RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG
Hi,

Remember:
* if you're doing a D2 on some DC it is not mandatory to do a D4 on another DC.
* if you're doing a D4 on some DC it IS mandatory to do a D2 on all other replicas!!!

See http://support.microsoft.com/default.aspx?scid=kb;en-us;290762 section authoritative restore

Regards,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Friday, November 12, 2004 00:24
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG

Eric,

Thanks for all your information here. I read up on it and consulted Microsoft; it was a D4 that was actually required due to this machine being the Main DC. All changes were made on this machine and it was not replicating the changes out to the other servers.

I also checked to see why it Journal Wrapped and Microsoft also suggested it was more than likely due to the stability of the machine. (It used to restart itself for what appeared to be no reason several times a day but that has now been resolved as well.)

The change was smooth sailing as it is only a small site. FRS is happening sweetly now.

Thanks again.
Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, 26 October 2004 10:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG

It's unpleasant only in that you vvJoin. I'd suggest doing it off hours, but unless it's a HUGE data set, it probably will be smooth sailing. I'd definitely check out some KB articles on it first (search on burflags and D2 to find them) but really, it shouldn't be all that bad. Again, if you have a large data set (many gigs) it's worth talking about. If it's small, no worries.

> Also, Ultrasound? Not sure what you mean here.

Ah, Ultrasound is the tool we release for monitoring FRS replica sets.
http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&displaylang=en

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Monday, October 25, 2004 6:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG

Eric,

I am running SP4. It sounds like a D2 is not a pleasant action to take from your If Afraid comment. I will read up on this as much as possible but are there any major dangers of doing a D2 as this error is coming up on our main PDC which is all the Operations Masters and Catalog Server. It is also our Exchange2000 box. I am a little concerned that if I make a change with this D2 that there could be ramifications that cause a bigger problem.

Also, Ultrasound? Not sure what you mean here.

Yeah, the last statement did make sense. I am not heaps familiar with Win2000. I am learning a lot as I go but we had Professionals come in and set things up and we have had many a trouble. I am trying to fix all the troubles as I go along etc.

Thanks for your help so far and I appreciate any final thoughts etc that you can give me with doing a D2 and setting up Ultrasound.

Rodney

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, 26 October 2004 6:20 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG

If the value isn't there, then that means you're using Windows defaults. If you're journal wrapping with SP3+, you almost definitely had a long-term replication issue. I'd suggest:

1) D2 the node - that's the recovery from a journal wrap I'm afraid
2) Set up Ultrasound to monitor FRS in the long term.

#2 will let you know you have a problem before you have a problem, if that makes sense. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner
Sent: Monday, October 25, 2004 12:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG

Eric,

Thanks for the info. I took a look at the registry setting to see how big the Journal Size was as per the KB Article:-

    HKLM\System\CCS\Services\NTFRS\Parameters\Ntfs Journal size in MB (REG_DWORD)

Does this need to be added?? But I do not have that setting in that registry position. The closest I had was:-

    HKLM\System\CCS\Services\NTFRS\Parameters\Staging Space Limit in KB (REG_DWORD)

and it was 675840

I also checked the WinNT\Ntfrs\jet Folder and the NTFRS.JDB is only 1MB in size.

I also used the repadmin /showreps tool and it stated that the inbound have all been successful for all 3 (CN=Schema, CN=Configuration, DC=domain). And as for Outbound there were no last attempts for the 3 types.

As for the full FRS Event Logs in Event Viewer they are all the same:- It states The FRS Services is starting and then about 3 minutes later the warning I posted below appears. The only other
RE: [ActiveDir] OU and Policies
Well, it depends... If you wish all your terminal servers to get the same policy, just put them all in one OU... Apply the policy there, and you're set. If you have multiple different policies to apply, you may need more OU's.

Policies have a scope ...It's kind of like it has to be over the object, user or computer. So, if you have a TS OU, and the users and computers aren't nested under that same structure, you can control what policy they get only when they TS.

John

Rosales, Mario [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 10:24 AM
Please respond to [EMAIL PROTECTED]
To: '[EMAIL PROTECTED]' [EMAIL PROTECTED]
cc:
Subject: RE: [ActiveDir] OU and Policies

Thank you everyone for the information. So if loopback is the only option here. How do you handle doing loopbacks for multiple servers? Do you create a local loopback policy on all the computers you want affected and then Setup the Computer OU (OU2) with a gpo with the instructions listed here - http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

I am assuming there is no way to do it through AD without having to touch each citrix server, Correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, November 12, 2004 10:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

So there are a few things going on here of which you should be aware.

First, GPO's applied to users take precedence over GPO's applied to computers. The general concept is that closest policy applies last. By that I mean the default domain policy is applied first, then walking down the OU hierarchy, and at the same level the computer policies get applied before the user policies.

Second, block inheritance only blocks it for the objects within the OU (and the child OUs). So, you're only blocking inheritance to objects which exist in OU2. Since that's the computer only, and the computer settings get applied before the user settings, it's working exactly as it should.

Finally, you mentioned Citrix. I'm guessing what you're really trying to accomplish is controlling users' rights when logged into a specific set of machines only. What you want is called Loopback processing. It's one of the other options for GPO's, and basically it will force the computer policy to override the users' policies. It's not quite that simple, and it does have some drawbacks from what I remember. But that's what you're looking to do.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 6:33 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OU and Policies

So are you saying that cannot be done? Then how do you handle citrix servers? For example users logging into their computer should have the settings from both policies but if they log into a Terminal type server, how do you override that setting? Create an entire new User Policy?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, November 12, 2004 8:25 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Wow. Can you reword that? I think you're saying that you have a user in one OU, and a computer account in another with the policy blocked. You want to know why user policy is being applied to a user using a computer that is in an OU with blocked policy (now you have me doing it :), right?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario
Sent: Friday, November 12, 2004 9:06 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] OU and Policies

Ok have a question hopefully some of you out there could help me out. We have
Re: [ActiveDir] OU and Policies
Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir
To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...

The OU that the USER belongs to should contain the policies you normally want.

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix.

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU.

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that sites policies do is add another set of policies that the machines receive. It does not affect the user settings. Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

----- Original Message -----
From: Rosales, Mario [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, November 13, 2004 4:16 AM
Subject: RE: [ActiveDir] OU and Policies

So In your previous e-mail you said split the sites but do we really want to do that? So if I were trying to do the terminal server policies. For Site I could do a User Policy. Then for the terminal servers I create the ou and put the User Policy settings I want at that ou. That will override the OU Settings at the site level? Did I understand that correctly?

Thanks,
Mario

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:49 AM
To: [EMAIL PROTECTED]
Cc: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OU and Policies

Hi Mario

Either Loopback policies or Site policies. Site policies will work based on the site (determined by the IP Subnet) of the computer the user logs into. They will be overwritten by OU GPOs or domain GPOs but they will give you the option of two separate user policies for the same user.

Regards;
James R. Day
RE: [ActiveDir] Joining a Domain thru Command Line
Leaving the computer out will cause it to pause at that point and you could enter a name.

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

NOTICE: This e-mail is from a law firm, Holland & Knight LLP (H&K), and is intended solely for the use of the individual(s) to whom it is addressed. If you believe you received this e-mail in error, please notify the sender immediately, delete the e-mail from your computer and do not copy or disclose it to anyone else. If you are not an existing client of H&K, do not construe anything in this e-mail to make you a client unless it contains a specific statement to that effect and do not disclose anything to H&K in reply that you expect it to hold in confidence. If you properly received this e-mail as a client, co-counsel or retained expert of H&K, you should maintain its contents in confidence in order to preserve the attorney-client or work product privilege that may be available to protect confidentiality.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Sunday, November 14, 2004 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining a Domain thru Command Line

Problem with that is I need to be able to assign a workstation name before joining the domain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, November 14, 2004 12:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Joining a Domain thru Command Line

You could use a Sysprep.inf file if that is an option.

    [Identification]
    DomainAdmin = domain\account
    DomainAdminPassword = accountpassword
    JoinDomain = domain
    MachineObjectOU = OU = ,DC = ,DC = ,Dc = ,DC =

Holland + Knight
Travis Abrams MCSE, GCIH
Systems Engineer
Holland & Knight LLP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, November 12, 2004 6:59 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Joining a Domain thru Command Line

Ok I know there is a way but I seem to have a disconnect and can't find where I read about it at. I want to take a windows xp sp2 machine newly built and join it to the domain and have that workstation's name go into a certain OU. What's the command.

Thanks
Jeff

And to think only 5 more days of work to go till break.

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OU and Policies
Well everyone, after all the questions and answers, I finally have it figured out. I appreciate all the help everyone has given me. Whew, I feel like I just went through my College final exams!

THANKS FOR YOUR HELP EVERYONE!!
RE: [ActiveDir] OU and Policies
Return Receipt

Your document: RE: [ActiveDir] OU and Policies
was received by: Justin Leney/US/DCI
at: 11/15/2004 10:04:48 AM
RE: [ActiveDir] Deny Domain GP to a single user
Instead of specifying the proxy settings in a GPO, you could point IE at an Automatic Config script (hosted on a website or file share). You could then set proxy exclusions on a per domain basis rather than stopping this user from using the proxy for anything. You could also exclude internal sites if desired.

Here is an example config.pac file:

    function FindProxyForURL(url, host) {
        // Single-label host names (no dots) are treated as internal
        if (isPlainHostName(host)) { return ("DIRECT"); }
        // Per-domain exclusions from the proxy
        if (host.search("usersbankingsite.com") != -1) { return ("DIRECT"); }
        if (host.search("myinternalwebsites.com") != -1) { return ("DIRECT"); }
        // Internal 10.x.x.x addresses
        if (host.search("^10.*.*.*") != -1) { return ("DIRECT"); }
        // Everything else goes through the proxy
        return "PROXY myproxyserver.mycompany.com:8080";
    }

Regards
Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seán
Sent: 12 November 2004 16:14
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Deny Domain GP to a single user

I've set the proxy settings for the Domain Group policy to the IP address of an ISA server. Is there an easy way of bypassing the proxy settings for one user? This particular user needs direct access to a banking site. I don't want to (but might end up) creating a new group and putting everyone but this particular user, then reapplying the proxy settings.

Am using 2000 DCs.

- Seán Carr

**
This is a commercial communication from Commerzbank AG. This communication is confidential and is intended only for the person to whom it is addressed. If you are not that person you are not permitted to make use of the information and you are requested to notify mailto:[EMAIL PROTECTED] immediately that you have received it and then destroy the copy in your possession.

Commerzbank AG may monitor outgoing and incoming e-mails. By replying to this e-mail you consent to such monitoring. This e-mail message and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open attachments at your own risk.

This email was sent either by Commerzbank AG, London Branch, or by Commerzbank Securities, a division of Commerzbank. Commerzbank AG is a limited liability company incorporated in the Federal Republic of Germany. Registered Company Number in England BR001025. Our registered address in the UK is 23 Austin Friars, London, EC2P 2JD. We are regulated by the Financial Services Authority for the conduct of investment business in the UK and we appear on the FSA register under number 124920.
**
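
An added example, not part of Steve's message or the original thread: the exclusions in the config.pac above are matched with host.search(), which treats its argument as an unanchored regular expression, so a host that merely contains the banking domain, or whose name begins with "10", also goes DIRECT and skips the ISA proxy. The code below runs the posted rules beside an anchored variant; the stand-ins for the PAC built-ins, the names findProxyLoose and findProxyStrict, and the sample hosts are constructed for illustration.

```javascript
// Stand-ins for the PAC built-ins so this file also runs under Node.
// A browser supplies its own versions; its isInNet() also resolves names,
// whereas this stand-in only accepts IPv4 literals.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

function ipToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), k = ipToInt(mask);
  if (h === null || n === null || k === null) return false;
  return ((h & k) >>> 0) === ((n & k) >>> 0);
}

const PROXY = "PROXY myproxyserver.mycompany.com:8080";

// The rules as posted: search() compiles each string into an unanchored regex,
// so "." matches any character and the pattern may match anywhere in the host.
function findProxyLoose(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  if (host.search("usersbankingsite.com") !== -1) return "DIRECT";
  if (host.search("myinternalwebsites.com") !== -1) return "DIRECT";
  if (host.search("^10.*.*.*") !== -1) return "DIRECT";
  return PROXY;
}

// Anchored variant: exact domain or a true subdomain, and a real netmask test.
const DIRECT_DOMAINS = ["usersbankingsite.com", "myinternalwebsites.com"];

function findProxyStrict(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return "DIRECT";
  for (const d of DIRECT_DOMAINS) {
    if (host === d || dnsDomainIs(host, "." + d)) return "DIRECT";
  }
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  return PROXY;
}

// Constructed sample hosts (not from the thread).
const SAMPLE_HOSTS = [
  "intranet",
  "www.usersbankingsite.com",
  "10.1.2.3",
  "www.example.org",
  "usersbankingsite.com.lookalike.example",
  "usersbankingsite-com.lookalike.example",
  "100.20.30.40",
  "10minutes.example",
];

function compare(hosts) {
  return hosts.map((h) => ({
    host: h,
    loose: findProxyLoose("", h),
    strict: findProxyStrict("", h),
  }));
}

// Hosts that the posted rules send DIRECT but the anchored rules send to the proxy.
function disagreements(hosts) {
  return compare(hosts).filter((r) => r.loose !== r.strict).map((r) => r.host);
}

for (const row of compare(SAMPLE_HOSTS)) {
  console.log(row.host.padEnd(42), row.loose.padEnd(8), row.strict);
}
```

In a deployed PAC file the anchored function would carry the name FindProxyForURL and the stand-in helpers would be dropped, since the browser provides them.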
RE: [ActiveDir] Script to check on GCs response/health?
Definitely. Nice thing about testing with LDAP queries though is it can be a normal userid. No admin rights required. Also it will take a more involved tool generally to start doing perf counters.

Not saying people shouldn't have more in depth monitoring such as MOM or OpenView but it is sometimes an expense people can't get through the system, spinning up products like MOM and SQL can be costly if you don't get it for free plus there is admin overhead that has to be accounted for. I know I fought that battle for several years for a Fortune 5 company and never got heavy duty monitoring like that due to costs and politics. In the end it all came down to my basic perl scripts doing basic things like this and quite honestly, that combined with being aware of my DCs and how they should be running kept us running very well. However, that won't work for everyone.

Anyway, once you start seeing any slowness in basic queries, then you can bounce into more detailed checking of what is going on. I have used this method to ascertain issues with DCs in a couple of different companies. It is simple and basic, but if a DC can't do these simple basic things, there is definitely an issue to investigate.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, November 13, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

Perhaps a different way to skin the same cat..the problem with any single query is that it could be performant in the face of other, slow things. For example, who cares if ldap is fast if you have a bind perf problem due to slow trusted dc. I think you really want to better measure your app, not as much a single query.

That said, I'd be more interested in watching key perfmon counters, where key==what you are interested in. So, ldap response time, bind time, etc. If it exceeds X ms, then kick out.

My $0.02
~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, November 13, 2004 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

Sure that would be fine, note that scope is by default subtree with adfind so you can cut out the -s subtree switch.

For the initial startup you might want to run the check every 10 or 15 minutes and see what you get. Build up a map in your head of what it is doing. Then once you are confident on how consistent the numbers are, push the frequency back up to once per hour. Alternatively set a threshold and if a machine exceeds it, crank up the frequency for that machine.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Saturday, November 13, 2004 9:54 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

Hi Joe,

Thanks for ideas! I've built some code that runs every hour and the numbers are interesting. I've found a couple of GCs that are in the 4 second range while the majority are in the neighborhood of 0.3 seconds but I expect the numbers will fluctuate more as I collect more statistics. Can I assume the following query (using each GC passed as %1) is appropriate?

    adfind.exe -h %1 -b dc=xxx,dc=gov -f name=admin-renamed -gc -s subtree cn

Thanks again!

Mike Thommes

-----Original Message-----
From: listmail [mailto:[EMAIL PROTECTED]
Sent: Thursday, November 11, 2004 12:24 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Script to check on GCs response/health?

One quick and fairly easy method to partially do this is to set up a simple script that does a basic query (say against the schema which should be quick but not say a rootdse query) and have a baseline acceptable time frame for the response. I have done this in the past and found choked up GCs (specifically in relation to Exchange) using a little perl and a little adfind.

Versus hardcoding GCs set up a dedicated Exchange site. This protects your main site from Exchange and Exchange from everything else. I.E. If Exchange tears down a DC, Exchange suffers. If something else tears down a DC, Exchange should be fairly protected as it shouldn't be a DC Exchange is using.

ALSO and this is a point I have a strong opinion of. Most GCs can go down and things don't care, authentication will work, etc. Exchange GCs can't generally do this. This means that you can keep certain GCs in mind for monitoring and your response to them going offline. At the widget factory I worked for there were only a few GCs I cared about going down in terms of speed to get them back up and running. The Exchange GCs and the PDC's. The other DC's/GCs we cared about but we weren't running in the middle of the night because of them.

Anyway, set up a script that you specify a list of GCs or (better)
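
An added example, not code from joe, Mike or the adfind project: the baseline-and-threshold check described in this thread, including joe's suggestion to raise the check frequency for a GC that exceeds the threshold. The adfind arguments are the ones Mike posted (run under an ordinary user account, as joe notes); the 1-second threshold, the three-sample recovery rule, the function names and the sample timings are assumptions made for illustration.

```javascript
// Assumed tuning values. The thread reports ~0.3 s for healthy GCs and ~4 s
// for choked ones, hourly checks normally and 10-15 minutes while watching.
const THRESHOLD_MS = 1000;
const NORMAL_INTERVAL_MIN = 60;
const FAST_INTERVAL_MIN = 10;
const RECOVERY_SAMPLES = 3; // healthy runs required before returning to hourly

// Time one GC query with adfind, using the arguments posted in the thread
// minus "-s subtree" (adfind's default scope). Resolves to elapsed ms, or
// null if adfind fails or times out. execFile passes arguments without a
// shell, so GC names are never interpreted as commands.
async function probeWithAdfind(gc, baseDn = "dc=xxx,dc=gov", filter = "name=admin-renamed") {
  const { execFile } = await import("node:child_process");
  const started = Date.now();
  return new Promise((resolve) => {
    execFile(
      "adfind.exe",
      ["-h", gc, "-b", baseDn, "-f", filter, "-gc", "cn"],
      { timeout: 30000, windowsHide: true },
      (err) => resolve(err ? null : Date.now() - started)
    );
  });
}

function newState() {
  return { status: "ok", healthyRun: 0, intervalMin: NORMAL_INTERVAL_MIN, nextDueMs: 0 };
}

// Fold one measurement into a GC's state. A slow or failed probe switches the
// GC to the fast interval; it returns to hourly only after RECOVERY_SAMPLES
// consecutive healthy probes.
function recordSample(state, elapsedMs) {
  const failed = elapsedMs === null;
  if (failed || elapsedMs > THRESHOLD_MS) {
    return { ...state, status: failed ? "failed" : "slow", healthyRun: 0, intervalMin: FAST_INTERVAL_MIN };
  }
  const healthyRun = state.healthyRun + 1;
  const backToNormal = state.intervalMin === NORMAL_INTERVAL_MIN || healthyRun >= RECOVERY_SAMPLES;
  return {
    ...state,
    status: "ok",
    healthyRun,
    intervalMin: backToNormal ? NORMAL_INTERVAL_MIN : FAST_INTERVAL_MIN,
  };
}

// Probe every GC that is due and schedule its next check. Call this from a
// once-a-minute timer or scheduled task: pollDue(states, probeWithAdfind).
async function pollDue(states, probe, nowMs = Date.now()) {
  for (const [gc, st] of Object.entries(states)) {
    if (nowMs < st.nextDueMs) continue;
    const next = recordSample(st, await probe(gc));
    next.nextDueMs = nowMs + next.intervalMin * 60000;
    states[gc] = next;
  }
  return states;
}

// Replay recorded timings offline to see which runs would have alerted.
function replay(samplesByGc) {
  const report = {};
  for (const [gc, samples] of Object.entries(samplesByGc)) {
    let state = newState();
    const alerts = [];
    samples.forEach((ms, i) => {
      state = recordSample(state, ms);
      if (state.status !== "ok") alerts.push(`run ${i + 1}: ${state.status}`);
    });
    report[gc] = { alerts, intervalMin: state.intervalMin };
  }
  return report;
}

// Constructed timings in ms (null = probe failed); host names are placeholders.
const SAMPLE_RUNS = {
  "gc1.example.test": [310, 290, 330, 300],
  "gc2.example.test": [320, 4100, 3900, 350, 300],
  "gc3.example.test": [300, null, 310, 290, 305],
};

console.log(JSON.stringify(replay(SAMPLE_RUNS), null, 2));
```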
RE: [ActiveDir] ADS (Storage Limits)
If you mean mailbox quotas, you should be able to get away with just having permission on

    mDBOverHardQuotaLimit
    mDBOverQuotaLimit
    mDBUseDefaults

That being said, the GUI may still bounce you because of MS's insistence (especially in Exchange) to try and secure the system by disallowing things in the GUI but you can write the attributes truly responsible and could do it with a script. There were several things I ran into where the GUI wouldn't allow the change and gave an access denied though I could easily change what I wanted with a script.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 12, 2004 10:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ADS (Storage Limits)
Sensitivity: Private

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q316792

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 11/12/2004 7:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ADS (Storage Limits)

Hi - Anybody know what is the permission to grant modify storage limits, in active directory users and computer (Exchange Advance)? I can with user object (write all property), but I'd like to know if there exists another way (something less).

Thanks.

This information is private and confidential and intended for the recipient only. If you are not the intended recipient of this message you are hereby notified that any review, dissemination, distribution or copying of this message is strictly prohibited. This communication is for information purposes only and shall not be regarded neither as a proposal, acceptance nor as a statement of will or official statement from REPSOL YPF S.A. and/or subsidiaries and/or affiliates. Email transmission cannot be guaranteed to be secure or error-free. Therefore, we do not represent that this information is complete or accurate and it should not be relied upon as such. All information is subject to change without notice.
RE: [ActiveDir] dsadd user exchmbx
I will try to move heaven and Earth before I use WMI. :o) I like ADSI better than I like WMI and I dislike ADSI. Good to see you posting again Roger. It was good to see you at Jillian's as well. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, November 11, 2004 3:01 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] dsadd user exchmbx Just so you don't go running too far down that path blindly, there is a WMI provider that can generate the content for your little QFE data. It seems to put out some useful info... On Sun, Oct 24, 2004 at 11:32:27AM -0400, joe wrote: LOL. I have been fleshing that out as well... It is going to probably take ADFIND V2.00.00 to do it. My current structuring doesn't easily allow me to do it. However, I have now committed myself to doing it in some future version. You all sold me. :) I also just wrote out some more notes for a new tool that runs on a local machine and updates the description of itself in AD and also the QFEs. You will recall we had a conversation on that previously. I still see nothing coming from MS so I want to do something. You are welcome for the tools. :o) joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Sunday, October 24, 2004 11:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] dsadd user exchmbx CSV in ADFIND first! :-) (lather, rinse, repeat!) Thanks for your tools, Joe. M _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, October 24, 2004 10:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] dsadd user exchmbx Yes, that should be fine. I am working out in my head now an adadd (fun name I know...) as well so you don't have to fall back to dsadd. Like the other ad* tools I have I want to keep it as generic as possible which is kind of fun to work out. :o) And you are very welcome. Glad you find the tools (or at least exchmbx) useful. 
joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Thursday, October 21, 2004 7:40 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] dsadd user exchmbx Just so I am clear: if I want to create a bunch o' users from a simple batch file, I can use the dsadd command and THEN use the exchmbx tool to create their mailboxes. I can even do this from within the same simple batch file. Do I have this correct? As always, beaucoup de thanks, Joe. -- nme List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Excahnge suggestion
The msexchange.org list is quite active, I assure you. Greg Lara --- This e-mail message may contain privileged, confidential and/or proprietary information intended only for the person(s) named. If you are not the intended recipient, please destroy this message, and any attachments, and notify the sender by return e-mail. If you are not the intended recipient(s), or the employee or agent responsible for delivering the message to the intended recipient(s), you are hereby notified that any dissemination, disclosure or copying of this communication is strictly prohibited. --- -Original Message- From: Missy Koslosky [mailto:[EMAIL PROTECTED] Sent: Sunday, November 14, 2004 10:53 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Excahnge suggestion The old msexchange.org list is dead, kinda. It moved to swynk.com, then to internet.com, and can be subbed to at http://e-newsletters.internet.com/discussionlists.html/. I haven't checked to see if msexchange.org (new owners) have a list or not, but if they do, I'll sub there too. The best Exchange 2000/Exchange 2003 lists I'm on are run through yahoogroups, and hosted by Martin Tuip, an Exchange MVP. http://groups.yahoo.com/group/Exchange2000/ and http://groups.yahoo.com/group/exchange-2003/. List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Indexing an attribute
Ok after further discussions with ~Eric on this and some testing in AD/AM on my flight back to MI and against one major Active Directory since being back I have learned something very cool.

In Windows Server 2003 AD there should be no real difference in speed in hitting the FL's of a linked attribute and the BL's. This is a huge change in AD from Windows 2000. In Windows 2000 there was no doubt that pulling the memberof attribute of cn=joe,cn=users,dc=joe,dc=com was not only faster than pulling the group DNs based on the following query "(member=cn=joe,cn=users,dc=joe,dc=com)" but not even worth comparison in larger deployments. Now, in K3 AD these times are almost equal in every test I have done so far.

This is EXTREMELY cool and helps with an issue with enumerating groups for a user across a forest. No longer in K3 AD would you need to query the memberof attribute of a user on a GC in every domain. Of course if running from a Windows machine it may still be more performant to hit every GC and grab the tokenGroups attribute so you can avoid having to recurse into the groups for nesting but from a non-Windows platform where binary blob of the SID to userid may be a pain this is a great boon to have this search speed be so much better.

Specific to the post below, this means you do NOT have to go against the homeMDBBL to get the list of users in a given Exchange Database in a performant way. You can query the FL's via a query as simple as (homeMDB=blah blah blah). Where blah blah blah is the full DN of the store you are interested in.

This is just one more reason to deploy K3 out there...

After rereading the whole thread again, this brings up a question in my mind for ~Eric I didn't ask offline but which goes back to the heart of the original question. On 2K specifically if you index this attribute, what would be the impact to the size of the DIT? Since it is already implicitly indexed I would think that should mean there is no impact. Would that be accurate?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Wednesday, November 10, 2004 7:14 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

I sit corrected. :o) I guess what I meant is that a linked attribute is used as an implied indexed attribute for queries in K3. Might be interesting to just have the engine light the indexed flag of any attributes that are linked and clear all confusion in K3.

On another topic, I know everyone on the list is jealous, I actually met ~Eric face to face today. He looks amazingly like Tom Cruise.

joe

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 11/10/2004 5:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

That's not entirely true either, but close. A more accurate statement: the index is not used _by query processor_ in 2k, but is in 2k03. The index is used by other things in AD in 2k, like a simple read of the member attribute of a group.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, November 10, 2004 6:03 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

Note what he indicates though. Indexed for free due to the nature of being a linked attribute, ***but the index isn't used unless it is on Windows Server 2003 AD***. I actually spoke to ~Eric about this in the past and it had completely slipped my mind when discussing here. The whole idea is that someone at MS realized, hey wait, basically all of the linking info needed for these attributes is already available and so they enhanced the engine to take advantage of it. This is just one more reason to use Windows Server 2003 for your Domain Controllers. But again, use the BL if it is possible for you. Much much faster.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holland Matthew BC GB
Sent: Wednesday, November 10, 2004 2:08 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

Interesting, I didn't realize HomeMDB is indexed for free! Although, as you mentioned, it seems to make sense to use homeMDBBL. Thanks for your help!

Matty

From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: 09 November 2004 20:51
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

HomeMDB need not be indexed. Linked values are implicitly indexed and those indexes will be used by QP in 2k03 out of the box. If you run it with STATS spew, you'll see that the index type is L, for linked.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 11:10 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Eric Fleischman; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Indexing an attribute

First off, your initial query
RE: [ActiveDir] AD Sync with OpenLDAP
Whew... I was staggered by the number of responses to this one... ;o)

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, November 10, 2004 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Anybody here actually Syncing OpenLDAP with Active Directory using MIIS?

Thanks,
-- Matt Brown
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] AD Sync with OpenLDAP
I would have to agree with Al here... Just have the perl script making the changes to OpenLDAP make the changes directly to AD as well. You don't need additional Sync software if this is all one way and all of your changes are being forced through one interface that you can already manipulate as needed. The sync software would be, IMO, additional unneeded overhead.

I would also agree with Jackson's post if you can do it. I understand the politics and such argument though. Politics is cause for many bad decisions. Also though if you have a ton of APP data, I am not necessarily of the opinion that that should be in AD anyway. I am all for the idea of AD as the NOS directory and App data going elsewhere. Maybe say an AD/AM and then just work out some method to link an AD ID to an AD/AM entry WITHOUT syncing all of the damn AD Data into AD/AM. Say you have an attribute in AD that says, also see this AD/AM. Then in AD/AM there is an attribute say a bindable GUID or something that says this entry is linked to this AD Entry, go there to find the rest of the info. Obviously there would be some limitations in searching though if the data you needed to compare was partially in AD and partially in AD/AM, at that point you don't have a choice but to use one or the other or sync the data from one to the other. Just the same, using AD/AM, you still get to use AD for auth which is nice not having multiple auth stores. That way when your tool that changes the passwords in both places breaks on one or the other, it isn't a big deal.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 10, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

So if it's just account data that you're interested in, any particular reason you want to change it? Are there problems? One idea that does come to mind is that you could have a perl script that controls all of it without LDIFDE in the middle. If you wanted to. The advantage of something like MIIS or another commercial product is the control and logic already built in without you having to work in all the crazy logic to make it more robust. You could however just use perl if that's what you're comfortable with since you're not really doing anything too more than reading user-objects from the OL directory and duplicating them in AD. It's more or less a mapping function and a function to make sure that you get new accounts either as they are introduced else on commit. Am I missing anything?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, November 10, 2004 3:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Currently I have one way sync coming from my OpenLDAP server to my AD Domain. The modifications that happen to the OpenLDAP server are done daily with Perl Scripts which then create ldife files for AD whenever changes are made to the account. A batch file is then used to grab the ldife files and import them into AD using LDIFDE. All passwords are handled separately through a web page I have programmed (php/asp) that sets both OpenLDAP password and the AD password whenever a user changes their password.

Thanks,
-- Matt Brown
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, November 10, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

MIIS or simplesynch come to mind. What level of sync do you have? For example, are synching passwords, groups, id's etc? What kind of process do you have now?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Wednesday, November 10, 2004 3:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Sync with OpenLDAP

Well, I have an OpenLDAP server running with all user accounts (approx 14k accounts) in it. I'd like to keep a replica of all the accounts in Active Directory, making appropriate changes when necessary. (IE: account renames, ou changes, etc.) I currently have something in place to do this, but it's a cumbersome process and I'm curious what others are doing and how they are getting the job done.

Thanks,
-- Matt Brown
Information Technology System Specialist
Eastern Washington University
[ActiveDir] Master Browser
One of my DCs is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake
-- Jake Stabl
Network Engineer
Plain Local Schools
www.plainlocal.org
Office - 330.492.3500 x. 383
Cell - 330.704.1278
RE: [ActiveDir] AD OpenLDAP
Note that while IIFP is free, it does require SQL Server 2000 Enterprise Edition for production use which is decidely NOT free. It also requires an Enterprise Windows Server 2003 license and install. This was something that was pointed out to MS last April at the MVP summit as being a high barrier to implementation. The fact that you had to pay for SQL Server and that you had to use SQL at all instead of just being able to ODBC into whatever your corporate Database standard solution is. Honestly, the Database should be integrated into the product in such a way that there is no additional cost to the free product and there is no additional overhead to maintain it. The idea behind IIFP it seemed to me to help enable a company to use MS tech. They said it was free to make it even more enticing, however I think having to pay for and learn SQL defeats it. I know of an MCS friend who has had to go back to a company three times now because the MOM implementation blew up because of backend Database failures because the people didn't know how to manage SQL 2000 and didn't seem to be willing to invest in learning the product. They bought a monitoring solution and wanted to learn monitoring stuff, they didn't want to have to become DBA's. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Friday, November 05, 2004 5:02 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD OpenLDAP There are two versions of MIIS - Paid version and a free add-on -Identity Integration Feature Pack for Microsoft Windows Server Active Directory http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4- b7ea-6f56819769d5DisplayLang=en steve - Original Message - From: Salandra, Justin A. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 04, 2004 12:59 PM Subject: RE: [ActiveDir] AD OpenLDAP Does MIIS stand for Microsoft Internet Information Services? 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, November 04, 2004 10:52 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD OpenLDAP AD is quick, painless and mostly maintenance free. That's easy. Think of it as an app that comes with it's own directory just like so many others :) Sounds like you want the account lifecycles to be authoritative in another system and just have them flow down to AD. If that's the case, they MIIS might be your ticket. It could also be that you want to have a look at the current metadirectory systems you have (for lack of a better name even if they're homegrown) to see if they can do what you want. For more reading on the product and how to plan, deploy, and run it have a look at the website: http://www.microsoft.com/ad Note that AD relies heavily on DNS which is the usual biggest fight for deployment. Best bet is to delegate a sub zone for AD usage and get the workstations to use a AD DNS and forwarders to other DNS systems if your environment is similar to ones I've seen before. That allows your AD infrastructure to be self-contained and mostly integrated with the other systems in the landscape. Over time somebody is bound to realize that the AD is the more important of the systems as it contains and controls the desktops which are the only access points of gates to the back room infrastructure. Helps to have it in place and working first though :) Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott Sent: Thursday, November 04, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD OpenLDAP I want the users of the PCs I manage to authenticate against AD so I can use Group Policies to manage (or micromanage) their permissions on the computer based either on A) who they are and/or B) which computer it is. 
Not having had a Windows server newer than NT4 to play/experiment with before now, I'm only going based on what I've read and seen others talk about on other lists. We run SCT Banner on a VAX. That is where all student data gets initially entered. Changes to that data are frequently sent to another of our systems, and that userbase is mirrored to various of our other systems and services. I sense I'm going to have a battle on my hands getting AD even turned ON in this environment. So if it can be quick, painless, and maintenance-free that'd be a huge selling point for me. :-) ...ROMeyn At 9:22 AM -0500 11/4/04, Mulnick, Al scribbled: Out of curiosity, why would you want Active Directory to not be the source or user accounts and then want to sync with openldap? Can you describe the goals a little more and why you're wanting to put Active Directory into your environment in the first place? What planning have you already done? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Thursday, November 04, 2004 9:17 AM To:
RE: [ActiveDir] Logon Information
You can tweak how realtime it is by modifying the msDS-LogonTimeSyncInterval value on the domain NC head. I would suggest being very careful with that. If you have a ton of authentications you could put yourself into a very bad spot by cranking that value up.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, November 10, 2004 11:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Logon Information

In 2K AD, yes. In 2K3 AD, no. In 2K3, there is the lastlogontimestamp attribute and this is replicated to all DCs. It's not completely real-time, though.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Rosales, Mario
Sent: Wed 11/10/2004 8:16 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Logon Information

I remember on NT 4.0 Logon information was not replicated from dc to dc. For example: user1 logs in to the dc2 but dc1 always sees the account as never logged in. Does that still apply for AD Controllers?

Thanks,
Mario

*** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***

List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
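The replication lag discussed in this thread matters when lastLogonTimestamp is used to find dormant accounts, because a recent logon may not have been written to the replicated attribute yet. The Python sketch below is an added example, not code from anyone on the list: it classifies accounts while allowing for that lag. The 14-day interval is an assumption about the Windows default (the thread gives no value), and the account names and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# AD stores lastLogonTimestamp as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumption, not stated in the thread: 14 days applies when
# msDS-LogonTimeSyncInterval has not been set on the domain NC head.
ASSUMED_SYNC_INTERVAL_DAYS = 14


def filetime_to_datetime(value):
    """Return the UTC datetime for a FILETIME, or None if absent or zero."""
    ticks = int(value or 0)
    if ticks <= 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment):
    """Inverse conversion, used here to build the constructed sample data."""
    delta = moment - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def classify_account(last_logon_timestamp, now, inactive_days,
                     sync_interval_days=ASSUMED_SYNC_INTERVAL_DAYS):
    """Classify one account against an inactivity threshold.

    A logon that happens less than one sync interval after the stored value
    need not update it, so the real last logon lies somewhere between the
    stored value and stored value + interval. Only an age of at least
    threshold + interval proves the account was idle for the whole threshold.
    """
    if sync_interval_days < 1:
        raise ValueError("this sketch only models a positive sync interval")
    seen = filetime_to_datetime(last_logon_timestamp)
    if seen is None:
        return "never-recorded"
    age = now - seen
    threshold = timedelta(days=inactive_days)
    lag = timedelta(days=sync_interval_days)
    if age < threshold:
        return "active"
    if age < threshold + lag:
        # Old enough by the replicated value, but a later logon could be hidden.
        return "uncertain"
    return "inactive"


def review(accounts, now, inactive_days,
           sync_interval_days=ASSUMED_SYNC_INTERVAL_DAYS):
    """Map each account name to its classification."""
    return {
        name: classify_account(stamp, now, inactive_days, sync_interval_days)
        for name, stamp in accounts.items()
    }


def _utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: hypothetical names and dates, not real directory output.
NOW = _utc(2004, 11, 15)
SAMPLE_ACCOUNTS = {
    "svc-backup": datetime_to_filetime(_utc(2004, 11, 10)),     # 5 days old
    "jdoe": datetime_to_filetime(_utc(2004, 8, 10)),            # 97 days old
    "old-contractor": datetime_to_filetime(_utc(2004, 3, 1)),   # well past 104 days
    "new-hire": 0,                                              # attribute never set
}

if __name__ == "__main__":
    for name, status in review(SAMPLE_ACCOUNTS, NOW, inactive_days=90).items():
        print(f"{name:15} {status}")
```

Accounts in the "uncertain" band are the ones to confirm against the non-replicated lastLogon value on each DC before disabling anything.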
RE: [ActiveDir] Master Browser
To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DCs is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake
-- Jake Stabl
Network Engineer
Plain Local Schools
www.plainlocal.org
Office - 330.492.3500 x. 383
Cell - 330.704.1278
RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...
ping ~Eric

Pinging ~Eric.texas.cpr.microsoft.com [xx.xx.xx.xx] with 32 bytes of data:

Request timed out.
Request timed out.

:o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, November 09, 2004 7:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Let me digest a bit and report back. The answer is probably yes, I just need to think about it.

Aside: Have you noticed that every ldp snip I do is from a different domain? Yes, I have that many forests in virtual machines. I just noticed that I'm not sure if I've used the same one twice on this list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 5:30 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Understood on the constructed. Though it makes you wonder why that one is and whenChanged isn't. :o)

How about the overall more general question, is there a way to ascertain what would and wouldn't be displayed? For instance, is there something "query-able" that tells me ntsecuritydescriptor would or wouldn't be displayed.

joe

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Tue 11/9/2004 6:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

In this case:

Dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com
1 lDAPDisplayName: modifyTimeStamp;
1 systemFlags: 0x814 = ( FLAG_ATTR_IS_CONSTRUCTED | FLAG_SCHEMA_BASE_OBJECT | FLAG_DOMAIN_DISALLOW_RENAME );

Constructed attributes are only returned 1) If requested AND 2) if requested in a base search against the object

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 5:16 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Nope. Not every attribute is returned. I don't know personally what the logic is that specifies what is returned and what isn't. I would like to think it is something you can query out of the schema but I have never seen anything to substantiate that thought. It is easy to see it in action though, query the schema on 2K and do the same on K3. You will see certain attribs on certain objects returned in 2K but not in K3, you have to ask for them meaning that MS backed out the default return set. Why I don't know but helped someone with an App that blew up because of it. I don't recall exactly what the attribute was though, I purposely forgot it so I could have enough room in my head to remember the thing about ntsecuritydescriptors...

What about ntsecuritydescriptors you ask? ntsecuritydescriptor should be on every object but when have you seen a query where you didn't specifically specify you needed it that it did get returned? Answer, you have to ask for it. With adfind you would do something like

adfind -b somebase -f somefilter * ntsecuritydescriptor

That will return what I call the * set (star set) and also the ntsecuritydescriptor attribute.

I started to talk to ~Eric about this once before but I don't think we ever got to the part of the discussion concerning how it was determined what is returned and what isn't.

joe

From: [EMAIL PROTECTED] on behalf of AD
Sent: Tue 11/9/2004 6:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Hmm, I am a little bit confused joe. I did not ask for msExchAlObjectVersion but it returns it anyways. Isn't LDP supposed to return every attribute that is set for an object?

Thanks

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail
Sent: Tuesday, November 09, 2004 4:31 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Because you didn't request it. That one needs to be specifically requested, you can instead use whenChanged which is returned in the default * set.

joe

From: [EMAIL PROTECTED] on behalf of AD
Sent: Tue 11/9/2004 4:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] LDP does not return modifyTimeStamp attribute...

Does anyone know why LDP does not return the modifyTimeStamp attribute?
RE: [ActiveDir] Master Browser
The computer browser service is used to populate things like Network Neighborhood and isn't related to any of the FSMO roles or truly critical network use. Unless it's causing problems for your users, I wouldn't worry about it. If you do want to worry about it: http://support.microsoft.com/default.aspx?scid=kb;en-us;188305 I've used this article a couple of times to troubleshoot because a PHM thinks the network is down because he can only see 8 computers in Network Neighborhood, regardless of the status of e-mail and everything else. Dave David J. Perdue NetworkSecurity Engineer, InDyne Inc Comm: (805) 606-4597 DSN: 276-4597 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 9:01 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake -- Jake Stabl Network Engineer Plain Local Schools www.plainlocal.org Office - 330.492.3500 x. 383 Cell - 330.704.1278
RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome
It was just that the NEVER was pretty strong and this is a questioning type of group which is really good. This may or may not be a great best practice. The idea was to determine why you feel that this should be done this way. What have you avoided or protected against in implementing domain level polices this way or is it simply to more easily identify what is the default versus what you have chosen? The attach them wherever you need them is something you need to be careful with, since again, the domain level policies (not to be confused with domain gpo) can not be overridden due to how it is implemented as mentioned in some other posts. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jared Manhat Sent: Monday, November 08, 2004 4:53 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome Guy's it's not really worth going back-and-forth, and it's filling up my inbox. Modify whatever you want. Sorry for bringing it up. I, however, never modify the default policies. Instead I create custom policies and prefix with Accutest (my company name) so that they stand out, and attach them wherever I need them. Jared Manhat Systems Administrator Accutest Laboratories -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A. Sent: Monday, November 08, 2004 9:21 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome You could create a new policy at the domain level that would allow you to do these things. I however modify the Default Domain Policy for these things. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, November 05, 2004 10:20 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome Oh? 
How do you go about setting password policies, lockout policies, kerb policies, etc with this practice? Thanks. --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 -Original Message- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Jared Manhat Sent: Friday, November 05, 2004 3:07 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome You should never modify the Default Domain Policy, instead create a new one. Jared Manhat Systems Administrator Accutest Laboratories -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega Sent: Friday, November 05, 2004 11:01 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome Try under: Default Domain Policy -Computer Configuration -Windows Settings -Security Settings -Local Policies -Security Options -Message Title for users attempting to logon r/ Lou -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen Sent: Friday, November 05, 2004 10:52 AM To: '[EMAIL PROTECTED]' Subject: [ActiveDir] How to Enable a Warning Message During Windows Logon Welcome Hello, Running windows 2k ad and I was wondering if there is a way via group policy to Enable a Warning Message During Windows Logon Welcome. I know there is a reg hack for it, but I won't want to touch 300 desktops. Thanks. 
Christine List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Master Browser
I wouldn't turn off the service - I would (and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DC's is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser.

Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake

--
Jake Stabl
Network Engineer
Plain Local Schools
www.plainlocal.org
Office - 330.492.3500 x. 383
Cell - 330.704.1278
Re: [ActiveDir] Master Browser
Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake
Re: [ActiveDir] Master Browser
http://www.ultratech-llc.com/KB/?File=Browser.TXT - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:01:15 -0500, Jacob Stabl [EMAIL PROTECTED] wrote: One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake
RE: [ActiveDir] Master Browser
If you turn off the service to fix your problem you want to do it on the box that has taken over the role as Master Browser, not on the DC. David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597DSN: 276-4597 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 15, 2004 9:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Master Browser Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. 
Thanks Jake
Re: [ActiveDir] Excahnge suggestion
I joined, so I imagine I'll see soon. :) - Original Message - From: Lara, Greg [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, November 15, 2004 10:44 AM Subject: RE: [ActiveDir] Excahnge suggestion The msexchange.org list is quite active, I assure you. Greg Lara --- This e-mail message may contain privileged, confidential and/or proprietary information intended only for the person(s) named. If you are not the intended recipient, please destroy this message, and any attachments, and notify the sender by return e-mail. If you are not the intended recipient(s), or the employee or agent responsible for delivering the message to the intended recipient(s), you are hereby notified that any dissemination, disclosure or copying of this communication is strictly prohibited. --- -Original Message- From: Missy Koslosky [mailto:[EMAIL PROTECTED] Sent: Sunday, November 14, 2004 10:53 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Excahnge suggestion The old msexchange.org list is dead, kinda. It moved to swynk.com, then to internet.com, and can be subbed to at http://e-newsletters.internet.com/discussionlists.html/. I haven't checked to see if msexchange.org (new owners) have a list or not, but if they do, I'll sub there too. The best Exchange 2000/Exchange 2003 lists I'm on are run through yahoogroups, and hosted by Martin Tuip, an Exchange MVP. http://groups.yahoo.com/group/Exchange2000/ and http://groups.yahoo.com/group/exchange-2003/.
Re: [ActiveDir] dsadd user exchmbx
Yeah, I haven't seen Roger in a while! - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 11:29:20 -0500, joe [EMAIL PROTECTED] wrote: I will try to move heaven and Earth before I use WMI. :o) I like ADSI better than I like WMI and I dislike ADSI. Good to see you posting again Roger. It was good to see you at Jillian's as well. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad Sent: Thursday, November 11, 2004 3:01 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] dsadd user exchmbx Just so you don't go running too far down that path blindly, there is a WMI provider that can generate the content for your little QFE data. It seems to put out some useful info... On Sun, Oct 24, 2004 at 11:32:27AM -0400, joe wrote: LOL. I have been fleshing that out as well... It is going to probably take ADFIND V2.00.00 to do it. My current structuring doesn't easily allow me to do it. However, I have now committed myself to doing it in some future version. You all sold me. :) I also just wrote out some more notes for a new tool that runs on a local machine and updates the description of itself in AD and also the QFEs. You will recall we had a conversation on that previously. I still see nothing coming from MS so I want to do something. You are welcome for the tools. :o) joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Sunday, October 24, 2004 11:02 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] dsadd user exchmbx CSV in ADFIND first! :-) (lather, rinse, repeat!) Thanks for your tools, Joe. M _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, October 24, 2004 10:57 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] dsadd user exchmbx Yes, that should be fine. I am working out in my head now an adadd (fun name I know...) as well so you don't have to fall back to dsadd. 
Like the other ad* tools I have I want to keep it as generic as possible which is kind of fun to work out. :o) And you are very welcome. Glad you find the tools (or at least exchmbx) useful. joe _ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Thursday, October 21, 2004 7:40 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] dsadd user exchmbx Just so I am clear: if I want to create a bunch o' users from a simple batch file, I can use the dsadd command and THEN use the exchmbx tool to create their mailboxes. I can even do this from within the same simple batch file. Do I have this correct? As always, beaucoup de thanks, Joe. -- nme
RE: [ActiveDir] OU and Policies
I use Site GPOs extensively to have Site-specific logon scripts run. I just double-checked, and the logon/logoff script settings are definitely in the User portion of the GPO.

If I remember correctly, the computer determines what site it is in during GPO processing, and applies any associated Site GPO objects. This includes both parts of Site GPOs. In our case the logon script associated with the Site is launched from the User portion of the GPO, and maps the drives appropriate for that site.

User settings in Domain or OU policies will be applied after settings from the Site GPO, so they may override whatever User or Computer settings you are trying to apply in the Site GPO (Local-Site-Domain-OU...).

Jeff

Jeff Salisbury
Network Infrastructure and Security Manager
Belkin Corporation Information Services
www.belkin.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, November 12, 2004 2:11 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OU and Policies

Thanks for pointing out my boneheadedness - site policies will apply on the computer but do not apply to the user because, obviously, a user will never be part of an ip subnet. The site policies would work well for applying laptop settings for travelling laptops, not for setting user settings for multiple machines.

Sorry for any confusion I caused during my caffeine lacking state this morning.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
11/13/2004 08:58 AM ZE11
Please respond to ActiveDir

To: [EMAIL PROTECTED]
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OU and Policies

Mario,

I think you have got it now...
The OU that the USER belongs to should contain the policies you normally want

The OU the Citrix server belongs to should contain the Loopback option enabled. It should also contain the User policies that you want the user to get when they log on to Citrix

If you set Loopback processing to REPLACE, then the User will ONLY get the settings defined in the Citrix OU

If you set Loopback processing to MERGE, then the User will get their normal settings, followed by those in the Citrix OU.

I normally prefer MERGE since you don't have to create your common policies twice.

The blocking of policies confuses the situation and just

Note: I think James is mistaken about Site Policies. My understanding is that all that sites policies do is add another set of policies that the machines receive. It does not affect the user settings

Admittedly, if Loopback processing is enabled, the user will get the User component of the policies held in the CITRIX OU policy plus the User policies held in the site policy.

Can I just put in a plug for our free Policy Log Reporter. It makes it very easy to see exactly what is happening on the machine when policies were applied, i.e. what OU's and sites were checked, what policies were found, what were rejected because of security, what was rejected because of blocking, what was used because of loopback etc. Of course all the information is in the UserENV log, but you have to be someone like Darren to understand it!

http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Alan Cuthbertson

Policy Management Software:- http://www.sysprosoft.com/index.php?ref=activedir2f=pol_summary.shtml
ADM Template Editor:- http://www.sysprosoft.com/index.php?ref=activedir2f=adm_summary.shtml
Policy Log Reporter(Free) http://www.sysprosoft.com/index.php?ref=activedir2f=policyreporter.shtml

Confidential This e-mail and any files transmitted with it are the
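The processing order and the two loopback modes discussed in this thread can be modelled in a few lines. This is an added example, not code from any poster or from Microsoft: it assumes the Site -> Domain -> OU order with later GPOs winning as described above, leaves out local policy, block inheritance, enforcement and security filtering, and every GPO, OU, site and setting name in it is made up.

```python
"""Toy model of Group Policy user-setting resolution with loopback (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    user: dict = field(default_factory=dict)  # User Configuration settings only


@dataclass(frozen=True)
class Location:
    """Where an account object lives: its domain and OU chain, outermost OU first."""
    domain: str
    ou_path: tuple


def gpo_chain(links, site, loc):
    """Return GPOs in processing order: Site, then Domain, then parent OU down to child OU."""
    chain = list(links.get(("site", site), []))
    chain += links.get(("domain", loc.domain), [])
    for depth in range(1, len(loc.ou_path) + 1):
        chain += links.get(("ou", loc.ou_path[:depth]), [])
    return chain


def resolve_user_settings(links, site, user_loc, computer_loc, loopback=None):
    """Resolve the user-side settings a user receives when logging on to a computer.

    site is the site of the computer being logged on to.
    loopback is None, "merge" or "replace" (the mode set on the computer's side).
    Returns {setting: (value, name of the GPO that won)}.
    """
    if loopback not in (None, "merge", "replace"):
        raise ValueError("loopback must be None, 'merge' or 'replace'")
    user_chain = gpo_chain(links, site, user_loc)
    computer_chain = gpo_chain(links, site, computer_loc)
    if loopback == "replace":
        chain = computer_chain                # user's own GPOs are ignored
    elif loopback == "merge":
        # Computer's whole chain is appended, so site/domain GPOs in it are
        # processed a second time, after the user's OU GPOs.
        chain = user_chain + computer_chain
    else:
        chain = user_chain
    resolved = {}
    for gpo in chain:                         # last writer wins
        for setting, value in gpo.user.items():
            resolved[setting] = (value, gpo.name)
    return resolved


# --- Constructed sample directory (hypothetical names and settings) ---
SITE_GPO = GPO("HQ Site", {"logon_script": "map_hq_drives.cmd"})
DOMAIN_GPO = GPO("Domain Baseline", {"screensaver_timeout": 900})
STAFF_GPO = GPO("Staff Desktop", {"logon_script": "staff.cmd",
                                  "start_menu_run": "enabled",
                                  "wallpaper": "corp.bmp"})
CITRIX_GPO = GPO("Citrix Lockdown", {"start_menu_run": "disabled",
                                     "hide_drives": "C"})

LINKS = {
    ("site", "HQ"): [SITE_GPO],
    ("domain", "example.test"): [DOMAIN_GPO],
    ("ou", ("Staff",)): [STAFF_GPO],
    ("ou", ("Servers", "Citrix")): [CITRIX_GPO],
}

USER = Location("example.test", ("Staff",))
WORKSTATION = Location("example.test", ("Workstations",))
CITRIX_SERVER = Location("example.test", ("Servers", "Citrix"))

if __name__ == "__main__":
    cases = [("workstation, no loopback", WORKSTATION, None),
             ("Citrix server, merge", CITRIX_SERVER, "merge"),
             ("Citrix server, replace", CITRIX_SERVER, "replace")]
    for label, computer, mode in cases:
        print(label)
        result = resolve_user_settings(LINKS, "HQ", USER, computer, mode)
        for setting, (value, winner) in sorted(result.items()):
            print(f"  {setting} = {value!r}  (from {winner})")
```
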
RE: [ActiveDir] Master Browser
I found it better to turn it off on all client workstations and just leave it running on the DC's As long as you have WINS for NT 4.0 Networks, and for Windows 2000 and Above networks, just make sure your DNS servers are working properly and leave the DC's with it on. If you try and troubleshoot Master Browser issues on a large network you will be working on the issue forever! Good Luck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT Sent: Monday, November 15, 2004 11:58 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Master Browser If you turn off the service to fix your problem you want to do it on the box that has taken over the role as Master Browser, not on the DC. David J. Perdue Network Security Engineer, InDyne Inc Comm: (805) 606-4597DSN: 276-4597 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 15, 2004 9:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Master Browser Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01. 
Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake *** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***
[ActiveDir] adfind and -excl
Adfind.exe has a switch called excl which basically exclude certain attributes. Does anyone know if it can do the opposite? I want to specify only certain attributes to include. (too many to exclude) Devon Harding Windows Systems Engineer Southern Wine Spirits - GSD 954-602-2469 __This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
[ActiveDir] Syskey and AD
Is it still necessary to syskey DC's? On NT 4.0 we always did that. Does the same apply for Windows 2003? *** The contents of this communication are intended only for the addressee and may contain confidential and/or privileged material. If you are not the intended recipient, please do not read, copy, use or disclose this communication and notify the sender. Opinions, conclusions and other information in this communication that do not relate to the official business of my company shall be understood as neither given nor endorsed by it. ***
[ActiveDir] ADMT migrated users
Hi all, I used ADMT2 to migrate some users from an NT4 domain to a 2003 Domain. The accounts came across, but some of the user attributes did not (first name, last name). Did I do something wrong, or is this normal behavior? Also, after filling in the first name and last name and display name, the username is still what is displayed in the name field aduc. New accounts display the display name property. Any ideas on how I can get what is in the display name to display in the name field in ADUC? Thanks in advance.
RE: [ActiveDir] adfind and -excl
Sure. Just name them on the command line

    adfind -gc -b "" -f name=joe samaccountname homeMDB blah1 blah2 blah3 blah4

Basically ADFind takes a couple of main parameters

    Search Base
    Search Filter
    Attributes to Return

If no filter is specified, unless it is a BASE scope search, it will fail. If it is a BASE scope it will assume objectclass=*

If no base (or special base such as -root, -schema, -default, etc) it will fail.

If no attributes specified it will return the * set which is the default return set for a given object. If you want everything in the * set PLUS some stuff not normally there you can specify * as one of the attributes along with others.

    adfind -gc -b "" -f objectcategory=group * modifyTimeStamp ntsecuritydescriptor

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Monday, November 15, 2004 2:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] adfind and -excl

Adfind.exe has a switch called excl which basically exclude certain attributes. Does anyone know if it can do the opposite? I want to specify only certain attributes to include. (too many to exclude)

Devon Harding
Windows Systems Engineer
Southern Wine Spirits - GSD
954-602-2469

This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use or distribution of the information included in the message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank You.
RE: [ActiveDir] ADMT migrated users
We are using Quest/Aelita Domain Migration Wizard to pull these fields across. It worked a LOT better than ADMT for us. It pulls anything you want across. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janson Anderson Sent: Monday, November 15, 2004 2:07 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] ADMT migrated users Hi all, I used ADMT2 to migrate some users from an NT4 domain to a 2003 Domain. The accounts came across, but some of the user attributes did not (first name, last name). Did I do something wrong, or is this normal behavior? Also, after filling in the first name and last name and display name, the username is still what is displayed in the name field aduc. New accounts display the display name property. Any ideas on how I can get what is in the display name to display in the name field in ADUC? Thanks in advance. ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
Re: [ActiveDir] ADMT migrated users
You could add the display name field through (right click - view - add/remove columns). Jordan On Mon, 15 Nov 2004 14:06:41 -0600, Janson Anderson [EMAIL PROTECTED] wrote: Hi all, I used ADMT2 to migrate some users from an NT4 domain to a 2003 Domain. The accounts came across, but some of the user attributes did not (first name, last name). Did I do something wrong, or is this normal behavior? Also, after filling in the first name and last name and display name, the username is still what is displayed in the name field aduc. New accounts display the display name property. Any ideas on how I can get what is in the display name to display in the name field in ADUC? Thanks in advance.
[ActiveDir] RDP
I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution?
Re: [ActiveDir] ADMT migrated users
I looked at that. IIRC we couldn't afford it. On Mon, 15 Nov 2004 14:09:46 -0600, Rimmerman, Russ [EMAIL PROTECTED] wrote: We are using Quest/Aelita Domain Migration Wizard to pull these fields across. It worked a LOT better than ADMT for us. It pulls anything you want across. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janson Anderson Sent: Monday, November 15, 2004 2:07 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] ADMT migrated users Hi all, I used ADMT2 to migrate some users from an NT4 domain to a 2003 Domain. The accounts came across, but some of the user attributes did not (first name, last name). Did I do something wrong, or is this normal behavior? Also, after filling in the first name and last name and display name, the username is still what is displayed in the name field aduc. New accounts display the display name property. Any ideas on how I can get what is in the display name to display in the name field in ADUC? Thanks in advance. ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
Re: [ActiveDir] RDP
Ellis, Debbie wrote: I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). You don't need enterprise edition for that. I'm doing it with standard edition and it works fine. The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution? Does this happen as soon as the connection is established, or while you're logging on? I've never been a fan of domain controller upgrades. Too many things can break or become unstable. You're better off demoting it and rebuilding it from scratch. - Robbie -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
RE: [ActiveDir] RDP
Hi Debbie,

This is not an answer but I wonder if you see a difference in behavior if you use the "/console" switch in your call to mstsc.exe (ie, "mstsc.exe /console")?

Mike Thommes

-----Original Message-----
From: Ellis, Debbie [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 2:15 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] RDP

I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade.

Has anyone experienced this problem or know a solution?
RE: [ActiveDir] RDP
When it tries to connect, before the log on screen. Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust Sent: Monday, November 15, 2004 3:32 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] RDP Ellis, Debbie wrote: I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). You don't need enterprise edition for that. I'm doing it with standard edition and it works fine. The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution? Does this happen as soon as the connection is established, or while you're logging on? I've never been a fan of domain controller upgrades. Too many things can break or become unstable. You're better off demoting it and rebuilding it from scratch. - Robbie -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
Re: [ActiveDir] RDP
Ellis, Debbie wrote: When it tries to connect, before the log on screen. I don't know if it will help with Windows 2003 RD but some time ago I have similar problems with Windows 2000 terminal services - upgrading graphic card driver helps. -- Tomasz Onyszko [MVP] [EMAIL PROTECTED] http://www.w2k.pl
RE: [ActiveDir] RDP
There are a number of PKI things that can't be done without Enterprise Edition. I believe the most important being extra certificate templates that can be used (although my terminology may be wrong). Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust Sent: Monday, November 15, 2004 3:32 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] RDP Ellis, Debbie wrote: I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). You don't need enterprise edition for that. I'm doing it with standard edition and it works fine.
RE: [ActiveDir] RDP
We had some issues with the way we had delegated our help desk authority for some computer and user work. Take a look at this article and see if it applies: http://support.microsoft.com/default.aspx?scid=kb;en-us;818080 From: Ellis, Debbie [mailto:[EMAIL PROTECTED] Sent: Monday, November 15, 2004 12:15 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] RDP I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution? -- The information in this e-mail and any attachments are for the sole use of the intended recipient and may contain privileged and confidential information. If you are not the intended recipient, any use, disclosure, copying or distribution of this message or attachment is strictly prohibited. If you believe that you have received this e-mail in error, please contact the sender immediately and delete the e-mail and all of its attachments. ==
RE: [ActiveDir] AD OpenLDAP
Two comments on this since I own this product at Microsoft: SP1 for the IIFP (and MIIS) is due out at the end of this month. We have changed the SQL requirements so that a customer can use SQL Enterprise or SQL Standard. With SP1 we have started to bundle other components into our base product. However, not SQL with SP1. It is my intent though, to include SQL with both the IIFP MIIS Enterprise Edition in the next major release. So the key takeaway I'd like to leave with you is this: We hear you and have taken the first step in a plan to make this happen. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, November 15, 2004 9:11 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD OpenLDAP Note that while IIFP is free, it does require SQL Server 2000 Enterprise Edition for production use which is decidedly NOT free. It also requires an Enterprise Windows Server 2003 license and install. This was something that was pointed out to MS last April at the MVP summit as being a high barrier to implementation. The fact that you had to pay for SQL Server and that you had to use SQL at all instead of just being able to ODBC into whatever your corporate Database standard solution is. Honestly, the Database should be integrated into the product in such a way that there is no additional cost to the free product and there is no additional overhead to maintain it. The idea behind IIFP it seemed to me to help enable a company to use MS tech. They said it was free to make it even more enticing, however I think having to pay for and learn SQL defeats it. I know of an MCS friend who has had to go back to a company three times now because the MOM implementation blew up because of backend Database failures because the people didn't know how to manage SQL 2000 and didn't seem to be willing to invest in learning the product. They bought a monitoring solution and wanted to learn monitoring stuff, they didn't want to have to become DBA's. 
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield Sent: Friday, November 05, 2004 5:02 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] AD OpenLDAP There are two versions of MIIS - Paid version and a free add-on -Identity Integration Feature Pack for Microsoft Windows Server Active Directory http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en steve - Original Message - From: Salandra, Justin A. [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, November 04, 2004 12:59 PM Subject: RE: [ActiveDir] AD OpenLDAP Does MIIS stand for Microsoft Internet Information Services? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, November 04, 2004 10:52 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD OpenLDAP AD is quick, painless and mostly maintenance free. That's easy. Think of it as an app that comes with its own directory just like so many others :) Sounds like you want the account lifecycles to be authoritative in another system and just have them flow down to AD. If that's the case, then MIIS might be your ticket. It could also be that you want to have a look at the current metadirectory systems you have (for lack of a better name even if they're homegrown) to see if they can do what you want. For more reading on the product and how to plan, deploy, and run it have a look at the website: http://www.microsoft.com/ad Note that AD relies heavily on DNS which is the usual biggest fight for deployment. Best bet is to delegate a sub zone for AD usage and get the workstations to use a AD DNS and forwarders to other DNS systems if your environment is similar to ones I've seen before. That allows your AD infrastructure to be self-contained and mostly integrated with the other systems in the landscape. 
Over time somebody is bound to realize that the AD is the more important of the systems as it contains and controls the desktops which are the only access points of gates to the back room infrastructure. Helps to have it in place and working first though :) Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Romeyn Prescott Sent: Thursday, November 04, 2004 10:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] AD OpenLDAP I want the users of the PCs I manage to authenticate against AD so I can use Group Policies to manage (or micromanage) their permissions on the computer based either on A) who they are and/or B) which computer it is. Not having had a Windows server newer than NT4 to play/experiment with before now, I'm only going based on what I've read and seen others talk about on other lists. We run SCT Banner on a VAX. That is where all student data gets initially entered. Changes to that data are frequently sent to another of our systems, and that userbase is
RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG
Jorge, Sorry, I forgot to mention in my previous send that I did that as well on the other two DC's. Thank you for the reminder as it would have come in handy if I had of forgotten. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Monday, 15 November 2004 8:09 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG Hi, Remember: * if you're doing a D2 on some DC it is not mandatory to do a D4 on another DC. * if you're doing a D4 on some DC it IS mandatory to do a D2 on all other replica's!!! See http://support.microsoft.com/default.aspx?scid=kb;en-us;290762 section authoritative restore Regards, Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Friday, November 12, 2004 00:24 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG Eric, Thanks for all your information here. I read up on it and consulted Microsoft it was a D4 that was actually required due to this machine being the Main DC. All changes were made on this machine and it was not replicating the changes out to the other servers. I also checked to see why it Journal Wrapped and Microsoft also suggested it was due more than likely due to the stability of the machine. (It use to restart itself for what appeared to be no reason several times a day but that has now been resolved as well.) The change was smooth sailing as it is only a small site. FRS is happening sweetly now. Thanks again. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, 26 October 2004 10:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG It's unpleasant only in that you vvJoin. I'd suggest doing it off hours, but unless it's a HUGE data set, it probably will be smooth sailing. 
I'd definitely check out some KB articles on it first (search on burflags and D2 to find them) but really, it shouldn't be all that bad. Again, if you have a large data set (many gigs) it's worth talking about. If it's small, no worries. Also, Ultrasound? Not sure what you mean here. Ah, Ultrasound is the tool we release for monitoring FRS replica sets. http://www.microsoft.com/downloads/details.aspx?FamilyID=61acb9b9-c354-4f98-a823-24cc0da73b50&displaylang=en ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, October 25, 2004 6:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG Eric, I am running SP4. It sounds like a D2 is not a pleasant action to take from your If Afraid comment. I will read up on this as much as possible but are there any major dangers of doing a D2 as this error is coming up on our main PDC which is all the Operations Masters and Catalog Server. It is also our Exchange2000 box. I am a little concerned that if I make a change with this D2 that there could be ramifications that cause a bigger problem. Also, Ultrasound? Not sure what you mean here. Yeah, the last statement did make sense. I am not heaps familiar with Win2000. I am learning a lot as I go but we had Professionals come in and set things up and we have had many a trouble. I am trying to fix all the troubles as I go along etc. Thanks for your help so far and I appreciate any final thoughts etc that you can give me with doing a D2 and setting up Ultrasound. Rodney -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, 26 October 2004 6:20 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG If the value isn't there, then that means you're using Windows defaults. If you're journal wrapping with SP3+, you almost definitely had a long-term replication issue. 
I'd suggest: 1) D2 the node - that's the recovery from a journal wrap I'm afraid 2) Set up Ultrasound to monitor FRS in the long term. #2 will let you know you have a problem before you have a problem, if that makes sense. :) ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rodney Gardiner Sent: Monday, October 25, 2004 12:41 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] JRNL_WRAP_ERROR in File Replication Service Event LOG Eric, Thanks for the info. I took a look at the registry setting to see how big the Journal Size was as per the KB Article:- HKLM\System\CCS\Services\NTFRS\Parameters\Ntfs Journal size in MB (REG_DWORD) Does this need to be added?? But I do not have that setting in that registry position. The closest I had was:- HKLM\System\CCS\Services\NTFRS\Parameters\Staging Space Limit in KB (REG_DWORD) and it was 675840 I also checked the WinNT\Ntfrs\jet Folder
RE: [ActiveDir] Indexing an attribute
On 2k if you index this attribute it would have no impact on the dit and no impact on perf. The attribute doesn't exist in the true sense of the word. Rather, it is a query of a table that yields the value of the attribute. Therefore no new index will be created in 2k. In 2k03 the same index is there but QP uses it and therefore gets the perf benefit. Glad that the list learned something new. That's always a good thing. More generally, QP is better and faster (does better==faster for QP you think?) in 2k03 than 2k. This is a big example, but there are others both big and small. ~Eric From: joe [mailto:[EMAIL PROTECTED] Sent: Monday, November 15, 2004 10:46 AM To: [EMAIL PROTECTED] Cc: Eric Fleischman; 'Stacer, David (D.J.)' Subject: RE: [ActiveDir] Indexing an attribute Ok after further discussions with ~Eric on this and some testing in AD/AM on my flight back to MI and against one major Active Directory since being back I have learned something very cool. In Windows Server 2003 AD there should be no real difference in speed in hitting the FL's of a linked attribute and the BL's. This is a huge change in AD from Windows 2000. In Windows 2000 there was no doubt that pulling the memberof attribute of cn=joe,cn=users,dc=joe,dc=com was not only faster than pulling the group DNs based on the following query (member=cn=joe,cn=users,dc=joe,dc=com) but not even worth comparison in larger deployments. Now, in K3 AD these times are almost equal in every test I have done so far. This is EXTREMELY cool and helps with an issue with enumerating groups for a user across a forest. No longer in K3 AD would you need to query the memberof attribute of a user on a GC in every domain. 
Of course if running from a Windows machine it may still be more performant to hit every GC and grab the tokenGroups attribute so you can avoid having to recurse into the groups for nesting but from a non-Windows platform where binary blob of the SID to userid may be a pain this is a great boon to have this search speed be so much better. Specific to the post below, this means you do NOT have to go against the homeMDBBL to get the list of users in a given Exchange Database in a performant way. You can query the FL's via a query as simple as (homeMDB=blah blah blah). Where blah blah blah is the full DN of the store you are interested in. This is just one more reason to deploy K3 out there... After rereading the whole thread again, this brings up a question in my mind for ~Eric I didn't ask offline but which goes back to the heart of the original question. On 2K specifically if you index this attribute, what would be the impact to the size of the DIT? Since it is already implicitly indexed I would think that should mean there is no impact. Would that be accurate? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail Sent: Wednesday, November 10, 2004 7:14 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Indexing an attribute I sit corrected. :o) I guess what I meant is that a linked attribute is used as an implied indexed attribute for queries in K3. Might be interesting to just have the engine light the indexed flag of any attributes that are linked and clear all confusion in K3. On another topic, I know everyone on the list is jealous, I actually met ~Eric face to face today. He looks amazingly like Tom Cruise. joe From: [EMAIL PROTECTED] on behalf of Eric Fleischman Sent: Wed 11/10/2004 5:56 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Indexing an attribute That's not entirely true either, but close. A more accurate statement: the index is not used _by query processor_ in 2k, but is in 2k03. 
The index is used by other things in AD in 2k, like a simple read of the member attribute of a group. ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, November 10, 2004 6:03 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Indexing an attribute Note what he indicates though. Indexed for free due to the nature of being a linked attribute, ***but the index isn't used unless it is on Windows Server 2003 AD***. I actually spoke to ~Eric about this in the past and it had completely slipped my mind when discussing here. The whole idea is that someone at MS realized, hey wait, basically all of the linking info needed for these attributes is already available and so they enhanced the engine to take advantage of it. This is just one more reason to use Windows Server 2003 for your Domain Controllers. But again, use the BL if it is possible for you. Much much faster. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Holland Matthew BC GB Sent: Wednesday, November 10, 2004 2:08 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] Indexing an
RE: [ActiveDir] LDP does not return modifyTimeStamp attribute...
3 words: blah, blah and blah :) I'll try and revisit this sometime this week. Sorry, I lost track of it. ~Eric From: joe [mailto:[EMAIL PROTECTED] Sent: Monday, November 15, 2004 11:16 AM To: [EMAIL PROTECTED] Cc: Eric Fleischman Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... ping ~Eric Pinging ~Eric.texas.cpr.microsoft.com [xx.xx.xx.xx] with 32 bytes of data: Request timed out. Request timed out. :o) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, November 09, 2004 7:44 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Let me digest a bit and report back. The answer is probably yes, I just need to think about it. aside Have you noticed that every ldp snip I do is from a different domain? Yes, I have that many forests in virtual machines. I just noticed that I'm not sure if I've used the same one twice on this list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail Sent: Tuesday, November 09, 2004 5:30 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Understood on the constructed. Though it makes you wonder why that one is and whenChanged isn't. :o) How about the overall more general question, is there a way to ascertain what would and wouldn't be displayed? For instance, is there something query-able that tells me ntsecuritydescriptor would or wouldn't be displayed. joe From: [EMAIL PROTECTED] on behalf of Eric Fleischman Sent: Tue 11/9/2004 6:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... 
In this case: Dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=corp,DC=microsoft,DC=com 1> lDAPDisplayName: modifyTimeStamp; 1> systemFlags: 0x814 = ( FLAG_ATTR_IS_CONSTRUCTED | FLAG_SCHEMA_BASE_OBJECT | FLAG_DOMAIN_DISALLOW_RENAME ); Constructed attributes are only returned 1) If requested AND 2) if requested in a base search against the object ~Eric From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail Sent: Tuesday, November 09, 2004 5:16 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Nope. Not every attribute is returned. I don't know personally what the logic is that specifies what is returned and what isn't. I would like to think it is something you can query out of the schema but I have never seen anything to substantiate that thought. It is easy to see it in action though, query the schema on 2K and do the same on K3. You will see certain attribs on certain objects returned in 2K but not in K3, you have to ask for them meaning that MS backed out the default return set. Why I don't know but helped someone with an App that blew up because of it. I don't recall exactly what the attribute was though, I purposely forgot it so I could have enough room in my head to remember the thing about ntsecuritydescriptors... What about ntsecuritydescriptors you ask? ntsecuritydescriptor should be on every object but when have you seen a query where you didn't specifically specify you needed it that it did get returned? Answer, you have to ask for it. With adfind you would do something like adfind -b somebase -f somefilter * ntsecuritydescriptor That will return what I call the * set (star set) and also the ntsecuritydescriptor attribute. I started to talk to ~Eric about this once before but I don't think we ever got to the part of the discussion concerning how it was determined what is returned and what isn't. 
joe From: [EMAIL PROTECTED] on behalf of AD Sent: Tue 11/9/2004 6:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Hmm, I am a little bit confused joe. I did not ask for msExchAlObjectVersion but it returns it anyways. Isn't LDP supposed to return every attribute that is set for an object? Thanks From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of listmail Sent: Tuesday, November 09, 2004 4:31 PM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: [ActiveDir] LDP does not return modifyTimeStamp attribute... Because you didn't request it. That one needs to be specifically requested, you can instead use whenChanged which is returned in the default * set. joe From: [EMAIL PROTECTED] on behalf of AD Sent: Tue 11/9/2004 4:24 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] LDP does not return modifyTimeStamp attribute... Does anyone know why LDP does not return the modifyTimeStamp attribute?
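The ldp snip in this thread reads the constructed flag straight from the schema object's systemFlags, which is one queryable answer to "what will the * set leave out". As an added example (not code from any poster in this thread), the Python below decodes systemFlags from an LDIF schema export and builds the attribute list to request; the LDIF records, their flag values and the `also_explicit` parameter are constructed for illustration, and the flag names follow the MS-ADTS system flags table.

```python
import re

# systemFlags bits for attributeSchema objects (names as listed in MS-ADTS).
SYSTEM_FLAGS = {
    0x00000001: "FLAG_ATTR_NOT_REPLICATED",
    0x00000002: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x00000004: "FLAG_ATTR_IS_CONSTRUCTED",
    0x00000008: "FLAG_ATTR_IS_OPERATIONAL",
    0x00000010: "FLAG_SCHEMA_BASE_OBJECT",
    0x00000020: "FLAG_ATTR_IS_RDN",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}
FLAG_ATTR_IS_CONSTRUCTED = 0x00000004

# Constructed sample input: a few schema records in LDIF form. The DNs use a
# placeholder domain and the flag values are sample data, not a real export.
SAMPLE_LDIF = """\
dn: CN=Modify-Time-Stamp,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: modifyTimeStamp
systemFlags: 134217748

dn: CN=When-Changed,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: whenChanged
systemFlags: 19

dn: CN=Token-Groups,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: tokenGroups
systemFlags: 134217748

dn: CN=NT-Security-Descriptor,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: nTSecurityDescriptor
systemFlags: 18

dn: CN=Example-Custom-Attr,CN=Schema,CN=Configuration,DC=example,DC=com
lDAPDisplayName: exampleCustomAttr
"""


def decode_system_flags(value):
    """Return (flag names, leftover unknown bits) for a systemFlags value.

    LDIF exports print systemFlags as a signed 32-bit decimal, so negative
    values are folded back into the unsigned range first.
    """
    value &= 0xFFFFFFFF
    names = [name for bit, name in sorted(SYSTEM_FLAGS.items()) if value & bit]
    known = 0
    for bit in SYSTEM_FLAGS:
        known |= bit
    return names, value & ~known


def parse_schema_ldif(text):
    """Map lDAPDisplayName -> systemFlags (0 when the attribute is absent)."""
    schema = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, val = line.partition(":")
            fields[key.strip().lower()] = val.strip()
        name = fields.get("ldapdisplayname")
        if name:
            schema[name] = int(fields.get("systemflags", "0"), 0)
    return schema


def constructed_attributes(schema):
    """Attributes whose schema object carries FLAG_ATTR_IS_CONSTRUCTED."""
    return sorted(n for n, f in schema.items() if f & FLAG_ATTR_IS_CONSTRUCTED)


def build_attribute_list(wanted, schema, also_explicit=()):
    """Return (request list, names not found in the schema).

    The request list is '*' plus every wanted attribute that has to be named:
    constructed ones, and any listed in also_explicit (a hypothetical knob for
    non-constructed attributes such as nTSecurityDescriptor, which the thread
    says must be asked for even though the constructed flag is not set).
    """
    explicit = {a.lower() for a in also_explicit}
    by_lower = {n.lower(): n for n in schema}
    request, unknown = ["*"], []
    for attr in wanted:
        canonical = by_lower.get(attr.lower())
        if canonical is None:
            unknown.append(attr)
        elif (schema[canonical] & FLAG_ATTR_IS_CONSTRUCTED
              or canonical.lower() in explicit) and canonical not in request:
            request.append(canonical)
    return request, unknown


if __name__ == "__main__":
    schema = parse_schema_ldif(SAMPLE_LDIF)
    for name, flags in schema.items():
        print(name, hex(flags & 0xFFFFFFFF), decode_system_flags(flags))
    print(build_attribute_list(["whenChanged", "modifyTimeStamp"], schema))
```

The returned list has the same shape as the adfind call quoted above: `*` followed by the names that the star set will not bring back.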
RE: [ActiveDir] RDP
What type of server is this? Specifically what video card? I had a machine I was using as a test server with an ATI card in it. Whenever I connected via Terminal Services the thing would boot on me. Updating the video card driver fixed it for me. Mike -Original Message- From: Ellis, Debbie [mailto:[EMAIL PROTECTED]] Sent: Monday, November 15, 2004 3:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RDP When it tries to connect, before the log on screen. Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robbie Foust Sent: Monday, November 15, 2004 3:32 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] RDP Ellis, Debbie wrote: I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). You don't need enterprise edition for that. I'm doing it with standard edition and it works fine. The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution? Does this happen as soon as the connection is established, or while you're logging on? I've never been a fan of domain controller upgrades. Too many things can break or become unstable. You're better off demoting it and rebuilding it from scratch. - Robbie -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
RE: [ActiveDir] Master Browser
Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.) Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 15, 2004 10:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Master Browser Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. 
Thanks Jake
Re: [ActiveDir] Master Browser
Yes, but you do have to make sure that you have at least one machine on each subnet... I'm going to make sure that I clarify that in an update of the article... -ASB On Mon, 15 Nov 2004 17:47:00 -0700, Tyson Leslie [EMAIL PROTECTED] wrote: Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.) Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 15, 2004 10:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Master Browser Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01. 
Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake
[ActiveDir] Terminal Services licenses
Hi all, We have a number of per device licenses that are dished out to computers that connect to our Terminal Servers. As you may know they have this annoying feature that the license is taken from the pool and assigned to a particular device for a random number of days between 52 - 89. Does anyone know of a way to forcefully revoke these licenses? Thanks Sakti
RE: [ActiveDir] RDP
Have you set the offending box to do a kernel memory dump then passed it through Windbg to see what's actually happening? What's the blue screen stop code? Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ellis, Debbie Sent: Monday, November 15, 2004 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RDP When it tries to connect, before the log on screen. Debbie Ellis Systems Administrator Viasat, Inc. 4356 Communications Drive Norcross, GA 30093 678-924-2591 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust Sent: Monday, November 15, 2004 3:32 PM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] RDP Ellis, Debbie wrote: I recently upgraded one of our Windows 2003 Domain Controllers to Enterprise Edition. (Needed for Certificates, auto enrollment). You don't need enterprise edition for that. I'm doing it with standard edition and it works fine. The problem I am having is when I try to connect remotely via Remote Desktop Protocol, the server reboots. It worked fine before the upgrade. Has anyone experienced this problem or know a solution? Does this happen as soon as the connection is established, or while you're logging on? I've never been a fan of domain controller upgrades. Too many things can break or become unstable. You're better off demoting it and rebuilding it from scratch. 
- Robbie -- Robbie Foust, IT Analyst OIT/CASI - Administrative Information Support Duke University
RE: [ActiveDir] Master Browser
I personally favor disabling it on all workstation machines. There's little harm in leaving it running on servers, even non DC's. The big question is whether or not its needed - are the browse list issues relevant enough to fix. In other words, is there a minor change to usage that would eliminate the issue entirely? The biggest place I'd expect to see this is if users are publishing shares from their own machines. Roger Seielstad E-mail Geek MS-MVP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie Sent: Monday, November 15, 2004 4:47 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.) Tyson. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, November 15, 2004 10:46 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] Master Browser Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog. - ASB Cheap, Fast, Secure -- Pick Any TWO. http://www.ultratech-llc.com/KB/ On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote: I wouldn't turn of the service - -I would ( and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Monday, November 15, 2004 12:16 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Master Browser To stop this error message, you will need to turn off the Computer Browser service. 
The error message is actually an informational message telling you about the browser status of computer CCDC01. Ken Adams -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Monday, November 15, 2004 12:01 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Master Browser One of my DC's is returning the following error and I'm not sure what to do: The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005 This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore. Thanks Jake
RE: [ActiveDir] Master Browser
So, really the only thing this service does is allow users to click through the Network Neighborhood (or its successors). Is it correct that it does not prevent users from finding devices from the run line or (obviously) from mapped drives?

As for publishing shares from workstations ... (zoinks!) you may have bigger fish to fry! ;-)

-- nme

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, November 15, 2004 10:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

I personally favor disabling it on all workstation machines. There's little harm in leaving it running on servers, even non DC's.

The big question is whether or not it's needed - are the browse list issues relevant enough to fix. In other words, is there a minor change to usage that would eliminate the issue entirely? The biggest place I'd expect to see this is if users are publishing shares from their own machines.

Roger Seielstad
E-mail Geek
MS-MVP

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tyson Leslie
Sent: Monday, November 15, 2004 4:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

Do you still suggest turning it off on all servers and workstations (as per your KB article), even in an all W2K or better environment? We have done so (via group policy) for quite some time, but recently ended up having to defend this decision to an admin in one of our other offices, because he was encountering browse list issues in his domain. (We have left it running on the Domain Controllers only.)

Tyson.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, November 15, 2004 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Master Browser

Turning off the service is a *much* better approach and doesn't generate any errors in the EventLog.

- ASB
Cheap, Fast, Secure -- Pick Any TWO.
http://www.ultratech-llc.com/KB/

On Mon, 15 Nov 2004 12:34:06 -0500, Craig Cerino [EMAIL PROTECTED] wrote:

I wouldn't turn off the service - I would (and do) go into the registry and tell the box it is NOT a Master Browser and NOT to maintain a list.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken)
Sent: Monday, November 15, 2004 12:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Master Browser

To stop this error message, you will need to turn off the Computer Browser service. The error message is actually an informational message telling you about the browser status of computer CCDC01.

Ken Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, November 15, 2004 12:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Master Browser

One of my DC's is returning the following error and I'm not sure what to do:

The browser has received a server announcement indicating that the computer CCDC01 is a master browser, but this computer is not a master browser. Event ID 8005

This DC holds none of the FSMO roles so I'm not sure what I need to tell this server so I don't get this error anymore.

Thanks
Jake

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
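
The two approaches debated in this thread (disabling the Computer Browser service, or using the registry to keep a machine out of the browser role) can be checked per machine before deciding which to roll out. The PowerShell below is an added example, not part of any poster's message: `Get-BrowserPosture` is a hypothetical name, it assumes an elevated local session, and it assumes browser events such as ID 8005 are written to the System log.

```powershell
# Added example: report Computer Browser posture; -Disable also turns the service off.
# Get-BrowserPosture is a hypothetical name. Run in an elevated local session.
function Get-BrowserPosture {
    [CmdletBinding()]
    param([switch]$Disable)

    $svc = Get-Service -Name 'Browser' -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Nothing to audit: the service is not installed on this machine.
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Installed = $false }
    }

    if ($Disable) {
        # The "turn off the service" approach from the thread.
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name 'Browser' -Force }
        Set-Service -Name 'Browser' -StartupType Disabled
    }

    # The registry approach from the thread relies on these two values:
    #   MaintainServerList = No    -> never act as a browser server
    #   IsDomainMaster     = False -> not a preferred master browser
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'
    $parm = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Recent occurrences of the event quoted in the thread (ID 8005).
    # Assumption: browser events land in the System log. The filter is by ID only,
    # so the provider of the newest hit is reported for confirmation.
    $filter = @{ LogName = 'System'; Id = 8005 }
    $hits = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue)

    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Browser'"
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        Installed          = $true
        State              = $cim.State
        StartMode          = $cim.StartMode
        MaintainServerList = $parm.MaintainServerList
        IsDomainMaster     = $parm.IsDomainMaster
        Recent8005         = $hits.Count
        LastProvider       = ($hits | Select-Object -First 1).ProviderName
    }
}

Get-BrowserPosture   # read-only; add -Disable to stop and disable the service
```

A machine that reports `StartMode` of `Disabled` cannot take part in browser elections regardless of the registry values, which is why the service approach and the registry approach do not need to be combined.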