RE: [ActiveDir] easiest way to move Distribution Lists across dom ains. hoping for quick response ;)
When migrating objects between domains in the same forest, remember that you always need to migrate the closed sets. E.g. let's say the following situation exists: user-global group1-global group2. Ik you want to migrate global group 2 to another domain and retain memberships you must also migrate global group 1 AND the user! Regards, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of CoCoKola Sent: maandag 1 november 2004 05:41 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] easiest way to move Distribution Lists across domains. hoping for quick response ;) Group Membership Is Not Maintained for Nested Groups Group membership within other groups is not maintained for interforest migrations We would need to retain nested groups if they exist, although I do not know yet if these DL's contain nested groups, or if that is even possible. On Sun, 31 Oct 2004 22:25:56 -0600, Brian Desmond [EMAIL PROTECTED] wrote: ADMT should work too. Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of CoCoKola Sent: Sunday, October 31, 2004 10:18 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] easiest way to move Distribution Lists across domains. hoping for quick response ;) I hope this is on-topic ;) Domain A is AD 2000 mixed mode, soon to be native mode (exchange 5.5 box to be retired soon.) Domain B is AD 2000 Native mode. Domain A has an OU with 100's of distribution lists Users in Domain B are unable to update Distribution Lists after upgrading to XP office 2003. simple solution: move the DLs to Domain B which contains the user accounts that need to modify the DL. Side note: We've been working with Microsoft on this issue.. long story I'll omit. Now, the question: What is the easiest way to move DLs from one domain to another? Possible options: Movetree.exe Create a VBscript to enumerate and re-create the object in domain B. I'm not sure the feasibility. Has anyone done this previously? Pointers, Gotchas? Any assistance is appreciated in advance! Rob List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP authorization problem
If you had local connection (same subnet) connection to a DC and DNS then I can't think of any reason why your problem would occur It's also strange that the DHCP server was serving to its own subnet and not to others. I would just it put it down to a 'one off' and wouldn't be too concerned. If you could do a switch bounce again and test it then fine. Out of interest, what else runs on the DHCP server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: 02 November 2004 00:47 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem 1. Yes. 2. Yes. 3. Cisco 3640 and 2620s, with a 4006 core switch doing Layer 3 routing. 4. Cleanup on the configs, code updates, additional security; stuff like that. We went over the configs this AM and everything looked fine, and once I restarted DHCP, all the subnets got addresses just fine. 5. Yes. I check that one regularly. :-) I don't even mind that the DHCP server unauthorized, but it would have been nice if it could reauthorize, or at least show me something that indicated it had unauthorized. When I looked in the MMC, it gave me an option to unauthorize, so I assumed (I know) it was still authorized. Made a stupid mistake, though; I didn't check the system log when I realized we had a problem. Would have found it much faster. Is the unauthorizing when DC comms go down behavior by design? ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Monday, November 01, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem A few question completely firing in different directions but may lead to a cause :- 1) I take it your routers are relaying DHCP, not agents? 2) Is there a local DC in the same subnet as the DHCP server? 3) What are the routers? I've seen different routers play games with DHCP relays. 4) What was the maintenance? 5) Are all your DCs running clean on DCDIAGS ( I know I always ask that question, but identifies obvious config issues at times) Rob From: [EMAIL PROTECTED] on behalf of Charlie Kaiser Sent: Mon 01/11/2004 21:23 To: [EMAIL PROTECTED] Subject: [ActiveDir] DHCP authorization problem I had an odd one over the weekend. We did some network maintenance that included a core switch bounce. Down for about 5 minutes. We found out this morning that DHCP wasn't working on any subnets except for the one that the DHCP server was on. We had made switch and router code and config changes, so we looked to that as a solution, but with no success. I remembered something from a while back where I had a similar problem and restarted the DHCP service. This corrected the issue. Apparently, the DHCP server had lost authorization from AD when the core switch went down. Event ID 1059; The DHCP service failed to see a directory server for authorization. I would have expected it to reauthorize once connectivity was restored, however. But it didn't. I had to restart the service manually. Is this normal? I would expect that DHCP authorization would be able to recover from a short loss of connectivity. Any pointers to a way to prevent this from happening again? Thanks! ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ == = Scanned for virus infection by Messagelabs == = List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] User export/import
Hi, I would like to know what would be the best way to export and reimport users and group from a DC to another. The source DC is the one that is in our LAN and the second one is in a test lab. They both must have the same accounts and groups but, they are not connected in any way and the configuration differ from one to the other (ip range is not the same). IIRC I saw a VBS script that could export users and groups in a file then allow the reimport process... but this is a long time ago, so I may not recall correctly. So what you guys would do to achieve this goal? BTW, I tried to backup the system state and restore it to the other DC, but the DC froze after the reboot... I don't know if this could be caused because of the configuration diff. Thanks! M.Bruyere List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User export/import
I believe LDIFDE will allow you to achieve this. http://support.microsoft.com/kb/q237677/ Its available on the Windows 200x Server CD Iain -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: 02 November 2004 13:15 To: [EMAIL PROTECTED] Subject: [ActiveDir] User export/import Hi, I would like to know what would be the best way to export and reimport users and group from a DC to another. The source DC is the one that is in our LAN and the second one is in a test lab. They both must have the same accounts and groups but, they are not connected in any way and the configuration differ from one to the other (ip range is not the same). IIRC I saw a VBS script that could export users and groups in a file then allow the reimport process... but this is a long time ago, so I may not recall correctly. So what you guys would do to achieve this goal? BTW, I tried to backup the system state and restore it to the other DC, but the DC froze after the reboot... I don't know if this could be caused because of the configuration diff. Thanks! M.Bruyere List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ *** This electronic message contains information from Hampshire Constabulary which may be legally privileged and confidential. Any opinions expressed may be those of the individual and not necessarily the Hampshire Constabulary. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message in error, please notify us by telephone +44 (0) 845 045 45 45 or email to [EMAIL PROTECTED] immediately. Please then delete this email and destroy any copies of it. All communications, including telephone calls and electronic messages to and from the Hampshire Constabulary may be subject to monitoring. Replies to this email may be seen by employees other than the intended recipient. *** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] login scripts
