RE: [ActiveDir] Excahnge suggestion
The best exchange list on the web till date http://www.MSExchange.org/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert Sent: Friday, November 12, 2004 6:55 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Excahnge suggestion Can this list suggest a good Exchange 2000/2003 list? I am now being tasked with providing Exchange 2003 support and hope to find an Exchange list that can provide the same high quality support, suggestions, and advise as this list. Daniel List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Deny Domain GP to a single user
Many thanks for the suggestions! I'm planning to do the following. Let me re-phrase what Guido suggested: - Add a Group called, say, Ignore Proxy Settings. Make my user a member of this group. - Add a new GPO at the domain level which includes the proxy settings and filter on the Ignore Proxy Settings group. Sounds about right? - Seán Carr ___ ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Conenction Manager Deployment
Return Receipt Your [ActiveDir] Conenction Manager Deployment document : was Lucia Washaya/UNAMSIL received by: at: 13/11/2004 13:18:56 GMT List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Script to check on GCs response/health?
Title: Message Hi Joe, Thanks for ideas! I've built some code that runs every hour and the numbers are interesting. I've found a coupleof GCs that are in the 4 second range while the majority arein the neighborhood of 0.3 seconds but I expect the numberswill fluctuate more as I collect more statistics. Can I assume the following query (using each GC passed as %1) is appropriate? adfind.exe -h %1 -b dc=xxx,dc=gov -f name=admin-renamed -gc -s subtree cn Thanks again! Mike Thommes -Original Message-From: listmail [mailto:[EMAIL PROTECTED] Sent: Thursday, November 11, 2004 12:24 PMTo: [EMAIL PROTECTED]; [EMAIL PROTECTED]Subject: RE: [ActiveDir] Script to check on GCs response/health? One quick and fairly easy method to partially do this is to set up a simple script that does a basic query (say against the schema which should be quick but not say a rootdse query) and have a baseline acceptable time frame for the response. I have done this in the past and found choked up GCs (specifically in relation to Exchange) using a little perl and a little adfind. Versus hardcoding GCs set up a dedicated Exchange site. This protects you main site from Exchange and Exchange from everything else. I.E. If Exchange tears down a DC, Exchange suffers. If something else tears down a DC, Exchange should be fairly protected as it shouldn't be a DC Exchange is using.ALSO and this is a point I have a strong opinion of. Most GCs can go down and things don't care, authentication will work, etc.Exchange GCs can't generally do this. This means that you can keep certain GCs in mind for monitoring and your response to them going offline. At the widget factory I worked for there were only a few GCs I cared about going down in terms of speed to get them back up and running. The Exchange GCs and the PDC's. The other DC's/GCs we cared about but we weren't running in the middle of the night because of them. Anyway, set up a script that you specify a list of GCs or (better) takes a site or list of sites and then goes into a loop. In the loop it gets a list of GCs or DCs, it then does a basic schema query that will return some subset of objects and attributes. Unless you are going against a GC across some slow wires, any query should be back in a second or less for an idle DC. As you load up you will see 1,2,3,6,8 second responses. Once you hit 20+ seconds on a query, you really need to be looking at things. You get to 30 seconds and you most certainly have Exchange queue backups and probably store hangs. If you are monitoring this and you are normally at 3-4 seconds at main load and you hit 10 seconds consistently on a GC, then you page on that and start chasing. joe From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.Sent: Thu 11/11/2004 11:59 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Script to check on GCs response/health? In our environment we have lots of GCs, most of which I don't control.While I run a dcdiag report each morning that checks the overall healthof my domain including whether a DC is advertising itself as a GC, wesee issues once in a while when a process does a GC discovery action andends up on a "bad" one, e.g., not available, busy, slow network, maybepermissions, etc.The other day our Exchange cluster was running like a dog since after areboot, it hooked itself up with a GC that was not performingparticularly well. As a solution for that particular problem, we wereable to hardcode into the Exchange servers specific GCs that I know workwell. Has anyone developed a script that checks on the health of GCfunctionality or dealt with this issue some other way? Thanks inadvance!Mike ThommesList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Script to check on GCs response/health?
