RE: [ActiveDir] Forest trusts vs trusts within forests
That may be a matter of personal preference and of the way that your DNS is currently set up. Granted - in the scenario I described, stubs would have the benefit of being AD integrated and would thus replicate to any DC-DNS server, but if you have to combine two different DNS worlds with a non-contiguous namespace, conditional forwarding may be more straightforward.

Cheers,
Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, January 08, 2005 12:33 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

No, Dean. You are all alone in your own little "stubby" world :o) Actually, I use stubs, especially in the scenario Guido described. I wouldn't introduce CF or secondaries in that situation.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Dean Wells
Sent: Fri 1/7/2005 3:21 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Does nobody but me like or even prefer stub zones? ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, January 07, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

I'd say JFK jr. answered it between the lines ;-) Happy New Year John and all!

A domain in a separate forest with a trust to another forest will be less risky than a domain within the same forest - esp. under the circumstances that Dave described (such as limited physical security in the remote offices). So without going into details, with the information given I'd say two forests + trusts is a valid choice. If you require Kerberos auth. between the two domains (in the two forests), then both would need to run 2003. Otherwise it'll be an "NT4 style" external trust using NTLM auth. Naturally you'll have a little more hassle with DNS, but the second domain/forest could certainly use a child zone of the existing forest (e.g. 1st domain = company.com, 2nd domain = child.company.com) and you will need to set up your zone transfers or forwarding appropriately (again something which is done more easily with Win2003's conditional forwarding...)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 11:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered? The original that I read was that you wanted to know if you had two separate forests with trusts, would that create the same risks as if they were in the same forest. I *think* I read that correctly. I think John had a lot of great information in there, but I got to the thread too late, which makes it harder to read and tell what was said etc. Just curious mostly.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 3:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Thanks John. To answer your questions:

1) The topology is hub/spoke. I would put a couple of DCs for the new forest in the hub location.

2) Regarding replication, most of these sites have few to no Exchange users - those that do use OWA. So, I'm not worried about losing the common GC that a single forest provides. I'll need to work with the Exchange team to see if/how any future plans impact this assessment, of course. Bandwidth is not the issue for wanting to compartmentalize replication. It's more about having a r/w copy of the internal directory at all of these sites that have no use for it.

3) The applications would by and large be at the central location. Some could live in the second forest (see #1). I'm certain that the business will want some of these users to access some apps in the internal forest, though - hence the need to trust the new forest. I'm also sure that our support people will want the new forest to trust the internal forest to make it easier to support.

There's no illusion on my part that any configuration gives me a 100% security guarantee - if there was, someone would have found it and all of us in info security would have to find real jobs!

Thanks again for the insights. I truly appreciate getting a sanity check. Around my company I'm the one people go to for AD expertise, so when I need to bounce things off of people it's often on this list.

Happy Friday!
Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Friday,
RE: [ActiveDir] Forest trusts vs trusts within forests
Hello Dèjì, good thoughts, but not sure that I agree with all you say - I believe Dave's scenario could benefit from a separate forest - see some comments below.

Cheers,
Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, January 08, 2005 12:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Without disagreeing with any of the points you made, don't you think multi-forest deployment is an "overkill" for what he's trying to achieve? Let's look at the SOW again:

The motivations for considering another forest are the following:

1) we have some remote sites with workstations that authenticate to the domain so they can be managed with GPOs and software distribution. They have no real need to access MS resources at the main site. In some cases, there are enough of these workstations to warrant a local DC. We don't want DCs for the one and only existing domain in some of these locations, because we can't always control physical access to them. An isolated forest (no trusts) for these would protect the internal forest in the event the new forest was compromised, compartmentalizing the damage.

OK, if he does implement a separate forest, he will still NEED Trusts in order to have any relationship between these forests, so we know that the NO TRUST aspect of this requirement can't be met. So, if there is TRUST, and the UNPROTECTED (throw-away) forest is compromised, the malicious 0wn3r now has the ability to compromise the PROTECTED forest as well. I know it is harder to do, but it is a reality.

[Guido] I do have to disagree here, as you're making it sound as if there's no real benefit for separate forests from a security perspective. That's not true. It's not necessarily the trust between one forest or the other that allows a malicious user to attack the "PROTECTED" forest. It's the fact that this user has some kind of physical access or network connectivity to the "UNPROTECTED" network, which - with or without compromise of the "UNPROTECTED" forest - allows him to attack the other forest. The trust between the two forests (with SID filtering enabled, which is the case by default) doesn't really make it easier for the attacker - especially if you've taken appropriate precautions in the "PROTECTED" forest to hinder enumeration of all accounts to all authenticated users (which would be even easier to restrict using Selective Auth. as available with 2003 DFL) etc. In any case, this attack won't be nearly as easy as an attack against the "PROTECTED" forest, if Dave were to add another domain to this forest and locate its DCs in the "UNPROTECTED" locations. In general I advise, if a separate OU in your main forest is not enough isolation for your security needs, then you'll have to create a separate forest - don't even think about creating a new domain in the same forest to gain any _security_ benefits.

2) there's no need to replicate the thousands of internal user and computer accounts to the locations mentioned above - a new domain, whether it's in a new forest or not, would eliminate this unwanted replication.

Someone already answered this previously, pointing to the enhanced compression and replication algorithm in 2K3. Even so, any replication "storm" will be mostly a one-time incident for the initial synch. So, we can eliminate this from the list of reasons to do a new Forest.

[Guido] Maybe I missed it, but I didn't see Dave mention any numbers or sizes of his environment. If e.g. his current main domain/forest has 100.000 users and the remote sites have a total of 1.000 users, then it's simply a different story compared to a main domain of 5.000 users with 500 remote users... Also, I do not generally agree that there is less replication traffic in Win2k3 - naturally the replication traffic caused by group membership changes has decreased through LVR (which requires the forest to be at 2003 FFL), but for other changes such as new or changed accounts, PW changes etc. the amount of data that's replicated between sites has actually increased slightly from 2000 to 2003. This is due to a change of the compression algorithm, which has been improved in performance/speed in 2003 but doesn't reach the same compression ratio as the slower algorithm of Win2000. This means that although a 2003 DC will spend fewer CPU cycles on compressing data to replicate to remote sites, it will actually transfer more data to the remote site (if you have very slow links, you can actually change the compression algorithm back to that of Win2000). Again, the net impact really depends on the size of Dave's main forest and the ratio between the amount of changes done to group memberships vs. other changes etc.

3) some applications require access by vendors, suppliers, etc. There is some desire to keep such accounts physically separate from the internal directory. Part of this
RE: [ActiveDir] Forest trusts vs trusts within forests
That's also my understanding, Dean, and that's how I've tested that it works - but I certainly wouldn't mind the lengthy version of the explanation... I do have to say that the statement to require FFL2 to use SA for forest trusts is somewhat of a joke though: you'll have to have both forests running at FFL2 anyway to create a forest trust in the first place ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 08, 2005 12:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

For forest trust: must be forest functional level 2
For external trust: must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the confirmation I was looking for. The other part was regarding the 'functional level' requirements for SA. I had read conflicting things there - the one that troubled me was this:

"To enable selective authentication on forest trusts, the trusting forest in which shared resources are located must have the forest functional level set to Windows Server 2003. To enable selective authentication on external trusts, the trusting domain in which shared resources are located must have the domain functional level set to Windows 2000 native."

(From http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K Native and still use SA on an external trust. The info I see other places (including a post from John) sounds like the trusting domain must be at least Win2K3 Domain Functional Level. I'm still not sure which is true, as I haven't tried it in the lab yet :) My guess is that SA is not available til the trusting domain (which would have to stamp the Other Organization SID in the token) is at W2K3 DFL.

Dave
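Guido's points about SID filtering and selective authentication, and the functional-level exchange above, all come down to bits stored on each trustedDomain object. As an added example (not code from the thread), here is a Python audit that decodes trustType, trustDirection and trustAttributes and reports which trusts are real security boundaries and where SID filtering or selective authentication is missing; the flag constants follow MS-ADTS, and the trust records are constructed samples.

```python
"""Decode AD trust objects and assess them the way the thread reasons:
is the trust a security boundary at all (a domain inside the same forest is
not), is SID filtering in effect, and is selective authentication (the
"Other Organization" SID path) enabled?  Flag values are the MS-ADTS
TRUST_ATTRIBUTE_* / trustType / trustDirection constants; the sample
records at the bottom are constructed, not read from a real directory."""
from dataclasses import dataclass

# trustAttributes bit flags
TRUST_ATTRIBUTE_NON_TRANSITIVE     = 0x01
TRUST_ATTRIBUTE_UPLEVEL_ONLY       = 0x02
TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x04  # SID filtering on an external trust
TRUST_ATTRIBUTE_FOREST_TRANSITIVE  = 0x08  # Windows Server 2003 forest trust
TRUST_ATTRIBUTE_CROSS_ORGANIZATION = 0x10  # selective authentication
TRUST_ATTRIBUTE_WITHIN_FOREST      = 0x20  # parent/child or tree-root trust
TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x40  # forest trust with SID filtering relaxed

FLAG_NAMES = {
    TRUST_ATTRIBUTE_NON_TRANSITIVE: "NON_TRANSITIVE",
    TRUST_ATTRIBUTE_UPLEVEL_ONLY: "UPLEVEL_ONLY",
    TRUST_ATTRIBUTE_QUARANTINED_DOMAIN: "QUARANTINED_DOMAIN",
    TRUST_ATTRIBUTE_FOREST_TRANSITIVE: "FOREST_TRANSITIVE",
    TRUST_ATTRIBUTE_CROSS_ORGANIZATION: "CROSS_ORGANIZATION",
    TRUST_ATTRIBUTE_WITHIN_FOREST: "WITHIN_FOREST",
    TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL: "TREAT_AS_EXTERNAL",
}

# trustType and trustDirection values
TRUST_TYPE_DOWNLEVEL = 1      # Windows NT 4.0 domain
TRUST_TYPE_UPLEVEL = 2        # Active Directory domain
TRUST_DIRECTION_INBOUND = 1   # the partner trusts us: our accounts can be authorized there
TRUST_DIRECTION_OUTBOUND = 2  # we trust the partner: its accounts can be authorized here


@dataclass(frozen=True)
class TrustRecord:
    partner: str            # trustPartner: DNS name of the other domain or forest
    trust_type: int
    trust_direction: int
    trust_attributes: int


@dataclass(frozen=True)
class TrustAssessment:
    partner: str
    kind: str                # "intra-forest", "forest", "external" or "downlevel"
    security_boundary: bool  # False for any trust inside one forest
    resource_side: bool      # True if partner accounts can be authorized here
    sid_filtering: str       # "n/a", "forest-aware", "relaxed", "quarantined", "off"
    selective_auth: bool
    findings: tuple          # human-readable risk notes


def decode_flags(attrs: int) -> list:
    """Names of the set trustAttributes bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if attrs & bit]


def classify(rec: TrustRecord) -> str:
    if rec.trust_attributes & TRUST_ATTRIBUTE_WITHIN_FOREST:
        return "intra-forest"
    if rec.trust_attributes & TRUST_ATTRIBUTE_FOREST_TRANSITIVE:
        return "forest"
    if rec.trust_type == TRUST_TYPE_DOWNLEVEL:
        return "downlevel"
    return "external"


def assess(rec: TrustRecord) -> TrustAssessment:
    attrs = rec.trust_attributes
    kind = classify(rec)
    resource_side = bool(rec.trust_direction & TRUST_DIRECTION_OUTBOUND)
    selective = bool(attrs & TRUST_ATTRIBUTE_CROSS_ORGANIZATION)
    findings = []
    if kind == "intra-forest":
        sid_filtering = "n/a"
        findings.append("same forest: no security boundary; a compromised DC in this "
                        "domain exposes the whole forest")
    elif kind == "forest":
        if attrs & TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL:
            sid_filtering = "relaxed"
            findings.append("forest trust treated as external: SID history from the "
                            "partner forest is honoured")
        else:
            sid_filtering = "forest-aware"
    else:  # external or downlevel: the quarantine bit decides
        if attrs & TRUST_ATTRIBUTE_QUARANTINED_DOMAIN:
            sid_filtering = "quarantined"
        else:
            sid_filtering = "off"
            findings.append("SID filtering off: SIDs that do not belong to the partner "
                            "domain (e.g. SID history) are accepted in its tokens")
    if resource_side and kind != "intra-forest" and not selective:
        findings.append("domain-wide authentication: every partner account is Authenticated "
                        "Users here; selective authentication limits that to computers "
                        "granted 'Allowed to Authenticate'")
    return TrustAssessment(rec.partner, kind, kind != "intra-forest", resource_side,
                           sid_filtering, selective, tuple(findings))


def audit(records) -> dict:
    """Map each partner name to its assessment."""
    return {rec.partner: assess(rec) for rec in records}


# Constructed sample, as the values would appear on the trustedDomain objects
# under CN=System of the resource (trusting) domain.
SAMPLE_TRUSTS = [
    TrustRecord("child.company.com", TRUST_TYPE_UPLEVEL, 3, TRUST_ATTRIBUTE_WITHIN_FOREST),
    TrustRecord("remote.example", TRUST_TYPE_UPLEVEL, 3,
                TRUST_ATTRIBUTE_FOREST_TRANSITIVE | TRUST_ATTRIBUTE_CROSS_ORGANIZATION),
    TrustRecord("partner.example", TRUST_TYPE_UPLEVEL, TRUST_DIRECTION_OUTBOUND,
                TRUST_ATTRIBUTE_NON_TRANSITIVE | TRUST_ATTRIBUTE_QUARANTINED_DOMAIN),
    TrustRecord("OLDNT4", TRUST_TYPE_DOWNLEVEL, TRUST_DIRECTION_OUTBOUND,
                TRUST_ATTRIBUTE_NON_TRANSITIVE),
]

if __name__ == "__main__":
    for a in audit(SAMPLE_TRUSTS).values():
        print(f"{a.partner}: {a.kind}, boundary={a.security_boundary}, "
              f"sid_filtering={a.sid_filtering}, selective_auth={a.selective_auth}")
        for note in a.findings:
            print("   -", note)
```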
Re: [ActiveDir] Add users?
Ok, I could see it now, sorry, thanks, it's working great. I have only one question: what's the use of the -uci option if I can't pass the parameters in an input file, and I have to make the command each time I want to create a new user? Also, in the addusers.exe Windows 2000 tool the username was used; now I have to use UserDN and samid and neither seem to be working as a username?

thank you

On Mon, 10 Jan 2005 10:32:57 +0300, rubix cube [EMAIL PROTECTED] wrote:

Hi Sakari

I can't find the adminContextMenu attribute? I searched in CN=409, CN=Display Specifiers, CN=Configuration but I can't see the adminContextMenu. I see other attributes, address and other things; what am I missing? I use ADSI Edit on my machine, do I have to be on the server? My user account is enterprise admin.

On Tue, 4 Jan 2005 19:27:15 +0200, Sakari Kouti [EMAIL PROTECTED] wrote:

The control I was talking about would require Visual Basic or C++ programming, and the result would be a binary DLL file.

I sent the above text a few minutes ago. Now I noticed that the Platform SDK actually says "It is not currently possible to create an Active Directory property sheet extension using Visual Basic." Sorry about the error.

Yours,
Sakari

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Forest trusts vs trusts within forests
Actually Dean, I would like to hear that explanation as to why, if it's not too much trouble. It often helps to make the idea stick :)

As for the replication, Dave, I understood the replication differences to be more for security reasons than performance etc. Something along the lines of not putting information where it wasn't absolutely needed anyway. Was I off on that?

Much of the conversation has been around protecting assets should some event occur. I get the sense that there is an operational component to this and that you have a well defined process to handle events should they occur. Could just be me though.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
Thanks! I'd tried clicking, right clicking, and double clicking on the entries to see if I could find the class ID in that window, all to no avail! Never thought the CLSID might be there in a column... Sheesh. Nothing like making it easy on us poor admins... Now if there was some way to copy and paste the entries instead of having to retype them by hand. OR if you could at least resize the plug-in management window. Ah well.

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-
From: wilson chang [mailto:[EMAIL PROTECTED]
Sent: Friday, January 07, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO for restricting ActiveX controls on XPSP2

On Thu, 6 Jan 2005 13:50:44 -0500, Joe Pochedley [EMAIL PROTECTED] wrote:

So, the question is: Does someone out there have a listing of the class ID strings for common web component ActiveX plugins? OR am I wasting

The best way I know how is to load the plugins yourself and then copy down the CLSIDs. They're located in Internet Explorer. From the Tools menu, select Manage Add-ons. Then right click in the column headings and select Class ID. You should now see the CLSIDs listed. I hope that's what you're looking for.

Wilson
RE: [ActiveDir] Forest trusts vs trusts within forests
Good point ... it is somewhat redundant, isn't it :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
Joe,

You can download BHODemon and install it, double-click on any entry and you will see the CLSID in that entry.

http://www.pcworld.com/downloads/file_description/0,fid,23611,00.asp

HTH,
Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, January 10, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
RE: [ActiveDir] Add users?
Hi Rubix,

I'm not sure what you mean, but HTH. A user in AD has the following names:

A. CN = common name = Name column in tools = RDN (e.g. Jack Brown or CN=Jack Brown)
B. First name = givenName (e.g. Jack)
C. Last name = sn (e.g. Brown)
D. Display name = displayName (e.g. Jack Brown)
E. User logon name = userPrincipalName = UPN = long logon name (e.g. [EMAIL PROTECTED])
F. User logon name (pre-Win2000) = sAMAccountName = SAM name = NT name = short logon name (e.g. JackB)

A and F are mandatory, the rest are optional. E and F the user can use for logon, interchangeably. The label of F includes pre-Win2000, but it's a little incorrect, because you can use it practically anywhere in Windows 2000 and newer.

The samid option of DSAdd is the same as F above, and it should work as a username for you (depending on what you mean).

Yours,
Sakari

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?
[ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies
This might not be the right forum for this question, but does anyone have any templates for what needs to be locked down for servers in the domain and in a DMZ? What ports and services do not need to be running/open?

Ron Pennell
Institute For Defense Analyses
[EMAIL PROTECTED]
RE: [ActiveDir] Add users?
The -uci switch you mention in dsadd isn't for input from a file; it is referencing input from a pipe (ie: | ). You can use information from a tool like dsquery to pipe information to dsadd (you can pipe the DN for an account, for example).

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?
RE: [ActiveDir] Add users?
To reply to myself, I made a dumb statement... you can't pipe the DN from dsquery to dsadd since the user wouldn't exist yet, but that is one thing that you can do with dsquery and some of the ds tools (dsget, dsmod etc.).

Phil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 6:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?
RE: [ActiveDir] Forest trusts vs trusts within forests
You're correct, Al - the thought regarding replication is that there's no reason to put information from the internal domain on those DCs in the less-trusted domain. There is no need for it there in the first place, and if I don't replicate it there I have that much less to worry about if that forest should be compromised. Of course, that assumes using SA and SID filtering.

Deji (and others who mentioned it), you're absolutely correct that the permissioning on the existing domain needs to improve - I'm steering things that way. However, I like defense in depth, and it seems to me that the additional forest, while not a cure-all, does make it more difficult (not impossible, just harder) for someone who 0wnz one forest to attack the other (for the reasons cited by Guido, John, and others).

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 7:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Actually Dean, I would like to hear that explanation as to why, if it's not too much trouble. It often helps to make the idea stick :)

As for the replication, Dave, I understood the replication differences to be more for security reasons than performance etc. Something along the lines of not putting information where it wasn't absolutely needed anyway. Was I off on that?

Much of the conversation has been around protecting assets should some event occur. I get the sense that there is an operational component to this and that you have a well defined process to handle events should they occur. Could just be me though.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, January 10, 2005 5:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

That's also my understanding, Dean, and that's how I've tested it that it works - but I certainly wouldn't mind the lengthy version of the explanation...

I do have to say that the statement to require FFL2 to use SA for forest trusts is somewhat of a joke though: you'll have to have both forests running at FFL2 anyways to create a forest trust in the first place ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, January 08, 2005 12:20 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

For forest trust: must be forest functional level 2
For external trust: must be domain functional level 2

If an explanation as to why is desirable, please ask ... it's lengthy.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, January 07, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Al - that was basically the first question, and I did get the confirmation I was looking for. The other part was regarding the 'functional level' requirements for SA. I had read conflicting things there - the one that troubled me was this:

"To enable selective authentication on forest trusts, the trusting forest in which shared resources are located must have the forest functional level set to Windows Server 2003. To enable selective authentication on external trusts, the trusting domain in which shared resources are located must have the domain functional level set to Windows 2000 native."

(From http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_security.asp)

The second sentence sounds as though the trusting domain can be at Win2K Native and still use SA on an external trust. The info I see other places (including a post from John) sounds like the trusting domain must be at least Win2K3 Domain Functional Level. I'm still not sure which is true, as I haven't tried it in the lab yet :) My guess is that SA is not available till the trusting domain (which would have to stamp the Other Organization SID in the token) is at W2K3 DFL.

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, January 07, 2005 4:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests

Out of curiosity, did you get your question answered? The original that I read was that you wanted to know if you had two separate forests with trusts, would that create the same risks as if they were in the same forest. I *think* I read that correctly. I think John had a lot of great information in there, but I got to the thread too late, which makes it harder to read and tell what was said etc.

Just curious
[ActiveDir] OT:winsock
I keep getting an error on a Win2k Pro SP4 laptop when renewing an IP address: "an operation was attempted on something that is not a socket". Also, when I try to start my Linksys WLAN adapter, I get "10093: Successful WSAStartup not yet performed". I've uninstalled and reinstalled TCP/IP but no go.

I know this is not a server issue, so I apologize for the OT.

thanks
Re: [ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies
Pennell, Ronald B. wrote:
This might not be the right forum for this question, but does anyone have any templates for what needs to be locked down for servers in the domain and in a DMZ? What ports and services do not need to be running/open?

I don't know what role this server plays, but take a look at these documents; I hope they will help you:

Active Directory in Networks Segmented by Firewalls
http://www.microsoft.com/downloads/details.aspx?FamilyID=c2ef3846-43f0-4caf-9767-a9166368434e&DisplayLang=en

Active Directory Replication over Firewalls
http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
RE: [ActiveDir] OT:winsock
Have you got something else interfacing with the stack on the box, i.e. f/w software? Also... uninstall the WLAN card and see if you still get the same issue on the internal NIC.

BR
Rob

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock
RE: [ActiveDir] OT:winsock
It's uninstalled. This user has no firewall SW that I can tell, though I get a pop-up saying Outlook Express is trying to send an email, do you want to let it send it? I have no idea what's making that pop up. It's made to look like it's coming from OE. The email is just the welcome message OE sends on first use.

thanks

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock
RE: [ActiveDir] Forest trusts vs trusts within forests
Simplified question is - why do we require domain (external trust) or forest (forest trust) functional level 2 when using selective authentication?

Let's begin with what selective authentication (SA) does ... when configured across a particular trust it tells the KDCs within the domain at the end of the trust to perform an additional validity check before issuing the session ticket (we normally rely solely on authorization ... SA prevents the ticket from even being issued, thus it is known as the "authentication firewall"). The additional validity check uses the SPN (service principal name) within the ticket request and resolves it to a computer object within the domain NC (nothing new so far) and looks for an Allow for the extended right "Allowed to authenticate" assigned to any SID within the requesting user's PAC or access token (this is the new validity check). "Allowed to authenticate" should be assigned against the computer object that represents the physical computer housing the resource. It must be assigned to the user or group from the trusted domain that you wish to grant access to. If the right is allowed, the ticket is issued. If the right is denied or not listed/not applicable to the requesting user, the ticket is not issued and access will not be granted since authorization cannot proceed.

It is important to note that this process is only performed against TGS requests originating in a foreign realm/domain for which the trust relationship's TDO (trusted domain object) indicates SA as opposed to forest-wide authentication. Before a session ticket can be issued a requesting client must possess a TGT issued by a KDC authoritative over the server holding the target service. Upon requesting initial auth., the KDC in the trusting domain decrypts the TGS referral, validates the authenticator and, if valid, constructs a new TGT containing a near bit-for-bit copy of the PAC from the original ticket (PAC = privileged attribute certificate).

At this juncture, a new SID is injected into the PAC dependent upon the trust's authentication type; selective or forest-wide.

* If forest-wide, the SID is "This Organization" = Well-known group = S-1-5-15
* If selective, the SID is "Other Organization" = Well-known group = S-1-5-1000

So how do we know whether or not to invoke this new behavior and which SID should be injected during the TGT's construction? We do that by determining where the ticket request originated. If memory serves, each ticket contains an attribute known as the transited path attribute which maintains a list of the domains/realms through which the ticket has passed to get here, thereby allowing us to determine behaviors relevant to the ticket's origin. The presence of the Other Org SID within a TGT dictates that the new behavior (the extra validity check) must be used before issuing a session ticket. Since this behavior is only known to a 2003+ KDC, the need for a functional level is imposed.

SA is also supported for downlevel NTLM-only clients ... they use a mechanism known as pass-through authentication in order to dynamically inject additional domain-relevant SIDs ... this allows the DCs to detect the presence of the Other Org SID and perform the new validity check before returning the newly formed token (or not).

Note also that since This and Other Org are SIDs (and therefore security principals), they can be assigned access to resources, allowing you to permit or deny access to any resource based on whether the request originated within a domain that is considered as part of _our_ organization or not.

I've found it useful to keep the following in mind; when creating a trust between 2 domains or forests, treat the authentication type as follows -

* If selective auth. is used then we're saying that we have 2 separate organizations wishing solely to share resources when suitable
* If forest/domain-wide auth. is used then we're saying that although we have two isolated domains they still represent one organization and additional validity checks are not necessary

Hope this proves useful ... that's my post quota for '05 ;-)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Forest trusts vs trusts within forests
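The decision Dean describes above (and the "Other Organization SID in the token" that Dave guessed at earlier in the thread) can be modelled as a small decision procedure. The following is an added example written for this page, not code from the list or from Microsoft: the ACE records, the SID-list PAC and the host-name SPN resolver are assumptions made for illustration, and the SIDs and host names in the sample directory are constructed. A real DC reads the computer object's security descriptor and the PAC inside the TGT.

```python
"""Model of the selective-authentication (SA) check a Windows Server 2003 KDC
performs before issuing a service ticket to a user from a trusted domain.

Added example; data model (ACE records, PAC as SID list, host-name SPN resolver)
is an assumption for illustration only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Well-known SIDs quoted in the thread.
THIS_ORGANIZATION = "S-1-5-15"      # injected for forest/domain-wide authentication
OTHER_ORGANIZATION = "S-1-5-1000"   # injected for selective authentication

# The extended right the KDC looks for, under the display name used in the thread.
ALLOWED_TO_AUTHENTICATE = "Allowed to authenticate"


@dataclass
class Ace:
    sid: str
    right: str
    allow: bool  # True for an Allow ACE, False for a Deny ACE


@dataclass
class ComputerObject:
    """Computer object in the domain NC that an SPN resolves to."""
    dns_host_name: str
    aces: List[Ace] = field(default_factory=list)


def resolve_spn(spn: str, computers: List[ComputerObject]) -> Optional[ComputerObject]:
    """Map an SPN such as 'cifs/fs1.corp.example' to its computer object (assumed resolver)."""
    host = spn.split("/", 1)[1].split(":", 1)[0].lower()
    for computer in computers:
        if computer.dns_host_name.lower() == host:
            return computer
    return None


def allowed_to_authenticate(computer: ComputerObject, pac_sids: List[str]) -> bool:
    """Evaluate 'Allowed to authenticate' for every SID in the PAC.

    A matching Deny ACE wins over any Allow; no matching ACE at all means the
    right is 'not listed/not applicable' and the ticket is refused.
    """
    matching = [a for a in computer.aces
                if a.right == ALLOWED_TO_AUTHENTICATE and a.sid in pac_sids]
    if any(not a.allow for a in matching):
        return False
    return any(a.allow for a in matching)


def issue_service_ticket(spn: str, foreign_pac_sids: List[str],
                         computers: List[ComputerObject],
                         trust_selective: bool) -> Tuple[bool, str]:
    """Decide whether the trusting KDC issues a service ticket; returns (issued, reason).

    trust_selective mirrors the authentication setting on the trust's TDO.
    """
    computer = resolve_spn(spn, computers)
    if computer is None:
        return False, "SPN does not resolve to a computer object"

    # Step 1: when the TGT is rebuilt for the foreign user, the PAC is copied and
    # one SID is injected that records where the request originated.
    pac = list(foreign_pac_sids)
    pac.append(OTHER_ORGANIZATION if trust_selective else THIS_ORGANIZATION)

    # Step 2: no Other Org SID means no extra check; resource authorization decides.
    if OTHER_ORGANIZATION not in pac:
        return True, "forest-wide authentication: ticket issued, authorization decides"

    # Step 3: the authentication firewall. The ticket is issued only if a SID in the
    # PAC holds an Allow for the extended right on the target computer object.
    if allowed_to_authenticate(computer, pac):
        return True, f"'Allowed to authenticate' granted on {computer.dns_host_name}"
    return False, f"'Allowed to authenticate' not granted on {computer.dns_host_name}"


# Constructed sample directory: SIDs and host names are made up for this example.
PARTNER_USERS = "S-1-5-21-1000000001-1000000002-1000000003-1105"   # group in the trusted forest
PARTNER_BOB = "S-1-5-21-1000000001-1000000002-1000000003-1207"     # user in that group
BLOCKED_GROUP = "S-1-5-21-1000000001-1000000002-1000000003-1300"   # explicitly denied group

FILE_SERVER = ComputerObject("fs1.corp.example", [
    Ace(PARTNER_USERS, ALLOWED_TO_AUTHENTICATE, allow=True),
    Ace(BLOCKED_GROUP, ALLOWED_TO_AUTHENTICATE, allow=False),
])
DOMAIN_CONTROLLER = ComputerObject("dc1.corp.example")  # nobody from outside is granted the right
DIRECTORY = [FILE_SERVER, DOMAIN_CONTROLLER]

if __name__ == "__main__":
    bob = [PARTNER_BOB, PARTNER_USERS]
    for spn in ("cifs/fs1.corp.example", "ldap/dc1.corp.example"):
        for selective in (True, False):
            issued, why = issue_service_ticket(spn, bob, DIRECTORY, selective)
            print(f"{spn:24} selective={selective!s:5} issued={issued!s:5} {why}")
```

Run stand-alone, the script shows the practical effect of the two trust types: with selective authentication the partner user reaches the file server he was granted on and nothing else, while with forest-wide authentication every service ticket is issued and only the resource's own ACLs stand between him and the domain controller.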
[ActiveDir] time server
Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server.

Thanks!

Mark Creamer

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.
RE: [ActiveDir] OT:winsock
hmmm ... could be a virus trying to send the mail through Outlook. Can you see any other protocols, services, etc. bound to the adapter?

From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Mon 1/10/2005 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock
RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
Thanks, but BHODemon only shows Browser Helper Objects. It doesn't show ActiveX controls or Browser Extensions, which are also add-ins for IE that need to be defined for the GPO to effectively manage all the ActiveX controls.

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-
From: Dale, Rick [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 9:59 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2

Joe,

You can download BHODemon and install it, double-click on any entry and you will see the CLSID in that entry.
http://www.pcworld.com/downloads/file_description/0,fid,23611,00.asp

HTH,
Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, January 10, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2

Thanks! I'd tried clicking, right-clicking, and double-clicking on the entries to see if I could find the class ID in that window, all to no avail! Never thought the CLSID might be there in a column... Sheesh. Nothing like making it easy on us poor admins... Now if there was some way to copy and paste the entries instead of having to retype them by hand. OR if you could at least resize the plug-in management window. Ah well.

Joe Pochedley

-Original Message-
From: wilson chang [mailto:[EMAIL PROTECTED]
Sent: Friday, January 07, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO for restricting ActiveX controls on XPSP2

On Thu, 6 Jan 2005 13:50:44 -0500, Joe Pochedley [EMAIL PROTECTED] wrote:
So, the question is: Does someone out there have a listing of the class ID strings for common web component ActiveX plugins? OR am I wasting

The best way I know how is to load the plugins yourself and then copy down the CLSIDs. They're located in Internet Explorer. From the Tools menu, select Manage Add-ons. Then right-click in the column headings and select Class ID. You should now see the CLSIDs listed. I hope that's what you're looking for.

Wilson
RE: [ActiveDir] OT:winsock
http://support.microsoft.com/default.aspx?scid=kb;en-us;318584

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 10, 2005 7:39 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock
[ActiveDir] DNS timeouts
When we do an nslookup on an external host, we often get a timeout 3 or 4 times before it finally resolves. We are using our child domain controllers for all our desktops' DNS. The child DCs are forwarding to the root DCs. The root DCs have the root hints on them, and are allowed by the firewall to go out port 53 for UDP and TCP. Any settings we need to tweak?

I did a couple of lookups on carmax.com and they timed out, then they finally resolved. Our child DC is 10.4.223.32. This is part of a debug log on my root DC. Any ideas?

11:23:13 2334 PACKET UDP Rcv 10.4.223.32 0d2d Q [0001 D NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 192.41.162.30 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 192.41.162.30 35c0 R Q [0080 NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 199.191.128.105 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 199.191.128.105 35c0 R Q [0084 A NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 10.4.223.32 0d2d R Q [8081 DR NOERROR] (6)carmax(3)com(0)

~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
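The debug log Russ posted already contains what is needed to answer his own question: every client query from the child DC can be paired with the recursion it triggers and with the response sent back, so the server-side elapsed time and any upstream server that never replied fall straight out of the log. The reader below is an added example written for this page, not part of the thread. Its line layout follows the six lines above (a real debug log may carry an extra record-type column before the name, which the parser tolerates); the second lookup in SAMPLE_LOG is constructed, using documentation addresses, to show the failure case where one upstream server does not answer and the lookup only completes after a retry.

```python
"""Reader for Windows DNS server debug-log PACKET lines: pairs each client query
with its answer and reports upstream servers that never replied.

Added example, not part of the thread; SAMPLE_LOG's second lookup is constructed.
"""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<tid>[0-9A-Fa-f]+)\s+PACKET\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4})\s+(?P<kind>R Q|Q)\s+"
    r"\[(?P<flags>[^\]]*)\]\s+(?:(?P<rtype>[A-Z0-9]+)\s+)?(?P<name>\(\d+\)\S*)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def decode_name(wire: str) -> str:
    """'(6)carmax(3)com(0)' -> 'carmax.com' (the length-prefixed form the log uses)."""
    return ".".join(label for length, label in LABEL_RE.findall(wire) if int(length) > 0)


def parse_line(line: str) -> Optional[Dict]:
    """One PACKET record as a dict, or None for any other line in the log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = (int(x) for x in rec["time"].split(":"))
    rec["seconds"] = h * 3600 + mi * 60 + s
    rec["response"] = rec["kind"] == "R Q"
    rec["name"] = decode_name(rec["name"])
    return rec


def analyze(lines: List[str]) -> List[Dict]:
    """An inbound query opens a transaction; the server's outbound queries for the same
    name belong to it; an inbound reply clears the matching outbound query; the response
    to the client closes the transaction with its elapsed time and unanswered upstreams."""
    open_tx: Dict[tuple, Dict] = {}    # (client ip, xid) -> transaction
    upstream: Dict[tuple, Dict] = {}   # (server ip, xid) -> owning transaction
    done: List[Dict] = []

    def close(tx: Dict) -> None:
        for key, owner in list(upstream.items()):
            if owner is tx:
                tx["upstream_unanswered"].append(key[0])
                del upstream[key]
        done.append(tx)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["xid"])
        if rec["dir"] == "Rcv" and not rec["response"]:
            open_tx[key] = {"client": rec["ip"], "xid": rec["xid"], "name": rec["name"],
                            "start": rec["seconds"], "answered": False, "elapsed": None,
                            "upstream_unanswered": []}
        elif rec["dir"] == "Snd" and not rec["response"]:
            owners = [t for t in open_tx.values() if t["name"] == rec["name"]]
            if owners:
                upstream[key] = owners[-1]   # outbound recursion on behalf of a client
        elif rec["dir"] == "Rcv":
            upstream.pop(key, None)          # the upstream server answered
        elif key in open_tx:
            tx = open_tx.pop(key)            # response sent back to the client
            tx["answered"] = True
            tx["elapsed"] = rec["seconds"] - tx["start"]
            close(tx)
    for tx in list(open_tx.values()):        # never answered before the log ended
        close(tx)
    return done


# Lines 1-6 are the ones from the post; lines 7-13 are constructed (192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges) to show an upstream that never replies.
SAMPLE_LOG = """
11:23:13 2334 PACKET UDP Rcv 10.4.223.32 0d2d Q [0001 D NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 192.41.162.30 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 192.41.162.30 35c0 R Q [0080 NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 199.191.128.105 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 199.191.128.105 35c0 R Q [0084 A NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 10.4.223.32 0d2d R Q [8081 DR NOERROR] (6)carmax(3)com(0)
11:23:40 2334 PACKET UDP Rcv 10.4.223.32 0d2e Q [0001 D NOERROR] (7)example(3)com(0)
11:23:40 2334 PACKET UDP Snd 192.0.2.10 35c1 Q [ NOERROR] (7)example(3)com(0)
11:23:44 2334 PACKET UDP Snd 192.0.2.20 35c2 Q [ NOERROR] (7)example(3)com(0)
11:23:44 2334 PACKET UDP Rcv 192.0.2.20 35c2 R Q [0080 NOERROR] (7)example(3)com(0)
11:23:44 2334 PACKET UDP Snd 198.51.100.5 35c3 Q [ NOERROR] (7)example(3)com(0)
11:23:46 2334 PACKET UDP Rcv 198.51.100.5 35c3 R Q [0084 A NOERROR] (7)example(3)com(0)
11:23:46 2334 PACKET UDP Snd 10.4.223.32 0d2e R Q [8081 DR NOERROR] (7)example(3)com(0)
""".strip().splitlines()

if __name__ == "__main__":
    for tx in analyze(SAMPLE_LOG):
        print(f"{tx['client']} {tx['name']:12} answered={tx['answered']} "
              f"elapsed={tx['elapsed']}s no reply from={tx['upstream_unanswered']}")
```

For the posted lines the lookup completes within the same second, so the delay Russ sees is not in this exchange; the constructed lookup shows what a slow one looks like in the same log: six seconds on the server side, longer than the client's per-try timeout, with the first root server contacted never replying before the server moved on to another. Run over a full debug log, the `upstream_unanswered` field points at the servers (or the firewall path to them) worth checking.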
RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
Open C:\WINDOWS\Downloaded Program Files, double-click the control, highlight and copy the ID from the property page.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, January 10, 2005 10:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO for restricting ActiveX controls on XPSP2
Re: [ActiveDir] DNS timeouts
Have you tried doing a network trace to see the DNS queries and responses? That should help you determine where the delay is.

- Original Message -
From: Rimmerman, Russ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 10, 2005 12:41 PM
Subject: [ActiveDir] DNS timeouts
RE: [ActiveDir] DNS timeouts
Are you referring to a tracert or something more in-depth? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines Sent: Monday, January 10, 2005 12:27 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS timeouts Have you tried doing a network trace to see the DNS queries and responses? That should help you determine where the delay is. - Original Message - From: Rimmerman, Russ [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Monday, January 10, 2005 12:41 PM Subject: [ActiveDir] DNS timeouts When we do an nslookup on an external host, we often get a timeout 3 or 4 times before it finally resolves. We are using our child domain controllers for all our desktops DNS. The child DCs are forwarding to the root DCs. The root DCs have the root-hints on them, and are allowed by the firewall to go out port 53 for UDP and TCP. Any settings we need to tweak? I did a couple lookups on carmax.com and they timed out, then they finally resolved. Our child DC is 10.4.223.32. This is part of a debug log on my root DC. Any ideas? 11:23:13 2334 PACKET UDP Rcv 10.4.223.32 0d2d Q [0001 D NOERROR] (6)carmax(3)com(0) 11:23:13 2334 PACKET UDP Snd 192.41.162.30 35c0 Q [ NOERROR] (6)carmax(3)com(0) 11:23:13 2334 PACKET UDP Rcv 192.41.162.30 35c0 R Q [0080 NOERROR] (6)carmax(3)com(0) 11:23:13 2334 PACKET UDP Snd 199.191.128.105 35c0 Q [ NOERROR] (6)carmax(3)com(0) 11:23:13 2334 PACKET UDP Rcv 199.191.128.105 35c0 R Q [0084 A NOERROR] (6)carmax(3)com(0) 11:23:13 2334 PACKET UDP Snd 10.4.223.32 0d2d R Q [8081 DR NOERROR] (6)carmax(3)com(0) ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. 
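Tim's suggestion is to find out which hop the delay sits on. As an added example (not code from the thread), the script below parses Windows DNS debug-log packet lines of the shape quoted above, pairs each client query with the reply sent back to it, and records every upstream round trip in between; on the quoted lines it shows the root DC receiving, recursing (referral from 192.41.162.30, authoritative answer from 199.191.128.105) and answering within the same second, so the three or four timeouts Russ sees must be spent somewhere else. The regex, the constructed SLOW_UPSTREAM_LOG sample and the flag-letter reading ("A" = authoritative answer, "D" = recursion desired, "R" = recursion available) are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lines copied from the root DC debug log quoted in the thread (one query for carmax.com).
ROOT_DC_LOG = """\
11:23:13 2334 PACKET UDP Rcv 10.4.223.32 0d2d Q [0001 D NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 192.41.162.30 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 192.41.162.30 35c0 R Q [0080 NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 199.191.128.105 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 199.191.128.105 35c0 R Q [0084 A NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 10.4.223.32 0d2d R Q [8081 DR NOERROR] (6)carmax(3)com(0)
"""
# Constructed contrast case, not from the thread: the upstream server answers 4 s late.
SLOW_UPSTREAM_LOG = """\
11:30:00 2334 PACKET UDP Rcv 10.4.223.32 1a2b Q [0001 D NOERROR] (7)example(3)com(0)
11:30:00 2334 PACKET UDP Snd 192.0.2.53 7777 Q [ NOERROR] (7)example(3)com(0)
11:30:04 2334 PACKET UDP Rcv 192.0.2.53 7777 R Q [0084 A NOERROR] (7)example(3)com(0)
11:30:04 2334 PACKET UDP Snd 10.4.223.32 1a2b R Q [8081 DR NOERROR] (7)example(3)com(0)
"""
# Packet line: time, thread, PACKET, protocol, Rcv/Snd, peer, xid, optional "R", "Q", [flags], name.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+PACKET\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<dir>Rcv|Snd)\s+(?P<peer>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<resp>R\s+)?Q\s+\[(?P<flags>[^\]]*)\]\s+(?P<name>\S+)\s*$"
)
Key = Tuple[str, str]  # (peer address, transaction id)

@dataclass
class Upstream:
    server: str
    rtt: float           # seconds between our outbound query and the server's reply
    authoritative: bool  # flag letter "A" on the reply: final answer rather than a referral

@dataclass
class Resolution:
    client: str
    xid: str
    name: str
    start: float
    total: float = 0.0
    rcode: str = ""
    upstream: List[Upstream] = field(default_factory=list)

def _secs(hhmmss: str) -> float:
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def _decode_name(wire: str) -> str:
    # "(6)carmax(3)com(0)" -> "carmax.com"
    return ".".join(lbl for _, lbl in re.findall(r"\((\d+)\)([^(]*)", wire) if lbl)

def _split_flags(flags: str) -> Tuple[str, str]:
    # "0084 A NOERROR" -> ("A", "NOERROR"); the hex word is sometimes lost when logs are pasted
    tokens = flags.split()
    rcode = tokens[-1] if tokens else ""
    letters = "".join(t for t in tokens[:-1] if not re.fullmatch(r"[0-9a-fA-F]{4}", t))
    return letters, rcode

def analyze(log_text: str) -> List[Resolution]:
    """Pair each client query with our reply to it and record every upstream round trip."""
    open_client: Dict[Key, Resolution] = {}
    pending_up: Dict[Key, Tuple[float, Optional[Key]]] = {}
    current: Optional[Key] = None
    finished: List[Resolution] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, key = _secs(m["time"]), (m["peer"], m["xid"].lower())
        is_resp = m["resp"] is not None
        letters, rcode = _split_flags(m["flags"])
        if m["dir"] == "Rcv" and not is_resp:        # query from the client (child DC)
            open_client[key] = Resolution(key[0], key[1], _decode_name(m["name"]), t)
            current = key
        elif m["dir"] == "Snd" and not is_resp:      # our recursive query to an upstream server
            pending_up[key] = (t, current)
        elif m["dir"] == "Rcv":                      # upstream reply (referral or answer)
            sent, ckey = pending_up.pop(key, (t, None))
            if ckey in open_client:
                open_client[ckey].upstream.append(Upstream(key[0], t - sent, "A" in letters))
        else:                                        # our reply back to the client
            res = open_client.pop(key, None)
            if res is not None:
                res.total, res.rcode = t - res.start, rcode
                finished.append(res)
    return finished

def find_delays(log_text: str, threshold: float = 1.0) -> List[Tuple[Resolution, str]]:
    """Resolutions that took at least `threshold` seconds, with the hop that caused it."""
    flagged = []
    for res in analyze(log_text):
        slow = [u for u in res.upstream if u.rtt >= threshold]
        if slow:
            flagged.append((res, "upstream " + ", ".join(f"{u.server} ({u.rtt:.0f}s)" for u in slow)))
        elif res.total >= threshold:
            flagged.append((res, "local processing on this server"))
    return flagged

if __name__ == "__main__":
    print(analyze(ROOT_DC_LOG))          # carmax.com: total 0 s, two upstream hops
    print(find_delays(SLOW_UPSTREAM_LOG))  # example.com flagged: upstream 192.0.2.53 (4s)
```

Run it against the full debug log (dns.log) to list only the lookups whose delay is on this server or on a named upstream; if nothing is flagged on the root DC, the timeouts are being spent on the child DC or the client side.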
RE: [ActiveDir] time server
Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated. Thank you. Cintas Corporation.
RE: [ActiveDir] time server
Thanks Joe, I suspect that's it then. There wasn't anything in the interface about an SNTP server.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
Re: [ActiveDir] DNS timeouts
Something more in depth like Network Monitor?

----- Original Message -----
From: Rimmerman, Russ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 10, 2005 1:51 PM
Subject: RE: [ActiveDir] DNS timeouts

Are you referring to a tracert or something more in-depth?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Monday, January 10, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS timeouts

Have you tried doing a network trace to see the DNS queries and responses? That should help you determine where the delay is.

----- Original Message -----
From: Rimmerman, Russ [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, January 10, 2005 12:41 PM
Subject: [ActiveDir] DNS timeouts

When we do an nslookup on an external host, we often get a timeout 3 or 4 times before it finally resolves. We are using our child domain controllers for all our desktops' DNS. The child DCs are forwarding to the root DCs. The root DCs have the root hints on them, and are allowed by the firewall to go out port 53 for UDP and TCP. Any settings we need to tweak?

I did a couple lookups on carmax.com and they timed out, then they finally resolved. Our child DC is 10.4.223.32. This is part of a debug log on my root DC. Any ideas?

11:23:13 2334 PACKET UDP Rcv 10.4.223.32 0d2d Q [0001 D NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 192.41.162.30 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 192.41.162.30 35c0 R Q [0080 NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 199.191.128.105 35c0 Q [ NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Rcv 199.191.128.105 35c0 R Q [0084 A NOERROR] (6)carmax(3)com(0)
11:23:13 2334 PACKET UDP Snd 10.4.223.32 0d2d R Q [8081 DR NOERROR] (6)carmax(3)com(0)
RE: [ActiveDir] time server
Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
This comment is accurate for Windows 2000, but not for Windows XP/2003.

References:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=
and
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
Conflicting information: (http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx)

To sum it up, SNTP and NTP are supposed to be interchangeable and compatible. Reality is, some verbs/commands aren't. When setting up a time server from a non-Microsoft client, you need to check to see what the error actually is. That'll help you to narrow down what the cause is and how to adjust your client/server to make it work. Time sync is highly critical in a Kerberos environment, and making it work with multiple vendors would infer that a 2003 DC should speak both NTP and SNTP. Event logs are helpful here. ;)

I've had a heck of a time with the time service changes in the past. There're several options you can use if it doesn't work as a client although those are some rare occasions supposedly. As a server, you'll have to figure out what's going on first. Maybe a network trace would be helpful as well?

Configuring Time Services

Kerberos 5 authentication is dependent upon the synchronization of the internal clocks within the Kerberos domain. Before proceeding with building a security solution using Kerberos, it is necessary to set up a time service to ensure this required accuracy.

Windows Server 2003 time services are based upon the Simple Network Time Protocol (SNTP); this is a simplified version of the UNIX Network Time Protocol (NTP). The packet formats of both protocols are identical, and the servers and clients for each can be used interchangeably. More information about the time service protocols can be found in the RFCs for each protocol. These are as follows:

* RFC 2030: Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6, and OSI
* RFC 1305: Network Time Protocol (Version 3) Specification, Implementation, and Analysis

Version 4 of NTP is currently in development and has yet to be released as an RFC.

More information on the specifics of implementing time services in the Active Directory environment can be found in The Windows Time Service (Brandolini and Green) at http://www.microsoft.com/windows2000/techinfo/howitworks/security/wintimeserv.asp. The following sections address the most common configuration scenarios for setting up time servers and clients in a heterogeneous environment.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 2:07 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] OT:winsock
I have had a winsock problem on a few different machines that was only fixable with an exe I downloaded somewhere. I will look for the link, or if I can't find it, I can probably at least find the file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 10, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock

It's uninstalled. This user has no firewall sw that I can tell, though I get a pop up saying "outlook express is trying to send an email. do you want to let it send it?" I have no idea what's making that pop up. It's made to look like it's coming from OE. The email is just the welcome message OE sends on first use.

thanks

-----Original Message-----
From: Robert Rutherford [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock

Have you got something else interfacing with the stack on the box, i.e. f/w software? Also... uninstall the wlan card and see if you still get the same issue on the internal nic.

BR
Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: 10 January 2005 15:39
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip address - "an operation was attempted on something that is not a socket". Also when I try to start my linksys wlan adapter, I get "10093: Successful WSAStartup not yet performed". I've uninstalled and reinstalled tcp/ip but no go. I know this is not a server issue, so I apologize for the OT.

thanks
RE: [ActiveDir] OT:winsock
Ok, I really don't have the time to go searching for the link, but I do have the file if you want it. I don't think I am supposed to attach files to messages in here, so just let me know if and how you want the file.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alex Fontana
Sent: Monday, January 10, 2005 12:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:winsock

http://support.microsoft.com/default.aspx?scid=kb;en-us;318584

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 10, 2005 7:39 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:winsock

I keep getting an error on a win2k pro sp4 laptop when renewing an ip address - "an operation was attempted on something that is not a socket". Also when I try to start my linksys wlan adapter, I get "10093: Successful WSAStartup not yet performed". I've uninstalled and reinstalled tcp/ip but no go. I know this is not a server issue, so I apologize for the OT.

thanks
RE: [ActiveDir] time server
From my understanding it (2K and K3) supports NTP for reading time from a source, not as a source. I.E. Windows with the default time service is not a NTP Source, it is a SNTP Source.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 2:07 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
I own the time service for Windows, so I can field the OS question. The NTP server in Windows 2003 is NTP V3 RFC compliant and third party NTP clients can (well *should*) be able to sync with it. When you say "doesn't seem to recognize", is there an error message? How does it find a valid NTP server?

-Nathan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 11:07 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
That's a good point Joe, I've never sniffed the traffic off the wire to be sure (nor used ~any other means) but the link I supplied certainly implies it's NTP based.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

From my understanding it (2K and K3) supports NTP for reading time from a source, not as a source. I.E. Windows with the default time service is not a NTP Source, it is a SNTP Source.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 2:07 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
As Al pointed out, some MS docs need to be reviewed... The one Al specifically pointed out, "http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx", says straight out that the Time Server is SNTP based.

"Windows Server 2003 time services are based upon the Simple Network Time Protocol (SNTP); this is a simplified version of the UNIX Network Time Protocol (NTP). The packet formats of both protocols are identical, and the servers and clients for each can be used interchangeably."

The interchangeable part seems to be more of a theory or hope than strictly the real world. From chats I have had previously with people who played with the time stuff a lot it seems that it is more likely a SNTP client will be able to use a NTP source than an NTP client using a SNTP source.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Monday, January 10, 2005 3:02 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] time server

I own the time service for Windows, so I can field the OS question. The NTP server in Windows 2003 is NTP V3 RFC compliant and third party NTP clients can (well *should*) be able to sync with it. When you say "doesn't seem to recognize", is there an error message? How does it find a valid NTP server?

-Nathan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 11:07 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
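The thread turns on what a DC actually puts on the wire: Nathan says the Windows 2003 server is NTP v3 RFC compliant, the Microsoft document quoted by Al and joe says SNTP and NTP share an identical packet format, and Dean notes he has never sniffed it to be sure. As an added example (not code from the thread or from Microsoft), the script below builds the 48-byte RFC 1305/RFC 2030 client request, decodes a server reply field by field (leap indicator, version, mode, stratum, timestamps), computes the RFC 1305 offset and delay, and lists the reasons a strict client would reject a reply, which is what a terse "Could not update Network Time Server" hides; the make_sample_reply() packet is constructed for offline use, and query_server() is the live variant to point at a DC.

```python
import socket
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTP_EPOCH_OFFSET = 2208988800                # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
NTP_HEADER = struct.Struct("!BBBbII4sQQQQ")  # 48-byte header shared by RFC 1305 (NTP) and RFC 2030 (SNTP)
NTP_PORT = 123

def to_ntp_timestamp(unix_seconds: float) -> int:
    whole = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (whole << 32) | frac

def from_ntp_timestamp(ts: int) -> float:
    if ts == 0:
        return 0.0  # all-zero timestamp means "unset"
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)

@dataclass
class NtpReply:
    leap: int
    version: int
    mode: int
    stratum: int
    reference_id: bytes
    reference_time: float
    originate_time: float  # t1: the client's transmit timestamp, echoed back by the server
    receive_time: float    # t2: when the server received the request
    transmit_time: float   # t3: when the server sent its reply

def build_client_request(version: int = 3, transmit_time: Optional[float] = None) -> bytes:
    """Mode 3 (client) request; an SNTP client sends exactly this same header."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    t1 = time.time() if transmit_time is None else transmit_time
    return NTP_HEADER.pack(li_vn_mode, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp_timestamp(t1))

def parse_reply(data: bytes) -> NtpReply:
    if len(data) < NTP_HEADER.size:
        raise ValueError(f"short NTP packet: {len(data)} bytes")
    (li_vn_mode, stratum, _poll, _precision, _root_delay, _root_disp,
     ref_id, ref_ts, orig_ts, recv_ts, tx_ts) = NTP_HEADER.unpack(data[:NTP_HEADER.size])
    return NtpReply(leap=li_vn_mode >> 6, version=(li_vn_mode >> 3) & 7, mode=li_vn_mode & 7,
                    stratum=stratum, reference_id=ref_id,
                    reference_time=from_ntp_timestamp(ref_ts), originate_time=from_ntp_timestamp(orig_ts),
                    receive_time=from_ntp_timestamp(recv_ts), transmit_time=from_ntp_timestamp(tx_ts))

def offset_and_delay(reply: NtpReply, t1: float, t4: float) -> Tuple[float, float]:
    """RFC 1305 clock offset and round-trip delay from the four timestamps."""
    t2, t3 = reply.receive_time, reply.transmit_time
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)

def sanity_problems(reply: NtpReply, t1: float) -> List[str]:
    """Reasons a strict NTP client would refuse this reply (assumed client-side checks)."""
    problems = []
    if reply.mode != 4:
        problems.append(f"mode {reply.mode}, expected 4 (server)")
    if not 1 <= reply.version <= 4:
        problems.append(f"unsupported version {reply.version}")
    if reply.stratum == 0 or reply.stratum > 15:
        problems.append(f"stratum {reply.stratum}: server unsynchronized or kiss-o'-death")
    if reply.leap == 3:
        problems.append("leap indicator 3: server clock not synchronized")
    if reply.transmit_time == 0.0:
        problems.append("zero transmit timestamp")
    if abs(reply.originate_time - t1) > 1e-3:
        problems.append("originate timestamp does not echo our transmit timestamp")
    return problems

def query_server(host: str, timeout: float = 2.0) -> Tuple[NtpReply, float, float]:
    """Live query (not exercised offline): parsed reply plus the local t1 and t4."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_client_request(3, t1), (host, NTP_PORT))
        data, _ = s.recvfrom(512)
        t4 = time.time()
    return parse_reply(data), t1, t4

def make_sample_reply(t1: float, t2: float, t3: float, stratum: int = 2, version: int = 3) -> bytes:
    """Constructed stratum-2, v3, mode-4 reply for offline use (not a captured packet)."""
    li_vn_mode = (version << 3) | 4
    return NTP_HEADER.pack(li_vn_mode, stratum, 10, -20, int(0.01 * 65536), int(0.02 * 65536),
                           b"\x0a\x00\x00\x01", to_ntp_timestamp(t2 - 64),
                           to_ntp_timestamp(t1), to_ntp_timestamp(t2), to_ntp_timestamp(t3))

if __name__ == "__main__":
    t1 = 1105372800.0  # constructed client transmit time
    reply = parse_reply(make_sample_reply(t1, t1 + 2.0, t1 + 2.0))
    print(reply.version, reply.mode, reply.stratum, sanity_problems(reply, t1))  # 3 4 2 []
    print(offset_and_delay(reply, t1, t1 + 1.0))  # (1.5, 1.0)
```

For a real check, call query_server("dc.example.corp") from the same subnet as the switch and compare the decoded fields with what the switch expects; a reply that parses as mode 4 with a sane stratum rules out the packet format as the cause.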
RE: [ActiveDir] time server
I've had problems with machines that are not part of the domain being unable to synch with the time service on a DC. It seems that if the machine is not part of the domain you are unable to use it as a time NTP or SNTP server.

Mike

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Monday, January 10, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

It's an AVAYA S8700 Media Server. The phone system admin showed me the web page where the Network Time Server should be configured on the AVAYA. It doesn't let me choose which protocol, it simply has a place for the IP address or DNS name of the Network Time Server. We entered the IP, and it says "Could not update Network Time Server" (as if it tries to query and fails). We can ping the AVAYA from the DC, and they are on the same subnet. I think (though unconfirmed) that the AVAYA runs on a proprietary Linux version. Only other option I thought might be a factor is Multicast client support, which is currently set to no. Our AD domains are Windows 2000.

mc

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: Monday, January 10, 2005 3:02 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] time server

I own the time service for Windows, so I can field the OS question. The NTP server in Windows 2003 is NTP V3 RFC compliant and third party NTP clients can (well *should*) be able to sync with it. When you say "doesn't seem to recognize", is there an error message? How does it find a valid NTP server?

-Nathan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, January 10, 2005 11:07 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] time server

Uncertain as to the OS in question here but Windows 2003 supports both NTP and SNTP - http://www.microsoft.com/technet/security/guidance/secmod118.mspx

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Does your switch use/support SNTP (Simple NTP)? That is what Windows DCs support, not NTP.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 11:27 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] time server

Our forest root server acts as the time server for AD domain member machines (I think that happens by default.) Do I have to take any additional steps to allow that same server to be the NTP server for a non-Windows device? The device is a phone switch on our network, and it doesn't seem to recognize that server as being a valid NTP server. Thanks!

Mark Creamer
RE: [ActiveDir] time server
510 software has a Windows port of NTP that works very well (all of my servers were running it back in the NT4 days). I suppose a person could use w32time to sync to the forest, and run ntp acting as a local time master to provide sync to the phone switch. You'd have to alternate them somehow (scheduled batch file?) because they'd both be trying to grab port 123. Messy, to say the least. Also, configuring NTP is a PITA. Can't you point the phone switch to some public NTP server?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 3:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

As Al pointed out, some MS docs need to be reviewed... The one Al specifically pointed out, http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx, says straight out that the Time Server is SNTP based:

"Windows Server 2003 time services are based upon the Simple Network Time Protocol (SNTP); this is a simplified version of the UNIX Network Time Protocol (NTP). The packet formats of both protocols are identical, and the servers and clients for each can be used interchangeably."

The interchangeable part seems to be more of a theory or hope than strictly the real world. From chats I have had previously with people who played with the time stuff a lot it seems that it is more likely a SNTP client will be able to use a NTP source than an NTP client using a SNTP source.

joe
RE: [ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies
Hi Ron,

You could use the Windows Server 2003 Security Guide from MS.

# Windows Server 2003 Security Guide
The Windows Server 2003 Security Guide provides guidance to assist in hardening Domain Controllers, Infrastructure servers, File servers, Print servers, IIS servers, IAS servers, Certificate Services, and bastion hosts.
# Click on the link to go to the page where you can download it!
http://www.microsoft.com/downloads/details.aspx?FamilyID=8a2643c1-0685-4d89-b655-521ea6c7b4dbdisplaylang=en

You could also use the info provided by the National Security Agency in their Security Configuration Guides (http://www.nsa.gov/snac/)

Cheers
Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 1/10/2005 4:29 PM
Subject: [ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies

This might not be the right forum for this question, but, does anyone have any templates for what needs to be locked-down for servers in the domain and in a DMZ. What ports and services that do not need to be running/open.

Ron Pennell
Institute For Defense Analyses
[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies
In the documents shown to you so far, you should find all the services (including ports, etc.) that you need to open up such a configuration. A good, basic hardening rule is: shut everything down (apart from the most basic services; you'll find those in the documents mentioned earlier) and then decide which services you need based on the server roles you designate to your servers.

However, I'd recommend thinking carefully whether or not you really, really want to open up your firewall like this. If it's just authentication you're looking for, perhaps IAS or a RADIUS server are more suitable, or consider using a standalone server. Also consider any legal requirements your organization might be subject to regarding security measures.

Regards,
Paul.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pennell, Ronald B.
Sent: Monday, January 10, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Office Topic: Windows 2000 2003 Servers Lockdown Policies

This might not be the right forum for this question, but, does anyone have any templates for what needs to be locked-down for servers in the domain and in a DMZ. What ports and services that do not need to be running/open.

Ron Pennell
Institute For Defense Analyses
[EMAIL PROTECTED]
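Paul's rule above (shut everything down, then open only what the role needs) in working form, as an added example that is not from the thread or from the guides it cites: it parses the output of `netstat -ano` on a Windows server and reports every listening socket that is outside an allowlist for the server's role, separating loopback-only listeners (not reachable from the network) from ones that are actually exposed. The sample netstat text is constructed, and the role baselines are illustrative assumptions; a real baseline comes from the hardening guide for that role plus local requirements.

```python
"""Added example: audit a Windows server's listening sockets against a per-role allowlist.
Input is the text of `netstat -ano`; the sample and the baselines below are constructed."""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port pid")

# Illustrative baselines (assumption for this example): (protocol, port) pairs a role
# is expected to expose. Take the real list from the guide for that role.
ROLE_BASELINES = {
    "domain-controller": {("tcp", 53), ("udp", 53), ("tcp", 88), ("udp", 88),
                          ("udp", 123), ("tcp", 135), ("tcp", 389), ("udp", 389),
                          ("tcp", 445), ("tcp", 464), ("udp", 464), ("tcp", 636),
                          ("tcp", 3268), ("tcp", 3269)},
    "file-server": {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)},
    "dmz-web": {("tcp", 80), ("tcp", 443)},
}

# One `netstat -ano` row: proto, local addr:port, foreign addr, optional state, pid.
# UDP rows have no state column, which is why the state group is optional.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

LOOPBACK_PREFIXES = ("127.", "[::1]")


def parse_netstat(text):
    """Return the sockets that accept unsolicited traffic: TCP in LISTENING state and all UDP."""
    found = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                        # header lines and anything malformed
        proto, addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                        # established/time-wait rows are not exposure
        found.append(Listener(proto.lower(), addr, int(port), int(pid)))
    return found


def audit(listeners, role):
    """Split listeners into allowed-by-role, unexpected-but-loopback-only, and unexpected."""
    if role not in ROLE_BASELINES:
        raise KeyError("no baseline for role %r" % role)
    baseline = ROLE_BASELINES[role]
    report = {"allowed": [], "loopback_only": [], "unexpected": []}
    for lst in listeners:
        if (lst.proto, lst.port) in baseline:
            report["allowed"].append(lst)
        elif lst.addr.startswith(LOOPBACK_PREFIXES):
            report["loopback_only"].append(lst)   # not reachable from the network
        else:
            report["unexpected"].append(lst)      # service to disable or firewall
    for key in report:
        report[key].sort(key=lambda x: (x.proto, x.port, x.addr))
    return report


# Constructed sample: a DC that also has IIS (tcp/80) and SNMP (udp/161) listening.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING       1232
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       724
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       428
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       428
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       428
  TCP    192.168.1.10:3389      192.168.1.55:50012     ESTABLISHED     1188
  TCP    [::]:3268              [::]:0                 LISTENING       428
  UDP    0.0.0.0:123            *:*                                    1044
  UDP    0.0.0.0:161            *:*                                    1500
  UDP    192.168.1.10:389       *:*                                    428
"""


def unexpected_ports(text, role):
    """The (proto, port, pid) triples that need a decision for this role."""
    return [(l.proto, l.port, l.pid) for l in audit(parse_netstat(text), role)["unexpected"]]


if __name__ == "__main__":
    for entry in unexpected_ports(SAMPLE_NETSTAT, "domain-controller"):
        print("unexpected listener on a DC:", entry)
```

The PID column is what makes the report actionable: map it to a process (tasklist /svc) to find the service to disable, rather than just blocking the port and leaving the code running.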
RE: [ActiveDir] time server
Have you checked the DC in question to see what it's reporting? You may also want to grab a net trace to see the packets on the wire. Those two things might help to clarify the issue (permissions, incompat, etc.) faster. If the phone switch has a log file or output, that also might be helpful in this situation.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 3:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

It's an AVAYA S8700 Media Server. The phone system admin showed me the web page where the Network Time Server should be configured on the AVAYA. It doesn't let me choose which protocol, it simply has a place for the IP address or DNS name of the Network Time Server. We entered the IP, and it says "Could not update Network Time Server" (as if it tries to query and fails). We can ping the AVAYA from the DC, and they are on the same subnet. I think (though unconfirmed) that the AVAYA runs on a proprietary Linux version. Only other option I thought might be a factor is Multicast client support, which is currently set to no. Our AD domains are Windows 2000.

mc
RE: [ActiveDir] time server
Is there anything on the network in between your AD domain and the phone switch? I know it's fairly common for phone switches to be behind some type of NATing firewall, although it doesn't happen everywhere.

Phil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 10, 2005 4:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

Have you checked the DC in question to see what it's reporting? You may also want to grab a net trace to see the packets on the wire. Those two things might help to clarify the issue (permissions, incompat, etc.) faster. If the phone switch has a log file or output, that also might be helpful in this situation.

Al
RE: [ActiveDir] time server
The packets are identical, and NTP actually came first. I just spoke with my time developer and he confirmed that time syncs should be able to work ntp - sntp, and sntp - ntp. Most of the problems we've seen with interoperability have been caused by client side logic in applications doing weird things like version checks, etc.

The best way to get to the bottom of Mark's NTP phone problem is network sniffs. You could try turning on W32time debug logging on the 2000 server and see if you can catch the discovery request. I think the sniff is the best way to go. Or, you could always upgrade to 2003 :)

Regarding the doc, it's obviously wrong (I'll get it fixed). The W32time server service in 2000 was SNTP, and in 2003 it's NTP.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 10, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

As Al pointed out, some MS docs need to be reviewed... The one Al specifically pointed out, http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/06wsdsu.mspx, says straight out that the Time Server is SNTP based:

"Windows Server 2003 time services are based upon the Simple Network Time Protocol (SNTP); this is a simplified version of the UNIX Network Time Protocol (NTP). The packet formats of both protocols are identical, and the servers and clients for each can be used interchangeably."

The interchangeable part seems to be more of a theory or hope than strictly the real world. From chats I have had previously with people who played with the time stuff a lot it seems that it is more likely a SNTP client will be able to use a NTP source than an NTP client using a SNTP source.

joe
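The interoperability point made in the reply above (one packet layout for NTP and SNTP; failures come from client-side logic such as version checks), as an added example that is not code from the thread or from Microsoft's W32time: it builds an NTP v3 client request, parses a constructed reply from a v3 server, shows that a client insisting on version 4 rejects it while a client that checks mode, stratum, leap indicator and the echoed originate timestamp accepts it, and computes the RFC 1305 offset and delay. All timestamps are made-up sample values, not a capture from a DC or a phone switch.

```python
"""Added example: NTP/SNTP v3 client-side packet builder and reply checker.
NTP (RFC 1305) and SNTP (RFC 2030) share the same 48-byte header; only the
client's validation logic decides whether a v3 server reply is accepted."""
import struct

NTP_UNIX_DELTA = 2208988800      # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET_FMT = "!BBBbIIIQQQQ"      # li/vn/mode, stratum, poll, precision, root delay,
                                 # root dispersion, reference id, 4 x 64-bit timestamps
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 48 bytes for both NTP and SNTP
MODE_CLIENT, MODE_SERVER = 3, 4
LEAP_UNSYNCHRONISED = 3


def to_ntp64(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    if unix_time == 0:
        return 0                                  # zero means "not set" on the wire
    whole = int(unix_time)
    frac = min(int(round((unix_time - whole) * (1 << 32))), 0xFFFFFFFF)
    return ((whole + NTP_UNIX_DELTA) << 32) | frac


def from_ntp64(value):
    """64-bit NTP timestamp -> Unix seconds (float)."""
    if value == 0:
        return 0.0
    return (value >> 32) - NTP_UNIX_DELTA + (value & 0xFFFFFFFF) / float(1 << 32)


def build_packet(mode, version, stratum=0, originate=0.0, receive=0.0, transmit=0.0):
    """Serialise a packet; a client request sets only mode, version and transmit."""
    first = (0 << 6) | (version << 3) | mode      # leap indicator 0 = no warning
    return struct.pack(PACKET_FMT, first, stratum, 0, 0, 0, 0, 0,
                       0, to_ntp64(originate), to_ntp64(receive), to_ntp64(transmit))


def parse_packet(data):
    """Decode the header fields a client needs; raises on a truncated datagram."""
    if len(data) < PACKET_LEN:
        raise ValueError("short packet: %d bytes, need %d" % (len(data), PACKET_LEN))
    f = struct.unpack(PACKET_FMT, data[:PACKET_LEN])
    return {
        "leap": f[0] >> 6,
        "version": (f[0] >> 3) & 0x7,
        "mode": f[0] & 0x7,
        "stratum": f[1],
        "originate_raw": f[8],                    # raw, for an exact echo comparison
        "originate": from_ntp64(f[8]),
        "receive": from_ntp64(f[9]),
        "transmit": from_ntp64(f[10]),
    }


def validate_reply(pkt, t1, required_version=None):
    """Checks a client should apply before trusting a reply.
    required_version models the brittle behaviour described in the thread: rejecting
    a reply only because its version field is not the one the client expected."""
    if pkt["mode"] != MODE_SERVER:
        return False, "mode %d is not a server reply" % pkt["mode"]
    if required_version is not None and pkt["version"] != required_version:
        return False, "version %d, client insists on %d" % (pkt["version"], required_version)
    if not 1 <= pkt["version"] <= 4:
        return False, "unknown version %d" % pkt["version"]
    if pkt["leap"] == LEAP_UNSYNCHRONISED or pkt["stratum"] == 0:
        return False, "server not synchronised (leap=%d, stratum=%d)" % (pkt["leap"], pkt["stratum"])
    if pkt["originate_raw"] != to_ntp64(t1):
        return False, "originate timestamp does not echo our request (unsolicited or replayed)"
    return True, "ok"


def clock_offset(pkt, t4):
    """RFC 1305 offset and round-trip delay from the four timestamps (t4 = local receive time)."""
    t1, t2, t3 = pkt["originate"], pkt["receive"], pkt["transmit"]
    return ((t2 - t1) + (t3 - t4)) / 2.0, (t4 - t1) - (t3 - t2)


def demo():
    """Constructed exchange: a v3 client and a v3 server (sample times, not a capture)."""
    t1 = 1105400000.0                                     # client transmit time
    request = build_packet(MODE_CLIENT, 3, transmit=t1)
    reply = build_packet(MODE_SERVER, 3, stratum=2, originate=t1,   # server echoes t1
                         receive=1105400001.0, transmit=1105400001.01)
    t4 = 1105400000.02                                    # client receive time
    pkt = parse_packet(reply)
    lenient_ok, _ = validate_reply(pkt, t1)
    strict_ok, why = validate_reply(pkt, t1, required_version=4)
    offset, delay = clock_offset(pkt, t4)
    return {"request_len": len(request), "lenient_ok": lenient_ok, "strict_ok": strict_ok,
            "strict_reason": why, "offset": offset, "delay": delay}


if __name__ == "__main__":
    print(demo())
```

The originate-timestamp comparison is the one check worth keeping strict: it discards replies the client never asked for. It does not authenticate the server, so on an untrusted segment unauthenticated (S)NTP is still spoofable, and a sniff on the wire is also the quickest way to see what the switch actually sends and what the DC answers.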
RE: [ActiveDir] time server
Mark,

I've got a number of Avayas (S8700's) at work. I can check with our on-staff Avaya folks, as I know that they are synching time internally. However, I think that it's going back against our AIX systems. But, as to it being Linux - it's how you order the modules. I have at least one or two modules that are Windows 2000 based for our CTI needs.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, January 10, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] time server

It's an AVAYA S8700 Media Server. The phone system admin showed me the web page where the Network Time Server should be configured on the AVAYA. It doesn't let me choose which protocol, it simply has a place for the IP address or DNS name of the Network Time Server. We entered the IP, and it says "Could not update Network Time Server" (as if it tries to query and fails). We can ping the AVAYA from the DC, and they are on the same subnet. I think (though unconfirmed) that the AVAYA runs on a proprietary Linux version. Only other option I thought might be a factor is Multicast client support, which is currently set to no. Our AD domains are Windows 2000.

mc
[ActiveDir] Domain name and server name don't match
Apparently I'm now the new parent of a (misconfigured, I think) AD that was unceremoniously dumped in my lap. Not having any 'real' experience with AD I set off on a search. I've used my trusty O'Reilly Bookshelf to grab some of the more recommended books (AD Cookbook, AD Forestry and Inside Active Directory). Until I can make it through these books I have a couple of questions.

1) If there is only one Win2k DC in a domain, does it take on all the FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Daemon)?

2) If you add more DC's, how/what decides who is going to be the Schema master, Domain Naming Master, etc?

3) To run the AdPrep /ForestPrep and AdPrep /DomainPrep commands you must be a member of the Schema Admins and Enterprise Admins groups. Are those groups created when you up the functional level from Mixed to Native mode? Because our AD is in mixed mode and those groups are not present.

Thanks in advance.

Alonzo
RE: [ActiveDir] Domain name and server name don't match
1,2. The first DC in a Forest will hold all 5 roles. Moving the roles around when additional DC's are introduced has some factors involved. For small/simple environments, leaving them all on one DC is probably fine. I would make each DC a GC, too. More specifically, there's little need to move the Domain Naming and Schema Master roles since they're minimally utilized. PDCE, RID and Infrastructure Master roles are more of a concern.

3. Those groups should exist. You may want to look around in case they've been renamed. You can review the following KB article for the SID's since they're part of the well known list. http://support.microsoft.com/default.aspx?scid=kb;en-us;243330

SID: S-1-5-<root domain>-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.

SID: S-1-5-<root domain>-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alonzo Hess
Sent: Monday, January 10, 2005 20:13
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain name and server name don't match

Apparently I'm now the new parent of a (misconfigured, I think) AD that was unceremoniously dumped in my lap. Not having any 'real' experience with AD I set off on a search. I've used my trusty O'Reilly Bookshelf to grab some of the more recommended books (AD Cookbook, AD Forestry and Inside Active Directory). Until I can make it through these books I have a couple of questions.

1) If there is only one Win2k DC in a domain, does it take on all the FSMO roles (Schema Master, Domain Naming Master, RID Master, PDC Emulator, Infrastructure Daemon)?

2) If you add more DC's, how/what decides who is going to be the Schema master, Domain Naming Master, etc?

3) To run the AdPrep /ForestPrep and AdPrep /DomainPrep commands you must be a member of the Schema Admins and Enterprise Admins groups. Are those groups created when you up the functional level from Mixed to Native mode? Because our AD is in mixed mode and those groups are not present.

Thanks in advance.

Alonzo
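The advice above to find the groups by SID rather than by name, as an added example that is not code from the thread or from the KB article: it decodes the binary objectSid attribute as AD stores it, recognises the well-known domain-relative RIDs (518 Schema Admins, 519 Enterprise Admins, plus a few others every AD has) and a couple of non-domain well-known SIDs, and reports what each privileged group is currently called. The directory entries and the domain SID are constructed sample data; the RID table lists only values that are fixed in every AD domain.

```python
"""Added example: decode AD objectSid values and locate Schema Admins / Enterprise
Admins by their well-known RIDs even after the groups have been renamed."""
import struct

# Well-known RIDs relative to a domain SID (S-1-5-21-<a>-<b>-<c>-<rid>).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",        # defined only in the forest root domain
    519: "Enterprise Admins",    # defined only in the forest root domain
}
# Well-known SIDs that are not domain-relative.
WELL_KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def sid_from_bytes(data):
    """Binary SID (objectSid layout) -> 'S-1-5-...' string.
    Layout: revision(1) subauth_count(1) authority(6, big-endian) subauthorities(4 each, LE)."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if revision != 1 or count > 15:
        raise ValueError("unsupported SID revision or sub-authority count")
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length %d does not match %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid):
    """Inverse of sid_from_bytes; used here only to build sample objectSid values."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("bad SID string %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_domain_rid(sid):
    """(domain SID, RID) for a domain-relative SID, else None."""
    parts = sid.split("-")
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None


def well_known_name(sid):
    """Canonical name for a well-known SID, or None for an ordinary principal."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    dom = split_domain_rid(sid)
    if dom and dom[1] in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[dom[1]]
    return None


def find_privileged_groups(entries):
    """entries: (sAMAccountName, objectSid bytes) pairs as read from the directory.
    Returns {well-known name: current sAMAccountName}, so a renamed group is still found."""
    found = {}
    for name, raw_sid in entries:
        canonical = well_known_name(sid_from_bytes(raw_sid))
        if canonical is not None:
            found[canonical] = name
    return found


# Constructed sample directory (made-up domain SID); Schema Admins has been renamed,
# which is the case the reply above warns about.
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ENTRIES = [
    ("SchemaOps",         sid_to_bytes(SAMPLE_DOMAIN + "-518")),
    ("Enterprise Admins", sid_to_bytes(SAMPLE_DOMAIN + "-519")),
    ("Domain Users",      sid_to_bytes(SAMPLE_DOMAIN + "-513")),
    ("HelpdeskStaff",     sid_to_bytes(SAMPLE_DOMAIN + "-1105")),
]

if __name__ == "__main__":
    for canonical, actual in sorted(find_privileged_groups(SAMPLE_ENTRIES).items()):
        print("%-18s is currently named %r" % (canonical, actual))
```

The same lookup is what you want in log review: an event that names a group tells you its current display name, while the SID in the event tells you whether it is one of the forest-wide groups regardless of what it has been renamed to.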
[ActiveDir] Sorry about the subject on the previous post
Sorry about the subject on the previous post. That was another question I was going to ask.

Alonzo
Re: [ActiveDir] Add users?
Hi

I mean when I see the properties of the user, in the Account tab, in the User logon name I find it empty, even in the script I am putting A and F, and in the User logon name (pre-Windows 2000) there is the user name, but in the User logon name there is nothing, is this ok?

thank you

On Mon, 10 Jan 2005 17:23:27 +0200, Sakari Kouti [EMAIL PROTECTED] wrote:

Hi Rubix,

I'm not sure what you mean, but HTH. A user in AD has the following names:

A. CN = common name = Name column in tools = RDN (e.g. Jack Brown or CN=Jack Brown)
B. First name = givenName (e.g. Jack)
C. Last name = sn (e.g. Brown)
D. Display name = displayName (e.g. Jack Brown)
E. User logon name = userPrincipalName = UPN = long logon name (e.g. [EMAIL PROTECTED])
F. User logon name (pre-Win2000) = sAMAccountName = SAM name = NT name = short logon name (e.g. JackB)

A and F are mandatory, the rest are optional. E and F the user can use for logon, interchangeably. The label of F includes pre-Win2000, but it's a little incorrect, because you can use it practically anywhere in Windows 2000 and newer.

The samid option of DSAdd is the same as F above, and it should work as a username for you (depending on what you mean).

Yours,
Sakari

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, January 10, 2005 1:22 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add users?

Ok I could see it now, sorry, thanks, it's working great. I have only one question: what's the use of the -uci option if I can't pass the parameters in an input file? And I have to make the command each time I want to create a new user? Also in the addusers.exe Windows 2000 tool, the username was used, now I have to use UserDN and samid and neither seem to be working as a username?

thank you
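Sakari's list of name attributes (A to F) turned into a batch-provisioning example, added here and not code from the thread: it generates an LDIF file from a CSV, setting cn, givenName, sn, displayName, userPrincipalName and sAMAccountName for every user, which addresses the earlier question about creating many users from an input file (the result is imported with ldifde -i). The CSV rows, the OU and the UPN suffix are assumptions for the example. It backslash-escapes DN special characters so that a surname containing a comma cannot change where the object is created, and base64-encodes values that LDIF cannot carry literally.

```python
"""Added example: CSV -> LDIF for creating AD users with all six name attributes set.
Sample CSV, OU and UPN suffix are constructed; the escaping follows RFC 4514 (DNs)
and RFC 2849 (LDIF)."""
import base64
import csv
import io

_DN_SPECIALS = ',+"\\<>;'   # characters that must be escaped inside an RDN value


def escape_rdn_value(value):
    """Escape a CN value so 'Silva, Jr.' cannot inject an extra RDN into the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def user_record(first, last, sam, users_ou, upn_suffix):
    """One LDIF add record: cn/displayName from the names, UPN from the SAM name."""
    cn = "%s %s" % (first, last)
    lines = [
        ldif_line("dn", "CN=%s,%s" % (escape_rdn_value(cn), users_ou)),
        "changetype: add",
        "objectClass: user",
        ldif_line("cn", cn),
        ldif_line("givenName", first),
        ldif_line("sn", last),
        ldif_line("displayName", cn),
        ldif_line("sAMAccountName", sam),
        ldif_line("userPrincipalName", "%s@%s" % (sam, upn_suffix)),
    ]
    return "\n".join(lines) + "\n"


def csv_to_ldif(csv_text, users_ou, upn_suffix):
    """Turn 'first,last,sam' rows into one LDIF document; rejects missing/duplicate SAM names."""
    records, seen = [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        sam = row["sam"].strip()
        if not sam or sam.lower() in seen:
            raise ValueError("missing or duplicate sAMAccountName: %r" % sam)
        seen.add(sam.lower())
        records.append(user_record(row["first"].strip(), row["last"].strip(),
                                   sam, users_ou, upn_suffix))
    return "\n".join(records)


# Constructed sample input; the OU and UPN suffix are assumptions for this example.
SAMPLE_CSV = """first,last,sam
Jack,Brown,JackB
Ana,"Silva, Jr.",AnaS
Zoë,Müller,ZoeM
"""
SAMPLE_OU = "OU=Users,DC=example,DC=com"
SAMPLE_UPN_SUFFIX = "example.com"

if __name__ == "__main__":
    print(csv_to_ldif(SAMPLE_CSV, SAMPLE_OU, SAMPLE_UPN_SUFFIX))
```

The file deliberately carries no passwords, so the accounts are created disabled; set the password and enable each account afterwards over a protected channel rather than putting secrets in a text file that gets passed around.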