Have you been able to connect to the file shares using the UNC path names from the XP workstations? Can you run the scripts manually? How many 2K3 domain controllers? Any chance the scripts have not replicated to the netlogon share of all of them yet? Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] Mulnick, Al [EMAIL PROTECTED]To: [EMAIL PROTECTED] Sent by: cc: (bcc: James Day/Contractor/NPS) [EMAIL PROTECTED]Subject: RE: [ActiveDir] login scripts tivedir.org 11/01/2004 04:42 PM EST Please respond to ActiveDir What did you find in the logging? Have you enabled logging to see what's happening at logon? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jordan Arendt Sent: Monday, November 01, 2004 3:36 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] login scripts We've recently upgraded from NT 4 to 2K3. Our logon scripts have stoppped running on clients. Logon scripts are specified in ADUC in the profile tab of each user. When I logon to my XP machine the scripts do not run. When I logon to a server through RDP, they do run. I was thinking GPO, but only the default domain policy is currently applied, and it is applied to both the servers OU and the OU my PC is in. I've looked at the following: http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this is not the case, my netlogon shares point to the correct place) and http://support.microsoft.com/default.aspx?scid=kb;en-us;302104 I made the suggested changes, to no avail. Anyone have any suggestions? Thanks in Advance. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
Hi Rodney Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the 2000 resource kit as well) although it can be downloaded separately from Microsoft. I did a search on google for lockoutstatus.exe to get it. We saw pretty much the same thing about 3 months ago and it turned out to be a new flavor of a popular internet worm that Symantec was unable to detect. There have since been several other variations. In our case we audit for logon failures, lockoutstatus gave us the DC to check, the audit log showed several failures for a handful of accounts at a set time all coming from one ip address and that ip had wintaskx and payload both running - the viral infections. Good luck tracking down the culprit. If you do get it and you need a bulk unlock script: ' Open the file system object - allows connections into the file system Set fso = CreateObject(Scripting.FileSystemObject) set fso2 = CreateObject(Scripting.FileSystemObject) ' Opens a file for reading lock = 0 set myreadfyle = fso.opentextfile(c:\ntuserlist.txt) ' Sets up a loop. This will read every line in the text file and perform operations until the last line of the text file set myfile2 = fso2.opentextfile(c:\lockedaccounts.txt,2) While Not myreadfyle.AtEndOfStream ' Read the line, splitting it at the commas for reading. The split command looks for the value in brackets (,) and ' splits the line there. It will become an array now. the value dnarray(0) will be column one from the csv. ' dnarray(1) is then column two. strusername = myreadfyle.readline strdomain = hq ' dnarray = split(fyleline,,,-1,1) ' This line echos the values to a message box on the screen. Again, values in the s are absolute, values ' outside the s are variables, and the is used to append the different value sets together into one line. ' wscript.echo The first value is dnarray(0) The second value is dnarray(1) ' ends the while statement - while end. In VBS while end will fail, in dotnet it works. set objuser=getobject(WinNT:// strdomain / strUsername) if objuser.IsAccountLocked= True then myfile2.writeline strusername objuser.isaccountlocked=false objuser.setinfo lock = lock + 1 ' wscript.echo strusername unlocked else ' wscript.echo strusername not locked end if WEND wscript.echo lock accounts unlocked - see c:\lockedaccounts.txt for a list of usernames myreadfyle.close You will need to pre-create the ntuserlist.txt file with a full list of your users, and a blank file called lockedaccounts.txt on the root of drive C for logging the locked accounts. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] Rodney Gardiner [EMAIL PROTECTED]To: [EMAIL PROTECTED] m.au cc: (bcc: James Day/Contractor/NPS) Sent by: Subject: RE: [ActiveDir] locked out [EMAIL PROTECTED] tivedir.org 11/02/2004 09:16 AM ZE11 Please respond to ActiveDir Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE:
RE: [ActiveDir] User export/import
You can use ldifde for this purpose... see MS site for all the syntax and examples. It's very simple to do and will get you users, OUs, etc. Another way is to bring another DC into your production domain, DCPROMO it, remove it from the domain and then seize all the FSMO roles using NTDSUTIL. You will of course then need to clean the removed server object from your domain via NTDSUTIL. This way you get all the domain info easily. Or as you say... do a backup and restore. The other DC should be the same hardware or you will have all sorts of driver/compat' issues. BR Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: 02 November 2004 13:15 To: [EMAIL PROTECTED] Subject: [ActiveDir] User export/import Hi, I would like to know what would be the best way to export and reimport users and group from a DC to another. The source DC is the one that is in our LAN and the second one is in a test lab. They both must have the same accounts and groups but, they are not connected in any way and the configuration differ from one to the other (ip range is not the same). IIRC I saw a VBS script that could export users and groups in a file then allow the reimport process... but this is a long time ago, so I may not recall correctly. So what you guys would do to achieve this goal? BTW, I tried to backup the system state and restore it to the other DC, but the DC froze after the reboot... I don't know if this could be caused because of the configuration diff. Thanks! M.Bruyere List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DHCP authorization problem
I'm going to test it again by yanking the ethernet cable after hours and seeing if the same problem returns. I'm still not convinced there isn't a core switch config or code issue. I have seen this happen before; that's why I knew to bounce the service. We're going to keep looking at it. The only other thing running on that box is WINS... ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Tuesday, November 02, 2004 1:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem If you had local connection (same subnet) connection to a DC and DNS then I can't think of any reason why your problem would occur It's also strange that the DHCP server was serving to its own subnet and not to others. I would just it put it down to a 'one off' and wouldn't be too concerned. If you could do a switch bounce again and test it then fine. Out of interest, what else runs on the DHCP server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: 02 November 2004 00:47 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem 1. Yes. 2. Yes. 3. Cisco 3640 and 2620s, with a 4006 core switch doing Layer 3 routing. 4. Cleanup on the configs, code updates, additional security; stuff like that. We went over the configs this AM and everything looked fine, and once I restarted DHCP, all the subnets got addresses just fine. 5. Yes. I check that one regularly. :-) I don't even mind that the DHCP server unauthorized, but it would have been nice if it could reauthorize, or at least show me something that indicated it had unauthorized. When I looked in the MMC, it gave me an option to unauthorize, so I assumed (I know) it was still authorized. Made a stupid mistake, though; I didn't check the system log when I realized we had a problem. Would have found it much faster. Is the unauthorizing when DC comms go down behavior by design? ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Monday, November 01, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem A few question completely firing in different directions but may lead to a cause :- 1) I take it your routers are relaying DHCP, not agents? 2) Is there a local DC in the same subnet as the DHCP server? 3) What are the routers? I've seen different routers play games with DHCP relays. 4) What was the maintenance? 