Title: Message Sure that would be fine, note that scope is by default subtree with adfind so you can cut out the -s subtree switch. For the initial startup you might want to run the check every 10 or 15 minutes and see what you get. Build up a map in your head of what it is doing. Then once you are confident on how consistent the numbers are, push the frequency back up to once per hour. Alternatively set a threshhold and if a machine exceed it, crank up the frequency for that machine. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.Sent: Saturday, November 13, 2004 9:54 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Script to check on GCs response/health? Hi Joe, Thanks for ideas! I've built some code that runs every hour and the numbers are interesting. I've found a coupleof GCs that are in the 4 second range while the majority arein the neighborhood of 0.3 seconds but I expect the numberswill fluctuate more as I collect more statistics. Can I assume the following query (using each GC passed as %1) is appropriate? adfind.exe -h %1 -b dc=xxx,dc=gov -f name=admin-renamed -gc -s subtree cn Thanks again! Mike Thommes -Original Message-From: listmail [mailto:[EMAIL PROTECTED] Sent: Thursday, November 11, 2004 12:24 PMTo: [EMAIL PROTECTED]; [EMAIL PROTECTED]Subject: RE: [ActiveDir] Script to check on GCs response/health? One quick and fairly easy method to partially do this is to set up a simple script that does a basic query (say against the schema which should be quick but not say a rootdse query) and have a baseline acceptable time frame for the response. I have done this in the past and found choked up GCs (specifically in relation to Exchange) using a little perl and a little adfind. Versus hardcoding GCs set up a dedicated Exchange site. This protects you main site from Exchange and Exchange from everything else. I.E. If Exchange tears down a DC, Exchange suffers. If something else tears down a DC, Exchange should be fairly protected as it shouldn't be a DC Exchange is using.ALSO and this is a point I have a strong opinion of. Most GCs can go down and things don't care, authentication will work, etc.Exchange GCs can't generally do this. This means that you can keep certain GCs in mind for monitoring and your response to them going offline. At the widget factory I worked for there were only a few GCs I cared about going down in terms of speed to get them back up and running. The Exchange GCs and the PDC's. The other DC's/GCs we cared about but we weren't running in the middle of the night because of them. Anyway, set up a script that you specify a list of GCs or (better) takes a site or list of sites and then goes into a loop. In the loop it gets a list of GCs or DCs, it then does a basic schema query that will return some subset of objects and attributes. Unless you are going against a GC across some slow wires, any query should be back in a second or less for an idle DC. As you load up you will see 1,2,3,6,8 second responses. Once you hit 20+ seconds on a query, you really need to be looking at things. You get to 30 seconds and you most certainly have Exchange queue backups and probably store hangs. If you are monitoring this and you are normally at 3-4 seconds at main load and you hit 10 seconds consistently on a GC, then you page on that and start chasing. joe From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.Sent: Thu 11/11/2004 11:59 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Script to check on GCs response/health? In our environment we have lots of GCs, most of which I don't control.While I run a dcdiag report each morning that checks the overall healthof my domain including whether a DC is advertising itself as a GC, wesee issues once in a while when a process does a GC discovery action andends up on a "bad" one, e.g., not available, busy, slow network, maybepermissions, etc.The other day our Exchange cluster was running like a dog since after areboot, it hooked itself up with a GC that was not performingparticularly well. As a solution for that particular problem, we wereable to hardcode into the Exchange servers specific GCs that I know workwell. Has anyone developed a script that checks on the health of GCfunctionality or dealt with this issue some other way? Thanks inadvance!Mike ThommesList info : http://www.activedir.org/mail_list.htmList FAQ : http://www.activedir.org/list_faq.htmList archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU and Policies
Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287 I am assuming there is no way to do it through AD without having to touch each citrix server, Correct? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad Sent: Friday, November 12, 2004 10:27 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and Policies SO there are a few things going on here of which you should be aware. First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies. Second, block inheritance only blocks it for the objects within the OU (and the child Ous). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, its working exactly as it should. Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. Its not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do. Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 6:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OU and Policies So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, November 12, 2004 8:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and Policies Wow. Can you reword that? I think your saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 9:06 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OU and Policies Ok have a question hopefully some of you out there could help me out. We have MAINOU-OU1 MAINOU-OU2 -Block Policy Inheritance MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced user1 in OU1 Computer1 in ou2 When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense Thanks, Mario ** * The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ** * List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ** * The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company
RE: [ActiveDir] Deny Domain GP to a single user
yep - sounds good - just make sure the new GPO has a higher priority than the default domain policy /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seán Sent: Saturday, November 13, 2004 2:15 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Deny Domain GP to a single user Many thanks for the suggestions! I'm planning to do the following. Let me re-phrase what Guido suggested: - Add a Group called, say, Ignore Proxy Settings. Make my user a member of this group. - Add a new GPO at the domain level which includes the proxy settings and filter on the Ignore Proxy Settings group. Sounds about right? - Seán Carr ___ ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Script to check on GCs response/health?
