RE: [ActiveDir]Group Policy editor

2005-01-31 Thread Darren Mar-Elia



Check out http://support.microsoft.com/default.aspx?scid=kb;en-us;555218.
It's my own personal little KB article :-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]Group Policy editor

No these are not the admin templates.  These are like I cannot see the options
for internet maintenance wizard, startup and shutdown script, Folder
redirection..  Nothing except Remote installation service.  This is on a
Windows XP SP2 workstation with the 2k3 admin pak installed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 31, 2005 9:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]Group Policy editor

What were you expecting to see?  Some of the options will only show up from a
machine that has that software loaded.  An example of that is the Windows
Firewall settings which are found when connecting via XP SP2 workstation but
not from the server console.

Is that possible in this case?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy editor

My Group policy editor is missing some options.  For instance under user
configuration windows settings the only thing there is Remote installation
Services.  None of the other options are there to set.  Anyone seen this and
know a fix?
 


RE: [ActiveDir]Group Policy editor

2005-01-31 Thread Douglas M. Long
Sounds to me like you may have a user mode custom console. Try creating a new 
instance, or cleaning out the view options by going to options/disk cleanup in 
the mmc console



From: [EMAIL PROTECTED] on behalf of Cothern Jeff D. Team EITC
Sent: Mon 1/31/2005 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]Group Policy editor



No these are not the admin templates.  These are like I cannot see the options
for internet maintenance wizard, startup and shutdown script, Folder
redirection..  Nothing except Remote installation service.  This is on a
Windows XP SP2 workstation with the 2k3 admin pak installed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 31, 2005 9:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]Group Policy editor

What were you expecting to see?  Some of the options will only show up from a
machine that has that software loaded.  An example of that is the Windows
Firewall settings which are found when connecting via XP SP2 workstation but
not from the server console.

Is that possible in this case?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy editor

My Group policy editor is missing some options.  For instance under user
configuration windows settings the only thing there is Remote installation
Services.  None of the other options are there to set.  Anyone seen this and
know a fix?

RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

2005-01-31 Thread Eric Fleischman








That tells me where in code you were when that error condition was noticed.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Monday, January 31, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ADS&S mods replicate, ADUC mods does not

Thanks much!

Any idea what NTDS (708) Internal trace: [EMAIL PROTECTED] is all about?

John W

- Original Message -
From: Katherine Coombs
To: ActiveDir@mail.activedir.org
Sent: Monday, January 31, 2005 8:19 PM
Subject: RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

Hi John,

Check out:

http://www.eventid.net/display.asp?eventid=1084&eventno=980&source=NTDS%20Replication&phase=1

HTH,
Katherine

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Tuesday, 1 February 2005 11:05 AM
To: ActiveDir List Server
Subject: [ActiveDir] ADS&S mods replicate, ADUC mods does not

One of our divisions has a DC in a child domain of a large W2k forest (empty
root & 8 child domains, 200+ total DCs) that is having replication issues.
Sites and Services modifications replicate ok (we have successfully
manipulated ntdsConnections settings), but changes made in Users and Computers
(new user accounts) do not.  Our plan is to blow away the server, clean up the
metadata, and then rebuild and reintroduce the server.  Prior to doing this,
however, I was wondering if anyone had any input given on the listed errors:

The following errors are consistent in the Directory Service log on the
remote server:

Event Type: Error
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1084
Date:  1/31/2005
Time:  6:09:46 PM
User:  Everyone
Computer: 
Description:
Replication error: The directory replication agent (DRA) couldn't update object
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
have been received from source server
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx.
An error occurred during the application of the changes to the directory
database on this system.

The error message is:
The replication operation encountered a database error.

The directory will try to update the object later on the next replication
cycle. Synchronization of this server with the source is effectively blocked
until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop
and restart this Windows Domain Controller.

If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required to
correct the database and allow the update to proceed.  It is valuable to note
that the problem is caused by the fact that the change on the remote system
cannot be applied locally. Manually updating the objects on the local system
in not recommended. Instead, on the source system (which has the changes
already), try to reverse or back out the change.  Then, on the next
replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
Data:
: 03 21 00 00   .!..

The above error occurs twice for two different objects, one object from within
the domain, and one object from outside the domain (a different child domain).
Each iteration is followed by the following Information entry:

Event Type: Information
Event Source: NTDS ISAM
Event Category: General
Event ID: 901
Date:  1/31/2005
Time:  6:09:59 PM
User:  N/A
Computer: 
Description:
NTDS (708) Internal trace: [EMAIL PROTECTED]

DCDiags yields the following information:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: \
      Starting test: Connectivity
         . passed test Connectivity

Doing primary tests

   Testing server: \
      Starting test: Replications
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to 
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
         REPLICATION LATENCY WARNING
         : A full synchronization is in progress
            from  to 
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,] A recent replication attempt failed:
            From  to 
            Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx
            Th

RE: [ActiveDir]Group Policy editor

2005-01-31 Thread Cothern Jeff D. Team EITC








No these are not the admin templates.  These are like I cannot see the options
for internet maintenance wizard, startup and shutdown script, Folder
redirection..  Nothing except Remote installation service.  This is on a
Windows XP SP2 workstation with the 2k3 admin pak installed.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, January 31, 2005 9:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir]Group Policy editor

What were you expecting to see?  Some of the options will only show up from a
machine that has that software loaded.  An example of that is the Windows
Firewall settings which are found when connecting via XP SP2 workstation but
not from the server console.

Is that possible in this case?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy editor

My Group policy editor is missing some options.  For instance under user
configuration windows settings the only thing there is Remote installation
Services.  None of the other options are there to set.  Anyone seen this and
know a fix?

 








RE: [ActiveDir]Group Policy editor

2005-01-31 Thread Mulnick, Al



What were you expecting to see?  Some of the options will only show up from a
machine that has that software loaded.  An example of that is the Windows
Firewall settings which are found when connecting via XP SP2 workstation but
not from the server console.

Is that possible in this case?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Group Policy editor

My Group policy editor is missing some options.  For instance under user
configuration windows settings the only thing there is Remote installation
Services.  None of the other options are there to set.  Anyone seen this and
know a fix?
 


Re: [ActiveDir] ADS&S mods replicate, ADUC mods does not

2005-01-31 Thread John Witasick



Thanks much!

Any idea what NTDS (708) Internal trace: [EMAIL PROTECTED] is all about?

John W

  - Original Message -
  From: Katherine Coombs
  To: ActiveDir@mail.activedir.org
  Sent: Monday, January 31, 2005 8:19 PM
  Subject: RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

  Hi John,

  Check out:

  http://www.eventid.net/display.asp?eventid=1084&eventno=980&source=NTDS%20Replication&phase=1

  HTH,
  Katherine

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
  Sent: Tuesday, 1 February 2005 11:05 AM
  To: ActiveDir List Server
  Subject: [ActiveDir] ADS&S mods replicate, ADUC mods does not

  One of our divisions has a DC in a child domain of a large W2k forest (empty
  root & 8 child domains, 200+ total DCs) that is having replication issues.
  Sites and Services modifications replicate ok (we have successfully
  manipulated ntdsConnections settings), but changes made in Users and
  Computers (new user accounts) do not.  Our plan is to blow away the server,
  clean up the metadata, and then rebuild and reintroduce the server.  Prior
  to doing this, however, I was wondering if anyone had any input given on the
  listed errors:

  The following errors are consistent in the Directory Service log on the
  remote server:

  Event Type: Error
  Event Source: NTDS Replication
  Event Category: (5)
  Event ID: 1084
  Date:  1/31/2005
  Time:  6:09:46 PM
  User:  Everyone
  Computer: 
  Description:
  Replication error: The directory replication agent (DRA) couldn't update object
  CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
  (GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
  have been received from source server
  752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx.
  An error occurred during the application of the changes to the directory
  database on this system.

  The error message is:
  The replication operation encountered a database error.

  The directory will try to update the object later on the next replication
  cycle. Synchronization of this server with the source is effectively blocked
  until the update problem is corrected.

  If this condition appears to be related to a resource shortage, please stop
  and restart this Windows Domain Controller.

  If this condition is an internal error, a database error, or an object
  relationship or constraint error, manual intervention will be required to
  correct the database and allow the update to proceed.  It is valuable to
  note that the problem is caused by the fact that the change on the remote
  system cannot be applied locally. Manually updating the objects on the local
  system in not recommended. Instead, on the source system (which has the
  changes already), try to reverse or back out the change.  Then, on the next
  replication cycle, observe whether the change can now be applied locally.

  The record data is the status code.
  Data:
  : 03 21 00 00   .!..

  The above error occurs twice for two different objects, one object from
  within the domain, and one object from outside the domain (a different child
  domain).  Each iteration is followed by the following Information entry:

  Event Type: Information
  Event Source: NTDS ISAM
  Event Category: General
  Event ID: 901
  Date:  1/31/2005
  Time:  6:09:59 PM
  User:  N/A
  Computer: 
  Description:
  NTDS (708) Internal trace: [EMAIL PROTECTED]

  DCDiags yields the following information:

  Domain Controller Diagnosis

  Performing initial setup:
     Done gathering initial info.

  Doing initial required tests

     Testing server: \
        Starting test: Connectivity
           . passed test Connectivity

  Doing primary tests

     Testing server: \
        Starting test: Replications
           REPLICATION LATENCY WARNING
           : This replication path was preempted by higher priority work.
              from  to 
              Reason: The operation completed successfully.
              The last success occurred at (never).
              Replication of new changes along this path will be delayed.
              Progress is occurring normally on this path.
           REPLICATION LATENCY WARNING
           : A full synchronization is in progress
              from  to 
              Replication of new changes along this path will be delayed.
              The full sync is 0.00% complete.
           [Replications Check,] A recent replication attempt failed:
              From  to 
              Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx
              The replication generated an error (8451):
              The replication operation encountered a database error.
              The failure occurred at 2005-01-31 18:09.50.
              The last success occurred at
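
Added example, not part of the original thread: the event text says its record data is the status code, so this Python sketch decodes the four posted bytes as a little-endian DWORD and checks the result against the error number dcdiag printed. The function names are hypothetical and the sample text is constructed from the lines quoted in the message above.

```python
import re
import struct

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# Constructed sample: event 1084 as quoted in the thread, line breaks normalised.
EVENT_TEXT = """\
Event Type: Error
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1084
Description:
Replication error: The directory replication agent (DRA) couldn't update object
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
have been received from source server
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx.
The record data is the status code.
Data:
: 03 21 00 00   .!..
"""

# Constructed sample: the failing dcdiag Replications lines quoted in the thread.
DCDIAG_TEXT = """\
[Replications Check,] A recent replication attempt failed:
   Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx
   The replication generated an error (8451):
   The replication operation encountered a database error.
   The failure occurred at 2005-01-31 18:09.50.
"""


def decode_record_data(hex_bytes):
    """Decode a 4-byte event record dump as a little-endian DWORD status code."""
    raw = bytes.fromhex("".join(hex_bytes.split()))
    if len(raw) != 4:
        raise ValueError("expected exactly 4 bytes of record data, got %d" % len(raw))
    return struct.unpack("<I", raw)[0]


def parse_event(text):
    """Pull the fields needed for triage out of a pasted Event Viewer entry."""
    fields = dict(re.findall(r"^(Event (?:Source|ID)):[ \t]*(.*?)[ \t]*$", text, re.M))
    obj = re.search(r"\(GUID (%s)\)" % GUID, text)
    # The source server is named by GUID under _msdcs; keep the GUID part.
    dsa = re.search(r"(%s)\._msdcs\." % GUID, text)
    # The hex offset before the colon may be missing, as it is in the thread.
    data = re.search(
        r"^Data:\s*[0-9A-Fa-f]*:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]+){3}[0-9A-Fa-f]{2})",
        text, re.M)
    return {
        "event_id": int(fields["Event ID"]) if "Event ID" in fields else None,
        "source": fields.get("Event Source"),
        "object_guid": obj.group(1) if obj else None,
        "source_dsa_guid": dsa.group(1) if dsa else None,
        "status": decode_record_data(data.group(1)) if data else None,
    }


def dcdiag_error_codes(text):
    """Return every numeric error dcdiag reported for a failed replication attempt."""
    return [int(n) for n in re.findall(r"replication generated an error \((\d+)\)", text)]


def same_failure(event, dcdiag_text):
    """True when the event's status code is one of the errors dcdiag reported."""
    return event["status"] is not None and event["status"] in dcdiag_error_codes(dcdiag_text)


if __name__ == "__main__":
    ev = parse_event(EVENT_TEXT)
    print("event %s from %s" % (ev["event_id"], ev["source"]))
    print("status 0x%08X (%d)" % (ev["status"], ev["status"]))
    print("object %s, source DSA %s" % (ev["object_guid"], ev["source_dsa_guid"]))
    print("matches dcdiag:", same_failure(ev, DCDIAG_TEXT))
```
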

RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

2005-01-31 Thread Eric Fleischman








I’m not sure I’d do all of the steps on that page.

Q837932 could be it, but hard to say with just the event message text.

I’d recommend following 837932, and if that doesn’t do it get us a ds event
log from the target DC and source DC with replication + internal processing
both set to 5. With those two EVTs we could better say what’s going on.

I would not recommend deleting log files or running esentutl to repair your
db. Both are not so hot ideas.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katherine Coombs
Sent: Monday, January 31, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

Hi John,

Check out:

http://www.eventid.net/display.asp?eventid=1084&eventno=980&source=NTDS%20Replication&phase=1

HTH,
Katherine

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Tuesday, 1 February 2005 11:05 AM
To: ActiveDir List Server
Subject: [ActiveDir] ADS&S mods replicate, ADUC mods does not

One of our divisions has a DC in a child domain of a large W2k forest (empty
root & 8 child domains, 200+ total DCs) that is having replication issues.
Sites and Services modifications replicate ok (we have successfully
manipulated ntdsConnections settings), but changes made in Users and Computers
(new user accounts) do not.  Our plan is to blow away the server, clean up the
metadata, and then rebuild and reintroduce the server.  Prior to doing this,
however, I was wondering if anyone had any input given on the listed errors:

The following errors are consistent in the Directory Service log on the
remote server:

Event Type: Error
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1084
Date:  1/31/2005
Time:  6:09:46 PM
User:  Everyone
Computer: 
Description:
Replication error: The directory replication agent (DRA) couldn't update object
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
have been received from source server
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx.
An error occurred during the application of the changes to the directory
database on this system.

The error message is:
The replication operation encountered a database error.

The directory will try to update the object later on the next replication
cycle. Synchronization of this server with the source is effectively blocked
until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop
and restart this Windows Domain Controller.

If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required to
correct the database and allow the update to proceed.  It is valuable to note
that the problem is caused by the fact that the change on the remote system
cannot be applied locally. Manually updating the objects on the local system
in not recommended. Instead, on the source system (which has the changes
already), try to reverse or back out the change.  Then, on the next
replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
Data:
: 03 21 00 00   .!..

The above error occurs twice for two different objects, one object from within
the domain, and one object from outside the domain (a different child domain).
Each iteration is followed by the following Information entry:

Event Type: Information
Event Source: NTDS ISAM
Event Category: General
Event ID: 901
Date:  1/31/2005
Time:  6:09:59 PM
User:  N/A
Computer: 
Description:
NTDS (708) Internal trace: [EMAIL PROTECTED]

DCDiags yields the following information:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: \
      Starting test: Connectivity
         . passed test Connectivity

Doing primary tests

   Testing server: \
      Starting test: Replications
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to 
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
         REPLICATION LATENCY WARNING
         : A full synchronization is in progress
            from  to 
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,] A recent replication attempt failed:
            From  to 
            Naming Context: DC=xxx,DC

RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Salandra, Justin A.
Yes I am



From: [EMAIL PROTECTED] on behalf of Darren Mar-Elia
Sent: Mon 1/31/2005 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO My Documents Redirect Question



Are you checking the "Grant Exclusive rights to the folder..." option
when you set up redirection?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

There are only errors when the user is not the owner of the folder.
Once they are the owner then all is good.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 31, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Bernard, Aric








Unfortunately it does not relieve any network traffic.  If the online file can
be accessed (network is up) it will be used.  Only when the online copy is
inaccessible will the offline cache be used.  Not sure if SP2 has had any
impact on this though….

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 5:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

Yes. I believe if you enable

User Configuration\Administrative Templates\Network\Offline Files\Do not automatically make redirected folders available offline

…that it does not affect the ability of users to make things “manually”
available offline.

I was mostly wondering if folks had found this “automatic” feature to be of
any real value. I think it was created to provide some redundancy and relieve
network traffic.

--- nme

From: Cothern Jeff D. Team EITC [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

“Slight aside: XP automatically sets these redirected folders to be available
offline. Do people generally leave this enabled?”

Ok can this be disabled without disabling the ability for users to make files
that want offline to be offline?

 

 








RE: [ActiveDir] FTP Server In or Out

2005-01-31 Thread Brian Desmond
Van Dyke's product will tie back into AD. It encrypts all the traffic with the 
SSH protocol, which I think has been pretty good as far as history goes.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Noah Eiger
Sent: Mon 1/31/2005 5:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FTP Server In or Out


Wow. Thanks for the reply.
 
It sounds to me like it simply is not worth it. At least in our case, it is 
just not that many accounts to set up. Frankly, since it is pretty open anyway, 
I would be willing to set up some slightly more generic accounts (violating my 
rule about not having anonymous accounts) and just change the passwords 
frequently. 
 
Just out of curiosity would those SFTP servers tie back into AD or does that 
just mean that the data and initial challenge are encrypted?
 
-- nme
 


From: joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 29, 2005 9:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FTP Server In or Out
 
Single Sign On is the holy grail, however getting it internally versus 
everywhere is a noble goal on its own. Getting it there would relieve 
tremendous amounts of admin work for many companies and it is pretty feasible 
to pull off with the support of kerberos. Going outside makes things sticky. AD 
on its own with other MS resources really isn't enough of a segregated bastion 
I think for this type of use. AD was designed at the time of share everything 
and keep it all open and interconnect. The lockdown of security came after that 
and most people are afraid (rightly I often think) of locking down the default 
security in fear of what other MS apps will break and then they hear the 
dreaded words of not supported in that configuration from MS. I encountered 
that a couple of times with Exchange when trying to tighten things down. You 
are not only dependent upon any apps that were developed internally by people 
who didn't understand AD security but those written by other vendors including 
Microsoft. For fun, take away authenticated users read access sometime and see 
how many apps nose dive. 
 
If you look at the security of AD/AM, it is much closer to what the security of 
AD should be. In fact I would like to see an MS high AD security pack for 
people deploying AD that sets up the directory in a secure manner that is fully 
supported by MS. As it is, you can start locking it down (especially some of 
the prop sets) and you can't get complete answers out of MS on what MS apps 
will break. The times I have asked I have gotten responses along the lines of 
well, we can't track all apps across the world... etc etc, So then I say, I 
just want the info for MS apps, they can't produce even that. 
 
If you could say this machine here in the DMZ, can only send auth packets only 
to AD for these specific users that would be much better. If it only allowed x 
auths from a certain IP and then blocked the IP that would be better. If it did 
the same with address blocks even better. You can't tell the OS to do that. You 
can play with firewalls and see what you can block off but again, you run the 
risk of running into a configuration that MS will say well we don't really 
recommend that. Plus, things piggyback and if you can get one thing through, 
something else will probably go with it. 
 
I have no problem having the single signon barrier be at the internal/external 
line assuming you don't have something else to block the initial access to the 
internal stuff. Again if you are frontending the access to AD with something 
like a securID FOB then AD is significantly less exposed. 
 
People who have OWA and whatever out there exposed and backending into their 
production internal AD aren't necessarily safe because nothing has ever 
happened. They just haven't been hit yet or don't think they have been hit yet. 
That isn't secure by any definition. 
 
I agree with Brian's comment of "Anything that prompts a user for credentials 
and takes them to AD is just as much a problem as the next, assuming the apps 
are all coded properly.". From the standpoint of DOSing that is quite true. 
Outside of that though is what else does it need from AD and how much access 
does it have to AD. Do you put deny ACE's on everything in AD for computer 
accounts or remove all mention of everyone and authenticated users and 
pre-windows 2000 in the event someone compromised one of those boxes and starts 
dinging against AD as localsystem of that machine? 
 
In the end you can never positively prove something is secure. You can prove 
something is insecure, but the state of not being known to be insecure isn't 
secure. Another one I like to throw out there is that just because you or your 
friends can't work out a way to hack into something doesn't mean it can't be 
done. Assuming that is dangerous. 

[ActiveDir]Group Policy editor

2005-01-31 Thread Cothern Jeff D. Team EITC








My Group policy editor is missing some
options.  For instance under user configuration windows settings the only thing
there is Remote installation Services.  None of the other options are there to
set.  Anyone seen this and know a fix?

 








RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Noah Eiger








Yes. I believe if you enable

User Configuration\Administrative Templates\Network\Offline Files\Do not automatically make redirected folders available offline

…that it does not affect the ability of users to make things “manually”
available offline.

I was mostly wondering if folks had found this “automatic” feature to be of
any real value. I think it was created to provide some redundancy and relieve
network traffic.

--- nme

From: Cothern Jeff D. Team EITC [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

“Slight aside: XP automatically sets these redirected folders to be available
offline. Do people generally leave this enabled?”

Ok can this be disabled without disabling the ability for users to make files
that want offline to be offline?

 

 








RE: [ActiveDir] ADS&S mods replicate, ADUC mods does not

2005-01-31 Thread Katherine Coombs

Hi John,

Check out:

http://www.eventid.net/display.asp?eventid=1084&eventno=980&source=NTDS%20Replication&phase=1

HTH,
Katherine

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Tuesday, 1 February 2005 11:05 AM
To: ActiveDir List Server
Subject: [ActiveDir] ADS&S mods replicate, ADUC mods does not

One of our divisions has a DC in a child domain of
a large W2k forest (empty root & 8 child domains, 200+ total DCs) that
is having replication issues.  Sites and Services modifications replicate
ok (we have successfully manipulated ntdsConnections settings), but changes made
in Users and Computers (new user accounts) do not.  Our plan is to blow
away the server, clean up the metadata, and then rebuild and reintroduce the
server.  Prior to doing this, however, I was wondering if anyone had any
input given on the listed errors:
 
The following errors are consistent in the Directory Service
log on the remote server:

Event Type: Error
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1084
Date: 1/31/2005
Time: 6:09:46 PM
User: Everyone
Computer:
Description:
Replication error: The directory replication agent (DRA) couldn't update object
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
have been received from source server
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx. An error occurred
during the application of the changes to the directory database on this
system.  The error message is:
The replication operation encountered a database error.

The directory will try to update the object later on the next replication
cycle. Synchronization of this server with the source is effectively blocked
until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop
and restart this Windows Domain Controller.

If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required to
correct the database and allow the update to proceed.  It is valuable to note
that the problem is caused by the fact that the change on the remote system
cannot be applied locally. Manually updating the objects on the local system
in not recommended. Instead, on the source system (which has the changes
already), try to reverse or back out the change.  Then, on the next
replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
Data:: 03 21 00 00   .!..

The above error occurs twice for two different objects,
one object from within the domain, and one object from outside the domain
(a different child domain).  Each iteration is followed by the following
Information entry:

Event Type: Information
Event Source: NTDS ISAM
Event Category: General
Event ID: 901
Date: 1/31/2005
Time: 6:09:59 PM
User: N/A
Computer:
Description:
NTDS (708) Internal trace: [EMAIL PROTECTED]
 
DCDiags yields the following information:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: \
      Starting test: Connectivity
         .  passed test Connectivity

Doing primary tests

   Testing server: \
      Starting test: Replications
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
         REPLICATION LATENCY WARNING
         : A full synchronization is in progress
            from  to
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,] A recent replication attempt failed:
            From  to
            Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx
            The replication generated an error (8451):
            The replication operation encountered a database error.
            The failure occurred at 2005-01-31 18:09.50.
            The last success occurred at 2004-11-24 08:55.01.
            20 failures have occurred since the last success.
            A serious error is preventing replication from continuing.
            Consult the error log for further information.
            If a particular object is named, it may be necessary to manually
            modify or delete the object.
            If the condition persists, contact Microsoft Support.
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to
            Reason: The operation completed suc

RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Cothern Jeff D. Team EITC

“Slight aside: XP
automatically sets these redirected folders to be available offline. Do people
generally leave this enabled?”

Ok can this be disabled without disabling
the ability for users to make files that they want offline to be offline?

RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Bernard, Aric

Unfortunately GPOs are not particularly flexible,
and in most cases embedding the code needed to detect the non-existence of a
share, file, or directory is better left to a login script (for example).  Not
sure if you would consider this simple or not….

Your understanding of DFS appears to be accurate;
however DFS itself does not provide the means for data replication.  This is
something you would need to implement outside of DFS.

-Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

Thanks, Aric. That is about what I figured
(and have experienced). As for the OU approach, I was not referring to putting
servers in the OU but rather users. I suppose the downside is that it forces
folder redirection over a slow WAN link.

If using Sites, is there a way to simply have
the redirection fail if the user does not already have a home dir at SiteB?

Under DFS, I am assuming we would create a
single, domain-wide share called home$ (or so) and everyone’s home dir would
be under there. Does that mean all home dirs would replicate between all sites,
essentially providing replicas at each site (of course, until someone changed
something but before the next replication).

-- nme

From: Bernard, Aric [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 31, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

Noah,

The policy that you want
to implement (folder redirection) is a user based policy, so implementing it against
the file servers (or an OU that contains one or more of the file servers to be
more accurate) will not have the effect you want.  If you want a policy to
be implemented based on where the user is (currently), ensure that your site
topology is up-to-date, and implement your GPOs based on sites.

For users that roam from
one site to another, this becomes a little more complex.  If they move
from Site A to Site B, the policies (if implemented against sites) will
redirect them to a different server.  This new location would of course
not contain any data – which may (I suspect) or may not be a bad thing.
This potential problem can be overcome by replicating the home directory
data between locations.  Of course this process is not without its own
issues:

1.   Is there any organization issue (i.e. security, policy, etc.) with
having this data replicated?
2.   How will the data be replicated? (i.e. underlying storage
infrastructure, third party data replication product, home grown process, etc.)
3.   How much data is there?  Have quotas been implemented?
4.   Is there capacity for all data at each location?
5.   How often should data be replicated between sites? How often do users
roam between locations?
6.   Is there enough available bandwidth to support replication at the
scheduled times?
7.   How will conflicts be resolved during the replication process?

You could throw something
like DFS on top of this to provide a common namespace and reduce the number of
policies implemented.

If you want your notebook
users to be able to access their redirected folders when they have no access to
the file server then offline files will be required.

Some food for thought I
suppose….

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection

Hello:

Say I have three sites: Site1,
Site2, Site3 (all properly defined in Sites & Services). Each site has a
file server with a home directory share: \\server1\home$, \\server2\home$,
and \\server3\home$, respectively. I want to redirect My Documents to these
home directories using a GPO that creates the subfolders and assigns tight
permissions (as per MSKB 274443).

Where is the best place to create
these GPOs (a separate one for each server)? Obviously, it needs to apply to
the users only at that site. So, I could place it at the Site level. However,
then when a user from Site 1 logs in at Site 2 will they get a new home
directory created on server2? I could create separate OUs that parallel the
site structure and place users in those OUs and then apply the GPO there.
However, that becomes a bit of an administrative hassle when users move around.
Finally, how do either of these configurations affect laptop users that move
from site to site?

Slight aside: XP automatically sets
these redirected folders to be available offline. Do people generally leave
this enabled?

Thanks.

-- nme

RE: [ActiveDir]GPO for TCPIP

2005-01-31 Thread Free, Bob

http://support.microsoft.com/kb/294832/EN-US/ describes
how to create a custom ADM file to accomplish it for W2K.

In later OS's look at Computer Policy-Administrative
Templates-Network-DNS Client-Dynamic Update

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, January 31, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]GPO for TCPIP

Is there a group policy
setting that will turn off Dynamic update for DNS?

RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Noah Eiger

Thanks, Aric. That
is about what I figured (and have experienced). As for the OU approach, I was
not referring to putting servers in the OU but rather users. I suppose the
downside is that it forces folder redirection over a slow WAN link.

If using Sites, is there a way to simply have
the redirection fail if the user does not already have a home dir at SiteB?

Under DFS, I am assuming we would create a
single, domain-wide share called home$ (or so) and everyone’s home dir
would be under there. Does that mean all home dirs would
replicate between all sites, essentially providing replicas at each site (of
course, until someone changed something but before the next replication).

-- nme

From: Bernard, Aric [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites and Folder Redirection

Noah,

The policy that you want
to implement (folder redirection) is a user based policy, so implementing it
against the file servers (or an OU that contains one or more of the file
servers to be more accurate) will not have the effect you want.  If you
want a policy to be implemented based on where the user is (currently), ensure
that your site topology is up-to-date, and implement your GPOs based on sites.

For users that roam from
one site to another, this becomes a little more complex.  If they move
from Site A to Site B, the policies (if implemented against sites) will
redirect them to a different server.  This new location would of course
not contain any data – which may (I suspect) or may not be a bad thing.
This potential problem can be overcome by replicating the home directory
data between locations.  Of course this process is not without its own
issues:

1.   Is there any organization issue (i.e. security, policy, etc.) with
having this data replicated?
2.   How will the data be replicated? (i.e. underlying storage
infrastructure, third party data replication product, home grown process, etc.)
3.   How much data is there?  Have quotas been implemented?
4.   Is there capacity for all data at each location?
5.   How often should data be replicated between sites? How often do users
roam between locations?
6.   Is there enough available bandwidth to support replication at the
scheduled times?
7.   How will conflicts be resolved during the replication process?

You could throw something
like DFS on top of this to provide a common namespace and reduce the number of
policies implemented.

If you want your notebook
users to be able to access their redirected folders when they have no access to
the file server then offline files will be required.

Some food for thought I
suppose….

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection

Hello:

Say I have three sites: Site1,
Site2, Site3 (all properly defined in Sites & Services). Each site has a
file server with a home directory share: \\server1\home$, \\server2\home$,
and \\server3\home$, respectively. I want to redirect My Documents to these
home directories using a GPO that creates the subfolders and assigns tight
permissions (as per MSKB 274443).

Where is the best place to create
these GPOs (a separate one for each server)? Obviously, it needs to apply to
the users only at that site. So, I could place it at the Site level. However,
then when a user from Site 1 logs in at Site 2 will they get a new home
directory created on server2? I could create separate OUs that parallel the
site structure and place users in those OUs and then apply the GPO there.
However, that becomes a bit of an administrative hassle when users move around.
Finally, how do either of these configurations affect laptop users that move
from site to site?

Slight aside: XP automatically sets
these redirected folders to be available offline. Do people generally leave this
enabled?

Thanks.

-- nme

RE: [ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Bernard, Aric

Noah,

The policy that you want to implement
(folder redirection) is a user based policy, so implementing it against the
file servers (or an OU that contains one or more of the file servers to be more
accurate) will not have the effect you want.  If you want a policy to be
implemented based on where the user is (currently), ensure that your site
topology is up-to-date, and implement your GPOs based on sites.

For users that roam from one site to
another, this becomes a little more complex.  If they move from Site A to
Site B, the policies (if implemented against sites) will redirect them to a
different server.  This new location would of course not contain any data –
which may (I suspect) or may not be a bad thing.  This potential problem
can be overcome by replicating the home directory data between locations.  Of
course this process is not without its own issues:

1.   Is there any organization issue (i.e. security, policy, etc.) with having
this data replicated?
2.   How will the data be replicated? (i.e. underlying storage infrastructure,
third party data replication product, home grown process, etc.)
3.   How much data is there?  Have quotas been implemented?
4.   Is there capacity for all data at each location?
5.   How often should data be replicated between sites? How often do users
roam between locations?
6.   Is there enough available bandwidth to support replication at the
scheduled times?
7.   How will conflicts be resolved during the replication process?

You could throw something like DFS on top
of this to provide a common namespace and reduce the number of policies
implemented.

If you want your notebook users to be able
to access their redirected folders when they have no access to the file server
then offline files will be required.

Some food for thought I suppose….

Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Monday, January 31, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Sites and Folder Redirection

Hello:

Say I have three sites: Site1, Site2, Site3 (all properly
defined in Sites & Services). Each site has a file server with a home
directory share: \\server1\home$, \\server2\home$,
and \\server3\home$, respectively. I want to redirect My Documents to these
home directories using a GPO that creates the subfolders and assigns tight
permissions (as per MSKB 274443).

Where is the best place to create these GPOs (a separate one
for each server)? Obviously, it needs to apply to the users only at that site.
So, I could place it at the Site level. However, then when a user from Site 1
logs in at Site 2 will they get a new home directory created on server2? I
could create separate OUs that parallel the site structure and place users in
those OUs and then apply the GPO there. However, that becomes a bit of an
administrative hassle when users move around. Finally, how do either of these
configurations affect laptop users that move from site to site?

Slight aside: XP automatically sets these redirected folders
to be available offline. Do people generally leave this enabled?

Thanks.

-- nme

[ActiveDir]GPO for TCPIP

2005-01-31 Thread Cothern Jeff D. Team EITC

Is there a group policy setting that will
turn off Dynamic update for DNS?

[ActiveDir] ADS&S mods replicate, ADUC mods does not

2005-01-31 Thread John Witasick



One of our divisions has a DC in a child domain of 
a large W2k forest (empty root & 8 child domains, 200+ total DCs) that 
is having replication issues.  Sites and Services modifications replicate 
ok (we have successfully manipulated ntdsConnections settings), but changes made 
in Users and Computers (new user accounts) do not.  Our plan is to blow 
away the server, clean up the metadata, and then rebuild and reintroduce the 
server.  Prior to doing this, however, I was wondering if anyone had any 
input given on the listed errors:
 
The following errors are consistent in the Directory Service
log on the remote server:

Event Type: Error
Event Source: NTDS Replication
Event Category: (5)
Event ID: 1084
Date: 1/31/2005
Time: 6:09:46 PM
User: Everyone
Computer:
Description:
Replication error: The directory replication agent (DRA) couldn't update object
CN=,OU=Member Servers,DC=xxx,DC=xxx,DC=xxx,DC=xxx,DC=xxx
(GUID 95a006b5-ca6f-439c-950d-357a5e34e81e) on this system with changes which
have been received from source server
752eec36-9ccf-46e7-931c-ffa4f28bcefe._msdcs.xxx.xxx.xxx.xxx. An error occurred
during the application of the changes to the directory database on this
system.  The error message is:
The replication operation encountered a database error.

The directory will try to update the object later on the next replication
cycle. Synchronization of this server with the source is effectively blocked
until the update problem is corrected.

If this condition appears to be related to a resource shortage, please stop
and restart this Windows Domain Controller.

If this condition is an internal error, a database error, or an object
relationship or constraint error, manual intervention will be required to
correct the database and allow the update to proceed.  It is valuable to note
that the problem is caused by the fact that the change on the remote system
cannot be applied locally. Manually updating the objects on the local system
in not recommended. Instead, on the source system (which has the changes
already), try to reverse or back out the change.  Then, on the next
replication cycle, observe whether the change can now be applied locally.

The record data is the status code.
Data:: 03 21 00 00   .!..

The above error occurs twice for two different objects,
one object from within the domain, and one object from outside the domain
(a different child domain).  Each iteration is followed by the following
Information entry:

Event Type: Information
Event Source: NTDS ISAM
Event Category: General
Event ID: 901
Date: 1/31/2005
Time: 6:09:59 PM
User: N/A
Computer:
Description:
NTDS (708) Internal trace: [EMAIL PROTECTED]
 
DCDiags yields the following information:

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: \
      Starting test: Connectivity
         .  passed test Connectivity

Doing primary tests

   Testing server: \
      Starting test: Replications
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
         REPLICATION LATENCY WARNING
         : A full synchronization is in progress
            from  to
            Replication of new changes along this path will be delayed.
            The full sync is 0.00% complete.
         [Replications Check,] A recent replication attempt failed:
            From  to
            Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx.DC=xxx
            The replication generated an error (8451):
            The replication operation encountered a database error.
            The failure occurred at 2005-01-31 18:09.50.
            The last success occurred at 2004-11-24 08:55.01.
            20 failures have occurred since the last success.
            A serious error is preventing replication from continuing.
            Consult the error log for further information.
            If a particular object is named, it may be necessary to manually
            modify or delete the object.
            If the condition persists, contact Microsoft Support.
         REPLICATION LATENCY WARNING
         : This replication path was preempted by higher priority work.
            from  to
            Reason: The operation completed successfully.
            The last success occurred at (never).
            Replication of new changes along this path will be delayed.
            Progress is occurring normally on this path.
         REPLICATION LATENCY WARNING
         : A full synchronization is in progress
            from  to
            Replication of new changes al
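
The event record data and the dcdiag output quoted in the message above describe the same failure. The following is an added example, not part of the original post: it decodes the record data bytes as a little-endian status code and extracts the error number, failure count and timestamps from dcdiag text, including text whose line breaks were lost. The sample strings are constructed from the values quoted above; the function names and the 60-day tombstone lifetime (the default for a forest created on Windows 2000) are assumptions.

```python
import re
from datetime import datetime

# Assumption: 60 days is the default tombstone lifetime for a forest created
# on Windows 2000; the real value is the forest's tombstoneLifetime attribute.
ASSUMED_TOMBSTONE_DAYS = 60

# Constructed samples, built from the values quoted in the message above.
SAMPLE_RECORD_DATA = "03 21 00 00"
SAMPLE_DCDIAG = """\
[Replications Check,] A recent replication attempt failed:
   Naming Context: DC=xxx,DC=xxx,DC=xxx,DC=xxx
   The replication generated an error (8451):
   The replication operation encountered a database error.
   The failure occurred at 2005-01-31 18:09.50.
   The last success occurred at 2004-11-24 08:55.01.
   20 failures have occurred since the last success.
REPLICATION LATENCY WARNING
   The last success occurred at (never).
"""

_TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}\.\d{2}"
_FAILURE_RE = re.compile(
    r"The replication generated an error \((?P<code>\d+)\): "
    r"(?P<message>.+?) "
    r"The failure occurred at (?P<failed>" + _TS + r")\. "
    r"The last success occurred at (?P<success>" + _TS + r"|\(never\))\. "
    r"(?P<count>\d+) failures have occurred"
)


def decode_record_data(hex_bytes):
    """Decode the event's record data (a 4-byte little-endian status code)."""
    raw = bytes.fromhex(hex_bytes.replace(" ", ""))
    if len(raw) != 4:
        raise ValueError("expected 4 bytes, got %d" % len(raw))
    return int.from_bytes(raw, "little")


def _parse_ts(text):
    """dcdiag prints 'YYYY-MM-DD HH:MM.SS'; '(never)' becomes None."""
    if text == "(never)":
        return None
    return datetime.strptime(text, "%Y-%m-%d %H:%M.%S")


def parse_failures(dcdiag_text):
    """Return one dict per 'A recent replication attempt failed' block."""
    # Collapse all whitespace so wrapped or flattened output still matches.
    flat = " ".join(dcdiag_text.split())
    failures = []
    for m in _FAILURE_RE.finditer(flat):
        failed = _parse_ts(m["failed"])
        success = _parse_ts(m["success"])
        failures.append({
            "code": int(m["code"]),
            "message": m["message"],
            "failed_at": failed,
            "last_success": success,
            "failure_count": int(m["count"]),
            "days_stale": None if success is None else (failed - success).days,
        })
    return failures


def triage(record_data, dcdiag_text, tombstone_days=ASSUMED_TOMBSTONE_DAYS):
    """Correlate the event status code with dcdiag and flag stale partners."""
    status = decode_record_data(record_data)
    findings = []
    for f in parse_failures(dcdiag_text):
        stale = f["days_stale"]
        findings.append(dict(
            f,
            matches_event_status=(f["code"] == status),
            past_tombstone_lifetime=(stale is not None and stale > tombstone_days),
        ))
    return status, findings


if __name__ == "__main__":
    status, findings = triage(SAMPLE_RECORD_DATA, SAMPLE_DCDIAG)
    print("event status code:", status, hex(status))
    for f in findings:
        print(f["code"], f["failure_count"], f["days_stale"],
              f["matches_event_status"], f["past_tombstone_lifetime"])
```

A gap between last success and latest failure that is longer than the tombstone lifetime is worth knowing before the DC is reintroduced, because deletions made elsewhere in that window may no longer be replicable to it.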

RE: [ActiveDir] FTP Server In or Out

2005-01-31 Thread Noah Eiger

Wow. Thanks for the reply.
 
It sounds to me like it simply is not worth it. At least in our case, it is
just not that many accounts to set up. Frankly, since it is pretty open
anyway, I would be willing to set up some slightly more generic accounts
(violating my rule about not having anonymous accounts) and just change the
passwords frequently. 
 
Just out of curiosity would those SFTP servers tie back into AD or does that
just mean that the data and initial challenge are encrypted?
 
-- nme
 

From: joe [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 29, 2005 9:19 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FTP Server In or Out
 
Single Sign On is the holy grail, however getting it internally versus
everywhere is a noble goal on its own. Getting it there would relieve
tremendous amounts of admin work for many companies and it is pretty
feasible to pull off with the support of kerberos. Going outside makes
things sticky. AD on its own with other MS resources really isn't enough of
a segregated bastion I think for this type of use. AD was designed at the
time of share everything and keep it all open and interconnect. The lockdown
of security came after that and most people are afraid (rightly I often
think) of locking down the default security in fear of what other MS apps
will break and then they hear the dreaded words of not supported in that
configuration from MS. I encountered that a couple of times with Exchange
when trying to tighten things down. You are not only dependent upon any apps
that were developed internally by people who didn't understand AD security
but those written by other vendors including Microsoft. For fun, take away
authenticated users read access sometime and see how many apps nose dive. 
 
If you look at the security of AD/AM, it is much closer to what the security
of AD should be. In fact I would like to see an MS high AD security pack for
people deploying AD that sets up the directory in a secure manner that is
fully supported by MS. As it is, you can start locking it down (especially
some of the prop sets) and you can't get complete answers out of MS on what
MS apps will break. The times I have asked I have gotten responses along the
lines of well, we can't track all apps across the world... etc etc, So then
I say, I just want the info for MS apps, they can't produce even that. 
 
If you could say this machine here in the DMZ, can only send auth packets
only to AD for these specific users that would be much better. If it only
allowed x auths from a certain IP and then blocked the IP that would be
better. If it did the same with address blocks even better. You can't tell
the OS to do that. You can play with firewalls and see what you can block
off but again, you run the risk of running into a configuration that MS will
say well we don't really recommend that. Plus, things piggyback and if
you can get one thing through, something else will probably go with it. 
 
I have no problem having the single signon barrier be at the
internal/external line assuming you don't have something else to block the
initial access to the internal stuff. Again if you are frontending the access
to AD with something like a securID FOB then AD is significantly less
exposed. 
 
People who have OWA and whatever out there exposed and backending into their
production internal AD aren't necessarily safe because nothing has ever
happened. They just haven't been hit yet or don't think they have been hit
yet. That isn't secure by any definition. 
 
I agree with Brian's comment of "Anything that prompts a user for
credentials and takes them to AD is just as much a problem as the next,
assuming the apps are all coded properly.". From the standpoint of DOSing
that is quite true. Outside of that though is what else does it need from AD
and how much access does it have to AD. Do you put deny ACE's on everything
in AD for computer accounts or remove all mention of everyone and
authenticated users and pre-windows 2000 in the event someone compromised
one of those boxes and starts dinging against AD as localsystem of that
machine? 
 
In the end you can never positively prove something is secure. You can prove
something is insecure, but the state of not being known to be insecure isn't
secure. Another one I like to throw out there is that just because you or
your friends can't work out a way to hack into something doesn't mean it
can't be done. Assuming that is dangerous. So you put compensating controls
into place and think about how bad it could get if something that you don't
think can happen, does happen. If someone compromises your ftp server, how
bad could it be for AD? How bad would it be for you if someone landed a
program on that box that constantly fired authentication at the DCs and
locked out every single admin account, or every single account on every single
domain? How costly would that be for you? How fast could you figure out and
stop what happened? If you don't have lock out

[ActiveDir] Sites and Folder Redirection

2005-01-31 Thread Noah Eiger

Hello:

Say I have three sites: Site1, Site2, Site3
(all properly defined in Sites & Services). Each site has a file server
with a home directory share: \\server1\home$, \\server2\home$,
and \\server3\home$, respectively. I want to redirect
My Documents to these home directories using a GPO that creates the subfolders
and assigns tight permissions (as per MSKB 274443).

Where is the best place to create these GPOs
(a separate one for each server)? Obviously, it needs to apply to the users
only at that site. So, I could place it at the Site level. However, then when a
user from Site 1 logs in at Site 2 will they get a new home directory created
on server2? I could create separate OUs that parallel
the site structure and place users in those OUs and
then apply the GPO there. However, that becomes a bit of an administrative
hassle when users move around. Finally, how do either
of these configurations affect laptop users that move from site to site?

Slight aside: XP automatically sets these redirected folders
to be available offline. Do people generally leave this enabled?

Thanks.

-- nme

RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Charlie Kaiser

You can also get restarts that don't work if security policy "force
shutdown from a remote system" is locked down. Test, test, test...
:-)

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Paul 
> van Geldrop
> Sent: Monday, January 31, 2005 2:31 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Unattended Restart
> 
> In certain circumstances, a scheduled reboot with 
> shutdown.exe might give 0x15 code errors, indicating a 
> process is still running and that the shutdown command can't 
> execute. Even using the /f switch to force all applications 
> to close won't work. I've seen this happen with virusscanning 
> software combined with temporary backup cache files. Just in 
> case you encounter the same.. closing the handle on the 
> processes did the job for me. That was a b to find out.
>  
> Regards,
>  
> Paul
>  
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Jorge de Almeida Pinto
> Sent: Monday, January 31, 2005 11:23 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DC Unattended Restart
>  
> Yep, using the shutdown.exe tool (command-line and GUI). by 
> default in W2K3 and for W2K you can still add it from the 
> support tools or the resource kit (I always forget which one)
> Jorge
>  
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
> Sent: maandag 31 januari 2005 22:08
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] DC Unattended Restart
> Is there any way to schedule an unattended restart, warm or 
> cold boot, of a DC ?
> 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-01-31 Thread Grillenmeier, Guido

ok - that puts a little different touch to your story.

in this case (esp. as a DR site and on separate HW
with physical security in place), you're fine to host a DC in that
site.

Yes, you can add it to your 2000 domain and you've already
supplied the solution as well: you'll need to prepare the schema of the forest
via ADPREP /forestprep and then prepare the domain you'll join the DC to
via ADPREP /domainprep. If you have Exchange 2000 first apply the E2k schema fix
(read Q314649)

Check here for all the details: http://www.microsoft.com/resources/documentation/windowsserv/2003/all/deployguide/en-us/dssbf_upwn_overview.asp

But definitely don't start a new domain (for which you'd
still need to upgrade the schema) - an OU is perfectly fine for your
situation.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

physical security is not an issue. locked computer room only pt admin and manager has access. this office will eventually become a disaster recovery location housing a bunch of blade servers and replicated disk. The need for a domain controller is like you said -- network connectivity and access- this office supports a few key personnel ( money makers !!) so the cost of a few servers and some 2003 licenses and an exchange server is not a big deal speed and reliability are more important.

but i'm still dealing with the question of

1: we are planning to upgrade our headquarters the 2003 in about 3 -4 months. can we setup the new server with 2003 as domain controllers so we won't have to upgrade them later ?

if so anything special we need to do ? IE: forest prep ?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Monday, January 31, 2005 3:50 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.


Hi,
 
I could not agree more with Guido! The security aspect is the most important reason to go for the suggested solution. However, there's one thing to keep in mind in this scenario namely the trustworthiness of your network. If you're not placing a DC in the remote location, network connectivity becomes a must to enable a user to do his/her work. Sure, there's a thing as cached credentials on a client, but logon on to a domain is important for a lot of services.

Cheers!
John Reijnders (soon to change his e-mail address into a MSFT one)
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday 31 January 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.
 
definitely give them an OU and I'd also urgently suggest you don't make the machine in that remote office a DC at all
=> first of all it's not required for 15 folks - you'll need it for other things such as file/print (they should easily be able to authenticate to your main office; assuming NW connectivity - which you'd also need to setup replication...)
=> secondly, it's much more secure, as you will likely not have much physical security in an office of 15 people and if you're using the one box for everything it's unsecure from a delegation perspective
 
/Guido
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

we are setting up a remote office of about 15 people that will be linked by a vpn.

we are buying new servers that have win2003 on them.

I have a couple of questions, I hope you would indulge me with your opinions.

1: we are planning to upgrade our headquarters the 2003 in about 3 -4 months. can we setup the new server with 2003 as domain controllers so we won't have to upgrade them later ?

if so anything special we need to do ? IE: forest prep ?

2: We have a raging debate whether to set them up as a domain or a org unit in their own site. we have a part time administrator there that we need to give right to for day to day admin work.

thanks for your help.

Jeff Kraus

Network Manager

NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax: 631.753.4305
 
 



RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Grillenmeier, Guido



if you have Win2k3, you can also use nltest from the windows support tools - just use the /shutdown: Reason [Seconds] option.
 
/Guido
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, January 31, 2005 11:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Unattended Restart

Yep, using the shutdown.exe tool (command-line and GUI). by default in W2K3 and for W2K you can still add it from the support tools or the resource kit (I always forget which one)
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Monday 31 January 2005 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart

Is there any way to schedule an unattended restart, warm or cold boot, of a DC ?


RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Paul van Geldrop









In certain circumstances, a scheduled
reboot with shutdown.exe might give 0x15 code errors, indicating a process is
still running and that the shutdown command can’t execute. Even using the
/f switch to force all applications to close won’t work. I’ve seen
this happen with virusscanning software combined with
temporary backup cache files. Just in case you encounter the same.. closing the handle on the
processes did the job for me. That was a b to find out.

 

Regards,

 

Paul

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, January 31, 2005 11:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC Unattended Restart

 

Yep, using the shutdown.exe tool (command-line and GUI). by default
in W2K3 and for W2K you can still add it from the support tools or the resource
kit (I always forget which one)

Jorge

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Monday 31 January 2005 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart



Is there any way to schedule an
unattended restart, warm or cold boot, of a DC ?












RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Paul van Geldrop
You know, I was looking forward to seeing piccies of this event, but I'm
starting to get scared now.. ;o)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Monday, January 31, 2005 11:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Joe,

So I presume if you'll be visiting DEC, you're there "with shorts on", you
drink beer "with shorts on". I still remember your "bathing story"..
Combining it with this one... Also "with shorts on" It sounds like do you
EVERYTHING "with your shorts on" ;-)))

Cheers!
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday 31 January 2005 18:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

From: "Renouf, Phil" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 11:34 AM EST
Please respond to ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

 





Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have ever
skied. Even if you aren't a skier it's worth going and checking out, even if
it is just for the views. A sunny day at the top of Whistler is pretty
incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it is
simply the best, extraordinary, largest, most varied terrain, (insert your
own gushing adjective here)... ski area in North America.  Maybe Gil needs
to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell you
more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys that
are also visiting DEC. Besides visiting DEC I'm staying a few days longer
hopefully to see very nice things in the region. Does any of you know what's
worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__

<<...OL

RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Jorge de Almeida Pinto



Yep, using the shutdown.exe tool (command-line and GUI). by default in W2K3 and for W2K you can still add it from the support tools or the resource kit (I always forget which one)
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Monday 31 January 2005 22:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart

Is there any way to schedule an unattended restart, 
warm or cold boot, of a DC ?





RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Jorge de Almeida Pinto
Joe,

So I presume if you'll be visiting DEC, you're there "with shorts on", you
drink beer "with shorts on". I still remember your "bathing story"..
Combining it with this one... Also "with shorts on" It sounds like do you
EVERYTHING "with your shorts on" ;-)))

Cheers!
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday 31 January 2005 18:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


 

From: "Renouf, Phil" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 11:34 AM EST
Please respond to ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

 





Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have ever
skied. Even if you aren't a skier it's worth going and checking out, even if
it is just for the views. A sunny day at the top of Whistler is pretty
incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it is
simply the best, extraordinary, largest, most varied terrain, (insert your
own gushing adjective here)... ski area in North America.  Maybe Gil needs
to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell you
more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys that
are also visiting DEC. Besides visiting DEC I'm staying a few days longer
hopefully to see very nice things in the region. Does any of you know what's
worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven
*   Postbus 7089
5605 JB Eindhoven
*   Tel : +31-(0)40-29.57.777
*   Fax : +31-(0)40-29.57.709
*   Mobile  : +31-(0)6-26.26.62.80
*   E-mail  : [EMAIL PR

Re: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Kevin Gent



That'll do it, Thanks Dan the Man !

  - Original Message -
  From: Dan DeStefano
  To: ActiveDir@mail.activedir.org
  Sent: Monday, January 31, 2005 4:44 PM
  Subject: RE: [ActiveDir] DC Unattended Restart
  
  
  You can probably do this using the “shutdown” utility from the W2k Resource Kit (this utility is included with Server 2k3)
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
  Sent: Monday, January 31, 2005 4:08 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DC Unattended Restart
   
  
  Is there any way to schedule an unattended restart, warm or cold boot, of a DC ?


RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Darren Mar-Elia
Are you checking the "Grant Exclusive rights to the folder..." option
when you set up redirection? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:31 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

There are only errors when the user is not the owner of the folder.
Once they are the owner then all is good.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 31, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Brian Desmond
Shutdown -r -t 5 -m \\mydc 
 
that will reboot mydc in five seconds using the interactive user's credentials. The utility is inc w/ 2003, in the 2k res kit. It needs to be on the client machine, not the server.

If you want to cold boot it, and you have Compaq hardware, you can do this with the iLo board. Not sure if the Dell DRAC or other vendors have a similar facility.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Kevin Gent
Sent: Mon 1/31/2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart


Is there any way to schedule an unattended restart, warm or cold boot, of a DC ?

RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-01-31 Thread Jeff Kraus



physical security is not an issue. locked computer room only pt admin and manager has access. this office will eventually become a disaster recovery location housing a bunch of blade servers and replicated disk. The need for a domain controller is like you said -- network connectivity and access- this office supports a few key personnel ( money makers !!) so the cost of a few servers and some 2003 licenses and an exchange server is not a big deal speed and reliability are more important.

but i'm still dealing with the question of

1: we are planning to upgrade our headquarters the 2003 in about 3 -4 months. can we setup the new server with 2003 as domain controllers so we won't have to upgrade them later ?

if so anything special we need to do ? IE: forest prep ?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Reijnders
Sent: Monday, January 31, 2005 3:50 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.


Hi,
 
I could not agree more with Guido! The security aspect is the most important reason to go for the suggested solution. However, there's one thing to keep in mind in this scenario namely the trustworthiness of your network. If you're not placing a DC in the remote location, network connectivity becomes a must to enable a user to do his/her work. Sure, there's a thing as cached credentials on a client, but logon on to a domain is important for a lot of services.

Cheers!
John Reijnders (soon to change his e-mail address into a MSFT one)
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday 31 January 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.
 
definitely give them an OU and I'd also urgently suggest you don't make the machine in that remote office a DC at all
=> first of all it's not required for 15 folks - you'll need it for other things such as file/print (they should easily be able to authenticate to your main office; assuming NW connectivity - which you'd also need to setup replication...)
=> secondly, it's much more secure, as you will likely not have much physical security in an office of 15 people and if you're using the one box for everything it's unsecure from a delegation perspective
 
/Guido
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

we are setting up a remote office of about 15 people that will be linked by a vpn.

we are buying new servers that have win2003 on them.

I have a couple of questions, I hope you would indulge me with your opinions.

1: we are planning to upgrade our headquarters the 2003 in about 3 -4 months. can we setup the new server with 2003 as domain controllers so we won't have to upgrade them later ?

if so anything special we need to do ? IE: forest prep ?

2: We have a raging debate whether to set them up as a domain or a org unit in their own site. we have a part time administrator there that we need to give right to for day to day admin work.

thanks for your help.

Jeff Kraus

Network Manager

NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax: 631.753.4305
 
 



RE: [ActiveDir] DC Unattended Restart

2005-01-31 Thread Dan DeStefano








You can probably do this using the “shutdown”
utility from the W2k Resource Kit (this utility is included with Server 2k3)

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Gent
Sent: Monday, January 31, 2005 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC Unattended Restart



 



Is there any way to schedule an
unattended restart, warm or cold boot, of a DC ?










RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Free, Bob
>As you can see in the notes, no TS CAL is required, but the terminal
services are only open to admins.

I would submit that the notes are wrong. As long as the user has the
requisite permissions and is a member of the Remote Desktop Users group
a non-administrator can connect just fine to a 2003 Server in RA mode.. 

I'd go along with the notes if they appended a {by default}

Notes* 

You do not have to have a Terminal Server Client Access License to use
Remote Desktop for Administration. However, only members of the
Administrators group can gain access to the server. 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul van
Geldrop
Sent: Monday, January 31, 2005 6:57 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Terminal server licenses



Also check out this specific article:

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;814590

 

As you can see in the notes, no TS CAL is required, but the terminal
services are only open to admins.

 

Regards,

 

Paul

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: maandag 31 januari 2005 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

 

Yes, I am quite aware of the new licensing in Windows 2003. However, I
am more annoyed at the fact that I need to purchase TS licenses just for
daily admin stuff. What the heck is the point of offering Terminal
services as a tool for admins, I may be better off buying 3rd party
software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes
only to be forced to spend money on a TS license? 

George

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

 

Yes, the licensing has changed. In 2003 Terminal Services, you need a
CAL for every user or device (depending on the model you choose). The
'unlimited pool' we had in 2000 for 2000/XP clients is no more. Details
here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you purchased
before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even Windows XP
clients need to purchase a TS license? I was under the impression that
Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing
GUI.

Thanx

 

George 

 




The exchange of messages with Stedionica Opportunity International A.D.
Novi Sad via e-mail is not binding. Declarations regarding legal
transactions must not be exchanged via this medium. The information
contained in this e-mail message is confidential and intended
exclusively for the addressee. Persons receiving this e-mail message who
are not the named addressee (or his/her co-workers, or persons
authorized to take delivery) must not use, forward or reproduce its
contents. If you have received this e-mail message by mistake, please
contact us immediately and delete this email message beyond retrieval.



RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Salandra, Justin A.
There are only errors when the user is not the owner of the folder.
Once they are the owner then all is good.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 31, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Sites VS domains in a distributed global environment.

2005-01-31 Thread frank . carroll
Mike,

Sorry for the late reply

Given the number of people/objects that you are dealing with and the state
of your networks (1200 people & good, high speed connections) I think that a
single domain would work well. Keep the existing root domain and migrate
everyone to that domain. This ultimately gives you the simplest setup to
carry forward and is the ideal case (IMO).

The only other thing that I would consider is looking at your existing
domains and seeing if one of them has a large percentage of your existing
users. If one of your user domains currently has a large percentage of your
users you might want to consider keeping two domains - the current domain
with most of the users and the existing Exchange domain. If the percentage
is big enough you end up migrating a lot fewer users/groups/machine
accounts/etc. You end up with a little more complicated setup but you don't
have to move the users that are already in the user domain that is kept. If
you have a bunch of domains that each have 5-10% of your users I would not
keep any of them - migrate everybody to the single domain.

Good luck

Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Thursday, January 27, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

Hello Frank,
You're correct; SQL and Exchange are in the NOT SO EMPTY root domain, I
should have been clearer on that. That domain also has the Enterprise Admins
group in it. All other domains are separate tree domains, big hassle to
support.

I think my best option if I'm reading you correctly, is to migrate everyone
into the same domain as the exchange and SQL and end up having a single
domain. Do you agree?

BTW I don't envy my position either but... ;-)

Thanks again for the MUCH appreciated help.

Mike Newell
Information Systems Manager
OSI Systems
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, January 26, 2005 1:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

Mike,

Ok - now I think I understand most of the setup ;-)

One question - is Exchange/SQL in the "empty root 2003 domain" that you
mentioned in the original message? If this is the case keep reading. If not,
that brings up other questions ;-)

Either case (child domain or separate tree in the same forest) would put you
in a better position than where you are now. IMO, I think that the issue is
going to boil down to a DNS namespace issue. If you go the child domain
route you have a contiguous DNS namespace while the separate tree route
leads to a non-contiguous namespace. I like the contiguous namespace because
I am a KISS person and I think that the DNS setup is much simpler (child DCs
forward to the root domain, root domain delegates to child).

One thing that you need to confirm is that the forest root domain is the
existing exchange domain (i.e. it contains the Enterprise Admins universal
group). If the Exchange domain is not the forest root domain, you are in a
corner because you are at least going to have to keep both the Exc domain
and whatever domain is the forest root domain.

Back to the question. Going back and re-doing a DNS/AD namespace is a major
PITA. In your case I would look for the following:

Keep the Exc domain and check to see if it is also the forest root domain
(contains the Enterprise Admins group). Hopefully it is. Keep this domain.

If the forest root is not the existing Exc domain, find the forest root
domain. Keep this domain.

-or-

If the Exc domain is also the forest root, find the domain that currently has
most of your objects. Keep this domain and migrate the remaining users to
this domain. 

You end up keeping the Exc domain and (ideally) the domain that already has
most of your users/servers/etc. The forest ends up being a two tree forest
where each tree is a single domain. This is probably as good as you are
going to get from a trust tree viewpoint.

Hopefully this helps. I don't envy your position...

Frank



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Newell
Sent: Tuesday, January 25, 2005 5:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Sites VS domains in a distributed global environment.

Not to confuse the issue but what I would end up with is a root domain with
Exchange and SQL in it (already set up this way) and a separate domain tree,
not a child domain of the root. I don't really have much choice regarding
Exchange unless I want to rebuild in a different domain.

It's set up this way now, the only difference would be I'd only have one
domain and the root, instead of 25 or 30 separate domain trees for each
company we own. DNS is AD integrated.

Again, I inherited this and I am looking for a better way to build our
environment. Would a

RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread Jorge de Almeida Pinto
Hi,

With W2K3 you can use DCGPOFIX to restore the original domain and DC GPOs
just after the first DCPROMO. There are some issues though! (e.g. see
http://support.microsoft.com/default.aspx?scid=kb;en-us;833783 and
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/dcgpofix.asp and
http://www.winnetmag.com/Article/ArticleID/41878/41878.html)

For W2K there's a tool to restore the default contents of the default GPOs
in a domain when it's first created (running the first Dcpromo for the
particular domain)
To download the tool go to:
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b685ae-b7dd-4bb5-ab2a-976d6873129d&DisplayLang=en

But... Always test first before implementing/using it!

Greetz,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: maandag 31 januari 2005 11:27
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

Hi,

Running Windows 2000 sp4 Active Directory.
Domain concerned is a child domain off the root domain.

I cannot edit the default domain policy object through ADUC or GPO edit.  I
get a Group Policy Error:

"Failed to open the Group Policy Object. You may not have appropriate
rights."

I followed KB 294275, however it occurred to me that the actual folder is
missing in \Sysvol\Domain\Policies\ "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

There are no backups or copies of the directories anywhere.  This is a
domain without users (yet) and was set-up by another 3rd party under the
control of the root domain admins.

Can I regenerate the default domain gpo or is there another option to
recreate this?

TIA

Adam


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] Windows 2000 logon

2005-01-31 Thread Jorge de Almeida Pinto



The grouping of the PCs will be handled by the DNS server. This is accomplished by DNS priorities and weights. If the priority and the weight of both DCs are the same then the load will eventually be divided amongst the 2 DCs.

DNS Priority: I like to call this COST because the lowest value takes precedence over the higher one. This simply means: always take the lowest value and only use the higher when the DC with the lowest value does not respond (in other words: is dead).

DNS Weight: The servers with higher values are "stronger" and thus can handle more authentication requests. E.g. DC1 has w. of 40 and DC2 has w. of 60. The end result will be that DC1 handles 40% of the Auth.reqs. and DC2 handles 40% of the Auth.reqs.

One of the examples to use these is to offload the PDC emulator if needed.

As some other people already said it is not possible (at least as I know of) to assign PCs 1-10 to DC1 and PCs 11-20 to DC2. The only way to accomplish that is by defining separate sites with accompanying sites.

greetz
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: maandag 31 januari 2005 10:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 logon

Got it... but this is fine in case you have a single DC in a site. Let's say I have 2 DCs in a site and I want one group of PCs to get authentication from DC1 and the other from DC2; then how can I tell the PCs?

Note: I know we can achieve this by creating separate sites for a single DC and assigning subnets to it. I am looking for some other solution, which will not disturb sites and subnet settings.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
Sent: Monday, January 31, 2005 2:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 logon

As far as I know, the authentication method is done using the DNS server.

I mean, when you type your user name & password, it takes it and asks the DNS and tells him the following: (ok, DNS, I have this user name & password from this PC in the network, please, I want to validate the user name & password for this), then DNS replies.

DNS reply: ok PC, I have here in my records in the zone that this server is making the authentication, take his IP-Address and talk to him.
PC: ok, DNS, please give me this IP-Address.
DNS: ok, IP-address is 192.168.1.1
PC: ok, thanks, I will talk to this server now.

PC-to-Server: dear Server, please, I have this user name & password, please authenticate it.

So this is the process as I know it.

So, if you change the IP-Address of the server which is making the Kerberos service, I think you will be able to make it. Please tell me if this is enough for you.
 




From: Yakir, Ronen [mailto:[EMAIL PROTECTED]
Sent: 21 ذو الحجة, 1425 11:47 ص
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 logon

Hi

As far as I know, there is no way to force a PC to authenticate with a specific server.

Ronen Yakir
Customer Support Engineer


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
  Sent: Monday, January 31, 2005 8:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Windows 2000 logon

  What do you mean? Can you explain more details to help you?

  Mohammed

  From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
  Sent: 21 ذو الحجة, 1425 08:44 ص
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Windows 2000 logon

  Hi,
  Does anyone know how to force a Windows 2000 Pro PC to logon to a specific Windows 2000 Server rather than just using any old server that can authenticate?

  I have tried by changing LOGONSERVER environment variable to force logon to DC, but it's not working.

  Regards,
  Dinesh Tashildar
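
The priority and weight behaviour discussed in the message above, simulated with the selection algorithm from RFC 2782, as an added example that is not part of the original thread. The host names, port and record values are constructed, and the code assumes the client applies RFC 2782 as written.

```python
"""SRV target selection by priority and weight (RFC 2782), simulated offline."""
import random
from collections import Counter, namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed sample data: two DCs sharing priority 0 with weights 40 and 60,
# plus a PDC emulator published at a higher (less preferred) priority value.
SAMPLE_RECORDS = [
    SrvRecord(0, 40, 389, "dc1.example.test"),
    SrvRecord(0, 60, 389, "dc2.example.test"),
    SrvRecord(10, 100, 389, "pdc.example.test"),
]


def order_srv(records, rng=random):
    """Return the records in the order an RFC 2782 client would try them."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)

    ordered = []
    for priority in sorted(groups):  # lowest priority value is tried first
        # Weight-0 records go to the front so they are picked only rarely.
        pool = sorted(groups[priority], key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # inclusive bounds, as in the RFC
            running = 0
            for index, rec in enumerate(pool):
                running += rec.weight
                if running >= pick:
                    ordered.append(pool.pop(index))
                    break
    return ordered


def pick_target(records, reachable=None, rng=random):
    """First target in RFC 2782 order that answers; None if nothing does."""
    for rec in order_srv(records, rng):
        if reachable is None or rec.target in reachable:
            return rec.target
    return None


def first_choice_share(records, trials=20000, seed=0, reachable=None):
    """Fraction of simulated lookups that end up on each target."""
    rng = random.Random(seed)
    counts = Counter(pick_target(records, reachable, rng) for _ in range(trials))
    return {target: hits / trials for target, hits in counts.items()}


if __name__ == "__main__":
    print("all DCs up:   ", first_choice_share(SAMPLE_RECORDS))
    print("only PDC left:", first_choice_share(
        SAMPLE_RECORDS, reachable={"pdc.example.test"}))
```
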




[ActiveDir] DC Unattended Restart

2005-01-31 Thread Kevin Gent



Is there any way to schedule an unattended restart, warm or cold boot, of a DC?


RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Darren Mar-Elia
Sorry, I guess that would help huh? http://www.gpoguy.com/Tools.htm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, January 31, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Hmm where would that gpolog.adm be found?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 31, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-01-31 Thread John Reijnders








Hi,

 

I could not agree more with Guido! The
security aspect is the most important reason to go for the suggested solution. However,
there's one thing to keep in mind in this scenario namely the
trustworthiness of your network. If you're not placing a DC in the remote
location, network connectivity becomes a must to enable a user to do his/her
work. Sure, there's a thing as cached credentials on a client, but logon
on to a domain is important for a lot of services.

 

Cheers!

John Reijnders (soon to change his e-mail
address into a MSFT one)

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: maandag 31 januari 2005 21:18
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] new 2003 domain controller in windows 200 forest.



 

definitely give them an OU and I'd also
urgently suggest you don't make the machine in that remote office a DC at all 

=> first of all it's not required for
15 folks - you'll need it for other things such as file/print (they should easily
be able to authenticate to your main office; assuming NW connectivity - which
you'd also need to setup replication...)

=> secondly, it's much more secure,
as you will likely not have much physical security in an office of 15 people
and if you're using the one box for everything it's unsecure from a delegation
perspective

 

/Guido

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

we are setting up a remote office of about 15 people that will be linked by a vpn.

we are buying new servers that have win2003 on them.

I have a couple of questions, I hope you would indulge me with your opinions.

1: we are planning to upgrade our headquarters to 2003 in about 3-4 months. can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later?

if so, anything special we need to do? IE: forest prep?

2: We have a raging debate whether to set them up as a domain or an org unit in their own site. we have a part time administrator there that we need to give rights to for day to day admin work.

thanks for your help.

Jeff Kraus

Network Manager
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax:    631.753.4305






RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Cothern Jeff D. Team EITC
Hmm where would that gpolog.adm be found?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, January 31, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Windows 2000 logon

2005-01-31 Thread Jorge de Almeida Pinto



Hi,
 
I have two documents on authentication (one from Jan De Clerq and one from Darren Mar-Elia). The first document concerns "Windows 2000 authentication under the hood" (if I saw correctly Jan is presenting the Windows 2003 version on the DEC!) and the second is an article Darren wrote for Windows & .NET Magazine (now Windows IT Pro). If anyone is interested contact me offline.
 
Regards,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
Sent: maandag 31 januari 2005 10:01
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 logon

As far as I know, the authentication method is done using the DNS server.

I mean, when you type your user name & password, it takes it and asks the DNS and tells him the following: (ok, DNS, I have this user name & password from this PC in the network, please, I want to validate the user name & password for this), then DNS replies.

DNS reply: ok PC, I have here in my records in the zone that this server is making the authentication, take his IP-Address and talk to him.
PC: ok, DNS, please give me this IP-Address.
DNS: ok, IP-address is 192.168.1.1
PC: ok, thanks, I will talk to this server now.

PC-to-Server: dear Server, please, I have this user name & password, please authenticate it.

So this is the process as I know it.

So, if you change the IP-Address of the server which is making the Kerberos service, I think you will be able to make it. Please tell me if this is enough for you.
 
 




From: Yakir, Ronen [mailto:[EMAIL PROTECTED]
Sent: 21 ذو الحجة, 1425 11:47 ص
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Windows 2000 logon

Hi

As far as I know, there is no way to force a PC to authenticate with a specific server.

Ronen Yakir
Customer Support Engineer


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mohammed Tantawi
  Sent: Monday, January 31, 2005 8:11 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Windows 2000 logon

  What do you mean? Can you explain more details to help you?

  Mohammed

  From: Tashildar, Dinesh (Cognizant) [mailto:[EMAIL PROTECTED]
  Sent: 21 ذو الحجة, 1425 08:44 ص
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Windows 2000 logon

  Hi,
  Does anyone know how to force a Windows 2000 Pro PC to logon to a specific Windows 2000 Server rather than just using any old server that can authenticate?

  I have tried by changing LOGONSERVER environment variable to force logon to DC, but it's not working.

  Regards,
  Dinesh Tashildar




RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Darren Mar-Elia
Justin-
This should not be the case. Are there any Folder Redirection errors in
the application event log? If not you might try enabling verbose FR
logging. Check out my gpolog.adm for details. 

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 12:03 PM
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO My Documents Redirect Question

How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] new 2003 domain controller in windows 200 forest.

2005-01-31 Thread Grillenmeier, Guido



definitely give them an OU and I'd also urgently suggest you don't make the machine in that remote office a DC at all

=> first of all it's not required for 15 folks - you'll need it for other things such as file/print (they should easily be able to authenticate to your main office; assuming NW connectivity - which you'd also need to setup replication...)
=> secondly, it's much more secure, as you will likely not have much physical security in an office of 15 people and if you're using the one box for everything it's unsecure from a delegation perspective
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Kraus
Sent: Monday, January 31, 2005 7:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] new 2003 domain controller in windows 200 forest.

Hi,

we are setting up a remote office of about 15 people that will be linked by a vpn.

we are buying new servers that have win2003 on them.

I have a couple of questions, I hope you would indulge me with your opinions.

1: we are planning to upgrade our headquarters to 2003 in about 3-4 months. can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later?

if so, anything special we need to do? IE: forest prep?

2: We have a raging debate whether to set them up as a domain or an org unit in their own site. we have a part time administrator there that we need to give rights to for day to day admin work.

thanks for your help.

Jeff Kraus

Network Manager
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax:    631.753.4305
 
 
 


RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Grillenmeier, Guido
Charles, I've had a similar issue with another customer and here the
reason was due to a configuration of the VPN router.

Our situation was that the package size sent by Win2000 DCs was larger
than the one allowed by the router, however, the MS packages have the DF
flag (don't fragment), so that the router wasn't allowed to fragment the
packages.  

The size of the default packets sent by Microsoft was 1482 byte - and
the VPN router allowed a max of 1476 bytes.  In our case the problem was
that the router's "IP unreachable" feature was turned off => turning on
this feature resolved our problem as the ICMP message back to the DC
told it to use a different package size which it then did much quicker
than before, where it waited on a timeout.  I'm not a network guy - so
don't ask me if it would have also been sufficient to increase the max
package size on the router...

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 8:30 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

We have been monitoring the traffic from there and it only seems to be
using from 5 to 10% of their line.  They have a 512 DSL line and there
are only 10 users at that site so it isn't big enough for me to place a
DC there. 

They do a lot of printing and we are using Exchange 5.5 right now.  

I don't know. But we have also been experiencing some SSL issues with our
internet traffic that might be part of this cause.  

I guess for now I might be able to eliminate the VPN connection from the
problem as the DNS and network traffic seems steady.  The only other
thing that I could think of checking on the VPN is the packet size.

Thanks for the suggestions.  

-Original Message-
From: Chandra Burra [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs



I had seen a similar issue, this was resolved after placing a DC in the
local site and also configuring it as a local print server.

Major hits were with the print server, each time user prints it goes to
the spooler in HQ and then comes back to print in local office, later
the notification is expected by the client from the print server on
completion of the print.

Other traffic might also be going through same tunnel...like other
business applications, E2K and so on...

have the n/w team monitor the link or use netmon to get the same
yourself...that might give you more insight...


Regards,
Chandra




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul van Geldrop
Sent: 31 January 2005 17:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Are there still NT4 machines at the site ?

You seem to have symptoms of timeouts and/or DNS misconfiguration.

Any errors in the DNS server logs ? Have you ran DNSdiag yet by any
chance ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 5:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this sites DNS, DC,
GC and other server related sites.  The VPN concentrator at this
location grants DHCP servers to the location and uses a routing table
for security.
All of the ISA and other firewall issues are dealt with at the main
location as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs
are GCs.

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as
workstation boot up and logon times are normally.  Only AD related
workstations are affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for.  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls..
or
are you using ISA Server ?

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that
is using a VPN connection to our central hub.  Before the migration they
were not experiencing any issues, however after the migration they are
not 
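
The behaviour Guido describes at the top of this message, as an added example that is not part of the original thread: a Python simulation of path MTU discovery with the DF flag set, comparing a VPN router that returns ICMP "fragmentation needed" with one that drops oversized packets silently. The 1482 and 1476 byte sizes come from the message; the hop names, round-trip time, retransmission timeouts and 576-byte fallback are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Hop:
    name: str                      # hypothetical hop label
    mtu: int                       # largest IP packet forwarded unfragmented
    icmp_unreachable: bool = True  # does the hop report drops to the sender?


@dataclass
class Result:
    delivered_size: int
    attempts: int
    elapsed: float                 # simulated seconds
    events: List[str] = field(default_factory=list)


def vpn_path(icmp_unreachable: bool) -> List[Hop]:
    """Constructed three-hop path; only the 1476-byte VPN limit is from the thread."""
    return [
        Hop("branch-lan", 1500),
        Hop("vpn-router", 1476, icmp_unreachable),
        Hop("hq-lan", 1500),
    ]


def send_once(path: List[Hop], size: int) -> Tuple[str, Optional[Hop]]:
    """Send one DF-flagged packet along the path.

    Returns ("delivered", None), ("icmp", hop) when a hop rejects the packet
    and tells the sender, or ("lost", hop) when a hop drops it silently.
    """
    for hop in path:
        if size > hop.mtu:  # DF is set, so the hop is not allowed to fragment
            return ("icmp" if hop.icmp_unreachable else "lost"), hop
    return "delivered", None


def black_hole_hops(path: List[Hop], size: int) -> List[str]:
    """Hops that would silently swallow a DF packet of this size."""
    return [h.name for h in path if size > h.mtu and not h.icmp_unreachable]


def discover(path: List[Hop], size: int, rtt: float = 0.05, rto: float = 3.0,
             max_timeouts: int = 3, fallback: int = 576) -> Result:
    """Sender-side loop: shrink on ICMP feedback, otherwise back off and retry.

    rtt, rto, max_timeouts and fallback are assumed values for illustration.
    """
    elapsed, attempts, timeouts = 0.0, 0, 0
    events: List[str] = []
    while True:
        attempts += 1
        outcome, hop = send_once(path, size)
        if outcome == "delivered":
            elapsed += rtt
            events.append(f"{size} bytes delivered")
            return Result(size, attempts, elapsed, events)
        if outcome == "icmp":
            # ICMP type 3 code 4 carries the next-hop MTU back to the sender
            elapsed += rtt
            events.append(f"{hop.name}: fragmentation needed, MTU {hop.mtu}")
            size, timeouts = hop.mtu, 0
            continue
        # Silent drop: the sender only learns by waiting out the timer
        elapsed += rto * (2 ** timeouts)
        timeouts += 1
        events.append(f"{size} bytes: no reply, timeout {timeouts}")
        if timeouts >= max_timeouts:
            if size <= fallback:
                raise RuntimeError("path unusable even at fallback size")
            events.append(f"giving up on {size}, falling back to {fallback}")
            size, timeouts = fallback, 0


if __name__ == "__main__":
    for label, enabled in (("ICMP unreachable on", True),
                           ("ICMP unreachable off", False)):
        path = vpn_path(enabled)
        result = discover(path, 1482)
        print(f"{label}: {result.delivered_size} bytes after "
              f"{result.attempts} attempts, {result.elapsed:.2f}s")
        print("  silent-drop hops:", black_hole_hops(path, 1482) or "none")
        for event in result.events:
            print("   ", event)
```
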

RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Salandra, Justin A.
How can I get it so that when I create the home directory through ADU&C
the redirecting of the My Documents works correctly.. I have found that
it doesn't work unless the user account is the owner of the folder and
you can imagine how much of a pain that is.

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Darren Mar-Elia
Justin-
By root path, do you mean specifying a UNC like \\server\home\%username%
? If so, then I that should work, without having to specify a home
folder on the user object.

Darren 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Monday, January 31, 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO My Documents Redirect Question

If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] ldap

2005-01-31 Thread Cothern Jeff D. Team EITC
I was afraid you were going to say that.  Let's just say my scripting leaves 
much to desire. 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Monday, January 31, 2005 12:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldap

For the home drives, read their homeDirectory path and then go with a vbscript 
and recurse through the folder. 

Thanks.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Sunday, January 30, 2005 8:38 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] ldap
> 
> Unfortunately we haven't updated exchange to 2003.  That is coming but I
> was able to get the exchange info easy enough manually in a way.  I just
> opened system manager and connected to the mailstore and exported the list
> which shows the information I needed except the mailstore name.  Which I
> just did a simple copy paste fill in within excel and in a few hours had
> the portion of users I needed with the mailstore and size information.
> That actually wasn't that bad.  Home drive size though could be much more
> difficult seeing as the people are in different file share areas.
> 
> I will definitely keep this information though for when we go to 2003 will
> make some reports easier to compile.
> 
> Thanks
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Michael B. Smith
> Sent: Sunday, January 30, 2005 7:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] ldap
> 
> CDO/MAPI for mailbox size is moderately easy and can certainly be done in
> VBScript. See:
> 
> http://blogs.brnets.com/michael/archive/2004/07/07/172.aspx
> 
> It does have a couple of issues (revolving around permissions and updating
> the last login date of a mailbox). The WMI solution is much better, IMHO.
> 
> I have a sample online for that at:
> 
> http://blogs.brnets.com/michael/archive/2004/07/26/181.aspx
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Brian Desmond
> Sent: Sunday, January 30, 2005 1:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] ldap
> 
> As far as mailbox size, don't even try to tackle the CDO for it. You need
> some hardcore C++ fun, and I heard somewhere that it doesn't even compile
> right unless you've got some weird stuff setup.
> 
> Since you have E2k3, you can query WMI for mailbox size, so it's really
> easy. So is folder size - just make yourself a VBS that recurses through
> folders with FileSystemObject summing the size of the files. If you need a
> sample lemme know.
> 
> Thanks.
> 
> --Brian Desmond
> [EMAIL PROTECTED]
> Payton on the web! www.wpcp.org
> 
> v - 773.534.0034 x135
> f - 773.534.8101
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:ActiveDir-
> > [EMAIL PROTECTED] On Behalf Of joe
> > Sent: Saturday, January 29, 2005 11:24 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] ldap
> >
> > Depends on which name attribute. If you know the attribute and the
> > format of the name you set up the simple filter to do it and return
> > the proper attributes. Without specifics you can't be given a specific
> > answer.
> >
> > But assuming you mean display name it could be something like
> >
> > Adfind -default -f "displayname=blah blah" samaccountname
> > userPrincipalName homeDirectory homeMDB
> >
> > You can't get directory size or mailbox size from AD, that info isn't
> > stored in AD.
> >
> >   joe
> >
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
> > Team EITC
> > Sent: Saturday, January 29, 2005 3:38 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] ldap
> >
> > Say I have a list of names and I want to query AD to get back their
> > user name, Home directory, mail store.  What would be the command to
> > or way to more efficiently get this information.
> >
> > Eventually I need their Home directory size and mailbox size too but
> > figure that I gotta do more manually.
> >
> > Jeff
> >
> >

RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Carerros, Charles
We have been monitoring the traffic from there and it only seems to be using
from 5 to 10% of their line.  They have a 512 DSL line and there are only 10
users at that site so it isn't big enough for me to place a DC there. 

They do a lot of printing and we are using Exchange 5.5 right now.  

I don't know. But we have also been experiencing some SSL issues with our
internet traffic that might be part of this cause.  

I guess for now I might be able to eliminate the VPN connection from the
problem as the DNS and network traffic seems steady.  The only other thing
that I could think of checking on the VPN is the packet size.

Thanks for the suggestions.  

-Original Message-
From: Chandra Burra [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 1:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs



I had seen a similar issue, this was resolved after placing a DC in the
local site and also configuring it as a local print server.

Major hits were with the print server, each time user prints it goes to the
spooler in HQ and then comes back to print in local office, later the
notification is expected by the client from the print server on completion
of the print.

Other traffic might also be going through same tunnel...like other business
applications, E2K and so on...

have the n/w team monitor the link or use netmon to get the same
yourself...that might give you more insight...


Regards,
Chandra




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul van Geldrop
Sent: 31 January 2005 17:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Are there still NT4 machines at the site ?

You seem to have symptoms of timeouts and/or DNS misconfiguration.

Any errors in the DNS server logs ? Have you ran DNSdiag yet by any
chance ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 5:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this sites DNS, DC,
GC
and other server related sites.  The VPN concentrator at this location
grants DHCP servers to the location and uses a routing table for
security.
All of the ISA and other firewall issues are dealt with at the main
location
as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs
are
GCs.

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as
workstation
boot up and logon times are normally.  Only AD related workstations are
affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for.  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls..
or
are you using ISA Server ?

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that
is
using a VPN connection to our central hub.  Before the migration they
were
not experiencing any issues, however after the migration they are not
seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely
and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network
kills
the VPN?

Thanks,

Charlie

RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Chandra Burra

I had seen a similar issue, this was resolved after placing a DC in the
local site and also configuring it as a local print server.

Major hits were with the print server, each time user prints it goes to the
spooler in HQ and then comes back to print in local office, later the
notification is expected by the client from the print server on completion
of the print.

Other traffic might also be going through same tunnel...like other business
applications, E2K and so on...

have the n/w team monitor the link or use netmon to get the same
yourself...that might give you more insight...


Regards,
Chandra




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Paul van Geldrop
Sent: 31 January 2005 17:14
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Are there still NT4 machines at the site ?

You seem to have symptoms of timeouts and/or DNS misconfiguration.

Any errors in the DNS server logs ? Have you ran DNSdiag yet by any
chance ?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 5:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this sites DNS, DC,
GC
and other server related sites.  The VPN concentrator at this location
grants DHCP servers to the location and uses a routing table for
security.
All of the ISA and other firewall issues are dealt with at the main
location
as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs
are
GCs.

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as
workstation
boot up and logon times are normally.  Only AD related workstations are
affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for.  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls..
or
are you using ISA Server ?

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that
is
using a VPN connection to our central hub.  Before the migration they
were
not experiencing any issues, however after the migration they are not
seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely
and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network
kills
the VPN?

Thanks,

Charlie


[ActiveDir] GPO My Documents Redirect Question

2005-01-31 Thread Salandra, Justin A.
If I do not set the home folder in ADU&C for each user, but I configure
the group policy to create a folder under the root path and I specify
what the root path is, the GPO will auto create the location when they
login right?  And that folder will be the owner of the directory?

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




[ActiveDir] new 2003 domain controller in windows 200 forest.

2005-01-31 Thread Jeff Kraus



Hi,
we are setting up a remote office of about 15 people that will be linked by a VPN.
We are buying new servers that have Win2003 on them.

I have a couple of questions; I hope you would indulge me with your opinions.

1: We are planning to upgrade our headquarters to 2003 in about 3-4 months. Can we set up the new server with 2003 as domain controllers so we won't have to upgrade them later? If so, anything special we need to do? IE: forest prep?

2: We have a raging debate whether to set them up as a domain or an org unit in their own site. We have a part-time administrator there that we need to give rights to for day-to-day admin work.

Thanks for your help.

Jeff Kraus

Network Manager
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax: 631.753.4305
 
 


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Renouf, Phil
So you're saying you like to wear pants?

I know what you're saying about winter...it is highly over-rated. If I
had my choice I would be sitting by the beach except when I wanted to go
skiing. If I can't be skiing then I don't see much point in the snow.

Snowboarding is where I hurt myself. Once I did that I switched right
back to skiing :)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 31, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

I broke my leg one year, a wrist another year, and sprained an ankle
really bad yet another year when skiing when I was young and more dumb
and thought I was invincible. I have since learned that the best part of
skiing is sitting about 5 feet from the fire with some nice smooth
alcoholic beverage and talking to the snow bunnies. My overall
preference though is to be somewhere where snow is not. Growing up in
Northern Lower Michigan I had seen far more than enough snow by the time
I was 10. If going down a hill at high speed I rather it be on a
mountain bike with shorts on. If fishing I rather it be on a nice big
boat with shorts on. If snowmobiling, I rather do it in a videogame
while sitting on a beach with shorts on. A perfect day for me is 76-80
degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards
in a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]



From: "Renouf, Phil" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 11:34 AM EST
Please respond to: ActiveDir
To:
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have
ever skied. Even if you aren't a skier it's worth going and checking
out, even if it is just for the views. A sunny day at the top of
Whistler is pretty incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__

<<...OLE_Obj...>>

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven
*   Postbus 7089
5605 JB Eindhoven
*   Tel : +31-(0)40-29.57.777
*   Fax : +31-(0)40-29.57.709
*   Mob

RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Justin_Leney
Return Receipt

Your document: RE: [ActiveDir] VPN Connections with 2003 ADs
was received by: Justin Leney/US/DCI
at: 01/31/2005 12:58:49 PM








[ActiveDir] Mmview_101.dll

2005-01-31 Thread Za Vue
 
Off topic...

Anyone encountered this annoying spyware, MMVIEW_101.DLL? I can't seem to
get rid of it. The path pointed to the IE cache folder, but that folder has
been deleted. The cookies and history for IE cleaned and system rebooted.
"HiJack This" doesn't seem to help either.

Thank you ..
Z.V.



RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Paul van Geldrop
Are there still NT4 machines at the site ?

You seem to have symptoms of timeouts and/or DNS misconfiguration.

Any errors in the DNS server logs ? Have you ran DNSdiag yet by any
chance ? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: Monday, January 31, 2005 5:53 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs

This site goes back to our main location that houses this sites DNS, DC,
GC
and other server related sites.  The VPN concentrator at this location
grants DHCP servers to the location and uses a routing table for
security.
All of the ISA and other firewall issues are dealt with at the main
location
as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs
are
GCs.  

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as
workstation
boot up and logon times are normally.  Only AD related workstations are
affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for.  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls..
or
are you using ISA Server ? 

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros,
Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that
is
using a VPN connection to our central hub.  Before the migration they
were
not experiencing any issues, however after the migration they are not
seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely
and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network
kills
the VPN?

Thanks,

Charlie
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread joe
I broke my leg one year, a wrist another year, and sprained an ankle really
bad yet another year when skiing when I was young and more dumb and thought
I was invincible. I have since learned that the best part of skiing is
sitting about 5 feet from the fire with some nice smooth alcoholic beverage
and talking to the snow bunnies. My overall preference though is to be
somewhere where snow is not. Growing up in Northern Lower Michigan I had
seen far more than enough snow by the time I was 10. If going down a hill at
high speed I rather it be on a mountain bike with shorts on. If fishing I
rather it be on a nice big boat with shorts on. If snowmobiling, I rather do
it in a videogame while sitting on a beach with shorts on. A perfect day for
me is 76-80 degrees, sunny blue sky, top off the wrangler putzing around the
boonies With shorts on. 

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: "Renouf, Phil" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 11:34 AM EST
Please respond to: ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

 





Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have ever
skied. Even if you aren't a skier it's worth going and checking out, even if
it is just for the views. A sunny day at the top of Whistler is pretty
incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it is
simply the best, extraordinary, largest, most varied terrain, (insert your
own gushing adjective here)... ski area in North America.  Maybe Gil needs
to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell you
more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys that
are also visiting DEC. Besides visiting DEC I'm staying a few days longer
hopefully to see very nice things in the region. Does any of you know what's
worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven
*   Postbus 7089
5605 JB Eindhoven
*   Tel : +31-(0)40-29.57.777
*   Fax : +31-(0)40-29.57.709
*   Mobile  : +31-(0)6-26.26.62.80
*   E-mail  : [EMAIL PROTECTED]
- Solutions that matter -


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank 

RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread Darren Mar-Elia
FYI:

There is a Win2k version of this tool for re-creating the DDCP and DDP
here:
http://download.microsoft.com/download/6/1/8/618ecc9d-2edd-42fe-9a53-7f1971154697/RecreateDefpol.EXE




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

Hi Adam,

you are right. DCGPOfix is only for Windows 2003.

In this case I would agree to the procedure Guido described.
If you have different domains you can copy the default domain policy
from any other domain (as long as you didn't modify this policy). You do
not need to create a new domain.
A new DC wouldn't recreate the default domain policy. It would just
replicate the current domain policies...

Volker

> Hi Guido, thanks for you reply.
>
> The target domain is a child from the root.  I will build a lab domain (as
> root) and replicate the server name, then copy over the GPO folder.
> Do you think that will be okay?
>
> Would introducing a DC to this damaged domain recreate the default 
> domain gpo?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: 31 January 2005 13:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> as this is a default GPO with a well-known ID, you can copy the 
> {6AC1786C-016F-11D2-945F-00C04fB984F9} folder from the SYSVOL of 
> another AD installation (e.g. from your test-lab or from virtual 
> machine etc.).
> Just make sure, that source's GPO isn't configured with anything 
> specific to that domain.
>
> The safest way would be to install a new single-domain AD forest in 
> your lab and then copy the folder from there to your production DC.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: Monday, January 31, 2005 1:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> I have the KB for the security settings, but I cannot find anything on
> actually regenerating the GPO other than a restore.  Restore is not an
> option.
>
> Thanks
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: 31 January 2005 12:38
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> IIRC there is a MS doc on recovering the default GPO and security 
> settings.
> This might apply in this scenario?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: 31 January 2005 14:23
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> There is one more domain controller in this domain, and that too has 
> the files missing.
>
> I will look at the file recovery, but I doubt very much that I will 
> recover it.
>
> Thanks for your help so far.
>
> Anyone else got any ideas?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 31 January 2005 12:15
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> Does that domain have a replication partner? If yes, can you check on
> that server if you can copy that folder off...
>
> others i can think of is the tool to restore the deleted items from 
> the harddisk - like File restore from winternals
>
>
> On Mon, 31 Jan 2005 11:48:14 -, knighTslayer 
> <[EMAIL PROTECTED]> wrote:
>> The GPO GUID is missing from the sysvol directory.  I understand your
>> suggestion about the permissions and I followed the KB which relates
>> to this, but simply, the object (folder) is missing from the sysvol
>> folder.
>>
>> I am unable to edit it, because it is missing.
>>
>> Adam
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
>> Sent: 31 January 2005 11:36
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
>> folder
>>
>> Adam.,
>>
>> If i understood the problem correct --> you are able to c the GP In
>> the GPUC
>> --> but are not able to edit.
>>
>> then can you confirm that the object exists. Go to GPUC--> System -->
>> Policies and check for the GP SID u r mentioning.
>>
>> If that exists and you are not able to edit that GP then its simply
>> issue with permissions on that child domain.
>>
>> Regards,
>> Chandra
>>
>> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer 
>> <[EMAIL PROTECTED]> wrote:
>> > Chandra, thanks for your response.  I

RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Gil Kirkpatrick
All the MSFT guys have indicated that Whistler is the place to go. I'll
see if we can set up something for right after the conference. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 9:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip... 

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this... 
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge 

Met vriendelijke groet / Kind regards, 

Jorge de Almeida Pinto
Infrastructure Consultant
__ 


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED]
- Solutions that matter -


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Lucia Washaya

Return Receipt

Your document: RE: [ActiveDir] VPN Connections with 2003 ADs
was received by: Lucia Washaya/UNAMSIL
at: 31/01/2005 17:00:55 GMT
   







RE: [ActiveDir] Windows 2000 logon

2005-01-31 Thread Lucia Washaya

Return Receipt

Your document: RE: [ActiveDir] Windows 2000 logon
was received by: Lucia Washaya/UNAMSIL
at: 31/01/2005 16:59:49 GMT
   







RE: [ActiveDir] AD startup scripts problem

2005-01-31 Thread joe



Have you done a network trace yet? If you are getting an 
access denied, you will see it in the trace.
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Monday, January 31, 2005 4:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Just to follow up on this problem, I would like to clarify my current
situation:

I have now determined the script is actually running during startup. The
problem however remains that I am not able to run the executable from the
network share location. Everything works fine if I re-code the batch command
and put the EXE locally on the computer. But using UNC addresses in the batch
does not work.

On the network share and all sub-folders I have ensured that "Domain Computer"
accounts have full access.

If I log on to the computer with a normal domain user account and then run the
batch file that is coded with UNC references, the whole process works
wonderfully.

So where can I look to see what has failed when I configure the script to run
during startup and the batch file is using UNC paths ? I have looked in the
standard places (event viewer) but don't see any error messages.

Many thanks
 
 

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Friday, 28 January 2005 17:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Put it in SYSVOL

RH
___

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Friday, January 28, 2005 11:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

the local computer's system account does process the script but here it looks
like it doesn't have permissions to read the script on the 'servers' share

From: [EMAIL PROTECTED] on behalf of Rocky Habeeb
Sent: Fri 28/01/2005 16:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD startup scripts problem

Correct me if I'm wrong, but doesn't the Local System account have full
control of the entire boot operation?  And isn't it responsible to process
the complete range of operations including network authentication and domain
based GPO processing?  And if not who is?  And if so, doesn't that mean

>it I think this is it in a nutshell. When I put everything locally on the
> machine the script ran and created the report.
>
> As you say, I have no network connectivity when in the startup phase.
>
> Or is there a workaround ?
>
> Thanks for all the input
>
>
> Original Message Follows
> From: <[EMAIL PROTECTED]>
> Reply-To: ActiveDir@mail.activedir.org
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] AD startup scripts problem
> Date: Fri, 28 Jan 2005 08:05:12 -0600
>
> Hi Mark...
>
> I believe it's running at system level on startup, and i believe
> system has no network rights.
>
> John
>
> From: "Mark Abbiss" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> Date: 01/28/2005 07:07 AM
> Please respond to: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD startup scripts problem
>
> I have tried ev

RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Mulnick, Al
The uninstall should take it out clean, but as with anything else, be
careful.  The problem I would be most concerned about is the store names
(it's supposed to be by GUID with a display name the same as the previous.
Because it was a restore, it would be a good idea to make sure that the
GUIDs are indeed different. Not sure how it would have started if it wasn't,
but..)

They should be located under different paths in the directory, but just to
be sure, you may want to ensure you have good AD and Exchange backups.  

FWIW, this is similar in concept to dial-tone recoverability.  It's
something that's talked about in E2K3 DR papers.  Might be worth a read to
see what gets hooked and what doesn't in the directory before proceeding.

Al 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

The logical name of the mailstore is the same as the name of the old
mailstore (same for storage group). I thought it has to be for a successful
restore.



I removed exchange attributes for the user i'm trying to exmerge and i was
able to reconnect with another user and ran exmerge successfully.
Thanks for all your help, Al.


i know i was venturing into uncharted and potentially bad territory here as
this is NOT a documented way of restoring a mailbox/info store.
I understand you should create a separate recovery forest (or RSG, if running
exchange2k3). However, my company wanted this done now and we had no scsi
adapter or tape drive on the recovery server and they didn't want to wait to
order one (though now i realize too late, i might have been able to do this
via VMware).
I realize that's not a good answer, but it's all i've got. I certainly don't
want to encourage such bad practices.

On a side note, do you know the best method for uninstalling an exchange
server cleanly from AD (will it clean up after itself and remove all objects
and attributes pointing to itself?).

Thanks again. And i would understand if you didn't want to help me earlier
as i could've intentionally fubar'ed my AD/Exchange due to my giving in to
management so easily.
So, thanks a lot!


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


What is the mailstore name being reported in AD for the restored server?

Al  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

there is not one error in my logs.
i bounced the server.

mailstores maybe independent, but it is all in AD. the mailstore object is
in AD. Its getting this info from somewhere that a user is still connected
to a mailbox(AD).
when i use ESM, i'm connected to AD. so logic tells me this error i'm
getting is from an attribute in AD still referencing the wrong object.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


I wouldn't think so.  Have you tried bouncing the store service on that
restored server?  

I don't recall if the restore programs are smart enough to try to recover
the mailstores, but the stores themselves are independent of the directory
objects.  That said, it's a matter of getting the reconnect to a new object.


What's in the application event log during all of this on the restored
machine?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

i have run the cleanup agent and i have new users to connect them to,
however when i try to reconnect, i get the error that the mailbox is already
connected.
i think the problem is, when i redirected the restore, the mailboxes or the
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so
the redirected mailboxes are referencing users that still exist but point to
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent

RE: [ActiveDir] GPO doesnt apply

2005-01-31 Thread Bruyere, Michel
You're right... it's my bad... 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, January 31, 2005 9:55 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] GPO doesnt apply
> 
> Hi Michel...
> 
> Is MSN supposed to be MSN messenger?  I don't think the policies are for
> that, but for Windows Messenger. Or maybe I'm just not reading this
> right.
> 
> Not that it would make applying them any differently, but you might be
> able
> to just eliminate that policy, if that's the case.
> 
> John
> 
>
> From: "Bruyere, Michel" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> Date: 01/31/2005 08:40 AM
> Please respond to: [EMAIL PROTECTED]
> To:
> Subject: [ActiveDir] GPO doesnt apply
>
> Hi,
>  I'm actually facing a strange problem... I can't seem to make 2
> policies apply simultaneously.
> 
> Here is the configuration:
> 
> Domain
>  - Users_ou1
>  - Users_ou2
>  - Users_ou3
>  - Users_ou4
>  - Users_ou5
>  - Users_ou1
>  - Computers_ou1
>  - Computers_ou2
>  - Computers_ou3
>  - Computers_ou4
>  - Computers_ou5
> 
>  The OUs are different departments and they contain user's accounts for
> the users OUs and computer's accounts for the Computers_ou.
> 
> I created a GPO using the Windows XP sp2 adm templates. I
> applied/modified them from a station with the 2k3 admin pack and GPMC.
> The GPOs that I wanna apply are quite basics.
> 1- MSN -  I deny the launch of msn at windows start and prevent running
> the program.
> 2- unwanted programs -  I denied the exe for the latest version of MSN
> (for some reasons, the MSN gpo doesn't catch it up)
> 
> 
> The result that I have is the following:
> 
> Applied Group Policy Objects
>  -
>  screensaver
>  unwanted
>  Default Domain Policy
> OR
> 
> Applied Group Policy Objects
>  -
>  screensaver
>  MSN
>  Default Domain Policy
> 
> 
> And what I would like is:
> 
> Applied Group Policy Objects
>  -
>  screensaver
>  unwanted
>  MSN
>  Default Domain Policy
> 
> 
> Note that the MSN is applied to the computers_ou and the unwanted on the
> users_ou
> 
> 
> Anyone can share a thought about it?
> 
> Thanks!
> 
> 
> M.Bruyere
> Network/systems administrator
> CompTIA A+, Network+
> 


RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Carerros, Charles
This site goes back to our main location that houses this site's DNS, DC, GC
and other server related sites.  The VPN concentrator at this location
grants DHCP servers to the location and uses a routing table for security.
All of the ISA and other firewall issues are dealt with at the main location
as the routing table only allows communication through here.

We are using AD integrated DNS (which is housed on our DCs) and all DCs are
GCs.  

The odd thing is that if you are at that location and are using a
workstation on the NT domain then all web services as well as workstation
boot up and logon times are normal.  Only AD related workstations are
affected.

We are using Cisco VPN concentrators on both ends.

Does this cover the information that you were looking for?  If you need
something else, let me know.

Charlie

-Original Message-
From: Paul van Geldrop [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 10:36 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] VPN Connections with 2003 ADs


Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls.. or
are you using ISA Server ? 

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday 31 January 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of our of my sites that is
using a VPN connection to our central hub.  Before the migration they were
not experiencing any issues, however after the migration they are not seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network kills
the VPN?

Thanks,

Charlie

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread James_Day
Didn't all geeks grow up on skateboards, and then graduate to snowboards in
a desperate attempt to fit in?

Snowboards on the X-Box I mean of course.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: "Renouf, Phil" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 01/31/2005 11:34 AM EST
Please respond to: ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada
 

 




Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have
ever skied. Even if you aren't a skier it's worth going and checking
out, even if it is just for the views. A sunny day at the top of
Whistler is pretty incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip...

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this...
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge

Met vriendelijke groet / Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant
__


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven
*   Postbus 7089
5605 JB Eindhoven
*   Tel : +31-(0)40-29.57.777
*   Fax : +31-(0)40-29.57.709
*   Mobile  : +31-(0)6-26.26.62.80
*   E-mail  : [EMAIL PROTECTED]
- Solutions that matter -


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this 

Re: [ActiveDir] OT: logging level

2005-01-31 Thread ASB
More Info, please: http://tinyurl.com/ghwv



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Mon, 31 Jan 2005 10:10:31 -0500, Douglas M. Long <[EMAIL PROTECTED]> wrote:
> How in the world do you increase the logging level in XP? I see pages
> that say "verbose audit level" and "verbose logging level" and "verbose
> API level" and I don't have a clue what is what anymore...and it doesn't
> seem any of these references ever reference the same key in the
> registry. This is all in attempt to troubleshoot an outlook problem.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread knighTslayer
Volker,

That is what I am going to do.  I'll report back with the result.

Thanks again all,

Adam 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 31 January 2005 16:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

Hi Adam,

you are right. DCGPOfix is only for Windows 2003.

In this case I would agree to the procedure Guido described.
If you have different domains you can copy the default domain policy from
any other domain (as long as you didn't modify this policy). You do not need
to create a new domain.
A new DC wouldn't recreate the default domain policy. It would just
replicate the current domain policies...

Volker

> Hi Guido, thanks for your reply.
>
> The target domain is a child from the root.  I will build a lab domain 
> (as
> root) and replicate the server name, then copy over the GPO folder.  
> Do you think that will be okay?
>
> Would introducing a DC to this damaged domain recreate the default 
> domain gpo?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
> Guido
> Sent: 31 January 2005 13:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> as this is a default GPO with a well-known ID, you can copy the 
> {6AC1786C-016F-11D2-945F-00C04fB984F9} folder from the SYSVOL of 
> another AD installation (e.g. from your test-lab or from virtual 
> machine etc.).
> Just make sure, that source's GPO isn't configured with anything 
> specific to that domain.
>
> The safest way would be to install a new single-domain AD forest in 
> your lab and then copy the folder from there to your production DC.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: Monday, January 31, 2005 1:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> I have the KB for the security settings, but I cannot find anything on 
> actually regenerating the GPO other than a restore.  Restore is not an 
> option.
>
> Thanks
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: 31 January 2005 12:38
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> IIRC there is a MS doc on recovering the default GPO and security 
> settings.
> This might apply in this scenario?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: 31 January 2005 14:23
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> There is one more domain controller in this domain, and that too has 
> the files missing.
>
> I will look at the file recovery, but I doubt very much that I will 
> recover it.
>
> Thanks for your help so far.
>
> Anyone else got any ideas?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 31 January 2005 12:15
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> Does that domain have a replication partner? If yes, can you check on
> that server if you can copy that folder off...
>
> others i can think of is the tool to restore the deleted items from 
> the harddisk - like File restore from winternals
>
>
> On Mon, 31 Jan 2005 11:48:14 -, knighTslayer 
> <[EMAIL PROTECTED]> wrote:
>> The GPO GUID is missing from the sysvol directory.  I understand your 
>> suggestion about the permissions and I followed the KB which relates 
>> to this, but simply, the object (folder) is missing from the sysvol
> folder.
>>
>> I am unable to edit it, because it is missing.
>>
>> Adam
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra 
>> Burra
>>
>> Sent: 31 January 2005 11:36
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in 
>> sysvol
>
>> folder
>>
>> Adam.,
>>
>> If i understood the problem correct --> you are able to c the GP In 
>> the GPUC
>> --> but are not able to edit.
>>
>> then can you confirm that the object exists. Go to GPUC--> System -->
>> Policies and check for the GP SID u r mentioning.
>>
>> If that exists and you are not able to edit that GP then it's simply
>> issue with permissions on that child domain.
>>
>> Regards,
>> Chandra
>>
>> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer 
>> <[EMAIL PROTECTED]> wrote:
>> > Chandra, thanks for your response.  I looked in Lost and found and 
>> > it is empty.
>> >
>> > Regards
>> >
>> > Adam
>> >
>> > -Or

RE: [ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Paul van Geldrop
Some more info might be good.. such as location of DCs, GCs, DNS
configuration, etc. I presume you're setting up the VPN with firewalls.. or
are you using ISA Server ? 

Regards,

Paul

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: maandag 31 januari 2005 17:27
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] VPN Connections with 2003 ADs

I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that is
using a VPN connection to our central hub.  Before the migration they were
not experiencing any issues, however after the migration they are not seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network kills
the VPN?

Thanks,

Charlie

This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Renouf, Phil
Sorry for turning the list into a ski slope Joe :)

Whistler is hands down one of the best ski areas in North America, I've
spent a lot of time skiing and Whistler is the best place that I have
ever skied. Even if you aren't a skier it's worth going and checking
out, even if it is just for the views. A sunny day at the top of
Whistler is pretty incredible.

Did I hear someone mention geeks skiing? That sounds like fun ;)

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Monday, January 31, 2005 11:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip... 

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this... 
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge 

Met vriendelijke groet / Kind regards, 

Jorge de Almeida Pinto
Infrastructure Consultant
__ 


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED] 
- Solutions that matter -




RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread volker . seyboldt
Hi Adam,

you are right. DCGPOfix is only for Windows 2003.

In this case I would agree to the procedure Guido described.
If you have different domains you can copy the default domain policy from
any other domain (as long as you didn't modify this policy). You do not
need to create a new domain.
A new DC wouldn't recreate the default domain policy. It would just
replicate the current domain policies...

Volker

> Hi Guido, thanks for your reply.
>
> The target domain is a child from the root.  I will build a lab domain (as
> root) and replicate the server name, then copy over the GPO folder.  Do
> you
> think that will be okay?
>
> Would introducing a DC to this damaged domain recreate the default domain
> gpo?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
> Guido
> Sent: 31 January 2005 13:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> as this is a default GPO with a well-known ID, you can copy the
> {6AC1786C-016F-11D2-945F-00C04fB984F9} folder from the SYSVOL of another
> AD
> installation (e.g. from your test-lab or from virtual machine etc.).
> Just make sure, that source's GPO isn't configured with anything specific
> to
> that domain.
>
> The safest way would be to install a new single-domain AD forest in your
> lab
> and then copy the folder from there to your production DC.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: Monday, January 31, 2005 1:50 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> I have the KB for the security settings, but I cannot find anything on
> actually regenerating the GPO other than a restore.  Restore is not an
> option.
>
> Thanks
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: 31 January 2005 12:38
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> IIRC there is a MS doc on recovering the default GPO and security
> settings.
> This might apply in this scenario?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: 31 January 2005 14:23
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> There is one more domain controller in this domain, and that too has the
> files missing.
>
> I will look at the file recovery, but I doubt very much that I will
> recover
> it.
>
> Thanks for your help so far.
>
> Anyone else got any ideas?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 31 January 2005 12:15
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
> folder
>
> Does that domain have a replication partner? If yes, can you check on that
> server if you can copy that folder off...
>
> others i can think of is the tool to restore the deleted items from the
> harddisk - like File restore from winternals
>
>
> On Mon, 31 Jan 2005 11:48:14 -, knighTslayer
> <[EMAIL PROTECTED]> wrote:
>> The GPO GUID is missing from the sysvol directory.  I understand your
>> suggestion about the permissions and I followed the KB which relates
>> to this, but simply, the object (folder) is missing from the sysvol
> folder.
>>
>> I am unable to edit it, because it is missing.
>>
>> Adam
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
>>
>> Sent: 31 January 2005 11:36
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
>
>> folder
>>
>> Adam.,
>>
>> If i understood the problem correct --> you are able to c the GP In
>> the GPUC
>> --> but are not able to edit.
>>
>> then can you confirm that the object exists. Go to GPUC--> System -->
>> Policies and check for the GP SID u r mentioning.
>>
>> If that exists and you are not able to edit that GP then it's simply
>> issue with permissions on that child domain.
>>
>> Regards,
>> Chandra
>>
>> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer
>> <[EMAIL PROTECTED]> wrote:
>> > Chandra, thanks for your response.  I looked in Lost and found and
>> > it is empty.
>> >
>> > Regards
>> >
>> > Adam
>> >
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra
>> > Burra
>> > Sent: 31 January 2005 11:08
>> > To: ActiveDir@mail.activedir.org
>> > Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in
>> > sysvol folder
>> >
>> > did u try in Lost and Found
>> >
>> > AD users & Computers --> View --> Advanced Features ( check thi

[ActiveDir] VPN Connections with 2003 ADs

2005-01-31 Thread Carerros, Charles
I am working on a NT to 2003 AD migration where I have a lot of remote
locations.  I have just completed the migration of one of my sites that is
using a VPN connection to our central hub.  Before the migration they were
not experiencing any issues, however after the migration they are not seeing
large lag times in starting up their machines and logging in.

Also, when they browse the internet and they try to access pages that
require authentication they get stuck (the page never loads completely and
they do not receive an error message and this includes sites such as
mail.yahoo and gmail.com).

Has anyone seen an issue like this where the migration of the network kills
the VPN?

Thanks,

Charlie


RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Fuller, Stuart
If you are a skier then Whistler/Blackcomb is not to be missed.  IMHO it
is simply the best, extraordinary, largest, most varied terrain, (insert
your own gushing adjective here)... ski area in North America.  Maybe
Gil needs to organize a NetPro ski trip... 

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Monday, January 31, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this... 
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge 

Met vriendelijke groet / Kind regards, 

Jorge de Almeida Pinto
Infrastructure Consultant
__ 


LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T) Kennedyplein 248,
5611 ZT, Eindhoven 
*   Postbus 7089 
5605 JB Eindhoven 
*   Tel : +31-(0)40-29.57.777 
*   Fax : +31-(0)40-29.57.709 
*   Mobile  : +31-(0)6-26.26.62.80 
*   E-mail  : [EMAIL PROTECTED] 
- Solutions that matter -




RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread knighTslayer
Hi Guido, thanks for your reply.

The target domain is a child from the root.  I will build a lab domain (as
root) and replicate the server name, then copy over the GPO folder.  Do you
think that will be okay?

Would introducing a DC to this damaged domain recreate the default domain
gpo?

Regards

Adam

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: 31 January 2005 13:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

as this is a default GPO with a well-known ID, you can copy the
{6AC1786C-016F-11D2-945F-00C04fB984F9} folder from the SYSVOL of another AD
installation (e.g. from your test-lab or from virtual machine etc.).
Just make sure, that source's GPO isn't configured with anything specific to
that domain.  

The safest way would be to install a new single-domain AD forest in your lab
and then copy the folder from there to your production DC.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Monday, January 31, 2005 1:50 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

I have the KB for the security settings, but I cannot find anything on
actually regenerating the GPO other than a restore.  Restore is not an
option.

Thanks

Adam 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 31 January 2005 12:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

IIRC there is a MS doc on recovering the default GPO and security settings.
This might apply in this scenario?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: 31 January 2005 14:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

There is one more domain controller in this domain, and that too has the
files missing.

I will look at the file recovery, but I doubt very much that I will recover
it.

Thanks for your help so far.

Anyone else got any ideas?

Regards

Adam 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
Sent: 31 January 2005 12:15
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

Does that domain have a replication partner? If yes, can you check on that
server if you can copy that folder off...

others i can think of is the tool to restore the deleted items from the
harddisk - like File restore from winternals


On Mon, 31 Jan 2005 11:48:14 -, knighTslayer
<[EMAIL PROTECTED]> wrote:
> The GPO GUID is missing from the sysvol directory.  I understand your 
> suggestion about the permissions and I followed the KB which relates 
> to this, but simply, the object (folder) is missing from the sysvol
folder.
> 
> I am unable to edit it, because it is missing.
> 
> Adam
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> 
> Sent: 31 January 2005 11:36
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol

> folder
> 
> Adam.,
> 
> If i understood the problem correct --> you are able to c the GP In 
> the GPUC
> --> but are not able to edit.
> 
> then can you confirm that the object exists. Go to GPUC--> System -->
> Policies and check for the GP SID u r mentioning.
>
> If that exists and you are not able to edit that GP then it's simply
> issue with permissions on that child domain.
> 
> Regards,
> Chandra
> 
> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer 
> <[EMAIL PROTECTED]> wrote:
> > Chandra, thanks for your response.  I looked in Lost and found and 
> > it is empty.
> >
> > Regards
> >
> > Adam
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra 
> > Burra
> > Sent: 31 January 2005 11:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in 
> > sysvol folder
> >
> > did u try in Lost and Found
> >
> > AD users & Computers --> View --> Advanced Features ( check this) to
> > get more folders on the left panel.
> >
> > Regards,
> > Chandra
> >
> > On Mon, 31 Jan 2005 10:26:33 -, knighTslayer 
> > <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > Running Windows 2000 sp4 Active Directory.
> > > Domain concerned is a child domain off the root domain.
> > >
> > > I cannot edit the default domain policy object through ADUC or GPO

> > > edit.  I get a Group Policy Error:
> > >
> > > "Failed to open the Group Policy Object. You may not have 
> > > appropriate rights."
> > >
> > > I followed KB 294275, however it occurred to me that the actual 
> > > folder is missing in \Sysvol\Domain\Poli

Re: [ActiveDir] VB Script

2005-01-31 Thread Ertug Gurhan



Yes, figured that one out, that was in fact the issue, but Thank you.

Ertug

  - Original Message -
  From: joe
  To: ActiveDir@mail.activedir.org
  Sent: Friday, January 28, 2005 5:10 PM
  Subject: RE: [ActiveDir] VB Script

  By any chance is domain admins the primary group of the
  user who is absent? If so, this is by design. Primary group membership is not
  maintained like normal group membership, it is held in a specific attribute of
  the user, not the groups.

    joe

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Ertug Gurhan
  Sent: Friday, January 28, 2005 10:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] VB Script

  I have a VB script that queries the Domain Admins
  group for membership, but when I run it, it fails to extract all members, 1
  user in specific, any ideas?

  Thank you
   
  
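  ' Bind to the Domain Admins group and echo each member's distinguished name.
  ' Members reads the group's member attribute; a user who holds this group
  ' only as primary group is not listed there.
  strComputer = "."   ' not used by the LDAP bind below
  Set objGroup = GetObject("LDAP://cn=Domain Admins,ou=Groups,ou=Firm,dc=xyx,dc=corp")
  For Each objMember In objGroup.Members
      Wscript.Echo objMember.DistinguishedName
  Next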


RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol folder

2005-01-31 Thread knighTslayer
Volker,

Thanks for your response:

1. - Already tried this, didn't work.
2. - dcgpofix - is this a windows 2003 only tool?  I am running 2000.

Regards

Adam

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 31 January 2005 13:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol
folder

Hi,

check two things (I'm not sure if this works if the policy is deleted, but
maybe the dcgpofix tool can help):
1. check http://support.microsoft.com/?kbid=226243
2. use the tool dcgpofix
Log on as a domain administrator to a DC.
Start a command session.
To reset the Domain GPO, type
dcgpofix /target:Domain
To reset the Default DC GPO, type
dcgpofix /target:DC
To reset both the Domain and Default DC GPOs, type dcgpofix /target:both
After you enter the appropriate command in Step 3, enter Y to both prompts.
Close the command window.

regards
Volker


> I have the KB for the security settings, but I cannot find anything on 
> actually regenerating the GPO other than a restore.  Restore is not an 
> option.
>
> Thanks
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
> Sent: 31 January 2005 12:38
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> IIRC there is a MS doc on recovering the default GPO and security 
> settings.
> This might apply in this scenario?
>
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
> Sent: 31 January 2005 14:23
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> There is one more domain controller in this domain, and that too has 
> the files missing.
>
> I will look at the file recovery, but I doubt very much that I will 
> recover it.
>
> Thanks for your help so far.
>
> Anyone else got any ideas?
>
> Regards
>
> Adam
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra Burra
> Sent: 31 January 2005 12:15
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in sysvol 
> folder
>
> Does that domain have a replication partner? If yes, can you check on
> that server if you can copy that folder off...
>
> others i can think of is the tool to restore the deleted items from 
> the harddisk - like File restore from winternals
>
>
> On Mon, 31 Jan 2005 11:48:14 -, knighTslayer 
> <[EMAIL PROTECTED]> wrote:
>> The GPO GUID is missing from the sysvol directory.  I understand your 
>> suggestion about the permissions and I followed the KB which relates 
>> to this, but simply, the object (folder) is missing from the sysvol
> folder.
>>
>> I am unable to edit it, because it is missing.
>>
>> Adam
>>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Chandra 
>> Burra
>>
>> Sent: 31 January 2005 11:36
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in 
>> sysvol
>
>> folder
>>
>> Adam.,
>>
>> If i understood the problem correct --> you are able to c the GP In 
>> the GPUC
>> --> but are not able to edit.
>>
>> then can you confirm that the object exists. Go to GPUC--> System -->
>> Policies and check for the GP SID u r mentioning.
>>
>> If that exists and you are not able to edit that GP then it's simply
>> issue with permissions on that child domain.
>>
>> Regards,
>> Chandra
>>
>> On Mon, 31 Jan 2005 11:14:14 -, knighTslayer 
>> <[EMAIL PROTECTED]> wrote:
>> > Chandra, thanks for your response.  I looked in Lost and found and 
>> > it is empty.
>> >
>> > Regards
>> >
>> > Adam
>> >
>> > -Original Message-
>> > From: [EMAIL PROTECTED]
>> > [mailto:[EMAIL PROTECTED] On Behalf Of Chandra 
>> > Burra
>> > Sent: 31 January 2005 11:08
>> > To: ActiveDir@mail.activedir.org
>> > Subject: Re: [ActiveDir] Missing 'default domain policy gpo' in 
>> > sysvol folder
>> >
>> > did u try in Lost and Found
>> >
>> > AD users & Computers --> View --> Advanced Features ( check this) to
>> > get more folders on the left panel.
>> >
>> > Regards,
>> > Chandra
>> >
>> > On Mon, 31 Jan 2005 10:26:33 -, knighTslayer 
>> > <[EMAIL PROTECTED]> wrote:
>> > > Hi,
>> > >
>> > > Running Windows 2000 sp4 Active Directory.
>> > > Domain concerned is a child domain off the root domain.
>> > >
>> > > I cannot edit the default domain policy object through ADUC or 
>> > > GPO
>
>> > > edit.  I get a Group Policy Error:
>> > >
>> > > "Failed to open the Group Policy Object. You may not have 
>> > > appropriate rights."
>> > >
>> > > I followed KB 294275, however it occurred to me that the actual 
>> > > folder is missing in \Sysvol\Domain\Policies\
>> > "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
>> > >
>> > > There are no backups or cop
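
A consistency check for the condition this thread turns on, a GPO that still exists in the directory while its GUID folder is gone from the SYSVOL Policies folder, as an added example that is not part of any list message. It assumes the GPO GUIDs have already been read from the directory (System --> Policies) into a list; the helper names, the temporary folder and every GUID except the one quoted in the thread are constructed for the demonstration.

```python
import os
import re
import tempfile

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def normalize_guid(name):
    """Return the GUID in upper case, or None if the name is not a GUID."""
    return name.upper() if GUID_RE.match(name) else None


def check_gpt_folders(policies_dir, gpc_guids):
    """Compare GPO GUIDs known to the directory with the SYSVOL Policies folder.

    Folder and file names are compared case-insensitively, because the same
    GUID is often written with mixed case (as in the thread).
    """
    expected = set()
    for guid in gpc_guids:
        norm = normalize_guid(guid)
        if norm is None:
            raise ValueError("not a GPO GUID: %r" % guid)
        expected.add(norm)

    on_disk = {}
    for entry in os.listdir(policies_dir):
        norm = normalize_guid(entry)
        path = os.path.join(policies_dir, entry)
        if norm and os.path.isdir(path):
            on_disk[norm] = path

    report = {"missing_folder": [], "missing_gpt_ini": []}
    for norm in sorted(expected):
        path = on_disk.get(norm)
        if path is None:
            # The case described in the thread: object present, folder gone.
            report["missing_folder"].append(norm)
        elif not any(f.lower() == "gpt.ini" for f in os.listdir(path)):
            report["missing_gpt_ini"].append(norm)
    # Folders left behind with no matching directory object.
    report["no_directory_object"] = sorted(set(on_disk) - expected)
    return report


def demo():
    """Run the check against a constructed Policies folder."""
    thread_guid = "{6AC1786C-016F-11D2-945F-00C04fB984F9}"   # from the thread
    healthy = "{AAAAAAAA-0000-0000-0000-000000000001}"       # constructed
    empty = "{AAAAAAAA-0000-0000-0000-000000000002}"         # constructed
    orphan = "{aaaaaaaa-0000-0000-0000-000000000003}"        # constructed

    with tempfile.TemporaryDirectory() as policies:
        os.mkdir(os.path.join(policies, healthy))
        with open(os.path.join(policies, healthy, "GPT.INI"), "w") as fh:
            fh.write("[General]\nVersion=1\n")
        os.mkdir(os.path.join(policies, empty))    # folder without GPT.INI
        os.mkdir(os.path.join(policies, orphan))   # folder without an object
        # thread_guid gets no folder at all, as on the damaged domain.
        return check_gpt_folders(policies, [thread_guid, healthy, empty])


if __name__ == "__main__":
    for finding, guids in demo().items():
        for guid in guids:
            print("%-20s %s" % (finding, guid))
```
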

RE: [ActiveDir] setting robocopy to skip inaccessible files

2005-01-31 Thread Willem Kasdorp








Depending on why the file is inaccessible
you might be better off copying the file in BACKUP mode. This uses the backup
privilege and corresponding API’s to copy files that you have no
permissions to, just as ntbackup does. See the /B switch in the latest
incarnation of robocopy. 

 

--

    Regards, Willem

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lucia Washaya
Sent: Monday, January 31, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] setting robocopy to skip inaccessible files

Colleagues,

I need to set robocopy to skip those files that are inaccessible. So far if
robocopy comes across an inaccessible file it will keep on retrying. I would
like to skip it and carry on copying.
I am using the /MIR switch. Your help will be greatly appreciated.
Thank you in advance

Regards,
Lucia Washaya
Tel: 5497

=

The cobra will bite whether you call it Cobra or Mr. Cobra.

=








RE: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

2005-01-31 Thread Renouf, Phil
Stanley Park, Junior Hockey games, Whistler/Blackcomb, Vancouver Art
Museum.

I'm sure anyone who's lived in BC longer than I did will be able to tell
you more stuff.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Sunday, January 30, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] VERY VERY OT: DEC and Vancouver/Canada

Hi,
I hope you don't mind asking this... 
I'm visiting DEC (AD track) in March and hope to meet some of you guys
that are also visiting DEC. Besides visiting DEC I'm staying a few days
longer hopefully to see very nice things in the region. Does any of you
know what's worth visiting/seeing in the region of Vancouver?

Regards,
Jorge 

Kind regards,

Jorge de Almeida Pinto
Infrastructure Consultant

LogicaCMG Nederland B.V. (BU SD/AT)
Division Industry, Distribution and Transport (ID&T)
Kennedyplein 248, 5611 ZT, Eindhoven
Postbus 7089, 5605 JB Eindhoven
Tel: +31-(0)40-29.57.777
Fax: +31-(0)40-29.57.709
Mobile: +31-(0)6-26.26.62.80
E-mail: [EMAIL PROTECTED]
Solutions that matter


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread George Arezina

Thanks to everyone. I uninstalled TS
licensing server and did not get the error message that I had a few days ago,
saying in order to login to the DC through TS services you needed a TS
licensing server. Configured terminal users through GPO and everything is
working fine. I am curious as to why I got the error message in the first
place, and why force terminal licensing server? I guess one of those MS things……

Thanks again to everyone.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: Monday, January 31, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

IIRC if you are running Windows 2003 you
can turn on Remote Desktop access without installing TS and you don’t
have to buy licenses. It limits you to 2 simultaneous connections as did W2K in
Remote Admin mode but you don’t require licenses

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: 31 January 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even Windows
XP clients need to purchase a TS license? I was under the impression that
Windows XP clients did not need to purchase the TS license, but what do you
know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 


Information from Stedionica Opportunity International A.D. Novi Sad sent by
e-mail carries no guarantee. Concluding legal transactions via this medium is
not permitted. This e-mail may contain confidential and/or privileged
information. If you have received this e-mail in error, we hereby notify you
that any disclosure, copying, distribution or taking of any action in
connection with its contents is strictly prohibited and may be unlawful. If you
have received this e-mail in error, please notify us immediately by replying to
this e-mail and then delete it from your system.



The exchange of messages with Stedionica Opportunity International A.D. Novi
Sad via e-mail is not binding. Declarations regarding legal transactions must
not be exchanged via this medium. The information contained in this e-mail
message is confidential and intended exclusively for the addressee. Persons receiving
this e-mail message who are not the named addressee (or his/her co-workers, or
persons authorized to take delivery) must not use, forward or reproduce its
contents. If you have received this e-mail message by mistake, please contact
us immediately and delete this email message beyond retrieval.



RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Bakker, Jan



Before Microsoft supplied a TSCAL licence with every 
Windows XP licence. Since Windows 2003 they stopped doing that, customers who 
bought Windows XP before a certain date can still use the CALS for free, if you 
purchased the Windows XP licences after that date you'll have to pay for your 
TSCALS. 
 
Of course you only need them with terminal services 
and not with remote desktops. 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, January 31, 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

If you're talking about the equivalent of Win 2000 Terminal 
Services for Remote Administration, in Win 2003 that becomes Remote Desktop for 
Administration. It doesn't require the client licensing.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=
(watch URL wrap)
 
Hunter


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday, January 31, 2005 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses


Yes, I am quite aware 
of the new licensing in Windows 2003. However, I am more annoyed at the fact 
that I need to purchase TS licenses just for daily admin stuff. What the heck is 
the point of offering Terminal services as a tool for admins, I may be better 
off buying 3rd party software (Remote Admin). I really wish someone 
from the MVP services would jump in and explain why offer terminal services for 
admin purposes only to be forced to spend money on a TS license? 

George
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses
 
Yes, the licensing has 
changed. In 2003 Terminal Services, you need a CAL for every user or device (depending on the 
model you choose). The 'unlimited pool' we had in 2000 for 2000/XP clients is no 
more. Details here:
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx
 
There is also a CAL transition program 
for XP machines you purchased before the release of 2003 in April 2003. Details 
are here:
http://licensecode.one.microsoft.com/transition/default.asp
 
Hope this 
helps!
 
--Dave
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,
Can anyone verify that under Windows 
2003 TS server, even Windows XP clients need to purchase a TS license? I was 
under the impression that Windows XP clients did not need to purchase the TS 
license, but what do you know, they showed up in my temporary license tab in TS 
Licensing GUI.
Thanx
 
George 

 

[ActiveDir] OT: logging level

2005-01-31 Thread Douglas M. Long
How in the world do you increase the logging level in XP? I see pages
that say "verbose audit level" and "verbose logging level" and "verbose
API level" and I don't have a clue what is what anymore...and it doesn't
seem any of these references ever reference the same key in the
registry. This is all in attempt to troubleshoot an outlook problem. 


RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread James_Day
Hi George

Are you running 2003 servers with Terminal Services or Remote Desktop
enabled?  Terminal Services is the old 2000 TS in application mode, while
remote desktop is the old 2K TS in Remote Admin mode - and does not seem to
need licensing beyond your server cals.  Setting remote desktop mode is the
same as in an XP client, and it allows 2 remote connections (like the old
2K)  plus the ability to take over the console (as the XP one does).  It
also allows multiple people to connect to the same TS remote admin session
so two admins can fight over settings with the same screen.

We have been running it on several servers for 16 months without ever
getting a license warning, although all the servers set up with TS turned
on failed after 120 days with "no license server available messages".

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]



   
"George Arezina" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
01/31/2005 03:44 PM CET
Please respond to ActiveDir

To:
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Terminal server licenses
   

   




Yes, I am quite aware of the new licensing in Windows 2003. However, I am
more annoyed at the fact that I need to purchase TS licenses just for daily
admin stuff. What the heck is the point of offering Terminal services as a
tool for admins, I may be better off buying 3rd party software (Remote
Admin). I really wish someone from the MVP services would jump in and
explain why offer terminal services for admin purposes only to be forced to
spend money on a TS license?
George



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, the licensing has changed. In 2003 Terminal Services, you need a CAL
for every user or device (depending on the model you choose). The
'unlimited pool' we had in 2000 for 2000/XP clients is no more. Details
here:
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

There is also a CAL transition program for XP machines you purchased before
the release of 2003 in April 2003. Details are here:
http://licensecode.one.microsoft.com/transition/default.asp

Hope this helps!

--Dave


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses
Hi folks,
Can anyone verify that under Windows 2003 TS server, even Windows XP
clients need to purchase a TS license? I was under the impression that
Windows XP clients did not need to purchase the TS license, but what do you
know, they showed up in my temporary license tab in TS Licensing GUI.
Thanx

George



RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Peter Johnson

IIRC if you are running Windows 2003 you
can turn on Remote Desktop access without installing TS and you don’t
have to buy licenses. It limits you to 2 simultaneous connections as did W2K in
Remote Admin mode but you don’t require licenses

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: 31 January 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL for every user or device (depending on the model you
choose). The 'unlimited pool' we had in 2000 for 2000/XP clients is no more.
Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP
machines you purchased before the release of 2003 in April 2003. Details are
here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even
Windows XP clients need to purchase a TS license? I was under the impression
that Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 










RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Coleman, Hunter



If you're talking about the equivalent of Win 2000 Terminal 
Services for Remote Administration, in Win 2003 that becomes Remote Desktop for 
Administration. It doesn't require the client licensing.
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=
(watch URL wrap)
 
Hunter


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday, January 31, 2005 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses


Yes, I am quite aware 
of the new licensing in Windows 2003. However, I am more annoyed at the fact 
that I need to purchase TS licenses just for daily admin stuff. What the heck is 
the point of offering Terminal services as a tool for admins, I may be better 
off buying 3rd party software (Remote Admin). I really wish someone 
from the MVP services would jump in and explain why offer terminal services for 
admin purposes only to be forced to spend money on a TS license? 

George
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses
 
Yes, the licensing has 
changed. In 2003 Terminal Services, you need a CAL for every user or device (depending on the 
model you choose). The 'unlimited pool' we had in 2000 for 2000/XP clients is no 
more. Details here:
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx
 
There is also a CAL transition program 
for XP machines you purchased before the release of 2003 in April 2003. Details 
are here:
http://licensecode.one.microsoft.com/transition/default.asp
 
Hope this 
helps!
 
--Dave
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,
Can anyone verify that under Windows 
2003 TS server, even Windows XP clients need to purchase a TS license? I was 
under the impression that Windows XP clients did not need to purchase the TS 
license, but what do you know, they showed up in my temporary license tab in TS 
Licensing GUI.
Thanx
 
George 

 


RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Paul van Geldrop

Also check out this specific article:

 

http://support.microsoft.com/default.aspx?scid=kb;en-us;814590

 

As you can see in the notes, no TS CAL is
required, but the terminal services are only open to admins.

 

Regards,

 

Paul

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday, January 31, 2005 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even
Windows XP clients need to purchase a TS license? I was under the impression
that Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 



RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Kern, Tom
The logical name of the mailstore is the same as the name of the old 
mailstore (same for storage group). I thought it has to be for a successful 
restore.

I removed exchange attributes for the user i'm trying to exmerge and i was able 
to reconnect with another user and ran exmerge successfully.
Thanks for all your help, Al.

i know i was venturing into uncharted and potentially bad territory here as 
this is NOT a documented way of restoring a mailbox/info store.
I understand you should create a separate recovery forest (or RSG, if running 
exchange2k3). However, my company wanted this done now and we had no scsi 
adapter or tape drive on the recovery server and they didn't want to wait to 
order one (though now i realize too late, i might have been able to do this via 
VMware).
I realize that's not a good answer, but it's all i've got. I certainly don't want 
to encourage such bad practices.

On a side note, do you know the best method for uninstalling an exchange server 
cleanly from AD (will it clean up after itself and remove all objects and 
attributes pointing to itself?).

Thanks again. And i would understand if you didn't want to help me earlier as i 
could've intentionally fubar'ed my AD/Exchange due to my giving in to 
management so easily.
So, thanks a lot!


-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


What is the mailstore name being reported in AD for the restored server?

Al  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

there is not one error in my logs.
i bounced the server.

mailstores may be independent, but it is all in AD. the mailstore object is
in AD. It's getting this info from somewhere that a user is still connected
to a mailbox(AD).
when i use ESM, i'm connected to AD. so logic tells me this error i'm
getting is from an attribute in AD still referencing the wrong object.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


I wouldn't think so.  Have you tried bouncing the store service on that
restored server?  

I don't recall if the restore programs are smart enough to try to recover
the mailstores, but the stores themselves are independent of the directory
objects.  That said, it's a matter of getting the reconnect to a new object.


What's in the application event log during all of this on the restored
machine?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

i have run the cleanup agent and i have new users to connect them to,
however when i try to reconnect, i get the error that the mailbox is already
connected.
i think the problem is, when i redirected the restore, the mailboxes or the
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so
the redirected mailboxes are referencing users that still exist but point to
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent? 

Once restored, these are just data store entries.  There is no DS/IS concept
to automatically create directory objects, so you have to create objects for
them.  

In your case, you *should* be able to create objects and connect one of
these. 

The old users are not relevant really. The error is expected.  

MBCONNECT might be an interesting tool for you as well.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, January 30, 2005 6:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:unusual exchange restore

Hi. I had to restore my info store from a few months back  for legal
reasons. However, the upper management did not want to shell out for a tape
drive or scsi controller so i tried redirecting a db restore to a new
exchange2k server in the same forest/admin group( i know there are no docs
on this and ms and everyone recommends a new forest).
this worked and everything res

RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread volker . seyboldt
you have to differentiate between TS in admin mode (default) and
Application mode.

Volker

> Yes, I am quite aware of the new licensing in Windows 2003. However, I am
> more annoyed at the fact that I need to purchase TS licenses just for daily
> admin stuff. What the heck is the point of offering Terminal services as a
> tool for admins, I may be better off buying 3rd party software (Remote
> Admin). I really wish someone from the MVP services would jump in and
> explain why offer terminal services for admin purposes only to be forced to
> spend money on a TS license?
>
> George
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
> Sent: Friday, January 28, 2005 2:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Terminal server licenses
>
>
>
> Yes, the licensing has changed. In 2003 Terminal Services, you need a CAL
> for every user or device (depending on the model you choose). The 'unlimited
> pool' we had in 2000 for 2000/XP clients is no more. Details here:
>
> http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx
>
>
>
> There is also a CAL transition program for XP machines you purchased before
> the release of 2003 in April 2003. Details are here:
>
> http://licensecode.one.microsoft.com/transition/default.asp
>
>
>
> Hope this helps!
>
>
>
> --Dave
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
> Sent: Friday, January 28, 2005 06:59
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Terminal server licenses
>
> Hi folks,
>
> Can anyone verify that under Windows 2003 TS server, even Windows XP clients
> need to purchase a TS license? I was under the impression that Windows XP
> clients did not need to purchase the TS license, but what do you know, they
> showed up in my temporary license tab in TS Licensing GUI.
>
> Thanx
>
>
>
> George
>
>
>
>
> The exchange of messages with Stedionica Opportunity International A.D.
> Novi
> Sad via e-mail is not binding. Declarations regarding legal transactions
> must not be exchanged via this medium. The information contained in this
> e-mail message is confidential and intended exclusively for the addressee.
> Persons receiving this e-mail message who are not the named addressee (or
> his/her co-workers, or persons authorized to take delivery) must not use,
> forward or reproduce its contents. If you have received this e-mail
> message
> by mistake, please contact us immediately and delete this email message
> beyond retrieval.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Dave Lamberty



In 2003, Microsoft changed the naming used for Terminal Services. What 
was 'Terminal Services for Remote Administration' is now 'Remote Desktop.' What 
was 'Terminal Services for Application Servers' is now 'Terminal 
Services.'
 
Now, if you're talking about managing terminal servers, you've always 
needed a TS CAL to connect. The difference in 2003 is that those CALs don't come 
from an unlimited pool--you must purchase TS CALs for the user/devices that 
connect to 2003 terminal servers.
 
If you're just connecting to a non-terminal server, you connect via 
Remote Desktop, which doesn't use a TS CAL (or require a license server, for 
that matter). In 2000, you had to install the Terminal Services for Remote 
Administration component in Add/Remove Programs. In 2003, you just enable Remote 
Desktop connections in the System Properties of the 2003 server. If you've 
installed Terminal Services through Add/Remove Programs on your 2003 servers, 
then what you have are the equivalent of 2000 'Terminal Services for Application 
Servers,' which do require CALs. In that case, just remove the component, and 
turn on Remote Desktop.
 
--Dave


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday, January 31, 2005 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses


Yes, I am quite aware 
of the new licensing in Windows 2003. However, I am more annoyed at the fact 
that I need to purchase TS licenses just for daily admin stuff. What the heck is 
the point of offering Terminal services as a tool for admins, I may be better 
off buying 3rd party software (Remote Admin). I really wish someone 
from the MVP services would jump in and explain why offer terminal services for 
admin purposes only to be forced to spend money on a TS license? 

George
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses
 
Yes, the licensing has 
changed. In 2003 Terminal Services, you need a CAL for every user or device (depending on the 
model you choose). The 'unlimited pool' we had in 2000 for 2000/XP clients is no 
more. Details here:
http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx
 
There is also a CAL transition program 
for XP machines you purchased before the release of 2003 in April 2003. Details 
are here:
http://licensecode.one.microsoft.com/transition/default.asp
 
Hope this helps!
 
--Dave
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,
Can anyone verify that under Windows 
2003 TS server, even Windows XP clients need to purchase a TS license? I was 
under the impression that Windows XP clients did not need to purchase the TS 
license, but what do you know, they showed up in my temporary license tab in TS 
Licensing GUI.
Thanx
 
George 

 

RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread George Arezina








Hi Dave,

Good point. I’ll remove the TS
Licensing server through add/remove programs and connect via remote desktop. 

Thanks for the advice

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Monday, January 31, 2005 3:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

In 2003, Microsoft changed the naming used for
Terminal Services. What was 'Terminal Services for Remote Administration' is
now 'Remote Desktop.' What was 'Terminal Services for Application Servers' is
now 'Terminal Services.'

 

Now, if you're talking about managing terminal
servers, you've always needed a TS CAL to connect. The difference in 2003 is
that those CALs don't come from an unlimited pool--you must purchase TS CALs
for the user/devices that connect to 2003 terminal servers.

 

If you're just connecting to a non-terminal server,
you connect via Remote Desktop, which doesn't use a TS CAL (or require a
license server, for that matter). In 2000, you had to install the Terminal
Services for Remote Administration component in Add/Remove Programs. In 2003,
you just enable Remote Desktop connections in the System Properties of the 2003
server. If you've installed Terminal Services through Add/Remove Programs on
your 2003 servers, then what you have are the equivalent of 2000 'Terminal
Services for Application Servers,' which do require CALs. In that case, just
remove the component, and turn on Remote Desktop.

 

--Dave

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday, January 31, 2005 08:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even
Windows XP clients need to purchase a TS license? I was under the impression
that Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 



Re: [ActiveDir] GPO doesnt apply

2005-01-31 Thread jpsalemi
Hi Michel...

Is MSN supposed to be MSN messenger?  I don't think the policies are for
that, but for Windows Messenger. Or maybe I'm just not reading this
right.

Not that it would make applying them any differently, but you might be able
to just eliminate that policy, if that's the case.

John




   
"Bruyere, Michel" <[EMAIL PROTECTED]ada.com>
Sent by: [EMAIL PROTECTED]ail.activedir.org
01/31/2005 08:40 AM
Please respond to [EMAIL PROTECTED]tivedir.org
Subject: [ActiveDir] GPO doesnt apply
   
   




Hi,
 I'm actually facing a strange problem... I can't seem to make 2
policies apply simultaneously.

Here is the configuration:

Domain
 - Users_ou1
 - Users_ou2
 - Users_ou3
 - Users_ou4
 - Users_ou5
 - Users_ou1
 - Computers_ou1
 - Computers_ou2
 - Computers_ou3
 - Computers_ou4
 - Computers_ou5

 The OUs are different departments and they contain user's accounts for
the users OUs and computer's accounts for the Computers_ou.

I created a GPO using the Windows XP sp2 adm templates. I
applied/modified them from a station with the 2k3 admin pack and GPMC.
The GPOs that I wanna apply are quite basic.
1- MSN -  I deny the launch of msn at windows start and prevent running
the program.
2- unwanted programs -  I denied the exe for the latest version of MSN
(for some reason, the MSN gpo doesn't catch it up)


The result that I have is the following:

Applied Group Policy Objects
 -
 screensaver
 unwanted
 Default Domain Policy
OR

Applied Group Policy Objects
 -
 screensaver
 MSN
 Default Domain Policy


And what I would like is:

Applied Group Policy Objects
 -
 screensaver
 unwanted
 MSN
 Default Domain Policy


Note that the MSN is applied to the computers_ou and the unwanted on the
users_ou


Anyone can share a thought about it?

Thanks!


M.Bruyere
Network/systems administrator
CompTIA A+, Network+



RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread Paul van Geldrop








If it's remote admining you wish to
do on servers, then the administrative mode in 2003 mode (enabled by default)
will do nicely and does not require you to purchase TS licenses.. admins will
be able to connect (2 remote and 1 console) and administer the server. If you
want to use application mode, then, yes, you'll need TS CALs.

 

Regards,

 

Paul

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday 31 January 2005 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even
Windows XP clients need to purchase a TS license? I was under the impression
that Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 



RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread George Arezina








Hi Paul,

What took place is the following:

I try connecting to my DC through RDC
while it is still in default admin mode (just as you describe below), I get a
message saying that I am unable to connect to the DC because I do not have a
terminal licensing server in my domain. I create a terminal licensing server
for the domain, and suddenly found the name of my desktop in the temporary
license issued tab. I’m not sure why that happened, but it very well may
have been due to creating the terminal licensing server for the domain. What I wish
to do is use TS only for admin purposes. I think MS should provide a license to
all people who use TS for admin purposes.

Cheers

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul van Geldrop
Sent: Monday, January 31, 2005 3:52 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Terminal server licenses



 

If it's remote admining you wish to do on
servers, then the administrative mode in 2003 mode (enabled by default) will do
nicely and does not require you to purchase TS licenses.. admins will be able
to connect (2 remote and 1 console) and administer the server. If you want to
use application mode, then, yes, you'll need TS CALs.

 

Regards,

 

Paul

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Monday 31 January 2005 15:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, the licensing has changed. In 2003 Terminal
Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even Windows
XP clients need to purchase a TS license? I was under the impression that
Windows XP clients did not need to purchase the TS license, but what do you
know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 



RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Mulnick, Al
What is the mailstore name being reported in AD for the restored server?

Al  

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

there is not one error in my logs.
i bounced the server.

mailstores may be independent, but it is all in AD. the mailstore object is
in AD. It's getting this info from somewhere that a user is still connected
to a mailbox(AD).
when i use ESM, i'm connected to AD. so logic tells me this error i'm
getting is from an attribute in AD still referencing the wrong object.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


I wouldn't think so.  Have you tried bouncing the store service on that
restored server?  

I don't recall if the restore programs are smart enough to try to recover
the mailstores, but the stores themselves are independent of the directory
objects.  That said, it's a matter of getting the reconnect to a new object.


What's in the application event log during all of this on the restored
machine?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

i have run the cleanup agent and i have new users to connect them to,
however when i try to reconnect, i get the error that the mailbox is already
connected.
i think the problem is, when i redirected the restore, the mailboxes or the
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so
the redirected mailboxes are referencing users that still exist but point to
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent? 

Once restored, these are just data store entries.  There is no DS/IS concept
to automatically create directory objects, so you have to create objects for
them.  

In your case, you *should* be able to create objects and connect one of
these. 

The old users are not relevant really. The error is expected.  

MBCONNECT might be an interesting tool for you as well.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, January 30, 2005 6:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:unusual exchange restore

Hi. I had to restore my info store from a few months back  for legal
reasons. However, the upper management did not want to shell out for a tape
drive or scsi controller so i tried redirecting a db restore to a new
exchange2k server in the same forest/admin group( i know there are no docs
on this and ms and everyone recommends a new forest).
this worked and everything restored with no issues.
however, i cannot reconnect to the mailboxes thru ESM. I get a "this
operation cannot be performed because this mailbox was reconnected to an
exisiting user".
all the mailboxes have a red X in them, implying they are not connected to
any users after running the cleanup agent.
And yes, the old users exist and have mailboxes on another server.
i'm unable to run exmerge on these boxes- it gives me a "no users were found
containing mailboxes"
so it's a chicken and egg thing now.

any ideas would be great.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Terminal server licenses

2005-01-31 Thread George Arezina
Yes, I am quite aware of the new licensing
in Windows 2003. However, I am more annoyed at the fact that I need to purchase
TS licenses just for daily admin stuff. What the heck is the point of offering
Terminal services as a tool for admins, I may be better off buying 3rd
party software (Remote Admin). I really wish someone from the MVP services
would jump in and explain why offer terminal services for admin purposes only
to be forced to spend money on a TS license? 

George

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Lamberty
Sent: Friday, January 28, 2005 2:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Terminal server licenses



 

Yes, the licensing has changed. In 2003 Terminal Services, you need a CAL
for every user or device (depending on the model you choose). The 'unlimited
pool' we had in 2000 for 2000/XP clients is no more. Details here:

http://www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx

 

There is also a CAL transition program for XP machines you
purchased before the release of 2003 in April 2003. Details are here:

http://licensecode.one.microsoft.com/transition/default.asp

 

Hope this helps!

 

--Dave

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Friday, January 28, 2005 06:59
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Terminal server licenses

Hi folks,

Can anyone verify that under Windows 2003 TS server, even
Windows XP clients need to purchase a TS license? I was under the impression
that Windows XP clients did not need to purchase the TS license, but what do
you know, they showed up in my temporary license tab in TS Licensing GUI.

Thanx

 

George 

 


Information from Stedionica Opportunity International A.D. Novi Sad via e-mail
is without guarantee. Concluding legal transactions via this medium is not
permitted. This e-mail may contain confidential and/or privileged information.
If you have received this e-mail in error, we hereby inform you that any
disclosure, copying, distribution or taking of any action in connection with
its contents is strictly prohibited and may be unlawful. If you have received
the e-mail in error, please notify us immediately by replying to this email,
and then delete it from your system.



The exchange of messages with Stedionica Opportunity International A.D. Novi
Sad via e-mail is not binding. Declarations regarding legal transactions must
not be exchanged via this medium. The information contained in this e-mail
message is confidential and intended exclusively for the addressee. Persons
receiving this e-mail message who are not the named addressee (or his/her
co-workers, or persons authorized to take delivery) must not use, forward or
reproduce its contents. If you have received this e-mail message by mistake,
please contact us immediately and delete this email message beyond retrieval.








[ActiveDir] GPO doesnt apply

2005-01-31 Thread Bruyere, Michel
Hi, 
I'm actually facing a strange problem... I can't seem to make 2
policies apply simultaneously. 

Here is the configuration:

Domain
- Users_ou1
- Users_ou2
- Users_ou3
- Users_ou4
- Users_ou5
- Users_ou1
- Computers_ou1
- Computers_ou2
- Computers_ou3
- Computers_ou4
- Computers_ou5

 The OUs are different departments and they contain user's accounts for
the users OUs and computer's accounts for the Computers_ou. 

I created a GPO using the Windows XP sp2 adm templates. I
applied/modified them from a station with the 2k3 admin pack and GPMC. 
The GPOs that I want to apply are quite basic. 
1- MSN -  I deny the launch of msn at windows start and prevent running
the program.
2- unwanted programs -  I denied the exe for the latest version of MSN
(for some reason, the MSN gpo doesn't catch it) 


The result that I have is the following:

Applied Group Policy Objects
 -
 screensaver
 unwanted
 Default Domain Policy
OR

Applied Group Policy Objects
 -
 screensaver
 MSN
 Default Domain Policy


And what I would like is:

Applied Group Policy Objects
 -
 screensaver
 unwanted
 MSN
 Default Domain Policy


Note that the MSN is applied to the computers_ou and the unwanted on the
users_ou


Can anyone share a thought about it?

Thanks!


M.Bruyere
Network/systems administrator
CompTIA A+, Network+

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Kern, Tom
there is not one error in my logs.
i bounced the server.

mailstores may be independent, but it is all in AD. the mailstore object is in 
AD. It's getting this info from somewhere that a user is still connected to a 
mailbox(AD).
when i use ESM, i'm connected to AD. so logic tells me this error i'm getting 
is from an attribute in AD still referencing the wrong object.

thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


I wouldn't think so.  Have you tried bouncing the store service on that
restored server?  

I don't recall if the restore programs are smart enough to try to recover
the mailstores, but the stores themselves are independent of the directory
objects.  That said, it's a matter of getting the reconnect to a new object.


What's in the application event log during all of this on the restored
machine?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

i have run the cleanup agent and i have new users to connect them to,
however when i try to reconnect, i get the error that the mailbox is already
connected.
i think the problem is, when i redirected the restore, the mailboxes or the
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so
the redirected mailboxes are referencing users that still exist but point to
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent? 

Once restored, these are just data store entries.  There is no DS/IS concept
to automatically create directory objects, so you have to create objects for
them.  

In your case, you *should* be able to create objects and connect one of
these. 

The old users are not relevant really. The error is expected.  

MBCONNECT might be an interesting tool for you as well.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, January 30, 2005 6:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:unusual exchange restore

Hi. I had to restore my info store from a few months back  for legal
reasons. However, the upper management did not want to shell out for a tape
drive or scsi controller so i tried redirecting a db restore to a new
exchange2k server in the same forest/admin group( i know there are no docs
on this and ms and everyone recommends a new forest).
this worked and everything restored with no issues.
however, i cannot reconnect to the mailboxes thru ESM. I get a "this
operation cannot be performed because this mailbox was reconnected to an
exisiting user".
all the mailboxes have a red X in them, implying they are not connected to
any users after running the cleanup agent.
And yes, the old users exist and have mailboxes on another server.
i'm unable to run exmerge on these boxes- it gives me a "no users were found
containing mailboxes"
so it's a chicken and egg thing now.

any ideas would be great.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
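
The situation discussed in this message, modelled as an added example (not part of the original thread and not Exchange's own logic): after a same-forest redirected restore, the restored mailboxes carry GUIDs that existing users already hold, while no user's homeMDB points at the new store. `homeMDB` and `msExchMailboxGuid` are real AD attributes; the matching rules, names, DNs and GUIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: store names, DNs and GUIDs below are made up
# (store DNs are abbreviated to a single RDN for readability).
OLD_STORE = "CN=Mailbox Store (OLDSRV)"
NEW_STORE = "CN=Mailbox Store (NEWSRV)"   # target of the redirected restore


@dataclass(frozen=True)
class AdUser:
    dn: str
    home_mdb: Optional[str]       # homeMDB: DN of the store that hosts the mailbox
    mailbox_guid: Optional[str]   # msExchMailboxGuid: GUID of the mailbox itself


@dataclass(frozen=True)
class StoreMailbox:
    display_name: str
    mailbox_guid: str             # GUID stored inside the restored database


DIRECTORY = [
    AdUser("CN=Alice,OU=Staff,DC=example,DC=com", OLD_STORE, "guid-aaaa"),
    AdUser("CN=Bob,OU=Staff,DC=example,DC=com", OLD_STORE, "guid-bbbb"),
    AdUser("CN=Restore1,OU=Staff,DC=example,DC=com", None, None),  # new, no mailbox
]

RESTORED = [
    StoreMailbox("Alice", "guid-aaaa"),
    StoreMailbox("Bob", "guid-bbbb"),
    StoreMailbox("Carol", "guid-cccc"),   # her user object no longer exists
]


def users_homed_on(store_dn, directory):
    """Users a lookup keyed on homeMDB would return for one store."""
    return [u.dn for u in directory
            if u.home_mdb and u.home_mdb.lower() == store_dn.lower()]


def classify(store_dn, mailboxes, directory):
    """Label each mailbox in a store by who, if anyone, claims its GUID."""
    by_guid = {u.mailbox_guid.lower(): u for u in directory if u.mailbox_guid}
    report = {}
    for mb in mailboxes:
        owner = by_guid.get(mb.mailbox_guid.lower())
        if owner is None:
            state = "unclaimed"            # no user carries this GUID
        elif (owner.home_mdb or "").lower() == store_dn.lower():
            state = "connected-here"
        else:
            state = "claimed-elsewhere"    # GUID held by a user homed on another store
        report[mb.display_name] = (state, owner.dn if owner else None)
    return report


if __name__ == "__main__":
    print("homed on restored store:", users_homed_on(NEW_STORE, DIRECTORY))
    for name, (state, dn) in classify(NEW_STORE, RESTORED, DIRECTORY).items():
        print(f"{name:6} {state:18} {dn or '-'}")
```

In this model a lookup by homeMDB finds nobody on the restored store, and every mailbox whose GUID is still held by a live user is reported as claimed elsewhere.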


RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Mulnick, Al
I wouldn't think so.  Have you tried bouncing the store service on that
restored server?  

I don't recall if the restore programs are smart enough to try to recover
the mailstores, but the stores themselves are independent of the directory
objects.  That said, it's a matter of getting the reconnect to a new object.


What's in the application event log during all of this on the restored
machine?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Monday, January 31, 2005 9:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore

i have run the cleanup agent and i have new users to connect them to,
however when i try to reconnect, i get the error that the mailbox is already
connected.
i think the problem is, when i redirected the restore, the mailboxes or the
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so
the redirected mailboxes are referencing users that still exist but point to
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent? 

Once restored, these are just data store entries.  There is no DS/IS concept
to automatically create directory objects, so you have to create objects for
them.  

In your case, you *should* be able to create objects and connect one of
these. 

The old users are not relevant really. The error is expected.  

MBCONNECT might be an interesting tool for you as well.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, January 30, 2005 6:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:unusual exchange restore

Hi. I had to restore my info store from a few months back  for legal
reasons. However, the upper management did not want to shell out for a tape
drive or scsi controller so i tried redirecting a db restore to a new
exchange2k server in the same forest/admin group( i know there are no docs
on this and ms and everyone recommends a new forest).
this worked and everything restored with no issues.
however, i cannot reconnect to the mailboxes thru ESM. I get a "this
operation cannot be performed because this mailbox was reconnected to an
exisiting user".
all the mailboxes have a red X in them, implying they are not connected to
any users after running the cleanup agent.
And yes, the old users exist and have mailboxes on another server.
i'm unable to run exmerge on these boxes- it gives me a "no users were found
containing mailboxes"
so it's a chicken and egg thing now.

any ideas would be great.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT:unusual exchange restore

2005-01-31 Thread Kern, Tom
i have run the cleanup agent and i have new users to connect them to, however 
when i try to reconnect, i get the error that the mailbox is already connected.
i think the problem is, when i redirected the restore, the mailboxes or the 
info store on the new server still references the old users in AD.
Then when exmerge runs it checks a gc to get AD users based on the mailbox 
attribute and gets nothing for that server.

As i said, i redirected the restore to a new server in the same forest. so the 
redirected mailboxes are referencing users that still exist but point to 
different mailboxes.


my idea is- since the user i'm trying to pst is gone, maybe if i delete 
exchange attributes for that user AND then use an account to reconnect to?


thanks

-Original Message-
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Monday, January 31, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:unusual exchange restore


Do you have new user objects to connect them to? Have you run mailbox
cleanup agent? 

Once restored, these are just data store entries.  There is no DS/IS concept
to automatically create directory objects, so you have to create objects for
them.  

In your case, you *should* be able to create objects and connect one of
these. 

The old users are not relevant really. The error is expected.  

MBCONNECT might be an interesting tool for you as well.

Al

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Sunday, January 30, 2005 6:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] OT:unusual exchange restore

Hi. I had to restore my info store from a few months back  for legal
reasons. However, the upper management did not want to shell out for a tape
drive or scsi controller so i tried redirecting a db restore to a new
exchange2k server in the same forest/admin group( i know there are no docs
on this and ms and everyone recommends a new forest).
this worked and everything restored with no issues.
however, i cannot reconnect to the mailboxes thru ESM. I get a "this
operation cannot be performed because this mailbox was reconnected to an
exisiting user".
all the mailboxes have a red X in them, implying they are not connected to
any users after running the cleanup agent.
And yes, the old users exist and have mailboxes on another server.
i'm unable to run exmerge on these boxes- it gives me a "no users were found
containing mailboxes"
so it's a chicken and egg thing now.

any ideas would be great.
thanks
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