5) Are all your DCs running clean on DCDIAGS ( I know I always ask that question, but identifies obvious config issues at times) Rob From: [EMAIL PROTECTED] on behalf of Charlie Kaiser Sent: Mon 01/11/2004 21:23 To: [EMAIL PROTECTED] Subject: [ActiveDir] DHCP authorization problem I had an odd one over the weekend. We did some network maintenance that included a core switch bounce. Down for about 5 minutes. We found out this morning that DHCP wasn't working on any subnets except for the one that the DHCP server was on. We had made switch and router code and config changes, so we looked to that as a solution, but with no success. I remembered something from a while back where I had a similar problem and restarted the DHCP service. This corrected the issue. Apparently, the DHCP server had lost authorization from AD when the core switch went down. Event ID 1059; The DHCP service failed to see a directory server for authorization. I would have expected it to reauthorize once connectivity was restored, however. But it didn't. I had to restart the service manually. Is this normal? I would expect that DHCP authorization would be able to recover from a short loss of connectivity. Any pointers to a way to prevent this from happening again? Thanks! ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ == = Scanned for virus infection by Messagelabs == = List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive:
RE: [ActiveDir] Write Cache Enabled
http://www.webopedia.com/TERM/d/disk_cache.html is a reference for what it is. Disk cache is a very dangerous thing when it comes to JET DB technology. The reason is that if the disk device loses power, or corrupts before it can commit to media, then you lose that bit of data likely corrupting the db. If the db is not so far gone that it can't replicate, your problems get worse. You should see SAN implementations of DC's and the conversations it generates ;) On-disk caching is a way for vendors to squeeze a little more speed out of the platters. Consider two 15K scsi drives. One provides 10us write commit time (for example) while the other provides 2us write commit time. The difference? Cache. If you can commit to cache vs. the platter, it's much much faster as you buffer the writes until the platter is in an optimal position to write to media. Great for applications that are random r/w types with heavy or equal write signatures i.e. file and print applications or presentation applications. JET db technology can be very disk IO intensive. That's because it's a two-phase commit database technology; a good one too. But as you scale the database you tend to have more disk activity as more and more transactions take place. Microsoft has gotten quite good at figuring out what works and what doesn't and one thing they've learned is when to use JET DB technology; a typical JET db deployment is likely to be more read-intensive than it is write intensive. A good application for JET technology is something that has at least a 2.5 or 3:1 read/write signature. The more read-intensive, the more likely that JET technology will be a good fit. Sound like an application you're familiar with? LDAP is a read-intensive application by design and great read response is required to scale it successfully. Active Directory would be an example of a LDAP database that needs great read performance with some write performance. Some implementations of LDAP have adapted other db technology, such as DB2, Oracle, etc. to house their LDAP data stores. Microsoft chose their JET (JET Blue if I recall correctly, but don't quote me)engine. Since JET DB applications tend to be very read-intensive, the risk/reward of disk cache is not in your favor. Your better bet is to give the application the amount of spindles required to gain the IOPS needed to satisfy the performance needs of your application. In the case of Active Directory, separate the IO types to gain better performance (sequential IO on one set of dedicated spindles being your biggest performance booster) etc. Don't be fooled by the use of battery backup technology. It's not worth it and it usually comes on the array controllers only not on the disk device itself. The array controller battery backup is intended to protect against power failures when data is in the array cache, which of course is there to provide better performance. But the cache is considered flushed when the controller receives a successful commit response from the disk device. The disk device will send a positive response when you write to it's cache. It's at that point that you tend to be vulnerable to problems (i.e. corruption) for very little performance gain. Turn off the disk caching and you'll barely notice a difference if you've laid out your disk appropriately for your implementation. But you'll greatly reduce your risk. Microsoft knows what they're doing when they suggest you turn it off, trust me on that. al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, November 01, 2004 6:46 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Write Cache Enabled I keep getting an error on one of our DC's stating that Write Disk Cache is enabled and if there is a system failure data corruption may occur. I have informed that this should not be enabled on a DC. I checked out Tech Net on the various errors I receive in the Event Viewer and it states generally the error can be ignored and that there is a hotfix that you must call Microsoft for to stop the error appearing. http://support.microsoft.com/default.aspx?scid=kb;en-us;830051 I was also informed that taking off the option for Write Disk Cache would have a big impact on the system performance. I understand it would have an impact but did not think it would be as big as I am being told. I was just after clarification as to whether it should be enabled on a DC or not. Any help would be appreciated. It is an SCSI Controller with Adaptec System SCSI Disk Device. It is the disk device that has Write Cache Enabled on it under its properties. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 2 November 2004 10:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out Rodney, this is a free download from ms under account management tools. Search under MS, you will find
RE: [ActiveDir] DHCP authorization problem
Charlie, is it possible that you were having problems at a lower level in the stack? DHCP should check every 60 minutes by default IIRC. If it loses connectivity, it should check every 5 minutes (default) for the AD. But I don't recall a limit on the number of retries and it sounds like authorization was fine since it was handing out addresses on it's local subnet. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Tuesday, November 02, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem I'm going to test it again by yanking the ethernet cable after hours and seeing if the same problem returns. I'm still not convinced there isn't a core switch config or code issue. I have seen this happen before; that's why I knew to bounce the service. We're going to keep looking at it. The only other thing running on that box is WINS... ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Tuesday, November 02, 2004 1:23 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem If you had local connection (same subnet) connection to a DC and DNS then I can't think of any reason why your problem would occur It's also strange that the DHCP server was serving to its own subnet and not to others. I would just it put it down to a 'one off' and wouldn't be too concerned. If you could do a switch bounce again and test it then fine. Out of interest, what else runs on the DHCP server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: 02 November 2004 00:47 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem 1. Yes. 2. Yes. 3. Cisco 3640 and 2620s, with a 4006 core switch doing Layer 3 routing. 4. Cleanup on the configs, code updates, additional security; stuff like that. We went over the configs this AM and everything looked fine, and once I restarted DHCP, all the subnets got addresses just fine. 5. Yes. I check that one regularly. :-) I don't even mind that the DHCP server unauthorized, but it would have been nice if it could reauthorize, or at least show me something that indicated it had unauthorized. When I looked in the MMC, it gave me an option to unauthorize, so I assumed (I know) it was still authorized. Made a stupid mistake, though; I didn't check the system log when I realized we had a problem. Would have found it much faster. Is the unauthorizing when DC comms go down behavior by design? ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Monday, November 01, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] DHCP authorization problem A few question completely firing in different directions but may lead to a cause :- 1) I take it your routers are relaying DHCP, not agents? 2) Is there a local DC in the same subnet as the DHCP server? 3) What are the routers? I've seen different routers play games with DHCP relays. 4) What was the maintenance? 5) Are all your DCs running clean on DCDIAGS ( I know I always ask that question, but identifies obvious config issues at times) Rob From: [EMAIL PROTECTED] on behalf of Charlie Kaiser Sent: Mon 01/11/2004 21:23 To: [EMAIL PROTECTED] Subject: [ActiveDir] DHCP authorization problem I had an odd one over the weekend. We did some network maintenance that included a core switch bounce. Down for about 5 minutes. We found out this morning that DHCP wasn't working on any subnets except for the one that the DHCP server was on. We had made switch and router code and config changes, so we looked to that as a solution, but with no success. I remembered something from a while back where I had a similar problem and restarted the DHCP service. This corrected the issue. Apparently, the DHCP server had lost authorization from AD when the core switch went down. Event ID 1059; The DHCP service failed to see a directory server for authorization. I would have expected it to reauthorize once connectivity was restored, however. But it didn't. I had to restart the service manually. Is this normal? I would expect that DHCP authorization would be able to recover from a short loss of connectivity. Any pointers to a way to prevent this from happening again? Thanks! ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595
RE: [ActiveDir] User export/import
Hi, Thanks for the information... that's exactly the type of tool I was looking for... I didn't know that MS had such a tool. Many thanks! M.Bruyere -Message d'origine- De : [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] De la part de [EMAIL PROTECTED] Envoyé : Tuesday, November 02, 2004 8:25 AM À : [EMAIL PROTECTED] Objet : RE: [ActiveDir] User export/import I believe LDIFDE will allow you to achieve this. http://support.microsoft.com/kb/q237677/ Its available on the Windows 200x Server CD Iain List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] login scripts
What does your script look like? Have you considered running the logon scripts via GPO? http://www.ultratech-llc.com/KB/?File=LogonScripts.TXT http://www.ultratech-llc.com/KB/?File=GroupPol.TXT - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 1 Nov 2004 14:35:41 -0600, Jordan Arendt [EMAIL PROTECTED] wrote: We've recently upgraded from NT 4 to 2K3. Our logon scripts have stoppped running on clients. Logon scripts are specified in ADUC in the profile tab of each user. When I logon to my XP machine the scripts do not run. When I logon to a server through RDP, they do run. I was thinking GPO, but only the default domain policy is currently applied, and it is applied to both the servers OU and the OU my PC is in. I've looked at the following: http://support.microsoft.com/default.aspx?scid=kb;en-us;329709 (this is not the case, my netlogon shares point to the correct place) and http://support.microsoft.com/default.aspx?scid=kb;en-us;302104 I made the suggested changes, to no avail. Anyone have any suggestions? Thanks in Advance. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
Windows 2003 Resource Kit -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, November 01, 2004 4:17 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of virus. Looking into our security log it did not show me nything out of norm ( faild security , locked out has been turned on) Any suggestions will be appreciated. Regards, Sandy List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] OT: helpdesk software
I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
How about Track-It! -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: Tuesday, November 02, 2004 9:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
Have a look at http://www.hornbill.com/ Should do everything you want. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: 02 November 2004 15:19 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
Try bigWebDesk www.bigwebdesk.com Sonia Tapia -Original Message- From: Jason Benway [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 7:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
Liberum is a nice, free alternative if open-source is an option, although production on the project has slowed quite a bit over these past few months the software is still very functional and does meet all of the requirements that you mentioned. http://www.liberum.org/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: Tuesday, November 02, 2004 10:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
http://wm.quest.com/products/activerolesserver/ It used to be Enterprise Directory Manager. Nice stuff. David J. Perdue MCSE 2000, MCSE NT, MCSA, MCP+I Network Security Engineer, InDyne Inc Comm: (805) 606-4597DSN: 276-4597 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: Tuesday, November 02, 2004 7:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
What is the cost of that software package? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Tuesday, November 02, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: helpdesk software Have a look at http://www.hornbill.com/ Should do everything you want. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: 02 November 2004 15:19 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] OT: helpdesk software
We use RT ( http://www.bestpractical ). If you have some perl experience, it's fairly easy to extensively customize. Authentication can be done via active directory via ldap, with autocreation of user accounts, etc. The system is easily email driven, so emails can create,modify, and resolve tickets, etc. On Tue, 2 Nov 2004 10:18:40 -0500, Jason Benway [EMAIL PROTECTED] wrote: I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Windows 95\98 on Windows 2003 domain
Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
I honestly can't remember give them a call (and then get plagued to the end of your days). Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: 02 November 2004 16:07 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: helpdesk software What is the cost of that software package? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Tuesday, November 02, 2004 10:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: helpdesk software Have a look at http://www.hornbill.com/ Should do everything you want. Rob -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: 02 November 2004 15:19 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: helpdesk software
I can also vouch for Liberum. I think the development has not moved much for a long time because the tool does all the things it's supposed to do beautifully. It meets all the criteria you mentioned in your request and it does so for free. Sincerely, Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: [EMAIL PROTECTED] on behalf of Michael Wassell Sent: Tue 11/2/2004 8:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OT: helpdesk software Liberum is a nice, free alternative if open-source is an option, although production on the project has slowed quite a bit over these past few months the software is still very functional and does meet all of the requirements that you mentioned. http://www.liberum.org/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway Sent: Tuesday, November 02, 2004 10:19 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OT: helpdesk software I'm looking into helpdesk software. I need integration into active directory, a web interface, and the biggest issue. I want to be able to use email to open and track the tickets. I want the user to be able to send an email to an internal email address, the tech replies to the email which gets sent back to the helpdesk app. The tech and the user can continue to use email to correspond back and forth. Each time the emails pass though the helpdesk software and the thread is tracked so it can be viewed in the helpdesk app. Anyone seen/use anything like this? Thanks,jb List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