Title: Message Perhaps a different way to skin the same cat..the problem with any single query is that it could be performant in the fact of other, slow things. For example, who cares if ldap is fast if you have a bind perf problem due to slow trusted dc. I think you really want to better measure your app, not as much a single query. That said, Id be more interested in watching key perfmon counters, where key==what you are interested in. So, ldap response time, bind time, etc. If it exceeds X ms, then kick out. My $0.02 ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, November 13, 2004 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Script to check on GCs response/health? Sure that would be fine, note that scope is by default subtree with adfind so you can cut out the -s subtree switch. For the initial startup you might want to run the check every 10 or 15 minutes and see what you get. Build up a map in your head of what it is doing. Then once you are confident on how consistent the numbers are, push the frequency back up to once per hour. Alternatively set a threshhold and if a machine exceed it, crank up the frequency for that machine. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Saturday, November 13, 2004 9:54 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Script to check on GCs response/health? Hi Joe, Thanks for ideas! I've built some code that runs every hour and the numbers are interesting. I've found a coupleof GCs that are in the 4 second range while the majority arein the neighborhood of 0.3 seconds but I expect the numberswill fluctuate more as I collect more statistics. Can I assume the following query (using each GC passed as %1) is appropriate? adfind.exe -h %1 -b dc=xxx,dc=gov -f name=admin-renamed -gc -s subtree cn Thanks again! Mike Thommes -Original Message- From: listmail [mailto:[EMAIL PROTECTED] Sent: Thursday, November 11, 2004 12:24 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Script to check on GCs response/health? One quick and fairly easy method to partially do this is to set up a simple script that does a basic query (say against the schema which should be quick but not say a rootdse query) and have a baseline acceptable time frame for the response. I have done this in the past and found choked up GCs (specifically in relation to Exchange) using a little perl and a little adfind. Versus hardcoding GCs set up a dedicated Exchange site. This protects you main site from Exchange and Exchange from everything else. I.E. If Exchange tears down a DC, Exchange suffers. If something else tears down a DC, Exchange should be fairly protected as it shouldn't be a DC Exchange is using.ALSO and this is a point I have a strong opinion of. Most GCs can go down and things don't care, authentication will work, etc.Exchange GCs can't generally do this. This means that you can keep certain GCs in mind for monitoring and your response to them going offline. At the widget factory I worked for there were only a few GCs I cared about going down in terms of speed to get them back up and running. The Exchange GCs and the PDC's. The other DC's/GCs we cared about but we weren't running in the middle of the night because of them. Anyway, set up a script that you specify a list of GCs or (better) takes a site or list of sites and then goes into a loop. In the loop it gets a list of GCs or DCs, it then does a basic schema query that will return some subset of objects and attributes. Unless you are going against a GC across some slow wires, any query should be back in a second or less for an idle DC. As you load up you will see 1,2,3,6,8 second responses. Once you hit 20+ seconds on a query, you really need to be looking at things. You get to 30 seconds and you most certainly have Exchange queue backups and probably store hangs. If you are monitoring this and you are normally at 3-4 seconds at main load and you hit 10 seconds consistently on a GC, then you page on that and start chasing. joe From: [EMAIL PROTECTED] on behalf of Thommes, Michael M. Sent: Thu 11/11/2004 11:59 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Script to check on GCs response/health? In our environment we have lots of GCs, most of which I don't control. While I run a dcdiag report each morning that checks the overall health of my domain including whether a DC is advertising itself as a GC, we see issues once in a while when a process does a GC discovery action and ends up on a bad one, e.g., not available, busy, slow network, maybe permissions, etc. The other day our Exchange cluster was running like a dog since after a reboot, it hooked itself up with a GC that was not performing particularly well. As a
Re: [ActiveDir] OU and Policies
Hi Mario, Maybe this is why you thought it was so hard! There is a policy under Machine/ADM Templates/System/Group Policy called Use Group Policy LoopBack Mode. It all works easy then! Have a look at the Explanation provided for the policy . Alan Cuthbertson Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedirf=pol_summary.shtml ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedirf=adm_summary.shtml Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedirf=policyreporter.shtml - Original Message - From: Rosales, Mario [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Sunday, November 14, 2004 3:24 AM Subject: RE: [ActiveDir] OU and Policies Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287 I am assuming there is no way to do it through AD without having to touch each citrix server, Correct? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Roger Seielstad Sent: Friday, November 12, 2004 10:27 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and Policies SO there are a few things going on here of which you should be aware. First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies. Second, block inheritance only blocks it for the objects within the OU (and the child Ous). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, its working exactly as it should. Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. Its not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do. Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 6:33 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] OU and Policies So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, November 12, 2004 8:25 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] OU and Policies Wow. Can you reword that? I think your saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario Sent: Friday, November 12, 2004 9:06 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] OU and Policies Ok have a question hopefully some of you out there could help me out. We have MAINOU-OU1 MAINOU-OU2 -Block Policy Inheritance MAINOUT- USER POLICY (Lock Down ScreenSaver Setting) COMPUTER POLICY MAINOUT- (Other Policy Settings) Enforced user1 in OU1 Computer1 in ou2 When user1 logs in - the settings of User Policy still apply. Am I doing something wrong? Hope that makes sense Thanks, Mario ** * The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ** * List info :
RE: [ActiveDir] Joining a Domain thru Command Line
You could use a Sysprep.inf file if that is an option. [Identification] DomainAdmin = domain\account DomainAdminPassword = accountpassword JoinDomain = domain MachineObjectOU = OU = ,DC = ,DC = ,Dc = ,DC = Holland + Knight Travis Abrams MCSE, GCIH Systems Engineer Holland Knight LLP NOTICE: This e-mail is from a law firm, Holland Knight LLP (HK), and is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else. If you are not an existing client of HK, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to HK in reply that you expect it to hold in confidence. If you properly received this e-mail as a client, co-counsel or retained expert of HK, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Friday, November 12, 2004 6:59 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Joining a Domain thru Command Line Ok I know there is a way but I seem to have a disconnect and cant find where I read about it at. I want to take a windows xp sp2 machine newly built and join it to the domain and have that workstations name go into a certain OU. Whats the command. Thanks Jeff And to think only 5 more days of work to go till break. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/