I tell Outlook to use the LDAP Address book rather than the local
one?
Thanks a lot. Mario


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Outlook and Contact List

2004-08-23 Thread Mario Ohnewald
Hello List!

I guess this is an Outlook issue I need to solve.

I have set up my LDAP Address book.
I can search the contacts fine in Outlook v9.0.
It auto-completes the names when I compose a mail.

However, when I click on Contacts in the left menu, I get nothing.
My network tools show me that there is no traffic or query from the
Outlook client to the LDAP server. How do I set up Outlook so that it will display my
address book in Contacts, too?
My Search Query is: "ou=workers,dc=example.domain,dc=com"

How can I tell Outlook to use the LDAP Address book rather than the local
one?
Thanks a lot. Mario


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Mulnick, Al
I suppose in theory, setting it to crash on full is also a security risk
since it could be used to cause a denial of service.  

I'd guess that if you have something that siphons off the logs on submit
event, then it could be a workable solution.  I'd have to say I'm not
impressed with a lot of the tools currently out there that do this due to
the overhead they place on the machine, but it could be done.  MOM Server is
a good way to get this done IIRC.

I'm guessing that's what you had in mind, Rick?  Something that clears it as
it is written, vs a timed deal? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Monday, August 23, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

I have had the same problem, but setting the logs to overwrite is bad system
administration. If a person attempts to break passwords, they can just flood
the server with requests and eventually the log will clear.
The best solution is to have the logs cleared by a script or third party
utility to clear and archive the logs every night.



Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Monday, August 23, 2004 6:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

Guy,

One way to avoid the problems of a full security log is to set the logs to
overwrite as needed.  You can set this via group policy.

I don't know if the kerberos ticket is cached or not.  (I suspect not.) When
a machine reconnects to the network and you attempt to access a network
resource, the resource will ask for your ticket.  If you don't have one, or
if it is out of date, the client will request a new kerberos ticket and then
be authenticated to the resource.

Denny
 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> Teverovsky
> Sent: Friday, August 20, 2004 8:48 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] By design or configurable ?
> 
> 
> In my environment, when W2K3 DC boots with security logs full, the 
> replication from that DC stops till the security log is cleared and 
> the box is rebooted.
> The interesting thing is that after the security logs become full 
> (while the box is online) the replication continues to work till the 
> box is rebooted with full log.
> 
> So the question is whether this can be prevented (we do have a routine 
> which takes care of security logs archiving, but it failed on one of 
> the DCs and I would like to prevent the replication from breaking 
> again).
> 
> And another OT question:
> When logging on to XP with cached credentials, is the Kerberos ticket 
> cached too ? And if yes, what happens when the ticket expires and the 
> box is reconnected to the network: will it seamlessly try to renew the 
> ticket ?
> 
> Thanks,
> Guy
> 
> --
> Smith & Wesson - the original point and click interface
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: File share and NTFS administrative control rights

2004-08-23 Thread Mulnick, Al
Sorry, the domain group Print Operators has local logon rights.  A local
group is local to the machine itself, but you are correct that there isn't
enough information.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Friday, August 20, 2004 8:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: File share and NTFS administrative control rights

Um, maybe I'm missing the point here, but why does adding a group to the
local Print Operators group imply that they have local logon to DC's ? (I'm
presuming here that the F&P server is just that...a server and not a domain
controller - mike didn't specify).

Surely this group managing your F&P servers can be granted the rights they
need to those servers without compromising the integrity of the domain
controllers.  Yes, you may need to up their level of rights on the F&P
servers (such as Print Operators group), but you should be able to make that
fly with your IT Security guys (the outsourced group essentially become an
'application administrator', where the application is F&P) - that doesn't
make them domain admins.  Additionally, using Group Policy and the
Restricted Groups setting would allow your team to control who has elevated
rights over the box without handing the whole thing to them to do what they
please.

G.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Saturday, 21 August 2004 2:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: File share and NTFS administrative control rights

Nothing's been done so far.  We have a guy who's been trying to figure out
how to make this happen.  While I'm not sure what he's tried, he's flying
the white flag and asking for help.  I'm checking here for help.

The fact that print operators can log onto DCs will likely not fly with our
security group.  Will tackle that problem once we nail down how to resolve
the disconnect with share creation.

We're ok with creating shares ourselves and then handing over to outsourcer
to ACL, and so on.  But outsourcer is requiring ability to create the shares
without needing to wait for us.  That's the main problem -- figuring out how
to let them create shares without giving them the keys to the kingdom.  We
need to find a way to allow the outsourcer to be able to create shares
without granting power users.  Either the solution ends up being a bit ugly
in that we have to get very granular with our level of delegation or we find
that there is no solution and we need to grant power users.  Neither
decision will go over very well.  But the preference would be for an ugly
solution instead of granting power users.

Thanks,
Mike


From: "Mulnick, Al" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 08/20/2004 10:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: File share and NTFS administrative control rights

LOL.  I can't comment on that last part without incriminating myself ;)

I'm trying to understand what's been done so far that you're having trouble
with.  Any specifics there?

As for a couple of thoughts:
Local logon and rights to install drivers are just about required for the
printer aspect.  They'll need to log on, create the printer, install/update
drivers, and then move on.  That may sink the effort right there.  By
default, print operators can do this, but they can do so much more such as
log onto domain controllers locally.  Might not be what you want.

For file permission, is it not an option that when you create the servers,
you create a parent share and folder they have full control over and then
let them work it out from there?  What's the process that prevents that?

-al




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Baudino
Sent: Friday, August 20, 2004 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: File share and NTFS administrative control rights

Sure thing.  Can do.

The outsourcer has been delegated the responsibility for managing file and
print resources.  Included in this is the need to create and ACL a share,
ACL NTFS directory/file permissions and create/modify/delete print queues.
We're most concerned that we don't grant access to our FNP servers that are
unnecessarily higher than necessary.  But we're also concerned that we don't
need to create a many-step process to grant the outsourcer this level of
access.  We also don't want it to be anything domain-wide -- just our FNP
servers.

We would also prefer that the outsourcer did this work remotely instead of
through remote control or RDP.  In other words, our goal is also to
eliminate, or at least restrict, local log
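Glenn's suggestion of Restricted Groups for the file-and-print servers pairs naturally with a recurring check that the local privileged groups on those servers still contain only who they should, so that the delegated operators are held to exactly the rights they were granted and nobody ends up in Power Users by the back door. This is an added example, not code from the thread; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember) with WinRM enabled on each server, and the server names, domain name and approved principals are placeholders:

```powershell
# Added example (not from the thread). Placeholders: server names, domain, approved principals.
$Servers  = @('FNP01', 'FNP02')                    # placeholder file-and-print servers
$Approved = @{
    # Patterns are matched with -like; '*\Administrator' covers the built-in
    # account, whose name is prefixed with each server's own name.
    'Administrators' = @('*\Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\FNP Server Admins')
    # Nobody belongs here: the point of the thread is to avoid handing out Power Users.
    'Power Users'    = @()
}

function Get-LocalGroupDrift {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][hashtable]$ApprovedMembers
    )
    foreach ($computer in $ComputerName) {
        foreach ($group in $ApprovedMembers.Keys) {
            $allowed = $ApprovedMembers[$group]
            # Enumerate the local group on the remote server over WinRM.
            $members = Invoke-Command -ComputerName $computer -ArgumentList $group -ScriptBlock {
                param($g)
                Get-LocalGroupMember -Group $g | Select-Object Name, ObjectClass, PrincipalSource
            }
            foreach ($m in $members) {
                $isApproved = $false
                foreach ($pattern in $allowed) {
                    if ($m.Name -like $pattern) { $isApproved = $true; break }
                }
                if (-not $isApproved) {
                    # One row per principal that holds elevated rights without approval.
                    [pscustomobject]@{
                        Computer = $computer
                        Group    = $group
                        Member   = $m.Name
                        Class    = $m.ObjectClass
                        Source   = $m.PrincipalSource
                    }
                }
            }
        }
    }
}

Get-LocalGroupDrift -ComputerName $Servers -ApprovedMembers $Approved | Format-Table -AutoSize
```

Restricted Groups enforces the membership at each policy refresh; this check is the independent confirmation that the policy actually applied on every server, and it is where an unexpected member of Administrators or Power Users on a file server shows up between refreshes.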

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Gasper, Rick
I have had the same problem, but setting the logs to overwrite is bad
system administration. If a person attempts to break passwords, they can
just flood the server with requests and eventually the log will clear.
The best solution is to have the logs cleared by a script or third party
utility to clear and archive the logs every night.



Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Depp, Dennis M.
Sent: Monday, August 23, 2004 6:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] By design or configurable ?

Guy,

One way to avoid the problems of a full security log is to set the logs
to overwrite as needed.  You can set this via group policy.

I don't know if the kerberos ticket is cached or not.  (I suspect not.)
When a machine reconnects to the network and you attempt to access a
network resource, the resource will ask for your ticket.  If you don't
have one, or if it is out of date, the client will request a new
kerberos ticket and then be authenticated to the resource.

Denny
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> Teverovsky
> Sent: Friday, August 20, 2004 8:48 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] By design or configurable ?
> 
> 
> In my environment, when W2K3 DC boots with security logs full, the
> replication from that DC stops till the security log is cleared and the
> box is rebooted.
> The interesting thing is that after the security logs become full (while
> the box is online) the replication continues to work till the box is
> rebooted with full log.
> 
> So the question is whether this can be prevented (we do have a routine
> which takes care of security logs archiving, but it failed on one of the
> DCs and I would like to prevent the replication from breaking again).
> 
> And another OT question:
> When logging on to XP with cached credentials, is the Kerberos ticket
> cached too ? And if yes, what happens when the ticket expires and the
> box is reconnected to the network: will it seamlessly try to renew the
> ticket?
> 
> Thanks,
> Guy
> 
> -- 
> Smith & Wesson - the original point and click interface
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] RID master problem or...?

2004-08-23 Thread Robert Rutherford

Dcdiag even :O)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: 23 August 2004 12:09
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RID master problem or...?

Let’s take this a step at a time…

1) Save off the event logs, clear them and then bounce the box… let’s start from a clean base if possible. Re-run the dcpromo.

BR

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Esteban Sonofthesun
Sent: 23 August 2004 11:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RID master problem or...?

Hi Robert,

I'm opening ADUC from the server.

1) I checked RID Master is available. (It is the RID master; there is no other DC on this domain.)
2) I attached the dcdiag file.

Thanks for your interest.

RE: [ActiveDir] RID master problem or...?

2004-08-23 Thread Robert Rutherford

Let’s take this a step at a time…

1) Save off the event logs, clear them and then bounce the box… let’s start from a clean base if possible. Re-run the dcpromo.

BR

Rob

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Esteban Sonofthesun
Sent: 23 August 2004 11:52
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] RID master problem or...?

Hi Robert,

I'm opening ADUC from the server.

1) I checked RID Master is available. (It is the RID master; there is no other DC on this domain.)
2) I attached the dcdiag file.

Thanks for your interest.

RE: [ActiveDir] RID master problem or...?

2004-08-23 Thread Esteban Sonofthesun



Hi Robert,
 
I'm opening ADUC from the server.
 
1) I checked RID Master is available. (It is the RID master; there is no other DC on this domain.)
2) I attached the dcdiag file.
 
Thanks for your interest.
DC Diagnosis

Performing initial setup:
   * Verifing that the local machine ntserver, is a DC. 
   * Connecting to directory service on server ntserver.
   * Collecting site info.
   * Identifying all servers.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Default-First-Site-Name\NTSERVER
  Starting test: Connectivity
 * Active Directory LDAP Services Check
 * Active Directory RPC Services Check
 . NTSERVER passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\NTSERVER
  Starting test: Replications
 * Replications Check
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX_pak2 to NTSERVER
Naming Context: CN=Schema,CN=Configuration,DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.47.
The last success occurred at 2003-09-18 18:12.59.
8051 failures have occurred since the last success.
The guid-based DNS name 
d13d4211-36e1-4f95-903c-a1cc5912c367._msdcs.pak.info
is not registered on one or more DNS servers.
 [EX_pak2] DsBind() failed with error 1722,
 Win32 Error 1722.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX2pak to NTSERVER
Naming Context: CN=Schema,CN=Configuration,DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.50.
The last success occurred at 2003-10-16 11:48.47.
7379 failures have occurred since the last success.
The guid-based DNS name 
a84dad48-3f52-49e9-a2bc-051e28fa43a8._msdcs.pak.info
is not registered on one or more DNS servers.
 [EX2pak] DsBind() failed with error 1722,
 Win32 Error 1722.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX_pak2 to NTSERVER
Naming Context: CN=Configuration,DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.41.
The last success occurred at 2003-09-18 18:20.05.
8051 failures have occurred since the last success.
The guid-based DNS name 
d13d4211-36e1-4f95-903c-a1cc5912c367._msdcs.pak.info
is not registered on one or more DNS servers.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX2pak to NTSERVER
Naming Context: CN=Configuration,DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.44.
The last success occurred at 2003-10-16 12:05.19.
7379 failures have occurred since the last success.
The guid-based DNS name 
a84dad48-3f52-49e9-a2bc-051e28fa43a8._msdcs.pak.info
is not registered on one or more DNS servers.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX_pak2 to NTSERVER
Naming Context: DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.35.
The last success occurred at 2003-09-18 18:15.02.
8052 failures have occurred since the last success.
The guid-based DNS name 
d13d4211-36e1-4f95-903c-a1cc5912c367._msdcs.pak.info
is not registered on one or more DNS servers.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX2pak to NTSERVER
Naming Context: DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.38.
The last success occurred at 2003-10-16 12:04.33.
7379 failures have occurred since the last success.
The guid-based DNS name 
a84dad48-3f52-49e9-a2bc-051e28fa43a8._msdcs.pak.info
is not registered on one or more DNS servers.
 . NTSERVER passed test Replications
  Test omitted by user request: Topology
  Test omitted by user request: CutoffServers
  Starting test: NCSecDesc
 * Security Permissions Check for
   CN=Schema,CN=
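Rob asked for the dcdiag results to be pasted, and the attachment above contains six "A recent replication attempt failed" blocks. As an added example (not part of the thread and not a dcdiag feature), here is a PowerShell function that parses such blocks into objects so the source DC, naming context, error code, last success, failure count and the unregistered GUID-based DNS name of each failure can be tabulated and compared; the sample is an excerpt of the output above, with the second block's DNS name folded onto one line to show both layouts are handled.

```powershell
# Added example (not from the thread): summarise the "A recent replication attempt
# failed" blocks that dcdiag prints, as in the output pasted above.
function Get-DcdiagReplFailures {
    param([Parameter(Mandatory)][string[]]$Lines)   # dcdiag output, e.g. Get-Content dcdiag.txt
    $failures = @(); $cur = $null
    foreach ($raw in $Lines) {
        $t = $raw.Trim()
        # Each failure block opens with this header naming the destination DC.
        if ($t -match '^\[Replications Check,(?<dc>[^\]]+)\] A recent replication attempt failed:') {
            if ($cur) { $failures += [pscustomobject]$cur }
            $cur = [ordered]@{ Target = $Matches.dc; Source = $null; NamingContext = $null
                               Error = $null; LastSuccess = $null; FailureCount = $null; GuidDnsName = $null }
            continue
        }
        if (-not $cur) { continue }   # still in the preamble before the first block
        switch -Regex ($t) {
            '^From (?<src>\S+) to \S+$'                         { $cur.Source        = $Matches.src }
            '^Naming Context: (?<nc>.+)$'                       { $cur.NamingContext = $Matches.nc }
            '^The replication generated an error \((?<e>\d+)\)' { $cur.Error         = [int]$Matches.e }
            '^The last success occurred at (?<ts>.+?)\.?$'      { $cur.LastSuccess   = $Matches.ts }
            '^(?<n>\d+) failures have occurred'                 { $cur.FailureCount  = [int]$Matches.n }
            # The CNAME <guid>._msdcs.<forest root> may be on its own line or inline.
            '(?<g>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.[\w.-]+)' { $cur.GuidDnsName = $Matches.g }
        }
    }
    if ($cur) { $failures += [pscustomobject]$cur }
    $failures
}

# Excerpt of the dcdiag output pasted in this thread (two of its six failure blocks).
$sample = @'
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX_pak2 to NTSERVER
Naming Context: CN=Schema,CN=Configuration,DC=pak,DC=info
The replication generated an error (8524):
Win32 Error 8524
The failure occurred at 2004-08-20 14:54.47.
The last success occurred at 2003-09-18 18:12.59.
8051 failures have occurred since the last success.
The guid-based DNS name
d13d4211-36e1-4f95-903c-a1cc5912c367._msdcs.pak.info
is not registered on one or more DNS servers.
 [Replications Check,NTSERVER] A recent replication attempt failed:
From EX2pak to NTSERVER
Naming Context: DC=pak,DC=info
The replication generated an error (8524):
The last success occurred at 2003-10-16 12:04.33.
7379 failures have occurred since the last success.
The guid-based DNS name a84dad48-3f52-49e9-a2bc-051e28fa43a8._msdcs.pak.info is not registered on one or more DNS servers.
'@ -split "`r?`n"

Get-DcdiagReplFailures -Lines $sample |
    Format-Table Source, NamingContext, Error, LastSuccess, FailureCount, GuidDnsName -AutoSize
```

Sorting the objects by LastSuccess shows at a glance which partners have not replicated for many months, and the GuidDnsName column lists exactly which _msdcs CNAME records to check on the DNS servers.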

RE: [ActiveDir] By design or configurable ?

2004-08-23 Thread Depp, Dennis M.
Guy,

One way to avoid the problems of a full security log is to set the logs
to overwrite as needed.  You can set this via group policy.

I don't know if the kerberos ticket is cached or not.  (I suspect not.)
When a machine reconnects to the network and you attempt to access a
network resource, the resource will ask for your ticket.  If you don't
have one, or if it is out of date, the client will request a new
kerberos ticket and then be authenticated to the resource.

Denny
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy 
> Teverovsky
> Sent: Friday, August 20, 2004 8:48 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] By design or configurable ?
> 
> 
> In my environment, when W2K3 DC boots with security logs full, the
> replication from that DC stops till the security log is 
> cleared and the
> box is rebooted. 
> The interesting thing is that after the security logs become 
> full (while
> the box is online) the replication continues to work till the box is
> rebooted with full log.
> 
> So the question is whether this can be prevented (we do have a routine
> which takes care of security logs archiving, but it failed on 
> one of the
> DCs and I would like to prevent the replication from breaking again).
> 
> And another OT question:
> When logging on to XP with cached credentials, is the Kerberos ticket
> cached too ? And if yes, what happens when the ticket expires and the
> box is reconnected to the network: will it seamlessly try to renew the
> ticket?
> 
> Thanks,
> Guy
> 
> -- 
> Smith & Wesson - the original point and click interface
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
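As an added example (not from the thread), a PowerShell script for the nightly archive-and-clear routine Rick describes earlier in this thread, which first reports the retention (overwrite) setting Denny mentions. It assumes an account holding the backup and security privileges on the DC and an existing archive folder; the computer name default and the archive path are placeholders.

```powershell
# Added example (not from the thread): nightly archive-and-clear of the Security
# log, with a report of the retention setting first. Assumes an account holding
# the backup and security privileges on the DC and an existing archive folder;
# the computer name default and the path below are placeholders.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$ArchiveDir   = 'D:\EventLogArchive'   # placeholder; must exist on the target
)

# Win32_NTEventlogFile carries the log's size and OverwritePolicy and exposes the
# BackupEventlog/ClearEventlog methods; -EnableAllPrivileges turns on the backup
# and security privileges that the Security log requires.
$log = Get-WmiObject -Class Win32_NTEventlogFile -ComputerName $ComputerName `
        -EnableAllPrivileges -Filter "LogFileName='Security'"
if (-not $log) { throw "Security log not found on $ComputerName." }

# OverwritePolicy is WhenNeeded, OutDated or Never. 'Never' is the setting that
# lets the log fill and then stay full until someone clears it.
$pctUsed = [math]::Round(100 * $log.FileSize / $log.MaxFileSize, 1)
Write-Host ("Security log on {0}: {1}% of {2} KB used, {3} records, OverwritePolicy={4}" -f `
    $ComputerName, $pctUsed, [int]($log.MaxFileSize / 1KB), $log.NumberOfRecords, $log.OverwritePolicy)
if ($log.OverwritePolicy -eq 'Never') {
    Write-Warning "Retention is 'Do not overwrite events'; the log stops accepting events when full."
}

# Archive to a dated backup file (the path is interpreted on the target machine),
# and clear only after the backup reported success (ReturnValue 0).
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path $ArchiveDir ("Security-{0}-{1}.evt" -f $ComputerName, $stamp)
$rc = $log.BackupEventlog($archive).ReturnValue
if ($rc -ne 0) { throw "BackupEventlog failed with return code $rc; log NOT cleared." }
$rc = $log.ClearEventlog().ReturnValue
if ($rc -ne 0) { throw "ClearEventlog failed with return code $rc." }
Write-Host "Archived $($log.NumberOfRecords) records to $archive and cleared the log."
```

Run it from a scheduled task under an account with the needed privileges; because the clear step only runs after a successful backup, a failed archive leaves the log intact and the task's non-zero exit stands out in the task history.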


[ActiveDir] unable to generate ssl cert

2004-08-23 Thread Lara Adianto
Hello,
 
I have a problem generating an SSL cert for OWA 2003 form-based authentication. My environment is as follows:
PC A --> acts as DC, domain=example.com
PC B --> where MS Exchange 2003 and the cert authority are installed, configured to be a member of domain=example.com
 
I have tested OWA without form-based auth and now would like to enable form-based authentication. I followed the steps outlined in http://www.msexchange.org/tutorials/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html, but I was unable to generate the SSL cert, with the following error logged in Event Viewer:
"Certificate Services denied request 4 because Access is denied.  0x80070005 (WIN32: 5).  The request was for C=xx, S=xxx, L=xxx, O=xxx, OU=xx, CN=xxx.xx.x.  Additional information: Denied by Policy Module"
I have googled and followed the instructions from this site: http://support.microsoft.com/default.aspx?scid=kb;en-us;281271 but the problem persists!
 
The only step I was unsure about in the instructions is: "Set permissions on the applicable certificate templates to allow users in the child domain to enroll. (NOTE: You must be logged onto the root domain with domain administrator rights.)" I'm not sure which template's permissions I should modify, and anyway, I'm unable to make any modification to the permissions (I have permission to view only, which is weird because I logged in as administrator!).
 
This is strange! I was able to generate a cert and have form-based authentication working before. But a few days ago, I had to reinstall my AD & Exchange server due to an AD crash. After that, I was unable to generate an SSL cert.
I really have no idea why SSL cert generation, which was working before, now fails... Any idea, guys, how to trace the source of the problem?
 
Thanks!

Life, you see, is never as good or as bad as one thinks. - Guy de Maupassant -

RE: [ActiveDir] RID master problem or...?

2004-08-23 Thread Robert Rutherford

Where are you opening ADUC (AD Manager) from… the server or your desktop? I’m assuming you got in eventually by your second statement.

1) Open your ADUC console and right click on the domain name and select the operation masters menu item. The first tab should be the RID master. Is the server shown as the RID master available on your network?

2) If it is available then run dcdiag on the box. This can be found under the support folder on your server disk. When you have run it then paste the results back here so we can have a look.

This is a starting point and will give something to work on.

Rob.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Esteban Sonofthesun
Sent: 23 August 2004 09:26
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RID master problem or...?

Hi all,

I have a problem on my AD.

At my first try to open AD manager it gives:

"Naming information cannot be located because:
The specified domain either does not exist or could not be contacted."

And then when I try to add a user to my database it gives:

"Windows cannot create the object because:
The directory service has exhausted the pool of relative identifiers.
..."

From Microsoft and Google, I found the WTIME problem and tried to solve it this way, but this solution did not solve my problem. And then I tried the resolution below:

839879 Event ID 16650: The account-identifier allocator failed to initialize in:
http://support.microsoft.com/?id=839879

But still the problem continues.

What is your opinion?

Thanks for your answers in advance.

Esteban


[ActiveDir] RID master problem or...?

2004-08-23 Thread Esteban Sonofthesun
Hi all,
 
I have a problem on my AD.
 
At my first try to open AD manager it gives:
 
"Naming information cannot be located because:
The specified domain either does not exist or could not be contacted."
 
And then when I try to add a user to my database it gives:
 
"Windows cannot create the object because:
The directory service has exhausted the pool of relative identifiers.
..."
 
From Microsoft and Google, I found the WTIME problem and tried to solve it this way, but this solution did not solve my problem. And then I tried the resolution below:
 
839879 Event ID 16650: The account-identifier allocator failed to initialize in:
http://support.microsoft.com/?id=839879
 
But still the problem continues.
 
What is your opinion?
 
Thanks for your answers in advance.
Esteban

RE: [ActiveDir] DFS on Domain Controllers

2004-08-23 Thread Grillenmeier, Guido

there's nothing wrong with what you're doing - DCs can host 
DFS roots perfectly well and can contain link targets which point to shares on 
any server in your infrastructure. The one thing that you need to be aware 
of in this respect is that whoever manages the link targets in the DFS root 
requires administrative rights on the DFS root server => if this is a DC, 
this means it has to be a domain admin...
 
/Guido
 
P.S.: small correction from the previous answer to this 
post: SYSVOL shares ARE handled by DFS - it's a special DFS root 
which exists on every DC. And the contents of SYSVOL are obviously 
replicated via FRS. 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cary, Mark
Sent: Wednesday, August 18, 2004 11:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DFS on Domain Controllers

I wasn't going to have any real files on the DCs, just 
the DFS root and links that point to real shares on file servers.  

  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Clingaman
  Sent: Wednesday, August 18, 2004 3:44 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DFS on Domain Controllers
  
  The sysvol shares are not handled by dfs. You can put dfs 
  roots on DCs but as a matter of policy it's not a good idea to have any file 
  shares other than sysvol on a DC. But for a small network and limited 
  resources...
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cary, Mark
  Sent: Wednesday, August 18, 2004 3:01 PM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] DFS on Domain Controllers
  
  Is it a bad idea to make DFS Root Targets on Domain Controllers? If I browse to my AD 2003 domain \\example.com I see the two folders: Netlogon & Sysvol. But if I browse to \\example.com\DFS-Root I see my Links which point to shares on file servers…
  \\example.com\DFS-Root\Acctg --> \\File-Server-1\Acctg
  \\example.com\DFS-Root\Eng --> \\File-Server-2\Engineering
  Thanks