How many Win95/98 clients are you talking about? Another question is: Why do you have Win95/98 clients at all? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
We have them for the same reason that everyone else does, economics. If they still perform their function and can access the network resources why spend the money to upgrade what isn't broken. I have someone looking for the number right now, but it was indicated that it might be as many as 300 but that is just a guess number, it could be more or less. We won't know for sure until I get the audit report out of SMS. Oh, most of those are at sites not located near me (central administrative group). Which makes things even more fun. -Original Message- From: Renouf, Phil [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain How many Win95/98 clients are you talking about? Another question is: Why do you have Win95/98 clients at all? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of it in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain member ship If that is at all possible. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
I think there is more I have to do to get it work with AD though. Don't have I to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of it in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain member ship If that is at all possible. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Understandable, if it's not broke why fix it. Although you do need to live with the fact that it has less functionality within Active Directory (even with the DS Client) and is no longer supported by Microsoft. My rant ends here ;) For 300 clients you might just want to send out a pre and post-migration notice to all users (ie: have a piece of paper on their desk) that indicates for any Windows 95/98 users to type in the new domain name in the domain box. It's as easy as that to get a 95/98 box to log into a different domain, so if it comes down to it I would say a well written communication to the users should do the trick. If you are using SMS you could create a script that would update the registry to change the Domain that is listed in the Domain box and push that out on the night of migration. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:22 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We have them for the same reason that everyone else does, economics. If they still perform their function and can access the network resources why spend the money to upgrade what isn't broken. I have someone looking for the number right now, but it was indicated that it might be as many as 300 but that is just a guess number, it could be more or less. We won't know for sure until I get the audit report out of SMS. Oh, most of those are at sites not located near me (central administrative group). Which makes things even more fun. -Original Message- From: Renouf, Phil [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:16 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain How many Win95/98 clients are you talking about? Another question is: Why do you have Win95/98 clients at all? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Exchange 2K3 Private Information Store Disappeared
Okay, here's the scenario: Exchange Server 2003 (upgraded in June from 2K w/current SPs) has, over the past two weeks, begun allowing users to open other users mailboxes. Up until now, it was secure in that people had to assign delegates, but now it's pretty much wide open. Additionally, the Private Information Store shows *none* of the user logons or mailboxes. Two user mailboxes won't open (Cannot be found / Does not exist errors opening with Outlook). But .. all other users can open their mailboxes, send receive mail, use the global address book, and do pretty much anything they normally do with e-mail. From Active Directory Users Computers, we cannot add email accounts, nor can we make changes to existing users' Mailbox Rights from the Exchange Advanced tab within User Properties. Clicking the Mailbox Right button returns There is no such object on the server. Facility: Win32 ID no: c0072030 Microsoft Active Directory - Exchange Extension. As it stands, we're thinking there's little time left before this self-destructs. Things came to a halt yesterday afternoon, and after several hours of getting no answers from Microsoft, our Network Admin found that the Exchange Connector in AD Sites Services wasn't working, deleted re-created it, then restarted the three Global Catalog Servers, which got mail back up and limping along. Any ideas? Monte Barnett Network Specialist Burlington-Edison School District 491 N. Burlington Blvd Burlington, WA 98233 (360) 757-3344 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO SYSVOL permissions
Does anyone have info on the this hotfix? Thanks [EMAIL PROTECTED] 11/1/2004 12:31:44 PM This happens if someone connected to your GPO's and they were running XP SP2. There is a hotfix for this. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, November 01, 2004 2:20 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] GPO SYSVOL permissions Today for the first time I am receiving the following GPMC message when I click either Default Domain Policy or Default Domain Controllers Policy: The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the permissions in SYSVOL to those in Active Directory, click OK The DC's are all Windows 2003. Any ideas why I am now getting this message? Nothing in the domain has changed anytime recently. Should I click OK as the message suggests? The message also includes a link to the following article: http://support.microsoft.com/default.aspx?scid=kb;en-us;828760 Thanks Nathan List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Why would they need NTLM2 authentication and SMB Signing? Is this something that Windows 2003 requires? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:34 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain I think there is more I have to do to get it work with AD though. Don't have I to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of it in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain member ship If that is at all possible. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info :
RE: [ActiveDir] Exchange 2K3 Private Information Store Disappeared
Do you have AV scanning the info stores at the file level? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Monte Barnett (Tech) Sent: Tuesday, November 02, 2004 12:39 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exchange 2K3 Private Information Store Disappeared Okay, here's the scenario: Exchange Server 2003 (upgraded in June from 2K w/current SPs) has, over the past two weeks, begun allowing users to open other users mailboxes. Up until now, it was secure in that people had to assign delegates, but now it's pretty much wide open. Additionally, the Private Information Store shows *none* of the user logons or mailboxes. Two user mailboxes won't open (Cannot be found / Does not exist errors opening with Outlook). But .. all other users can open their mailboxes, send receive mail, use the global address book, and do pretty much anything they normally do with e-mail. From Active Directory Users Computers, we cannot add email accounts, nor can we make changes to existing users' Mailbox Rights from the Exchange Advanced tab within User Properties. Clicking the Mailbox Right button returns There is no such object on the server. Facility: Win32 ID no: c0072030 Microsoft Active Directory - Exchange Extension. As it stands, we're thinking there's little time left before this self-destructs. Things came to a halt yesterday afternoon, and after several hours of getting no answers from Microsoft, our Network Admin found that the Exchange Connector in AD Sites Services wasn't working, deleted re-created it, then restarted the three Global Catalog Servers, which got mail back up and limping along. Any ideas? Monte Barnett Network Specialist Burlington-Edison School District 491 N. Burlington Blvd Burlington, WA 98233 (360) 757-3344 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Exchange 2K3 Private Information Store Disappeare d
Sounds like some administrative issues are possible such as changes to rights, GPO's, etc. However, to start to rule things out, how about gathering dcdiag and netdiag reports for the GC's and the Exchange servers? To run dcdiag from a member server, you specify the DC you want it to collect. Also, what kind of topology are you using? W2k3 FFL? Mixed? Who has administrative access to change rights? I see three separate (possibly related, but separate issues anyway) issues: 1) wide-open rights are available to all users 2) missing mailboxes 3) unable to create new users To unravel all of that, it's necessary to know if this is native mode domains, native mode Exchange, Forest functional level, topology of the deployment (AD and Exchange) and which servers hold the AD and Exchange roles. Installed software on the DC's and Exchange servers would be a helpful item to know as well. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Monte Barnett (Tech) Sent: Tuesday, November 02, 2004 12:39 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Exchange 2K3 Private Information Store Disappeared Okay, here's the scenario: Exchange Server 2003 (upgraded in June from 2K w/current SPs) has, over the past two weeks, begun allowing users to open other users mailboxes. Up until now, it was secure in that people had to assign delegates, but now it's pretty much wide open. Additionally, the Private Information Store shows *none* of the user logons or mailboxes. Two user mailboxes won't open (Cannot be found / Does not exist errors opening with Outlook). But .. all other users can open their mailboxes, send receive mail, use the global address book, and do pretty much anything they normally do with e-mail. From Active Directory Users Computers, we cannot add email accounts, nor can we make changes to existing users' Mailbox Rights from the Exchange Advanced tab within User Properties. Clicking the Mailbox Right button returns There is no such object on the server. Facility: Win32 ID no: c0072030 Microsoft Active Directory - Exchange Extension. As it stands, we're thinking there's little time left before this self-destructs. Things came to a halt yesterday afternoon, and after several hours of getting no answers from Microsoft, our Network Admin found that the Exchange Connector in AD Sites Services wasn't working, deleted re-created it, then restarted the three Global Catalog Servers, which got mail back up and limping along. Any ideas? Monte Barnett Network Specialist Burlington-Edison School District 491 N. Burlington Blvd Burlington, WA 98233 (360) 757-3344 List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Windows 95\98 on Windows 2003 domain
Windows 2003 requires clients to support SMB signing and (quoting) signing of secure channel network traffic. To enable that on downlevel clients (Win9x or WinNT) you need to install the DS Client, although the recommended approach is to upgrade the OS. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Tuesday, November 02, 2004 12:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Why would they need NTLM2 authentication and SMB Signing? Is this something that Windows 2003 requires? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:34 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain I think there is more I have to do to get it work with AD though. Don't have I to make sure that the workstation is using NTLM2 authentication and SMB signing? (In which case I still might have to write off my Win95 boxes because I don't believe that they support either of those.) I really hope that I'm wrong, but then again if I'm right then they will all be forced to upgrade. I just need to make sure that I exhaust all resources before I go and tell someone the bad news about the 95 boxes. But I think that the script option might be the best approach. -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:24 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Ok, it was worth a shot. I have not heard of or seen any tool that will help you with this. The only thing I can think of it in your logon script have it copy a script to the 9x machine, modify the registry to RunOnce that script you just copied and have that script on next logon change the domain member ship If that is at all possible. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 12:13 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain Upgrading is not an option in this case. Politically its not allowed and technically its not that feasible either (there is an issue with the number of Exchange 5.5 environments that are going to be migrated into the new forest and how this is planned to be done). -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain You could potentially upgrade your NT Domain to a child domain of a AD forest. This would allow you to keep the netbios name at least for your network. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain We are doing a migration from an NT domain into child domain of new AD forest so we cannot keep the same netbios name. We also have a slight problem with our naming convention in that all of our DCs are going to have nine character names. Thanks, chuck -Original Message- From: Salandra, Justin A. [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 10:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Windows 95\98 on Windows 2003 domain If you build your Windows 2003 domain with the same netbios domain name they Win 9x won't care one way or another. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles Sent: Tuesday, November 02, 2004 11:39 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] Windows 95\98 on Windows 2003 domain Hey group, I'm trying to find an easy way to do a massive migration of Windows 95\98 workstation from an NT domain to a Windows 2003 AD domain, however the tools that I'm finding don't seem to function, don't exists, or after installation I can't seem to find a domain controller. Also, MS seems to have dropped the link to Q article 323466 which is supposed to have an updated DS client. If someone has already created some documentation on this process, it would be extremely helpful. Thanks, Charlie List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ:
[ActiveDir] Excel plugin for directory access
I haven't look at this but saw an email on it today... It is a Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend, however I know some folks were looking for this capability so I thought I would let you know I ran into it so thought they may want to check it out. http://bink.nu/?ArticleID=2782 FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1] joe [1]Yeah that is a stupid name I know but I have to stick with the convention or possibly wrap into admod which I may do just because of how bad that name is...
[ActiveDir] Rename local and global groups
Hello I´am looking for a possibility to rename local and global groups into a AD. Can anybody help me? THX Thomas List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Excel plugin for directory access
I vote for putting add functionality in admod and not breaking it out as a separate tool. (you didn'tput AD deletions into a separate tool) Robbie Allen http://www.rallenhome.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Tuesday, November 02, 2004 1:51 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Excel plugin for directory access I haven't look at this but saw an email on it today... It is a Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend, however I know some folks were looking for this capability so I thought I would let you know I ran into it so thought they may want to check it out. http://bink.nu/?ArticleID=2782 FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1] joe [1]Yeah that is a stupid name I know but I have to stick with the convention or possibly wrap into admod which I may do just because of how bad that name is...
RE: [ActiveDir] Rename local and global groups
What is it exactly that you are looking for? You can rename groups through Active Directory Users Computers. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth Sent: Tuesday, November 02, 2004 1:51 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Rename local and global groups Hello I´am looking for a possibility to rename local and global groups into a AD. Can anybody help me? THX Thomas List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] Rename local and global groups
Hello I would create a little script for renaming a great amount of groups from time to time (changes in the structure of our company). Thomas - Original Message - From: Renouf, Phil [EMAIL PROTECTED] To: unsure; [EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 8:05 PM Subject: RE: [ActiveDir] Rename local and global groups What is it exactly that you are looking for? You can rename groups through Active Directory Users Computers. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth Sent: Tuesday, November 02, 2004 1:51 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Rename local and global groups Hello I´am looking for a possibility to rename local and global groups into a AD. Can anybody help me? THX Thomas List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Rename local and global groups
You could create a script based on dsmove to change the names of groups: dsmove DN of group -newname New group name -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth Sent: Tuesday, November 02, 2004 2:11 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Rename local and global groups Hello I would create a little script for renaming a great amount of groups from time to time (changes in the structure of our company). Thomas - Original Message - From: Renouf, Phil [EMAIL PROTECTED] To: unsure; [EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 8:05 PM Subject: RE: [ActiveDir] Rename local and global groups What is it exactly that you are looking for? You can rename groups through Active Directory Users Computers. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Wohlgemuth Sent: Tuesday, November 02, 2004 1:51 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Rename local and global groups Hello I´am looking for a possibility to rename local and global groups into a AD. Can anybody help me? THX Thomas List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Excel plugin for directory access
admod -add :-) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Tuesday, November 02, 2004 1:51 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Excel plugin for directory access I haven't look at this but saw an email on it today... It is a Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend, however I know some folks were looking for this capability so I thought I would let you know I ran into it so thought they may want to check it out. http://bink.nu/?ArticleID=2782 FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1] joe [1]Yeah that is a stupid name I know but I have to stick with the convention or possibly wrap into admod which I may do just because of how bad that name is...
RE: [ActiveDir] Excel plugin for directory access
I got the tool, Pretty slick, takes some getting used to, and I havent done any live modifications yet, but could be quite useful for bulk updates, etc. Todd From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, November 02, 2004 2:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Excel plugin for directory access I vote for putting add functionality in admod and not breaking it out as a separate tool. (you didn'tput AD deletions into a separate tool) Robbie Allen http://www.rallenhome.com/ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, November 02, 2004 1:51 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Excel plugin for directory access I haven't look at this but saw an email on it today... It is a Active Directory plugin for Excel 2003. This is not in any way related to joeware nor ADFind and I do not otherwise endorse or recommend, however I know some folks were looking for this capability so I thought I would let you know I ran into it so thought they may want to check it out. http://bink.nu/?ArticleID=2782 FYI, I am looking at the CSV options. I want to make sure that they are consistent across adfind, admod, and the up and coming adadd [1] joe [1]Yeah that is a stupid name I know but I have to stick with the convention or possibly wrap into admod which I may do just because of how bad that name is...
RE: [ActiveDir] User export/import
This article may be of assistance too. http://support.microsoft.com/default.aspx?scid=kb;en-us;276440Product=win20 00 Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, 3 November 2004 12:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] User export/import I believe LDIFDE will allow you to achieve this. http://support.microsoft.com/kb/q237677/ Its available on the Windows 200x Server CD Iain -Original Message- From: Bruyere, Michel [mailto:[EMAIL PROTECTED] Sent: 02 November 2004 13:15 To: [EMAIL PROTECTED] Subject: [ActiveDir] User export/import Hi, I would like to know what would be the best way to export and reimport users and group from a DC to another. The source DC is the one that is in our LAN and the second one is in a test lab. They both must have the same accounts and groups but, they are not connected in any way and the configuration differ from one to the other (ip range is not the same). IIRC I saw a VBS script that could export users and groups in a file then allow the reimport process... but this is a long time ago, so I may not recall correctly. So what you guys would do to achieve this goal? BTW, I tried to backup the system state and restore it to the other DC, but the DC froze after the reboot... I don't know if this could be caused because of the configuration diff. Thanks! M.Bruyere List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ *** This electronic message contains information from Hampshire Constabulary which may be legally privileged and confidential. Any opinions expressed may be those of the individual and not necessarily the Hampshire Constabulary. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message in error, please notify us by telephone +44 (0) 845 045 45 45 or email to [EMAIL PROTECTED] immediately. Please then delete this email and destroy any copies of it. All communications, including telephone calls and electronic messages to and from the Hampshire Constabulary may be subject to monitoring. Replies to this email may be seen by employees other than the intended recipient. *** List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] locked out
James, Thanks for that. I do not have this problem though - I was taking onto the end of a previous post to find out where to get the tool that was spoken of. Thanks for the script too. Also note that on www.joeware.net web site there is a tool been created to help with bulk unlock etc. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 2 November 2004 11:39 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out Hi Rodney Lockoutstatus.exe is part of the 2003 resource kit (and I would assume the 2000 resource kit as well) although it can be downloaded separately from Microsoft. I did a search on google for lockoutstatus.exe to get it. We saw pretty much the same thing about 3 months ago and it turned out to be a new flavor of a popular internet worm that Symantec was unable to detect. There have since been several other variations. In our case we audit for logon failures, lockoutstatus gave us the DC to check, the audit log showed several failures for a handful of accounts at a set time all coming from one ip address and that ip had wintaskx and payload both running - the viral infections. Good luck tracking down the culprit. If you do get it and you need a bulk unlock script: ' Open the file system object - allows connections into the file system Set fso = CreateObject(Scripting.FileSystemObject) set fso2 = CreateObject(Scripting.FileSystemObject) ' Opens a file for reading lock = 0 set myreadfyle = fso.opentextfile(c:\ntuserlist.txt) ' Sets up a loop. This will read every line in the text file and perform operations until the last line of the text file set myfile2 = fso2.opentextfile(c:\lockedaccounts.txt,2) While Not myreadfyle.AtEndOfStream ' Read the line, splitting it at the commas for reading. The split command looks for the value in brackets (,) and ' splits the line there. It will become an array now. the value dnarray(0) will be column one from the csv. ' dnarray(1) is then column two. strusername = myreadfyle.readline strdomain = hq ' dnarray = split(fyleline,,,-1,1) ' This line echos the values to a message box on the screen. Again, values in the s are absolute, values ' outside the s are variables, and the is used to append the different value sets together into one line. ' wscript.echo The first value is dnarray(0) The second value is dnarray(1) ' ends the while statement - while end. In VBS while end will fail, in dotnet it works. set objuser=getobject(WinNT:// strdomain / strUsername) if objuser.IsAccountLocked= True then myfile2.writeline strusername objuser.isaccountlocked=false objuser.setinfo lock = lock + 1 ' wscript.echo strusername unlocked else ' wscript.echo strusername not locked end if WEND wscript.echo lock accounts unlocked - see c:\lockedaccounts.txt for a list of usernames myreadfyle.close You will need to pre-create the ntuserlist.txt file with a full list of your users, and a blank file called lockedaccounts.txt on the root of drive C for logging the locked accounts. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] Rodney Gardiner [EMAIL PROTECTED]To: [EMAIL PROTECTED] m.au cc: (bcc: James Day/Contractor/NPS) Sent by: Subject: RE: [ActiveDir] locked out [EMAIL PROTECTED] tivedir.org 11/02/2004 09:16 AM ZE11 Please respond to ActiveDir Just curious as to where this lockedoutstatus.exe is kept? Rodney _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Randy White Sent: Tuesday, 2 November 2004 7:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] locked out This is probably caused by a virus. Use lockedoutstatus.exe to find out what where the lock outs are originating. Then check the event log of that DC to find out the perpetrating computer. _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, November 01, 2004 2:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] locked out All gurus, Wonder if any of you have experienced this before. Suddently over the weekend, all domain accounts ( i mean all ) are locked out except the domain admin accounts. What could have caused this problem ? The only clue that I had is this is the week to change the summer time back but we had this done every year, had never had this issue before. Could this be a worm of some sort of
RE: [ActiveDir] Write Cache Enabled
Al, Thank you very much for your comprehensive response. I am currently in the process of trying to Disable Write Cache. I have managed to do it via the Adaptec Software but for some reason windows still states that it is enabled. I go into System manager - Devices - Hard Disks - Properties. In the properties I select Disk Properties and there is a tick next to Write Cache Enabled. I remove the tick and save and then go back in and the tick is still there. Any ideas? If you need more info I will supply what ever is needed. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Wednesday, 3 November 2004 1:12 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Write Cache Enabled http://www.webopedia.com/TERM/d/disk_cache.html is a reference for what it is. Disk cache is a very dangerous thing when it comes to JET DB technology. The reason is that if the disk device loses power, or corrupts before it can commit to media, then you lose that bit of data likely corrupting the db. If the db is not so far gone that it can't replicate, your problems get worse. You should see SAN implementations of DC's and the conversations it generates ;) On-disk caching is a way for vendors to squeeze a little more speed out of the platters. Consider two 15K scsi drives. One provides 10us write commit time (for example) while the other provides 2us write commit time. The difference? Cache. If you can commit to cache vs. the platter, it's much much faster as you buffer the writes until the platter is in an optimal position to write to media. Great for applications that are random r/w types with heavy or equal write signatures i.e. file and print applications or presentation applications. JET db technology can be very disk IO intensive. That's because it's a two-phase commit database technology; a good one too. But as you scale the database you tend to have more disk activity as more and more transactions take place. Microsoft has gotten quite good at figuring out what works and what doesn't and one thing they've learned is when to use JET DB technology; a typical JET db deployment is likely to be more read-intensive than it is write intensive. A good application for JET technology is something that has at least a 2.5 or 3:1 read/write signature. The more read-intensive, the more likely that JET technology will be a good fit. Sound like an application you're familiar with? LDAP is a read-intensive application by design and great read response is required to scale it successfully. Active Directory would be an example of a LDAP database that needs great read performance with some write performance. Some implementations of LDAP have adapted other db technology, such as DB2, Oracle, etc. to house their LDAP data stores. Microsoft chose their JET (JET Blue if I recall correctly, but don't quote me)engine. Since JET DB applications tend to be very read-intensive, the risk/reward of disk cache is not in your favor. Your better bet is to give the application the amount of spindles required to gain the IOPS needed to satisfy the performance needs of your application. In the case of Active Directory, separate the IO types to gain better performance (sequential IO on one set of dedicated spindles being your biggest performance booster) etc. Don't be fooled by the use of battery backup technology. It's not worth it and it usually comes on the array controllers only not on the disk device itself. The array controller battery backup is intended to protect against power failures when data is in the array cache, which of course is there to provide better performance. But the cache is considered flushed when the controller receives a successful commit response from the disk device. The disk device will send a positive response when you write to it's cache. It's at that point that you tend to be vulnerable to problems (i.e. corruption) for very little performance gain. Turn off the disk caching and you'll barely notice a difference if you've laid out your disk appropriately for your implementation. But you'll greatly reduce your risk. Microsoft knows what they're doing when they suggest you turn it off, trust me on that. al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, November 01, 2004 6:46 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Write Cache Enabled I keep getting an error on one of our DC's stating that Write Disk Cache is enabled and if there is a system failure data corruption may occur. I have informed that this should not be enabled on a DC. I checked out Tech Net on the various errors I receive in the Event Viewer and it states generally the error can be ignored and that there is a hotfix that you must call Microsoft for to stop the error appearing. http://support.microsoft.com/default.aspx?scid=kb;en-us;830051 I was also informed that taking off the
