RE: [ActiveDir] Active Directory Backup

2005-02-09 Thread Sergio Sánchez Trujillo








Thanks for all, fantastic help.

 

Sergio Sánchez

 









From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, February 07, 2005 11:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Backup



 

Hi Sergio,

You can use whatever tool that's Windows 2000/2003 compliant to back up Active Directory. Windows 2000/2003 itself has NTBACKUP that gives you the possibility to back up to TAPE or FILE.

To back up Active Directory you must at a minimum back up the SYSTEM STATE (I always also back up the system drive -> drive with the WINDOWS dir).

See also the following resources for more info on this:

* http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/opsguide/part1/adogd03.mspx (Active Directory Operations Guide - Active Directory Backup and Restore)

* http://www.windowsitlibrary.com/ebooks/administeringad/Index.cfm (chapter 6)

 



Cheers





Jorge









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Monday, February 07, 2005 10:50
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Active Directory Backup

Hello, 

 

Could I do a backup of the Active Directory? How?

 

We have a tape library backup and ARCServer Software Backup... but it's not necessary to use this library.

 

Thanks

 

Sergio Sánchez










RE: [ActiveDir] Built-in Defragger and Clustering

2005-02-09 Thread Rick Kingslan








Nah – Defrag Manager from Winternals.  However, I’ve used Diskeeper in the past, too.

 

-rtk

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Wednesday, February 09, 2005 8:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built-in Defragger and Clustering



 

That did sound like a silly superstition to me. Anyway, do you use the built-in defragger to defragment your shared cluster drives?

 

Dan

 

 













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built-in Defragger and Clustering



 

Dan,

 

Been working with Clusters for a number of years, and I have never heard of this.  I can ping a couple folks, but I can’t surmise what the problem would be.  If data is re-ordered, the disk is going to work fine one way or another.

 

-rtk

 













From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 08, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built-in Defragger and Clustering



 

It has been suggested to me that W2k’s built-in defragger should not be used to defrag a shared disk in a MSCS cluster. I am hesitant to believe this since the fact that the servers are clustered does not change how the data is written to the disk, correct? So, is there any foundation for this belief?

 

_

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 




 



 








RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Dean Wells
I'm compelled to yell on this topic, it just doesn't work.  Implement
something practical comparable to 5-second worth of tweaking NDS rights and
send me the instructions as I've yet to be close to satisfied with the
results of this particular feature.

That said, AD still makes me happy! :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 4:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Yes, Access-based Directory Enumeration is just what I described in my
dream. Thanks to Eric and Jimmy for the clarification. And thanks to
Microsoft for implementing it. Now my dream list contains only the other
features listed in the messages from me and Jorge, and a Ferrari and the
other usual stuff, of course.

About AD. Yes, the List Object mode was there from the beginning, but it is
manual, while the NDS approach is automatic.

Yours, Sakari
  

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
> Fleischman
> Sent: Wednesday, February 09, 2005 5:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to 
> W2K3/AD with NDS migra tor
> 
> It seems Sakari's dream has come true.
> 
> The SP1 docs cover this.
> http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
> Look at 02_accessenum.doc
> 
> AD you could have done this before though (if I understand the ask
> correctly) by removing list_contents from the parent, giving explicit 
> perms to the child and enabling list object mode with the appropriate 
> mod. For AD, this is old news.
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
> Sent: Wednesday, February 09, 2005 6:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to 
> W2K3/AD with NDS migra tor
> 
> Isn't that what Access-based Directory Enumeration does? This feature is 
> not enabled by default in SP1, though. I haven't tried the feature yet 
> so I can't verify it.
> 
> Regards,
> /Jimmy
> 
> - 
> Jimmy Andersson, Q Advice AB 
>  Principal Advisor 
>  Microsoft MVP - Directory Services
> -- www.qadvice.com --
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Wednesday, February 09, 2005 12:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to 
> W2K3/AD with NDS migra tor
> 
> 
> It's been my dream over ten years that NTFS would get similar 
> permission feature to what has been in NetWare all these years. When a 
> user has permissions to a given subfolder, it's almost always most 
> logical that this subfolder (automatically or implicitly up to the 
> root) would become visible to her. And vice versa, when she has no 
> permissions to a subfolder, it would be logical that this subfolder is 
> invisible to her.
>  
> And it has been my dream for six years that the same would apply to 
> AD, as has always been with NDS.
>  
> While we are on the subject, another extremely handy feature of NDS 
> would be most welcome in AD. That is, each OU would be a sec prin, so 
> if you want to grant permissions to all people in the Sales OU, you 
> wouldn't have to create a paraller sec group for that.
>  
> Yours, Sakari
>  
> 
> 
> 
> 
> 
>   From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de 
> Almeida Pinto
>   Sent: Wednesday, February 09, 2005 10:18 AM
>   To: ActiveDir@mail.activedir.org
>   Subject: [ActiveDir] Migrating access rights from Novell/NDS to 
> W2K3/AD with NDS migra tor
>   
>   
> 
> Hi,
> 
>   clipclipclip
> 
>   Regards, 
>   Jorge
> 
>   PS.: I'm glad MS is going toward the permissions structure (with
> W2K3 SP1) like Novell has. It is still not perfect, but it's a begin.
> AND
> maybe some day (Windows 2011?) will be able to configure file system 
> permissions through AD like that is possible with the NDS. The 
> possibility of configuring permissions for the file system through 
> GPOs is a nice feature but far from perfect. Also any thoughts on this 
> are welcome.
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

Re: [ActiveDir] Licensing/asset management tools

2005-02-09 Thread Robert Mezzone






CDW software license tracker. Excel for hardware inventory.


Robert


-Original Message-
From: Brian Desmond <[EMAIL PROTECTED]>
To: ActiveDir@mail.activedir.org 
Sent: Wed Feb 09 18:28:53 2005
Subject: RE: [ActiveDir] Licensing/asset management tools

Excel and Access, respectively.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org

v - 773.534.0034 x135
f - 773.534.8101

  _ 

From: [EMAIL PROTECTED] on behalf of John Parker
Sent: Wed 2/9/2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Licensing/asset management tools



Hey all...

What are you using to manage licenses and hardware/software inventory?

Thank you



John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.








RE: [ActiveDir] DNS(again)

2005-02-09 Thread Marcus.Oh
Hey now... don't take this offline.  I was just getting interested!  :)

marcus c. oh
\\.\core technologies\cox communications, inc.
\\.\mvp\windows server systems\management
[v] 404.847.6117 [c] 404.391.7097


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)

Are you on IM?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 2/9/2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)



> you mean an A record for sales.charmer.com NS?
Sales.charmer.com is the domain. why would i need an A record(unless you mean
for the name server which should be in charmer.com as glue records).

Yeah, i changed the config and added a bind secondary just to see the result.
sorry.

uunet does not support us though they are listed as secondaries in tld. i'm
working to correct that.

can you get an mx record from sales.charmer.com with nslookup from where you
are?

I am using PAT outgoing but no port address translation incoming. Those NS
servers have real routable IPs. I use a watchguard DNS filter(NOT the proxy,
i'm aware of the issues with that).

all my internal private dns servers use webserver1 as a forwarder.


ipconfig output-

C:\dnslint>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TOMWORK
Primary Dns Suffix  . . . . . . . : CHARMERNYDOM.CSG-IT.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CHARMERNYDOM.CSG-IT.NET
                                    CSG-IT.NET

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : charmernydom.csg-it.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0F-FE-00-F2-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.21.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.15
DHCP Server . . . . . . . . . . . : 208.234.241.10
DNS Servers . . . . . . . . . . . : 208.234.241.65
                                    208.234.241.11
Primary WINS Server . . . . . . . : 208.234.241.109
Lease Obtained. . . . . . . . . . : Tuesday, February 08, 2005 9:03:17 PM
Lease Expires . . . . . . . . . . : Friday, February 11, 2005 9:03:17 PM




i recreated the zone twice already. Dns manager-new zone
wizard-"sales.charmer.com"
delegation wizard-"sales.charmer.com", pick webserver1 as nameserver.
enter mx and A records for mailserver.
update data files on server.

anything else.


I still don't understand why i can't query the mx record(or dnsreport or
exchange, for that matter).

Also, i don't know what you mean by A record for sales.charmer.com.

thanks a lot





[EMAIL PROTECTED] wrote:
> Top-posting, bottom-posting, I think it's all a matter of preference.
> I, for one, don't find bottom-posting useful, and I am not one to
> flame anyone for doing either. I just mentioned it to you because it
> makes it easier for me to follow the thread properly.
>
> Now, the output you gave me for sales.charmer.com is not identical to
> the one I am pulling from webserver1.charmer.com
>
>> server webserver1.charmer.com
> Default Server:  webserver1.charmer.com
> Address:  208.234.241.10
>> set q=all
>> sales.charmer.com
> Server:  webserver1.charmer.com
> Address:  208.234.241.10
> sales.charmer.com   nameserver = webserver1.charmer.com
> sales.charmer.com   nameserver = mta1.charmer.com
> sales.charmer.com
> primary name server = webserver1.charmer.com
> responsible mail addr = admin.charmernydom.csg-it.net
> serial  = 14
> refresh = 900 (15 mins)
> retry   = 600 (10 mins)
> expire  = 86400 (1 day)
> default TTL = 3600 (1 hour)
> webserver1.charmer.com  internet address = 208.234.241.10
> mta1.charmer.com  internet address = 208.234.241.112
>
>
> According to the above, you have 2 NS. Both NS have the same config
> info for sales.charmer.com and they indicate that you do not have any
> A record for sales.
>
> As to why you are getting timeouts, I do not get any time out
> querying your NS. I can only speculate that there is NATting going on
> there. IPconfig /all from the client would be useful here.
>
> We still have the issue of your zone file not corresponding to wha

RE: [ActiveDir] Licensing/asset management tools

2005-02-09 Thread Brian Desmond
Excel and Access, respectively. 
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of John Parker
Sent: Wed 2/9/2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Licensing/asset management tools



Hey all...

What are you using to manage licenses and hardware/software inventory?

Thank you



John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.

RE: [ActiveDir] MOM

2005-02-09 Thread Brian Desmond
MS newsgroups - microsoft.public.mom.*. I hang out there as do a bunch of MS 
folks and a couple other MVPs. 
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101



From: [EMAIL PROTECTED] on behalf of Oluwaseyi Owoeye
Sent: Wed 2/9/2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MOM



Does anyone know any effective discussion group that covers MOM?


RE: [ActiveDir] Add Computer to Domain

2005-02-09 Thread Salandra, Justin A.
Would this work?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Wilkinson
Sent: Wednesday, February 09, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Add Computer to Domain

It should be in a GPO over the OU the computers are in that you want 
people to be able to add. The default domain policy applies to all 
domain computers, so you could just set it there to cover everything.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville



Salandra, Justin A. wrote:

>If I wanted to grant a group the rights to join computers to the domain
>should I configure the User Assignment setting of a GPO to do that and
>if so should I create that GPO on the OU I want them to join computers
>to or do I have to do it at the domain level or within the Domain
>Controllers Policy? 
>
>Justin A. Salandra
>MCSE Windows 2000 & 2003
>Network and Technology Services Manager
>Catholic Healthcare System
>212.752.7300 - office
>917.455.0110 - cell
>[EMAIL PROTECTED]
>
>


RE: [ActiveDir] Add Computer to Domain

2005-02-09 Thread Salandra, Justin A.
Would that be the best way to do this?

If I delegate it on that OU then when they join computers to the domain
the computer accounts will then be created in that OU?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Becker, Jim
Sent: Wednesday, February 09, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Add Computer to Domain

Why not just use the Delegate Control wizard on that OU to allow that
group to do that function?

Jim Becker

Asst. Dir. of Administrative Systems
State University of New York
System Administration
[EMAIL PROTECTED]


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Salandra, Justin A.
> Sent: Wednesday, February 09, 2005 1:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Add Computer to Domain
> 
> If I wanted to grant a group the rights to join computers to 
> the domain
> should I configure the User Assignment setting of a GPO to do that and
> if so should I create that GPO on the OU I want them to join computers
> to or do I have to do it at the domain level or within the Domain
> Controllers Policy? 
> 
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
> 
> 


RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Sakari Kouti
Yes, Access-based Directory Enumeration is just what I described in my dream. 
Thanks to Eric and Jimmy for the clarification. And thanks to Microsoft for 
implementing it. Now my dream list contains only the other features listed in 
the messages from me and Jorge, and a Ferrari and the other usual stuff, of 
course.

About AD. Yes, the List Object mode was there from the beginning, but it is 
manual, while the NDS approach is automatic.

Yours, Sakari
  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric 
> Fleischman
> Sent: Wednesday, February 09, 2005 5:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from 
> Novell/NDS to W2K3/AD with NDS migra tor
> 
> It seems Sakari's dream has come true.
> 
> The SP1 docs cover this.
> http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
> Look at 02_accessenum.doc
> 
> AD you could have done this before though (if I understand the ask
> correctly) by removing list_contents from the parent, giving explicit
> perms to the child and enabling list object mode with the appropriate
> mod. For AD, this is old news.
> 
> ~Eric
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
> Sent: Wednesday, February 09, 2005 6:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
> W2K3/AD with NDS migra tor
> 
> Isn't that what Access-based Directory Enumeration does? This feature is
> not
> enabled by default in SP1, though. I haven't tried the 
> feature yet so I
> can't verify it.
> 
> Regards,
> /Jimmy
> 
> - 
> Jimmy Andersson, Q Advice AB 
>  Principal Advisor 
>  Microsoft MVP - Directory Services 
> -- www.qadvice.com -- 
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
> Sent: Wednesday, February 09, 2005 12:17 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
> W2K3/AD
> with NDS migra tor
> 
> 
> It's been my dream over ten years that NTFS would get similar 
> permission
> feature to what has been in NetWare all these years. When a user has
> permissions to a given subfolder, it's almost always most logical that
> this
> subfolder (automatically or implicitly up to the root) would become
> visible
> to her. And vice versa, when she has no permissions to a subfolder, it
> would
> be logical that this subfolder is invisible to her.
>  
> And it has been my dream for six years that the same would 
> apply to AD,
> as
> has always been with NDS.
>  
> While we are on the subject, another extremely handy feature of NDS
> would be
> most welcome in AD. That is, each OU would be a sec prin, so 
> if you want
> to
> grant permissions to all people in the Sales OU, you wouldn't have to
> create
> a parallel sec group for that.
>  
> Yours, Sakari
>  
> 
> 
> 
> 
> 
>   From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
> Almeida
> Pinto
>   Sent: Wednesday, February 09, 2005 10:18 AM
>   To: ActiveDir@mail.activedir.org
>   Subject: [ActiveDir] Migrating access rights from Novell/NDS to
> W2K3/AD with NDS migra tor
>   
>   
> 
> Hi,  
> 
>   clipclipclip 
> 
>   Regards, 
>   Jorge 
> 
>   PS.: I'm glad MS is going toward the permissions structure (with
> W2K3 SP1) like Novell has. It is still not perfect, but it's a begin.
> AND
> maybe some day (Windows 2011?) will be able to configure file system
> permissions through AD like that is possible with the NDS. The
> possibility
> of configuring permissions for the file system through GPOs is a nice
> feature but far from perfect. Also any thoughts on this are welcome.
> 
> 


RE: [ActiveDir] MOM

2005-02-09 Thread Malcolm Reitz
Here's a few sources I've found useful.

http://myitforum.techtarget.com (message board, articles, mail list)
http://www.momanswers.com (message board, articles, scripts)
http://www.faqshop.com
http://www.momcommunity.com
news:microsoft.public.mom

Malcolm
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Oluwaseyi
Owoeye
Sent: Wednesday, February 09, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] MOM

Does anyone know any effective discussion group that covers MOM?



RE: [ActiveDir] DNS(again)

2005-02-09 Thread deji
Are you on IM?
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 2/9/2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)



> you mean an A record for sales.charmer.com NS?
Sales.charmer.com is the domain. why would i need an A record(unless you mean
for the name server which should be in charmer.com as glue records).

Yeah, i changed the config and added a bind secondary just to see the result.
sorry.

uunet does not support us though they are listed as secondaries in tld. i'm
working to correct that.

can you get an mx record from sales.charmer.com with nslookup from where you
are?

I am using PAT outgoing but no port address translation incoming. Those NS
servers have real routable IPs. I use a watchguard DNS filter(NOT the proxy,
i'm aware of the issues with that).

all my internal private dns servers use webserver1 as a forwarder.


ipconfig output-

C:\dnslint>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TOMWORK
Primary Dns Suffix  . . . . . . . : CHARMERNYDOM.CSG-IT.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CHARMERNYDOM.CSG-IT.NET
                                    CSG-IT.NET

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : charmernydom.csg-it.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0F-FE-00-F2-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.21.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.15
DHCP Server . . . . . . . . . . . : 208.234.241.10
DNS Servers . . . . . . . . . . . : 208.234.241.65
                                    208.234.241.11
Primary WINS Server . . . . . . . : 208.234.241.109
Lease Obtained. . . . . . . . . . : Tuesday, February 08, 2005 9:03:17 PM
Lease Expires . . . . . . . . . . : Friday, February 11, 2005 9:03:17 PM




i recreated the zone twice already. Dns manager-new zone
wizard-"sales.charmer.com"
delegation wizard-"sales.charmer.com", pick webserver1 as nameserver.
enter mx and A records for mailserver.
update data files on server.

anything else.


I still don't understand why i can't query the mx record(or dnsreport or
exchange, for that matter).

Also, i don't know what you mean by A record for sales.charmer.com.

thanks a lot





[EMAIL PROTECTED] wrote:
> Top-posting, bottom-posting, I think it's all a matter of preference.
> I, for one, don't find bottom-posting useful, and I am not one to
> flame anyone for doing either. I just mentioned it to you because it
> makes it easier for me to follow the thread properly.
>
> Now, the output you gave me for sales.charmer.com is not identical to
> the one I am pulling from webserver1.charmer.com
>
>> server webserver1.charmer.com
> Default Server:  webserver1.charmer.com
> Address:  208.234.241.10
>> set q=all
>> sales.charmer.com
> Server:  webserver1.charmer.com
> Address:  208.234.241.10
> sales.charmer.com   nameserver = webserver1.charmer.com
> sales.charmer.com   nameserver = mta1.charmer.com
> sales.charmer.com
> primary name server = webserver1.charmer.com
> responsible mail addr = admin.charmernydom.csg-it.net
> serial  = 14
> refresh = 900 (15 mins)
> retry   = 600 (10 mins)
> expire  = 86400 (1 day)
> default TTL = 3600 (1 hour)
> webserver1.charmer.com  internet address = 208.234.241.10
> mta1.charmer.com  internet address = 208.234.241.112
>
>
> According to the above, you have 2 NS. Both NS have the same config
> info for sales.charmer.com and they indicate that you do not have any
> A record for sales.
>
> As to why you are getting timeouts, I do not get any time out
> querying your NS. I can only speculate that there is NATting going on
> there. IPconfig /all from the client would be useful here.
>
> We still have the issue of your zone file not corresponding to what
> your servers are advertising. Are you willing to delete the whole
> sales.charmer.com (both zone and file) and start over? I'd do that
> first. Also, I see that UUNET is supposed to be doing secondary for
> you, at least from the output you posted. However, UUNET servers are
> telling me they know nothing about you or your zones. Why are they
> there, and are you able to remove them?
>
>
>
> Sincerely,
>
> Dèjì Akómöláfé, MCSE+M

RE: [ActiveDir] DNS(again)

2005-02-09 Thread deji
> sales.charmer.com
Server:  ns1.akomolafe.com
Address:  66.92.14.146
sales.charmer.com   MX preference = 10, mail exchanger = mta1.sales.charmer.com
mta1.sales.charmer.com  internet address = 208.234.241.112
>
 
I can get an A record now as well, and I can get them from webserver1
 
I think you are making progress ;)
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 2/9/2005 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)



> you mean an A record for sales.charmer.com NS?
Sales.charmer.com is the domain. why would i need an A record(unless you mean
for the name server which should be in charmer.com as glue records).

Yeah, i changed the config and added a bind secondary just to see the result.
sorry.

uunet does not support us though they are listed as secondaries in tld. i'm
working to correct that.

can you get an mx record from sales.charmer.com with nslookup from where you
are?

I am using PAT outgoing but no port address translation incoming. Those NS
servers have real routable IPs. I use a watchguard DNS filter(NOT the proxy,
i'm aware of the issues with that).

all my internal private dns servers use webserver1 as a forwarder.


ipconfig output-

C:\dnslint>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TOMWORK
Primary Dns Suffix  . . . . . . . : CHARMERNYDOM.CSG-IT.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CHARMERNYDOM.CSG-IT.NET
CSG-IT.NET

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : charmernydom.csg-it.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated
Cont
roller
Physical Address. . . . . . . . . : 00-0F-FE-00-F2-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.21.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.15
DHCP Server . . . . . . . . . . . : 208.234.241.10
DNS Servers . . . . . . . . . . . : 208.234.241.65
208.234.241.11
Primary WINS Server . . . . . . . : 208.234.241.109
Lease Obtained. . . . . . . . . . : Tuesday, February 08, 2005 9:03:17 PM
Lease Expires . . . . . . . . . . : Friday, February 11, 2005 9:03:17 PM




i recreated the zone twice already. Dns manager-new zone
wizard-"sales.charmer.com"
delegation wizard-"sales.charmer.com", pick webserver1 as nameserver.
enter mx and A records for mailserver.
update data files on server.

anything else.


I still don't understand why i can't query the mx record(or dnsreport or
exchange, for that matter).

Also, i don't know what you mean by A record for sales.charmer.com.

thanks a lot





[EMAIL PROTECTED] wrote:
> Top-posting, bottom-posting, I think it's all a matter of preference.
> I, for one, don't find bottom-posting useful, and I am not one to
> flame anyone for doing either. I just mentioned it to you because it
> makes it easier for me to follow the thread properly.
>
> Now, the output you gave me for sales.charmer.com is not identical to
> the one I am pulling from webserver1.charmer.com
>
>> server webserver1.charmer.com
> Default Server:  webserver1.charmer.com
> Address:  208.234.241.10
>> set q=all
>> sales.charmer.com
> Server:  webserver1.charmer.com
> Address:  208.234.241.10
> sales.charmer.com   nameserver = webserver1.charmer.com
> sales.charmer.com   nameserver = mta1.charmer.com
> sales.charmer.com
> primary name server = webserver1.charmer.com
> responsible mail addr = admin.charmernydom.csg-it.net
> serial  = 14
> refresh = 900 (15 mins)
> retry   = 600 (10 mins)
> expire  = 86400 (1 day)
> default TTL = 3600 (1 hour)
> webserver1.charmer.com  internet address = 208.234.241.10
> mta1.charmer.com  internet address = 208.234.241.112
>
>
> According to the above, you have 2 NS. Both NS have the same config
> info for sales.charmer.com and they indicate that you do not have any
> A record for sales.
>
> As to why you are getting timeouts, I do not get any time out
> querying your NS. I can only speculate that there is NATting going on
> there. IPconfig /all from the client would be useful here.
>
> We still have the issue of your zone file not corresponding to what
> your servers are advertising. Are you willing to delete the whole
> sales.charmer.com (both zone and file) and start over? I'

RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Creamer, Mark
I just figured that was the Queen's English. Like colour or biscuit (the cookie 
kind). BTW, I love my
little British car www.6-pack.org. That's me in trying to flip it around the 
cones.


Windows at work, SuSE at home. And never the twain shall meet


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean
Wells
Sent: Wednesday, February 09, 2005 2:19 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Remote Assistance

Oh dear, I said 'passed' not 'past' ... I hope my Mum didn't see that :(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, February 09, 2005 2:06 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Remote Assistance

 
# ls -l
'ls' is not recognized as an internal or external command, operable program
or batch file.

# ps -ax
'ls' is not recognized as an internal or external command, operable program
or batch file.

# vi .profile
'vi' is not recognized as an internal or external command, operable program
or batch file.

# dmesg | grep -i unix
'dmesg' is not recognized as an internal or external command, operable
program or batch file.

# edlin autoexec.bat
End of input file
*

 guess not, haven't made it passed DOS 3.31 yet.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, February 09, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried ab

RE: [ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
> you mean an A record for sales.charmer.com NS?
Sales.charmer.com is the domain. why would i need an A record(unless you mean 
for the name server which should be in charmer.com as glue records).

Yeah, i changed the config and added a bind secondary just to see the result. 
sorry.

uunet does not support us though they are listed as secondaries in tld. i'm 
working to correct that.

can you get an mx record from sales.charmer.com with nslookup from where you 
are?

I am using PAT outgoing but no port address translation incoming. Those NS
servers have real routable IPs. I use a watchguard DNS filter (NOT the proxy,
I'm aware of the issues with that).

all my internal private dns servers use webserver1 as a forwarder.


ipconfig output-

C:\dnslint>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : TOMWORK
Primary Dns Suffix  . . . . . . . : CHARMERNYDOM.CSG-IT.NET
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : CHARMERNYDOM.CSG-IT.NET
CSG-IT.NET

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . : charmernydom.csg-it.net
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-0F-FE-00-F2-89
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.21.177
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.21.15
DHCP Server . . . . . . . . . . . : 208.234.241.10
DNS Servers . . . . . . . . . . . : 208.234.241.65
208.234.241.11
Primary WINS Server . . . . . . . : 208.234.241.109
Lease Obtained. . . . . . . . . . : Tuesday, February 08, 2005 9:03:17 PM
Lease Expires . . . . . . . . . . : Friday, February 11, 2005 9:03:17 PM




i recreated the zone twice already. Dns manager-new zone 
wizard-"sales.charmer.com"
delegation wizard-"sales.charmer.com", pick webserver1 as nameserver.
enter mx and A records for mailserver.
update data files on server.

anything else.


I still don't understand why i can't query the mx record(or dnsreport or 
exchange, for that matter).

Also, i don't know what you mean by A record for sales.charmer.com.

thanks a lot





[EMAIL PROTECTED] wrote:
> Top-posting, bottom-posting, I think it's all a matter of preference.
> I, for one, don't find bottom-posting useful, and I am not one to
> flame anyone for doing either. I just mentioned it to you because it
> makes it easier for me to follow the thread properly.
> 
> Now, the output you gave me for sales.charmer.com is not identical to
> the one I am pulling from webserver1.charmer.com
> 
>> server webserver1.charmer.com
> Default Server:  webserver1.charmer.com
> Address:  208.234.241.10
>> set q=all
>> sales.charmer.com
> Server:  webserver1.charmer.com
> Address:  208.234.241.10
> sales.charmer.com   nameserver = webserver1.charmer.com
> sales.charmer.com   nameserver = mta1.charmer.com
> sales.charmer.com
> primary name server = webserver1.charmer.com
> responsible mail addr = admin.charmernydom.csg-it.net
> serial  = 14
> refresh = 900 (15 mins)
> retry   = 600 (10 mins)
> expire  = 86400 (1 day)
> default TTL = 3600 (1 hour)
> webserver1.charmer.com  internet address = 208.234.241.10
> mta1.charmer.com  internet address = 208.234.241.112
> 
> 
> According to the above, you have 2 NS. Both NS have the same config
> info for sales.charmer.com and they indicate that you do not have any
> A record for sales.
> 
> As to why you are getting timeouts, I do not get any time out
> querying your NS. I can only speculate that there is NATting going on
> there. IPconfig /all from the client would be useful here.
> 
> We still have the issue of your zone file not corresponding to what
> your servers are advertising. Are you willing to delete the whole
> sales.charmer.com (both zone and file) and start over? I'd do that
> first. Also, I see that UUNET is supposed to be doing secondary for
> you, at least from the output you posted. However, UUNET servers are
> telling me they know nothing about you or your zones. Why are they
> there, and are you able to remove them?
> 
> 
> 
> Sincerely,
> 
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Kern, Tom
> Sent: Wed 2/9/2005 10:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS(again)
> 
> 
> 
> I'm

RE: [ActiveDir] DNS(again)

2005-02-09 Thread deji
Top-posting, bottom-posting, I think it's all a matter of preference. I, for
one, don't find bottom-posting useful, and I am not one to flame anyone for
doing either. I just mentioned it to you because it makes it easier for me to
follow the thread properly.
 
Now, the output you gave me for sales.charmer.com is not identical to the one
I am pulling from webserver1.charmer.com
 
> server webserver1.charmer.com
Default Server:  webserver1.charmer.com
Address:  208.234.241.10
> set q=all
> sales.charmer.com
Server:  webserver1.charmer.com
Address:  208.234.241.10
sales.charmer.com   nameserver = webserver1.charmer.com
sales.charmer.com   nameserver = mta1.charmer.com
sales.charmer.com
primary name server = webserver1.charmer.com
responsible mail addr = admin.charmernydom.csg-it.net
serial  = 14
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)
webserver1.charmer.com  internet address = 208.234.241.10
mta1.charmer.com  internet address = 208.234.241.112
 
 
According to the above, you have 2 NS. Both NS have the same config info for
sales.charmer.com and they indicate that you do not have any A record for
sales.
 
As to why you are getting timeouts, I do not get any time out querying your
NS. I can only speculate that there is NATting going on there. IPconfig /all
from the client would be useful here.
 
We still have the issue of your zone file not corresponding to what your
servers are advertising. Are you willing to delete the whole
sales.charmer.com (both zone and file) and start over? I'd do that first.
Also, I see that UUNET is supposed to be doing secondary for you, at least
from the output you posted. However, UUNET servers are telling me they know
nothing about you or your zones. Why are they there, and are you able to
remove them?
 
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 2/9/2005 10:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)



I'm trying to set up a new public internet(non-AD) zone called
sales.charmer.com. charmer.com is my registered domain.


NS- webserver1.charmer.com. this is the primary for charmer.com and
sales.charmer.com
when i ping with fqdn from a windows client(pointing to this dns server OR
not)  i get a response. same for linux


nslookup output-
"dns request timed out
timeout was 2 seconds
name: sales.charmer.com"

if i do set q=soa, i get a time out error but i do get the soa rr.

When i run a test on dnsreport.com, it says i have no mx record(which i do)

I cannot send mail from exchange to the smtp server listed in the mx record
for sales.charmer.com so clearly, exchange can't read any of the rr's either.
And yes, i allow relaying from exchange to this server.


sorry for appending my responses to the bottom but i just got chewed out on a
linux mailing list for something called "top-posting"

Thanks and i appreciate your patience with me.
here are the zone files for charmer.com and sales.charmer.com, respectively-

-

;
;  Database file charmer.com.dns for charmer.com zone.
;  Zone version:  202
;

@   IN  SOA webserver1.charmer.com.  administrator.charmer.com. (
            202  ; serial number
            3600 ; refresh
            600  ; retry
            5400 ; expire
            3600   ) ; minimum TTL

;
;  Zone NS records
;

@                   NS  webserver1.charmer.com.
@                   NS  auth110.ns.uu.net.
auth110.ns.uu.net.  A   198.6.1.114
@                   NS  auth100.ns.uu.net.
auth100.ns.uu.net.  A   198.6.1.202

;
;  Zone records
;

@            A      208.234.241.10
@            MX     5   mta1.charmer.com.
@            MX     30  ea02web.indcorp.com.
@            MX     20  ea01web.indcorp.com.
dc           A      208.234.241.33
exchange1    A      208.234.241.48
exchange2    A      208.234.241.49
ftp          A      208.234.241.10
ftp2         A      208.234.241.8
guardian     A      208.234.241.35
ind          A      208.234.241.7
ipmonitor    A      208.234.241.35
mail         CNAME  mail2.charmer.com.
mail2        A      208.234.241.49
mailer       A      208.234.241.18
mailserver1 A  
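
The comparison made in this thread, reading which record types a name server actually returns for sales.charmer.com, can be done mechanically. The following is an added example, not code from any poster: it parses nslookup answer text (two answers copied from the thread, one with the mail client's line wrap left in) and lists the record types present; the function names are hypothetical.

```python
import re

# Answer from webserver1 for "set q=all" as posted in the thread (NS + SOA only).
BEFORE = """\
Server:  webserver1.charmer.com
Address:  208.234.241.10
sales.charmer.com   nameserver = webserver1.charmer.com
sales.charmer.com   nameserver = mta1.charmer.com
sales.charmer.com
primary name server = webserver1.charmer.com
responsible mail addr = admin.charmernydom.csg-it.net
serial  = 14
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)
webserver1.charmer.com  internet address = 208.234.241.10
mta1.charmer.com  internet address = 208.234.241.112
"""

# Later answer from the thread; the MX value is wrapped onto the next line.
AFTER = """\
Server:  ns1.akomolafe.com
Address:  66.92.14.146
sales.charmer.com   MX preference = 10, mail exchanger =
mta1.sales.charmer.com
mta1.sales.charmer.com  internet address = 208.234.241.112
"""

RECORD = re.compile(
    r"^(?P<owner>\S+)\s+(?P<kind>nameserver|internet address|MX preference)"
    r"\s*=\s*(?P<rest>.*)$")
SOA_FIELD = re.compile(
    r"^(primary name server|responsible mail addr|serial|refresh|retry|expire"
    r"|default TTL)\s*=\s*(.+)$")
MX_VALUE = re.compile(r"(\d+),\s*mail exchanger\s*=\s*(\S+)")


def parse_nslookup(text):
    """Return (owner, rtype, value) tuples from pasted nslookup answer text."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if lines and lines[-1].endswith("="):
            lines[-1] += " " + line      # re-join a value wrapped after "="
        else:
            lines.append(line)

    records, soa = [], None
    for line in lines:
        if line.startswith(("Server:", "Default Server:", "Address:")):
            continue                     # which resolver answered, not a record
        field = SOA_FIELD.match(line)
        if field and soa is not None:
            soa[field.group(1)] = field.group(2)
            continue
        rec = RECORD.match(line)
        if rec:
            owner, kind, rest = rec.group("owner", "kind", "rest")
            if kind == "nameserver":
                records.append((owner, "NS", rest))
            elif kind == "internet address":
                records.append((owner, "A", rest))
            else:
                mx = MX_VALUE.match(rest)
                if mx:
                    records.append((owner, "MX", (int(mx.group(1)), mx.group(2))))
        elif "=" not in line and " " not in line:
            soa = {}                     # a bare owner name opens the SOA block
            records.append((line, "SOA", soa))
    return records


def types_for(records, name):
    """Sorted record types the answer holds for `name` itself."""
    return sorted({t for owner, t, _ in records if owner.lower() == name.lower()})


def mx_targets_without_address(records):
    """MX hosts for which the same answer carries no address record."""
    addressed = {owner.lower() for owner, t, _ in records if t == "A"}
    return [v[1] for _, t, v in records
            if t == "MX" and v[1].lower() not in addressed]


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        recs = parse_nslookup(text)
        print(label, types_for(recs, "sales.charmer.com"),
              mx_targets_without_address(recs))
```

Run against the first answer it reports only NS and SOA for the zone name, which is the gap the reply points at; the later answer shows the MX together with an address for its target.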

RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Dean Wells
Oh dear, I said 'passed' not 'past' ... I hope my Mum didn't see that :(

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, February 09, 2005 2:06 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Remote Assistance

 
# ls -l
'ls' is not recognized as an internal or external command, operable program
or batch file.

# ps -ax
'ls' is not recognized as an internal or external command, operable program
or batch file.

# vi .profile
'vi' is not recognized as an internal or external command, operable program
or batch file.

# dmesg | grep -i unix
'dmesg' is not recognized as an internal or external command, operable
program or batch file.

# edlin autoexec.bat
End of input file
*

 guess not, haven't made it passed DOS 3.31 yet.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, February 09, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
any

Re: [ActiveDir] Licensing/asset management tools

2005-02-09 Thread Paul Wilkinson
Keyserver
Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

John Parker wrote:
Hey all...
What are you using to manage licenses and hardware/software inventory?
Thank you

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
 



Re: [ActiveDir] Add Computer to Domain

2005-02-09 Thread Paul Wilkinson
It should be in a GPO over the OU the computers are in that you want 
people to be able to add. The default domain policy applies to all 
domain computers, so you could just set it there to cover everything.

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

Salandra, Justin A. wrote:
If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and
if so should I create that GPO on the OU I want them to join computers
to or do I have to do it at the domain level or within the Domain
Controllers Policy? 

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Gil Kirkpatrick
Even better, it's running a Linux port of AD...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, February 09, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.



-rtk





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance



Windows XP SP2 machines



I have followed the guidance in kb301527




The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machinename\C$   so
definitely have admin rights. 



Anyone have any other ideas not put into the above KB article?










RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Dean Wells
 
# ls -l
'ls' is not recognized as an internal or external command,
operable program or batch file.

# ps -ax
'ls' is not recognized as an internal or external command,
operable program or batch file.

# vi .profile
'vi' is not recognized as an internal or external command,
operable program or batch file.

# dmesg | grep -i unix
'dmesg' is not recognized as an internal or external command,
operable program or batch file.

# edlin autoexec.bat
End of input file
*

 guess not, haven't made it passed DOS 3.31 yet.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Wednesday, February 09, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.



-rtk





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance



Windows XP SP2 machines



I have followed the guidance in kb301527


RE: [ActiveDir] Add Computer to Domain

2005-02-09 Thread Grillenmeier, Guido
depends on what you wish to achieve: 

1. if you want to grant specific users the general rights to add
computers to the default "Computers" container of the domain, then you'd
do so by configuring the "Add workstations to Domain" user right in the
Default Domain Controllers GPO.  These users do not need any special
rights on OUs, but depending on your OU structure and other rights you
give them, they're also unable to move the computer objects to the OU
they should be located in.

2. if you just want them to be able to add computers to a specific OU,
then you'd delegate permissions as ACLs directly on the OU (not via
GPO). At a minimum they'll need the rights to create computer accounts.
Before being able to join clients to the domain via the UI, they'll now
need to create the computer account in the target OU. You can also use
the NETDOM reskit tool to join a computer to a domain directly into a
given OU, in which case you don't need to pre-create the computer
account in the OU.

In general you should also remove the user right "Add workstations to
Domain" for Authenticated Users as otherwise every user will be able to
join up to 10 clients to the AD domain (into the default Computer
container).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, February 09, 2005 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add Computer to Domain

If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and
if so should I create that GPO on the OU I want them to join computers
to or do I have to do it at the domain level or within the Domain
Controllers Policy? 

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
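
The check behind Guido's closing advice, as an added example that is not part of the original thread: a Python sketch that reads the [Privilege Rights] section of a security template (the GptTmpl.inf format used by GPOs) and reports whether a catch-all group still holds "Add workstations to domain" (SeMachineAccountPrivilege). The two templates, the group SID and the function names are constructed for illustration; the quota argument stands for the domain's ms-DS-MachineAccountQuota value, which defaults to 10.

```python
import re

RIGHT = "SeMachineAccountPrivilege"  # "Add workstations to domain"

# Well-known SIDs that cover (nearly) every account in the domain.
BROAD_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-545": "BUILTIN\\Users",
}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
DOMAIN_USERS = re.compile(r"^S-1-5-21(-\d+){3}-513$")  # <domain SID>-513

# Constructed sample: template that still grants the right to Authenticated Users.
TEMPLATE_BEFORE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeMachineAccountPrivilege = *S-1-5-11
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
"""

# Constructed sample: right restricted to one delegated group (placeholder SID).
TEMPLATE_AFTER = TEMPLATE_BEFORE.replace(
    "*S-1-5-11", "*S-1-5-21-1111111111-2222222222-3333333333-1105"
)


def parse_privilege_rights(inf_text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs are written with a leading '*'; account names are written bare.
        rights[name.strip()] = [
            p.strip().lstrip("*") for p in value.split(",") if p.strip()
        ]
    return rights


def classify(principal):
    """Return a label when the principal is a catch-all group, else None."""
    sid = principal.upper()
    if sid in BROAD_SIDS:
        return BROAD_SIDS[sid]
    if DOMAIN_USERS.match(sid):
        return "Domain Users"
    short = principal.split("\\")[-1].lower()
    if short in BROAD_NAMES:
        return principal
    return None


def audit_join_right(inf_text, machine_account_quota=10):
    """Summarise who may join computers through the user right.

    The quota only limits accounts created through this user right; accounts
    created through a delegated 'create computer objects' ACL on an OU are
    not counted against it.
    """
    rights = parse_privilege_rights(inf_text)
    holders = rights.get(RIGHT, [])
    broad = [label for label in map(classify, holders) if label]
    return {
        "defined": RIGHT in rights,
        "holders": holders,
        "broad": broad,
        # Exposed: any ordinary user can add up to <quota> computers.
        "exposed": bool(broad) and machine_account_quota > 0,
        "quota": machine_account_quota,
    }


if __name__ == "__main__":
    for label, text in (("before", TEMPLATE_BEFORE), ("after", TEMPLATE_AFTER)):
        print(label, audit_join_right(text))
```
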


[ActiveDir] Licensing/asset management tools

2005-02-09 Thread John Parker
Hey all...

What are you using to manage licenses and hardware/software inventory?

Thank you



John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.


RE: [ActiveDir] Remote Assistance

2005-02-09 Thread deji
Red Wine (and Steak), maybe. Definitely NOT RedHat :0
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Wed 2/9/2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.

Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.



-rtk





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance



Windows XP SP2 machines



I have followed the guidance in kb301527




The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machin

RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Creamer, Mark
Is it true that Dean's laptop runs Red Hat though? :-)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.



-rtk





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance



Windows XP SP2 machines



I have followed the guidance in kb301527




The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machinename\C$   so
definitely have admin rights. 



Anyone have any other ideas not put into the above KB article?










RE: [ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
I'm trying to set up a new public internet(non-AD) zone called 
sales.charmer.com. charmer.com is my registered domain.


NS- webserver1.charmer.com. this is the primary for charmer.com and 
sales.charmer.com
when i ping with fqdn from a windows client(pointing to this dns server OR not) 
 i get a response. same for linux


nslookup output-
"dns request timed out
timeout was 2 seconds
name: sales.charmer.com"

if i do set q=soa, i get a time out error but i do get the soa rr.

When i run a test on dnsreport.com, it says i have no mx record(which i do)

I cannot send mail from exchange to the smtp server listed in the mx record for 
sales.charmer.com so clearly, exchange can't read any of the rr's either.
And yes, i allow relaying from exchange to this server.


sorry for appending my responses to the bottom but i just got chewed out on a 
linux mailing list for something called "top-posting"

Thanks and i appreciate your patience with me.
here are the zone files for charmer.com and sales.charmer.com, respectively-

-
;
;  Database file charmer.com.dns for charmer.com zone.
;  Zone version:  202
;

@                       IN  SOA webserver1.charmer.com.  administrator.charmer.com. (
                                202          ; serial number
                                3600         ; refresh
                                600          ; retry
                                5400         ; expire
                                3600       ) ; minimum TTL

;
;  Zone NS records
;

@                       NS      webserver1.charmer.com.
@                       NS      auth110.ns.uu.net.
auth110.ns.uu.net.      A       198.6.1.114
@                       NS      auth100.ns.uu.net.
auth100.ns.uu.net.      A       198.6.1.202

;
;  Zone records
;

@                       A       208.234.241.10
@                       MX      5       mta1.charmer.com.
@                       MX      30      ea02web.indcorp.com.
@                       MX      20      ea01web.indcorp.com.
dc                      A       208.234.241.33
exchange1               A       208.234.241.48
exchange2               A       208.234.241.49
ftp                     A       208.234.241.10
ftp2                    A       208.234.241.8
guardian                A       208.234.241.35
ind                     A       208.234.241.7
ipmonitor               A       208.234.241.35
mail                    CNAME   mail2.charmer.com.
mail2                   A       208.234.241.49
mailer                  A       208.234.241.18
mailserver1             A       208.234.241.12
mta1                    A       208.234.241.112
ny-diversrv1            A       208.234.241.155
ny-diversrv2            A       208.234.241.89
owa                     A       208.234.241.52
priority                A       208.234.241.7

;
;  Delegated sub-zone:  sales.charmer.com.
;
sales                   NS      webserver1.charmer.com.
;  End delegation

test                    A       208.234.241.10
utilities               A       208.234.241.9
webdiver                A       208.234.241.63
webserver1              A       208.234.241.10
www                     A       208.234.241.10
www2                    A       208.234.241.9

-

;
;  Database file sales.charmer.com.dns for sales.charmer.com zone.
;  Zone version:  11
;

@                       IN  SOA webserver1.charmer.com.  admin.charmernydom.csg-it.net. (
                                11           ; serial number
                                900          ; refresh
                                600          ; retry
                                86400        ; expire
                                3600       ) ; minimum TTL

;
;  Zone NS records
;

@                       NS      webserver1.charmer.com.
webserver1.charmer.com. 203     A       208.234.241.10

;
;  Zone records
;

mta1                    A       208.234.241.112
                        MX      5       mta1.sales.charmer.com.












[EMAIL PROTECTED] wrote:
> Let's reboot.
> 
> Describe what you are trying to do
> Describe your setup (who is the NS? Which client are you testing
> from, what is the output of ipconfig /all from that client?)
> What do you get, and how is that different from your expectation?
> What is the response when you do the following:
> nslookup
> server webserver1.charmer.com
> set q=a
> sales.charmer.com
> 
> Please put your response at the top of the reply.
> 
> 
> Sincerely,
> 
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> List info   : http:/

RE: [ActiveDir] Remote Assistance

2005-02-09 Thread deji
Joe is just being  well  Joe. I don't think it's so much because he
can't "think" of what to present as it is deciding on which of the numerous
things he CAN present he should present.
 
Something tells me, though, that if you can get Dean over to DEC (and make
sure he brings his laptop), Joe will lose all his resistance. Dean with a
Laptop full of hidden Windows gems is irresistible.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Gil Kirkpatrick
Sent: Wed 2/9/2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



Sounds like a great DEC topic to me. And joe says he can't think of anything
to present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597  DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.

So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.



I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.



-rtk





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance



Windows XP SP2 machines



I have followed the guidance in kb301527




The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machinename\C$   so
definitely have admin rights. 



Anyone have any other ideas not put into the above KB article?










RE: [ActiveDir] DNS(again)

2005-02-09 Thread deji
Let's reboot.
 
Describe what you are trying to do
Describe your setup (who is the NS? Which client are you testing from, what
is the output of ipconfig /all from that client?)
What do you get, and how is that different from your expectation?
What is the response when you do the following:
nslookup
server webserver1.charmer.com
set q=a
sales.charmer.com
 
Please put your response at the top of the reply.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


RE: [ActiveDir] Add Computer to Domain

2005-02-09 Thread Becker, Jim
Why not just use the Delegate Control wizard on that OU to allow that
group to do that function?

Jim Becker

Asst. Dir. of Administrative Systems
State University of New York
System Administration
[EMAIL PROTECTED]


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Salandra, Justin A.
> Sent: Wednesday, February 09, 2005 1:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Add Computer to Domain
> 
> If I wanted to grant a group the rights to join computers to 
> the domain
> should I configure the User Assignment setting of a GPO to do that and
> if so should I create that GPO on the OU I want them to join computers
> to or do I have to do it at the domain level or within the Domain
> Controllers Policy? 
> 
> Justin A. Salandra
> MCSE Windows 2000 & 2003
> Network and Technology Services Manager
> Catholic Healthcare System
> 212.752.7300 - office
> 917.455.0110 - cell
> [EMAIL PROTECTED]
> 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 


[ActiveDir] Add Computer to Domain

2005-02-09 Thread Salandra, Justin A.
If I wanted to grant a group the rights to join computers to the domain
should I configure the User Assignment setting of a GPO to do that and
if so should I create that GPO on the OU I want them to join computers
to or do I have to do it at the domain level or within the Domain
Controllers Policy? 

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Renouf, Phil
Yeah, that's why I noted that it tends to use the DC that authenticated
the client. It doesn't _have_ to, but in common practice that is where a
client gets its time sync.


Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, February 09, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Regarding 2, a DC will occasionally peer up with another DC in its own
domain. I see it all the time.

1 also seems a little off since client time is supposed to synchronize
over the secure channel with its authenticating DC. I have not
observed otherwise.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, February 09, 2005 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

The time sync thing is incorrect according to information provided to us
by PSS the last time we had a time issue. We thought the same thing but
were told that the process is actually:

1. A client will use any DC in its domain for synchronization, but will
tend to use the DC that authenticated it.
2. A DC will use the PDCe of its domain, or any DC of the parent
domain.
3. The PDCe of a child domain will use the PDCe, or any DC of its
parent domain.

Phil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,
 
The PDC Emulator FSMO is required in both modes! In mixed mode the
replication model is different (LAN Manager) when replicating with older
DCs (BDCs).
 
In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an
RPC call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability
is disabled
 
At the moment I can't think of anything else, but I'm sure if there's
more the other guys will add comments
 
Cheers,
jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: woensdag 9 februari 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode


Hi,
 
What happens to the PDC Emulator role if we move from mixed mode to
native mode?
 
Is the PDC Emulator required in native mode?
 
And if required, then what will it do, and what changes in the functional
behaviour of it?
 
 
Best-
Manjeet





RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Gil Kirkpatrick
Sounds like a great DEC topic to me. And joe says he can't think of anything to 
present ;)

-gil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, February 09, 2005 10:31 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remote Assistance

I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597  DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.
 
So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.

 

I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.

 

-rtk

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance

 

Windows XP SP2 machines

 

I have followed the guidance in kb301527
 

 

The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machinename\C$   so
definitely have admin rights.  

 

Anyone have any other ideas not put into the above KB article?

 

 

 

 



RE: [ActiveDir] Installing Office Through GPO to Citrix Servers

2005-02-09 Thread Salandra, Justin A.
And those are things I do today.  I was curious if there was anything
else.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, February 09, 2005 12:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Installing Office Through GPO to Citrix Servers

A few obvious points. Install it using machine assignment, rather than
per-user assignment or publishing. Install from an administrative
install rather than a copy of the CD, so you can patch the
administrative install point later on. Don't check the box that says to
remove the app if the GPO is no longer in scope. Those are the big ones
that come to mind.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, February 09, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing Office Through GPO to Citrix Servers

Is there anything special I need to do to install Office XP on Citrix
Servers?  I am using a MST file when pushing out Office through GPO so I
don't think there is anything else I have to do.  A little help would be
appreciated.  Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Carerros, Charles
I would like to be on this list as well.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance


Sorry to not add anything of import to your thread, Jeff; but I'd love to be
on the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you
are looking for. Merely firing up Netmon/Ethereal and such will not be
productive without the necessary capabilities to discern and interpret the
traffic. I know, because I was a victim. Took me a 3-hour call and
escalations to MS before I could resolve a whacky (OK, unique) problem where
Exchange insisted on doing NetBIOS name calls when I expected it to do FQDN
during a migration project. RASDIAG saved my life, thanks to the MS dude.
 
So, is there any interest in putting together something along the line of
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an
active participant in the project. I think this will help many of our
audience on this list and beyond.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.
Filter on the names / IPs of the two machines involved, just to reduce the
noise to just the important bits.

 

I suspect this will most likely uncover the problem much quicker than
anything else you could likely do.

 

-rtk

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance

 

Windows XP SP2 machines

 

I have followed the guidance in kb301527
 

 

The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer assistance
to another XP machine.  I put the machine name in and hit connect and it
errors out saying connection failed. Cannot find any information in the
event log.
I am able to connect to \\machinename\C$   so
definitely have admin rights.  

 

Anyone have any other ideas not put into the above KB article?

 

 

 

 



RE: [ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
Kern, Tom wrote:
> [EMAIL PROTECTED] wrote:
>> According to webserver1.charmer.com, webserver1.charmer.com is THE NS
>> for both Charmer.com and sales.charmer.com
>> 
>> According to the output you've just posted
>> webserver1.charmernydom.csg-it.net
>> 
>> According to the world, webserver1.charmernydom.csg-it.net does not
>> exist 
>> 
>> According to webserver1.charmer.com, there is no A record whatsoever
>> defined for anything in sales.charmer.com
>> 
>> According to my research, you need to tell us more about
>> webserver1.charmer.com and webserver1.charmernydom.csg-it.net and the
>> relationship between them and what you EXPECT to see happen.
>> 
>> 
>> Sincerely,
>> 
>> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
>> Microsoft MVP - Directory Services
>> www.readymaids.com - we know IT
>> www.akomolafe.com
>> Do you now realize that Today is the Tomorrow you were worried about
>> Yesterday?  -anon 
>> 
>> 
>> 
>> From: [EMAIL PROTECTED] on behalf of Kern, Tom
>> Sent: Wed 2/9/2005 6:36 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] DNS(again)
>> 
>> 
>> 
>> Rick Kingslan wrote:
>>> Tom,
>>> 
>>> If I do an nslookup against sales.charmer.com, I get the SOA with no
>>> problem.  There are no other records in that zone, but it responds.
>>> 
>>> Are you running AD integrated?  If so, can you temporarily change it
>>> back to Primary and cut and paste the .dns file for
>>> sales.charmer.com out to us to take a look at?  It's text, much
>>> like the BIND files you've seen, so just put it right into the body
>>> of the message. 
>>> 
>>> You'll find these (if memory serves) in %systemroot%\System32\DNS
>>> 
>>> -rtk
>>> 
>>> -Original Message-
>>> From: [EMAIL PROTECTED]
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
>>> Sent: Wednesday, February 09, 2005 8:20 AM
>>> To: ActiveDir (E-mail)
>>> Subject: [ActiveDir] DNS(again)
>>> 
>>> Hi, i posted earlier so i apologize for reposting but this dns issue
>>> is driving me to distraction- 
>>> 
>>> I have a registered  internet domain called charmer.com running on a
>>> win2k sp4 dns server. everything is fine with that. however created
>>> a new zone called sales.charmer.com and delegated auth for that
>>> zone to the same server creating all the glue records. it also
>>> contains an mx/A record to my mail gateway.
>>> However mail never arrives because no one can find this
>>> domain(including my mailserver)
>>> When i run a report on dnsreports.com, i get an error that the
>>> nameserver did not respond(it passes all the other tests). When i
>>> run nslookup on a windows box, it retrieves the zone. however when
>>> i run nslookup on a linux box(my mailserver), it times out.
>>> 
>>> there is nothing in the dns event log or the dns log.
>>> What am i doing wrong? how can i troubleshoot this further? is there
>>> something really different about MS dns over bind?
>>> thanks
>>> 
>> 
>> its a primary zone-
>> 
>> 
>> ;
>> ;  Database file sales.charmer.com.dns for sales.charmer.com zone.
>> ;      Zone version:  3
>> ;
>> 
>> @   IN  SOA webserver1.charmernydom.csg-it.net. admin.charmernydom.csg-it.net. (
>>             3       ; serial number
>>             900     ; refresh
>>             600     ; retry
>>             86400   ; expire
>>             3600  ) ; minimum TTL
>> 
>> ;
>> ;  Zone NS records
>> ;
>> 
>> @   NS  webserver1.charmernydom.csg-it.net.
>> 
>> ;
>> ;  Zone records
>> ;
>> 
>> mta1    A   208.234.241.112
>>         MX  10  mta1.sales.charmer.com.
>> 
>> 
> 
> i just changed it to webserver1.charmer.com(charmernydom.csg-it.net
> is the AD name internally). sorry for the goof up. 
> 
> There is an A record for my mailserver.




Yes, i'm responding to my own post :)


When i do an nslookup with 

RE: [ActiveDir] Installing Office Through GPO to Citrix Servers

2005-02-09 Thread Darren Mar-Elia
A few obvious points. Install it using machine assignment, rather than
per-user assignment or publishing. Install from an administrative
install rather than a copy of the CD, so you can patch the
administrative install point later on. Don't check the box that says to
remove the app if the GPO is no longer in scope. Those are the big ones
that come to mind.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Wednesday, February 09, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Installing Office Through GPO to Citrix Servers

Is there anything special I need to do to install Office XP on Citrix
Servers?  I am using a MST file when pushing out Office through GPO so I
don't think there is anything else I have to do.  A little help would be
appreciated.  Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Jorge de Almeida Pinto
Hi,

You're right and I really meant time sync for the domain/forest -->
specifically for the DCs and  not for the clients
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: woensdag 9 februari 2005 17:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

The time sync thing is incorrect according to information provided to us by
PSS the last time we had a time issue. We thought the same thing but were
told that the process is actually:

1. A client will use any DC in its domain for synchronization, but will
tend to use the DC that authenticated it.
2. A DC will use the PDCe of its domain, or any DC of the parent domain.
3. The PDCe of a child domain will use the PDCe, or any DC of its parent
domain.

Phil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,
 
The PDC Emulator FSMO is required in both modes! In mixed mode the
replication model is different (LAN Manager) when replicating with older DCs
(BDCs)
 
In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an RPC
call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability is
disabled
 
At the moment I can't think of anything else, but I'm sure if there's more
the other guys will add comments
 
Cheers,
jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: woensdag 9 februari 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode


Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to native
mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the functional
behaviour of it ?
 
 
Best-
Manjeet





RE: [ActiveDir] Remote Assistance

2005-02-09 Thread Perdue David J Contr InDyne/Enterprise IT
Sorry to not add anything of import to your thread, Jeff; but I'd love to be on 
the list for the "Capturing and Interpreting Network Traffic 101".

Dave


//SIGNED//

David J. Perdue
Network Security Engineer, InDyne Inc 
Comm: (805) 606-4597 DSN: 276-4597


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, February 08, 2005 22:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance

Without pointing fingers, or mentioning "short" names, here's my stance on 
sniffing traffic for diagnosis. It is a GREAT concept IF you know what you are 
looking for. Merely firing up Netmon/Ethereal and such will not be productive 
without the necessary capabilities to discern and interpret the traffic. I 
know, because I was a victim. Took me a 3-hour call and escalations to MS 
before I could resolve a whacky (OK, unique) problem where Exchange insisted on 
doing NetBIOS name calls when I expected it to do FQDN during a migration 
project. RASDIAG saved my life, thanks to the MS dude.
 
So, is there any interest in putting together something along the line of 
"Capturing and Interpreting Network Traffic 101"? I volunteer to be an active 
participant in the project. I think this will help many of our audience on this 
list and beyond.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remote Assistance



I'd load NetMon or Ethereal on both machines and capture the traffic.  Filter 
on the names / IPs of the two machines involved, just to reduce the noise to 
just the important bits.

 

I suspect this will most likely uncover the problem much quicker than anything 
else you could likely do.

 

-rtk

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, February 08, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Remote Assistance

 

Windows XP SP2 machines

 

I have followed the guidance in kb301527 
 

 

The windows Firewall is turned off completely.  Both machines are in the same 
domain.  A Domain admin on one XP machine is trying to offer assistance to 
another XP machine.  I put the machine name in and hit connect and it errors 
out saying connection failed. Cannot find any information in the event log.
I am able to connect to \\machinename\C$   so 
definitely have admin rights.  

 

Anyone have any other ideas not put into the above KB article?

 

 

 

 



RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Free, Bob
Regarding 2, a DC will occasionally peer up with another DC in its own
domain. I see it all the time.

1 also seems a little off since client time is supposed to synchronize
over the secure channel with its authenticating DC. I have not
observed otherwise.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Renouf, Phil
Sent: Wednesday, February 09, 2005 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

The time sync thing is incorrect according to information provided to us
by PSS the last time we had a time issue. We thought the same thing but
were told that the process is actually:

1. A client will use any DC in its domain for synchronization, but will
tend to use the DC that authenticated it.
2. A DC will use the PDCe of its domain, or any DC of the parent
domain.
3. The PDCe of a child domain will use the PDCe, or any DC of its
parent domain.

Phil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,
 
The PDC Emulator FSMO is required in both modes! In mixed mode the
replication model is different (LAN Manager) when replicating with older
DCs (BDCs)
 
In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an
RPC call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability
is disabled
 
At the moment I can't think of anything else, but I'm sure if there's
more the other guys will add comments
 
Cheers,
jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: woensdag 9 februari 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode


Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to
native mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the functional
behaviour of it ?
 
 
Best-
Manjeet





[ActiveDir] Installing Office Through GPO to Citrix Servers

2005-02-09 Thread Salandra, Justin A.
Is there anything special I need to do to install Office XP on Citrix
Servers?  I am using a MST file when pushing out Office through GPO so I
don't think there is anything else I have to do.  A little help would be
appreciated.  Thanks

Justin A. Salandra
MCSE Windows 2000 & 2003
Network and Technology Services Manager
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Lucia Washaya

Return Receipt

Your document: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
was received by: Lucia Washaya/UNAMSIL
at: 09/02/2005 16:34:39 GMT
   







RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Lucia Washaya

Return Receipt

Your document: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor
was received by: Lucia Washaya/UNAMSIL
at: 09/02/2005 16:34:48 GMT
   







RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Rod Simmons








PDCe also runs the adminSDHolder thread on an hourly basis

see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,

The PDC Emulator FSMO is required in both modes! In mixed mode the
replication model is different (LAN Manager) when replicating with older DCs
(BDCs)

In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an RPC
call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability is
disabled

At the moment I can't think of anything else, but I'm sure if there's more
the other guys will add comments

Cheers,
jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: woensdag 9 februari 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,

What happened to the PDC Emulator Role if we move from mixed mode to
native mode.

Is the PDC Emulator is required in Native mode... ?

and if required then what will it do  and what changes in the
functional behaviour of it ?

Best-
Manjeet








RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Grillenmeier, Guido
Title: Migrating access rights from Novell/NDS to W2K3/AD with NDS migrator



Hey Jorge - I see you've already got a whole list of replies with great
tips on how to get around this ;-))

Fact is, it's a well known restriction.

Sure, NDS migrator could maybe add some more logic to figure out the
correct permissions you really need, but as there is no real match to so
many permissions that you have on the Novell FileSystem, this is a tough
one for larger and more complex environments truly leveraging the Novell
OS's capabilities.

As such I typically didn't use the ACL migration features and instead
analysed the real security needs of the customer. Then I created the
permissions as they make sense in NTFS via script. This also allows you to
leverage inheritance on the NTFS side (as NDS migrator would typically just
set explicit rights). Makes sense to set the rights into an empty folder
structure prior to copying the data, so that the files receive the correct
permissions.

> "By the way the following really is fun: Let's have a file with path
> U:\DIR1\SUBDIR1\README.TXT (from the example above)... Users that have
> explicit change or read permissions on the file README.TXT can not
> navigate to file with explorer BUT if they insert
> U:\DIR1\SUBDIR1\README.TXT into the RUN dialog box (start menu -> run)
> NOTEPAD opens the file."

=> that's exactly what the "Bypass traverse checking" option is all about
=> the OS doesn't check permissions on the folders in the path, when you
enter the full path to a file... (i.e. it skips/bypasses the security
check... until it has traversed all folders and reaches the target
object...)
 
/Guido
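
The scripted approach described in the reply above, as an added example that is not part of the original message and is not Guido's own script: it builds the empty folder tree from the quoted layout, grants each group inheritable rights on its own subfolder, and adds a this-folder-only read ACE on each parent so members can browse down in Explorer. The target path, the domain name, the choice of Modify and the parent-folder ACE are assumptions.

```powershell
# Added example, not from the thread. Assumed names: D:\DATA\COMMON as the
# target path, CORP as the domain, and AD domain local groups GROUP1..GROUP4
# that already exist and mirror the NDS trustees.
$root   = 'D:\DATA\COMMON'
$domain = 'CORP'

# Folder -> trustee mapping, taken from the directory layout in the quoted message.
$trustees = [ordered]@{
    'DIR1\SUBDIR1' = 'GROUP1'
    'DIR1\SUBDIR2' = 'GROUP2'
    'DIR2\SUBDIR3' = 'GROUP3'
    'DIR2\SUBDIR4' = 'GROUP4'
}

function Add-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        # 'None' means the ACE applies to this folder only.
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'None'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Create the empty root and stop it inheriting from the volume root, so the
#    only ACEs in the tree are the ones set here.
New-Item -ItemType Directory -Path $root -Force | Out-Null
$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $admin, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $root -AclObject $acl

# 2. Per trustee: inheritable Modify on its own subfolder, plus a
#    this-folder-only ReadAndExecute on every ancestor up to the root.
foreach ($entry in $trustees.GetEnumerator()) {
    $folder = Join-Path $root $entry.Key
    $group  = "$domain\$($entry.Value)"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Files copied in later inherit this ACE instead of getting explicit ones.
    Add-FolderAce -Path $folder -Identity $group -Rights Modify `
                  -Inherit 'ContainerInherit, ObjectInherit'

    $parent = Split-Path -Path $folder -Parent
    while ($parent.Length -ge $root.Length) {
        Add-FolderAce -Path $parent -Identity $group -Rights ReadAndExecute
        if ($parent -eq $root) { break }
        $parent = Split-Path -Path $parent -Parent
    }
}

# 3. Review the explicit ACEs before any data is copied in.
Get-ChildItem -Path $root -Recurse -Directory | ForEach-Object {
    $path = $_.FullName
    (Get-Acl -Path $path).Access | Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Folder'; e = { $path } },
                      IdentityReference, FileSystemRights, InheritanceFlags
}
```

With the this-folder-only ACE a GROUP1 member can open DIR1 in Explorer but still sees the name of SUBDIR2 there, unlike on the NetWare volume; hiding those names is what the Access-based Enumeration feature mentioned elsewhere in this thread addresses.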


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, February 09, 2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

Hi,

We are migrating from Novell and NT4 (single domain) to Windows 2003/AD.

We are using Quest NDS Migrator to migrate files (INCL. permissions) from
Novell File Server to Windows 2003 file server.

SOURCE ENVIRONMENT:
* Novell File Servers with Novell NDS
* Windows NT4 domain
* Windows 95/98 clients with the Novell client authenticate to the NDS and
to the Windows NT4 domain

TARGET ENVIRONMENT:
* Windows 2003 AD domain
* Windows 2003 File servers
* ACLs on migrated data are assigned to AD domain local groups
* AD users are members of the AD domain local groups and corresponding NT4
users are also members of the AD domain local groups

We are experiencing the following issue:

Take a Novell server with a volume called VOL1 so that the UNC path is
\\NOVELLSRV\VOL1

Beneath VOL1 the following directory structure exists:

\\NOVELLSRV\VOL1\
  DATA\
    COMMON\ --> no trustees assigned!
      DIR1\ --> no trustees assigned!
        SUBDIR1 --> explicitly assigned trustee = GROUP1
        SUBDIR2 --> explicitly assigned trustee = GROUP2
      DIR2\ --> no trustees assigned!
        SUBDIR3 --> explicitly assigned trustee = GROUP3
        SUBDIR4 --> explicitly assigned trustee = GROUP4

Users have a mapping U: to \\NOVELLSRV\VOL1\DATA\COMMON (the contents of
COMMON is the same as U:)

USER 1 is a member of GROUP1
USER 2 is a member of GROUP1 and GROUP4
Neither USER1 or USER2 is a member of GROUP2 or GROUP3!!!

* When USER1 connects to U: he sees:

U:\
  DIR1\ --> no trustees assigned!
    SUBDIR1 --> explicitly assigned trustee = GROUP1

USER1 implicitly has the right to enter DIR1 (he sees nothing else) so that
he's able to access the contents of SUBDIR1

* When USER2 connects to U: he sees:

U:\
  DIR1\ --> no trustees assigned!
    SUBDIR1 --> explicitly assigned trustee = GROUP1
  DIR2\ --> no trustees assigned!
    SUBDIR4 --> explicitly assigned trustee = GROUP4

USER2 implicitly has the right (I think in Novell it is called File Scan) to
enter DIR1 (he sees nothing else) so that he's able to access the contents
of SUBDIR1

USER2 implicitly has the right (I think in Novell it is called File Scan) to
enter DIR2 (he sees nothing else) so that he's able to access the contents
of SUBDIR4

Quest NDS Migrator has not been configured with default ACLs so that NDS
Migrator uses as default ACL DOMAIN ADMINS with Full Control

USER1 and USER2

RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/A D with NDS migra tor

2005-02-09 Thread deji
You get all the docs if you download SP1. 
 
If you are not into that, then you can get it here:
http://www.microsoft.com/downloads/details.aspx?familyid=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Ruston, Neil
Sent: Wed 2/9/2005 8:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/A D
with NDS migra tor



Am I the only person who cannot access anything more than the 'overview' doc?

I cannot see the doc which Eric references, below, for example.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 09 February 2005 15:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It seems Sakari's dream has come true.

The SP1 docs cover this.
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
Look at 02_accessenum.doc

AD you could have done this before though (if I understand the ask
correctly) by removing list_contents from the parent, giving explicit perms
to the child and enabling list object mode with the appropriate mod. For AD,
this is old news.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration does? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I can't
verify it.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
-- www.qadvice.com --





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.

Yours, Sakari






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with
NDS migra tor
   
   

  Hi, 

clipclipclip

Regards,
Jorge

PS.: I'm glad MS is going toward the permissions structure (with W2K3 SP1)
like Novell has. It is still not perfect, but it's a begin. AND maybe some
day (Windows 2011?) will be able to configure file system permissions through
AD like that is possible with the NDS. The possibility of configuring
permissions for the file system through GPOs is a nice feature but far from
perfect. Also any thoughts on this are welcome.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/A D with NDS migra tor

2005-02-09 Thread Eric Fleischman
Sorry. I had that link in an old mail, so I was lazy, and fished the
link out of my sent items. Things have moved.

Just searched the site and found this new fresh link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=C3C26254-8CE3-46E2-B1B6-3659B92B2CDE&displaylang=en

In that zip should be the doc I referenced below (02_accessnum.doc)

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, February 09, 2005 10:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/A D with NDS migra tor

Am I the only person who cannot access anything more than the 'overview'
doc?

I cannot see the doc which Eric references, below, for example.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 09 February 2005 15:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD
with NDS migra tor


It seems Sakari's dream has come true.

The SP1 docs cover this.
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
Look at 02_accessenum.doc

AD you could have done this before though (if I understand the ask
correctly) by removing list_contents from the parent, giving explicit
perms to the child and enabling list object mode with the appropriate
mod. For AD, this is old news.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration does? This feature is
not enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that
this subfolder (automatically or implicitly up to the root) would become
visible to her. And vice versa, when she has no permissions to a subfolder,
it would be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD,
as has always been with NDS.

While we are on the subject, another extremely handy feature of NDS
would be most welcome in AD. That is, each OU would be a sec prin, so if
you want to grant permissions to all people in the Sales OU, you wouldn't
have to create a parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with
NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.



[ActiveDir] MOM

2005-02-09 Thread Oluwaseyi Owoeye
Does anyone know any effective discussion group that covers MOM?



RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Renouf, Phil
The time sync thing is incorrect according to information provided to us
by PSS the last time we had a time issue. We thought the same thing but
were told that the process is actually:

1. A client will use any DC in its domain for synchronization, but will
tend to use the DC that authenticated it.
2. A DC will use the PDCe of its domain, or any DC of the parent
domain.
3. The PDCe of a child domain will use the PDCe, or any DC of its
parent domain.

Phil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, February 09, 2005 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] PDC emulator in Native mode

Hi,
 
The PDC Emulator FSMO is required in both modes! In mixed mode the
replication model is different (LAN Manager) when replicating with older
DCs (BDCs)
 
In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the
password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an
RPC call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability
is disabled
 
At the moment I can't think of anything else, but I'm sure if there's
more the other guys will add comments
 
Cheers,
jorge



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, 9 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode


Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to
native mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the functional
behaviour of it ?
 
 
Best-
Manjeet





Re: [ActiveDir] Remote Assistance

2005-02-09 Thread Paul Wilkinson
RA doesn't always work the first time I try it.  Sometimes I have to try 
twice to get it working.  When I originally set up RA in our computer 
labs I found that it would attempt to log in but then fail to connect 
after it looked like it was going to finish logging in.  After some 
troubleshooting, I discovered that I had group policy security setting 
that was interfering with it.  I can't remember what the setting was,  
but  I remember that it was obscure and didn't really seem like it had 
anything to do with remote assistance. You can see if that's your 
problem by removing the GP settings from a test machine.  

Paul Wilkinson
865-974-0649
2422 Dunford Hall
OIT Lab Services
University of TN, Knoxville

Cothern Jeff D. Team EITC wrote:
Windows XP SP2 machines

I have followed the guidance in kb301527
 


The windows Firewall is turned off completely.  Both machines are in the
same domain.  A Domain admin on one XP machine is trying to offer
assistance to another XP machine.  I put the machine name in and hit
connect and it errors out saying connection failed. Cannot find any
information in the event log.  I am able to connect to \\machinename\C$
  so definitely have admin rights.  


Anyone have any other ideas not put into the above KB article?




 



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/A D with NDS migra tor

2005-02-09 Thread Ruston, Neil
Am I the only person who cannot access anything more than the 'overview' doc?

I cannot see the doc which Eric references, below, for example.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 09 February 2005 15:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It seems Sakari's dream has come true.

The SP1 docs cover this.
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
Look at 02_accessenum.doc

AD you could have done this before though (if I understand the ask
correctly) by removing list_contents from the parent, giving explicit perms to
the child and enabling list object mode with the appropriate mod. For AD, this
is old news.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration does? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I can't
verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible to
her. And vice versa, when she has no permissions to a subfolder, it would be
logical that this subfolder is invisible to her.
 
And it has been my dream for six years that the same would apply to AD, as has
always been with NDS.
 
While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create a
parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD 
with
NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with W2K3 
SP1)
like Novell has. It is still not perfect, but it's a begin. AND maybe some day
(Windows 2011?) will be able to configure file system permissions through AD
like that is possible with the NDS. The possibility of configuring permissions
for the file system through GPOs is a nice feature but far from perfect. Also
any thoughts on this are welcome.




RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Jorge de Almeida Pinto



Hi,
 
The PDC Emulator FSMO is required in both modes! In mixed mode the replication model is different (LAN Manager) when replicating with older DCs (BDCs)

In both mixed and native mode:
* Time sync for the domain/forest
* Primary source for GPO edits
* Pwd change for legacy clients without the directory services client
* Central repository for passwords when another DC needs to check the password when a user provided a wrong password against that DC
* Participates in immediate replication for certain events through an RPC call
* Acts as the master DC for BDCs (only in mixed mode) for replication
* Provides directory updates to DFS root servers when Root Scalability is disabled

At the moment I can't think of anything else, but I'm sure if there's more the other guys will add comments
 
Cheers,
jorge


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, 9 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to native 
mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the 
functional behaviour of it ?
 
 
Best-
Manjeet






RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread John Reijnders








Hi Manjeet,

 

Yep … it is required, because the PDC Em processes all password
updates from clients not running the ADirectory client software. In addition, he
(is the PDC Em masculine?) is checked on an authentication failure to see if a
password has been changed but has not had a chance to replicate to all the
domain controllers at that point in time.

 

Cheers!

John

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, 9 February 2005 16:44
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,

What happened to the PDC Emulator Role if we move from mixed mode to
native mode.

Is the PDC Emulator is required in Native mode... ?

and if required then what will it do  and what changes in the
functional behaviour of it ?

Best-
Manjeet














Re: [ActiveDir] DNS resoltuion Issue

2005-02-09 Thread Ertug Gurhan


I ended up having the same issue with the same domain again today, this time, I deleted the cached entry in DNS and all was resolved, no restart.
Any thoughts on how I would look at preventing this from happening again, assuming clearing the cache on a regular basis would be one option?

Thank you.

E

  - Original Message -
  From: Ertug Gurhan
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, February 09, 2005 9:03 AM
  Subject: Re: [ActiveDir] DNS resoltuion Issue

  No I haven't, but unfortunately this issue has been around, pre-2K3 upgrade as well. Was hoping it would go away, post 2K, but to no avail.

  TY

  E

    - Original Message -
    From: John Shukovsky
    To: ActiveDir@mail.activedir.org
    Sent: Wednesday, February 09, 2005 8:41 AM
    Subject: Re: [ActiveDir] DNS resoltuion Issue

    Have you seen this?
    http://support.microsoft.com/default.aspx?scid=kb;en-us;832223

      - Original Message -
      From: Ertug Gurhan
      To: ActiveDir@mail.activedir.org
      Sent: Tuesday, February 08, 2005 1:07 PM
      Subject: [ActiveDir] DNS resoltuion Issue

      Guys, have been having a sporadic issue, on my network, both when it was a 2K Domain and now since the upgrade to 2K3.

      Basic Config is: 7 sites - DC - GC - DNS server in each site - WINS in each site etc. All DC's are 2K3 AD integrated DNS.

      DC's are configured to use internal addresses for DNS.

      From time to time, we have issues resolving a domain name, the name is not the same one every time, for example today it was.

      http://www.registrefoncier.gouv.qc.ca/
      No clients are able to browse to this site, (site not found) my only fix so far is to restart the DNS service on the DC for the site having the issue, and away goes the problem.
      If a client statically enters the external ISP address for DNS resolution, it works.

      No forwarders specified in DNS.
      It is not client/os specific, mix of NT4 - 2K and XP
      Anyone seen this before?
      Thank you
      Ertug






RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Renouf, Phil
The PDCe is still required in Native mode as it performs a number of
functions that don't have anything to do with downlevel clients. Check
out this KB article for a good explanation of the functions the PDCe
provides:

http://support.microsoft.com/default.aspx/kb/197132

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, February 09, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to
native mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the functional
behaviour of it ?
 
 
Best-
Manjeet





RE: [ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Jimmy Andersson



Well, for one thing it will handle account lockouts due to the PDC chaining operation.

Regards,
/Jimmy
-
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
-- www.qadvice.com --
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Wednesday, February 09, 2005 4:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] PDC emulator in Native mode

Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to native 
mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the 
functional behaviour of it ?
 
 
Best-
Manjeet




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Eric Fleischman
It seems Sakari's dream has come true.

The SP1 docs cover this.
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/overview.mspx
Look at 02_accessenum.doc

AD you could have done this before though (if I understand the ask
correctly) by removing list_contents from the parent, giving explicit
perms to the child and enabling list object mode with the appropriate
mod. For AD, this is old news.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor

Isn't that what Access-based Directory Enumeration does? This feature is
not enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that
this subfolder (automatically or implicitly up to the root) would become
visible to her. And vice versa, when she has no permissions to a subfolder,
it would be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD,
as has always been with NDS.

While we are on the subject, another extremely handy feature of NDS
would be most welcome in AD. That is, each OU would be a sec prin, so if
you want to grant permissions to all people in the Sales OU, you wouldn't
have to create a parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




[ActiveDir] PDC emulator in Native mode

2005-02-09 Thread Manjeet
Hi,
 
What happened to the PDC Emulator Role if we move from mixed mode to native mode.
 
Is the PDC Emulator is required in Native mode... ?
 
and if required then what will it do  and what changes in the functional behaviour of it ?
 
 
Best-
Manjeet

RE: [ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
[EMAIL PROTECTED] wrote:
> According to webserver1.charmer.com, webserver1.charmer.com is THE NS
> for both Charmer.com and sales.charmer.com
> 
> According to the output you've just posted
> webserver1.charmernydom.csg-it.net 
> 
> According to the world, webserver1.charmernydom.csg-it.net does not
> exist 
> 
> According to webserver1.charmer.com, there is no A record whatsoever
> defined for anything in sales.charmer.com
> 
> According to my research, you need to tell us more about
> webserver1.charmer.com and webserver1.charmernydom.csg-it.net and the
> relationship between them and what you EXPECT to see happen.
> 
> 
> Sincerely,
> 
> Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
> Microsoft MVP - Directory Services
> www.readymaids.com - we know IT
> www.akomolafe.com
> Do you now realize that Today is the Tomorrow you were worried about
> Yesterday?  -anon
> 
> 
> 
> From: [EMAIL PROTECTED] on behalf of Kern, Tom
> Sent: Wed 2/9/2005 6:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DNS(again)
> 
> 
> 
> Rick Kingslan wrote:
>> Tom,
>> 
>> If I do an nslookup against sales.charmer.com, I get the SOA with no
>> problem.  There are no other records in that zone, but it responds.
>> 
>> Are you running AD integrated?  If so, can you temporarily change it
>> back to Primary and cut and paste the .dns file for sales.charmer.com
>> out to us to take a look at?  It's text, much like the BIND files
>> you've seen, so just put it right into the body of the message.
>> 
>> You'll find these (if memory serves) in %systemroot%\System32\DNS
>> 
>> -rtk
>> 
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
>> Sent: Wednesday, February 09, 2005 8:20 AM
>> To: ActiveDir (E-mail)
>> Subject: [ActiveDir] DNS(again)
>> 
>> Hi, i posted earlier so i apologize for reposting but this dns issue
>> is driving me to distraction-
>> 
>> I have a registered  internet domain called charmer.com running on a
>> win2k sp4 dns server. everything is fine with that. however created a
>> new zone called sales.charmer.com and delegated auth for that zone to
>> the same server creating all the glue records. it also contains an
>> mx/A record to my mail gateway.
>> However mail never arrives because no one can find this
>> domain(including my mailserver)
>> When i run a report on dnsreports.com, i get an error that the
>> nameserver did not respond(it passes all the other tests). When i run
>> nslookup on a windows box, it retrieves the zone. however when i run
>> nslookup on a linux box(my mailserver), it times out.
>> 
>> there is nothing in the dns event log or the dns log.
>> What am i doing wrong? how can i troubleshoot this further? is there
>> something really different about MS dns over bind?
>> thanks
>> 
>
> its a primary zone-
> 
> 
> ;
> ;  Database file sales.charmer.com.dns for sales.charmer.com zone.
> ;  Zone version:  3
> ;
> 
> @   IN  SOA webserver1.charmernydom.csg-it.net. admin.charmernydom.csg-it.net. (
>         3      ; serial number
>         900    ; refresh
>         600    ; retry
>         86400  ; expire
>         3600 ) ; minimum TTL
> 
> ;
> ;  Zone NS records
> ;
> 
> @   NS  webserver1.charmernydom.csg-it.net.
> 
> ;
> ;  Zone records
> ;
> 
> mta1A   208.234.241.112
> MX  10  mta1.sales.charmer.com.
> 

i just changed it to webserver1.charmer.com(charmernydom.csg-it.net is the AD 
name internally). sorry for the goof up.

There is an A record for my mailserver.


RE: [ActiveDir] DNS(again)

2005-02-09 Thread deji
According to webserver1.charmer.com, webserver1.charmer.com is THE NS for
both Charmer.com and sales.charmer.com
 
According to the output you've just posted webserver1.charmernydom.csg-it.net
 
According to the world, webserver1.charmernydom.csg-it.net does not exist
 
According to webserver1.charmer.com, there is no A record whatsoever defined
for anything in sales.charmer.com
 
According to my research, you need to tell us more about
webserver1.charmer.com and webserver1.charmernydom.csg-it.net and the
relationship between them and what you EXPECT to see happen.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Kern, Tom
Sent: Wed 2/9/2005 6:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS(again)



Rick Kingslan wrote:
> Tom,
>
> If I do an nslookup against sales.charmer.com, I get the SOA with no
> problem.  There are no other records in that zone, but it responds.
>
> Are you running AD integrated?  If so, can you temporarily change it
> back to Primary and cut and paste the .dns file for sales.charmer.com
> out to us to take a look at?  It's text, much like the BIND files
> you've seen, so just put it right into the body of the message.
>
> You'll find these (if memory serves) in %systemroot%\System32\DNS
>
> -rtk
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, February 09, 2005 8:20 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] DNS(again)
>
> Hi, i posted earlier so i apologize for reposting but this dns issue is
> driving me to distraction-
>
> I have a registered  internet domain called charmer.com running on a
> win2k sp4 dns server. everything is fine with that. however created a
> new zone called sales.charmer.com and delegated auth for that zone to
> the same server creating all the glue records. it also contains an
> mx/A record to my mail gateway.
> However mail never arrives because no one can find this
> domain(including my mailserver)
> When i run a report on dnsreports.com, i get an error that the
> nameserver did not respond(it passes all the other tests). When i run
> nslookup on a windows box, it retrieves the zone. however when i run
> nslookup on a linux box(my mailserver), it times out.
>
> there is nothing in the dns event log or the dns log.
> What am i doing wrong? how can i troubleshoot this further? is there
> something really different about MS dns over bind?
> thanks

its a primary zone-


;
;  Database file sales.charmer.com.dns for sales.charmer.com zone.
;  Zone version:  3
;

@   IN  SOA webserver1.charmernydom.csg-it.net. admin.charmernydom.csg-it.net. (
                3        ; serial number
                900      ; refresh
                600      ; retry
                86400    ; expire
                3600   ) ; minimum TTL

;
;  Zone NS records
;

@   NS  webserver1.charmernydom.csg-it.net.

;
;  Zone records
;

mta1    A   208.234.241.112
        MX  10  mta1.sales.charmer.com.
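
The mismatch discussed in this message, checked mechanically. This is an added example, not part of the original thread: it parses a zone file like the one posted and flags SOA/NS/MX server names that outside resolvers cannot use. The function names, the `public_names` and `internal_suffixes` inputs and the finding labels are assumptions of this sketch; the sample zone is constructed from the file posted above.

```python
# Added example: constructed zone text modelled on the file posted in the thread.
SAMPLE_ZONE = """\
@   IN  SOA webserver1.charmernydom.csg-it.net. admin.charmernydom.csg-it.net. (
            3      ; serial number
            900    ; refresh
            600    ; retry
            86400  ; expire
            3600 ) ; minimum TTL
@           NS     webserver1.charmernydom.csg-it.net.
mta1        A      208.234.241.112
            MX     10  mta1.sales.charmer.com.
"""

RR_TYPES = {"SOA", "NS", "A", "MX", "CNAME"}
# Position of the server name inside each record type's RDATA.
TARGET_INDEX = {"SOA": 0, "NS": 0, "MX": 1}


def norm(name):
    """Lower-case a domain name and give it exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_tokens)] for the record types in RR_TYPES."""
    origin = norm(origin)
    records, owner, pending, depth, inherits = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if depth == 0:                              # first line of a new record
            inherits = line[0] in " \t"             # leading blank: reuse last owner
            pending = []
        depth += line.count("(") - line.count(")")
        pending += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:                               # still inside a ( ... ) group
            continue
        tokens = pending
        if not inherits:
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                           # optional TTL and class
        if tokens and tokens[0].upper() in RR_TYPES:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def lint_delegation(records, origin, public_names, internal_suffixes):
    """Flag server names in SOA/NS/MX data that outside resolvers cannot use.

    public_names: names the caller has confirmed resolve from the internet.
    internal_suffixes: private namespaces, such as an internal AD domain.
    Returns a list of (finding, record_type, target_name) tuples.
    """
    origin = norm(origin)
    public = {norm(n) for n in public_names}
    internal = [norm(s) for s in internal_suffixes]
    has_addr = {owner for owner, rtype, _ in records if rtype == "A"}
    findings = []
    for _, rtype, rdata in records:
        idx = TARGET_INDEX.get(rtype)
        if idx is None or len(rdata) <= idx:
            continue
        target = fqdn(rdata[idx], origin)
        if any(target == s or target.endswith("." + s) for s in internal):
            findings.append(("internal-name-published", rtype, target))
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in has_addr:
            findings.append(("no-address-in-zone", rtype, target))
        elif not in_zone and target not in public:
            findings.append(("not-publicly-resolvable", rtype, target))
    return findings


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "sales.charmer.com")
    for finding in lint_delegation(recs, "sales.charmer.com", [],
                                   ["charmernydom.csg-it.net"]):
        print(finding)
```

Run against the posted file, the SOA and NS records are each flagged twice: the server name sits in the internal AD namespace and is not on the list of publicly resolvable names, while the MX target passes because `mta1` has an A record in the zone.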




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy Andersson
LOL! :P

/J 


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Jimmy always sees his shadow around this time - Summit must be around the
corner :-p
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 2/9/2005 6:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor



Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
-- www.qadvice.com --





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.

Yours, Sakari






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor
   
   

  Hi, 

clipclipclip

Regards,
Jorge

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread deji
Jimmy always sees his shadow around this time - Summit must be around the
corner :-p
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Wed 2/9/2005 6:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor



Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

-
Jimmy Andersson, Q Advice AB
 Principal Advisor
 Microsoft MVP - Directory Services
-- www.qadvice.com --





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.

Yours, Sakari






From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor
   
   

  Hi, 

clipclipclip

Regards,
Jorge

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




RE: [ActiveDir] Built-in Defragger and Clustering

2005-02-09 Thread Dan DeStefano
That did sound like a silly superstition
to me. Anyway, do you use the built-in defragger to defragment your shared
cluster drives?

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 12:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built-in Defragger and Clustering

Dan,

Been working with
Clusters for a number of years, and I have never heard of this.  I can
ping a couple folks, but I can’t surmise what the problem would be.
If data is re-ordered, the disk is going to work fine one way or another.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Tuesday, February 08, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built-in Defragger and Clustering

It has been suggested to me that
W2k’s built-in defragger should not be used to defrag a shared disk in a
MSCS cluster. I am hesitant to believe this since the fact that the servers are
clustered does not change how the data is written to the disk, correct? So, is
there any foundation for this belief?

Daniel DeStefano
PC Support Specialist

IAG Research
345 Park Avenue South, 12th Floor
New York, NY 10010
T. 212.871.5262
F. 212.871.5300

www.iagr.net


RE: [ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
Rick Kingslan wrote:
> Tom,
> 
> If I do an nslookup against sales.charmer.com, I get the SOA with no
> problem.  There are no other records in that zone, but it responds.
> 
> Are you running AD integrated?  If so, can you temporarily change it
> back to Primary and cut and paste the .dns file for sales.charmer.com
> out to us to take a look at?  It's text, much like the BIND files
> you've seen, so just put it right into the body of the message.
> 
> You'll find these (if memory serves) in %systemroot%\System32\DNS
> 
> -rtk
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Wednesday, February 09, 2005 8:20 AM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] DNS(again)
> 
> Hi, i posted earlier so i apologize for reposting but this dns issue is
> driving me to distraction-
> 
> I have a registered  internet domain called charmer.com running on a
> win2k sp4 dns server. everything is fine with that. however created a
> new zone called sales.charmer.com and delegated auth for that zone to
> the same server creating all the glue records. it also contains an
> mx/A record to my mail gateway.
> However mail never arrives because no one can find this
> domain(including my mailserver)
> When i run a report on dnsreports.com, i get an error that the
> nameserver did not respond(it passes all the other tests). When i run
> nslookup on a windows box, it retrieves the zone. however when i run
> nslookup on a linux box(my mailserver), it times out.
> 
> there is nothing in the dns event log or the dns log.
> What am i doing wrong? how can i troubleshoot this further? is there
> something really different about MS dns over bind?
> thanks

its a primary zone-


;
;  Database file sales.charmer.com.dns for sales.charmer.com zone.
;  Zone version:  3
;

@   IN  SOA webserver1.charmernydom.csg-it.net. admin.charmernydom.csg-it.net. (
                3        ; serial number
                900      ; refresh
                600      ; retry
                86400    ; expire
                3600   ) ; minimum TTL

;
;  Zone NS records
;

@   NS  webserver1.charmernydom.csg-it.net.

;
;  Zone records
;

mta1    A   208.234.241.112
        MX  10  mta1.sales.charmer.com.




RE: [ActiveDir] DNS(again)

2005-02-09 Thread Rick Kingslan
Tom,

If I do an nslookup against sales.charmer.com, I get the SOA with no
problem.  There are no other records in that zone, but it responds.  

Are you running AD integrated?  If so, can you temporarily change it back to
Primary and cut and paste the .dns file for sales.charmer.com out to us to
take a look at?  It's text, much like the BIND files you've seen, so just
put it right into the body of the message.

You'll find these (if memory serves) in %systemroot%\System32\DNS

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, February 09, 2005 8:20 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] DNS(again)

Hi, i posted earlier so i apologize for reposting but this dns issue is
driving me to distraction-

I have a registered  internet domain called charmer.com running on a win2k
sp4 dns server. everything is fine with that. however created a new zone
called sales.charmer.com and delegated auth for that zone to the same server
creating all the glue records. it also contains an mx/A record to my mail
gateway.
However mail never arrives because no one can find this domain(including my
mailserver)
When i run a report on dnsreports.com, i get an error that the nameserver
did not respond(it passes all the other tests). When i run nslookup on a
windows box, it retrieves the zone. however when i run nslookup on a linux
box(my mailserver), it times out.

there is nothing in the dns event log or the dns log.
What am i doing wrong? how can i troubleshoot this further? is there
something really different about MS dns over bind?
thanks



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy Andersson
I've been somewhere in time... As usual ;)

/The Swede


-
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.
 
And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.
 
While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




[ActiveDir] DNS(again)

2005-02-09 Thread Kern, Tom
Hi, i posted earlier so i apologize for reposting but this dns issue is driving 
me to distraction-

I have a registered  internet domain called charmer.com running on a win2k sp4 
dns server. everything is fine with that. however created a new zone called 
sales.charmer.com and delegated auth for that zone to the same server creating 
all the glue records. it also contains an mx/A record to my mail gateway.
However mail never arrives because no one can find this domain(including my 
mailserver)
When i run a report on dnsreports.com, i get an error that the nameserver did 
not respond(it passes all the other tests). When i run nslookup on a windows 
box, it retrieves the zone. however when i run nslookup on a linux box(my 
mailserver), it times out.
there is nothing in the dns event log or the dns log.
What am i doing wrong? how can i troubleshoot this further? is there something 
really different about MS dns over bind?
thanks



RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Rick Kingslan
Where the hell have _YOU_ been, you little over-cooked Swede?

:OD  Great to hear from you!

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jimmy
Sent: Wednesday, February 09, 2005 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor

Isn't that what Access-based Directory Enumeration do? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.
 
And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.
 
While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a begin. AND
maybe some day (Windows 2011?) will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




RE: [ActiveDir] users with power user rights

2005-02-09 Thread Rick Kingslan
Nope - not forgetting it at all - just didn't point that out explicitly.
:o)

Fact of that matter is you can't add users to local groups unless that
_user_ is already a member with the rights and permissions to do so.  

I ran into it as well  Mine was just a brick wall...  :-D

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, February 09, 2005 12:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] users with power user rights

You are forgetting that you can't use the %username% variable in the startup
script successfully since the script is processed before the logon is
initiated and, as such, before that variable holds anything. I ran into this
a while back and smack into the 4-by-clue :)
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Tue 2/8/2005 9:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] users with power user rights



Login script won't work.  It would have to be a Startup script.  Startup
script runs under LocalSystem, while the context of the login script runs
under that of the user who has just logged on - typically with nothing more
than Domain User rights.  Of course, Domain User won't be enough (I hope!)
to do what this script dictates.

However, the direction is correct - just wrong script location.

-rtk

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason B
Sent: Tuesday, February 08, 2005 8:49 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] users with power user rights

Alternatively, if you use a batch file for a login script, you can just add
something like:

net localgroup "Power Users" /add "domain\ADGroup"
or
net localgroup "administrators" /add "domain\%Username%"

- Original Message -
From: "Tomasz Onyszko" <[EMAIL PROTECTED]>
To: 
Sent: Tuesday, February 08, 2005 6:22 AM
Subject: Re: [ActiveDir] users with power user rights


> Saleem, Mohamed Yunus wrote:
>> Hi everyone
>>
> (..)
>
>>
>> Is it possible to do such policy. Or is there any other way. Please help.
>
> Put these users into some security group, then configure Restricted groups
> in policy object which affects these workstations:
> http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
> http://www.jsiinc.com/SUBG/TIP3200/rh3251.htm
> http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/611.asp
>
>
> --
> Tomasz Onyszko [MVP]
> [EMAIL PROTECTED]
> http://www.w2k.pl


Re: [ActiveDir] DNS resoltuion Issue

2005-02-09 Thread Ertug Gurhan
No I haven't, but unfortunately this issue has been
around, pre-2K3 upgrade as well. Was hoping it would go away, post 2K, but to no
avail.

TY

E

  - Original Message -
  From: John Shukovsky
  To: ActiveDir@mail.activedir.org
  Sent: Wednesday, February 09, 2005 8:41 AM
  Subject: Re: [ActiveDir] DNS resoltuion Issue

  Have you seen this?
  http://support.microsoft.com/default.aspx?scid=kb;en-us;832223

- Original Message -
From: Ertug Gurhan
To: ActiveDir@mail.activedir.org
Sent: Tuesday, February 08, 2005 1:07 PM
Subject: [ActiveDir] DNS resoltuion Issue

Guys, have been having a sporadic issue, on my
network, both when it was a 2K Domain and now since the upgrade to
2K3.

Basic Config is: 7 sites - DC - GC - DNS server
in each site - WINS in each site etc. All DC's are 2K3 AD integrated
DNS.

DC's are configured to use internal addresses
for DNS.

From time to time, we have issues resolving a
domain name, the name is not the same one every time, for example today it
was.

http://www.registrefoncier.gouv.qc.ca/
No clients are able to browse to this site, (site not
found) my only fix so far is to restart the DNS service on the DC for
the site having the issue, and away goes the problem.
If a client statically enters the
external ISP address for DNS resolution, it works.

No forwarders specified in DNS.
It is not client/os specific, mix of NT4 - 2K and
XP
Anyone seen this before?
Thank you
Ertug
 
  
  
  
  This E-mail, including any attachments, may be intended solely for the 
  personal and confidential use of the sender and recipient(s) named above. 
  This message may include advisory, consultative and/or deliberative 
  material and, as such, would be privileged and confidential and not a 
  public document. Any Information in this e-mail identifying a client of 
  the Department of Human Services is confidential. If you have received 
  this e-mail in error, you must not review, transmit, convert to hard copy, 
  copy, use or disseminate this e-mail or any attachments to it and you must 
  delete this message. You are requested to notify the sender by return 
  e-mail. 
  


Re: [ActiveDir] DNS resoltuion Issue

2005-02-09 Thread John Shukovsky



Have you seen this?
http://support.microsoft.com/default.aspx?scid=kb;en-us;832223

  - Original Message -
  From: Ertug Gurhan
  To: ActiveDir@mail.activedir.org
  Sent: Tuesday, February 08, 2005 1:07 PM
  Subject: [ActiveDir] DNS resoltuion Issue

  Guys, have been having a sporadic issue, on my network, both when it was a 2K Domain and now since the upgrade to 2K3.

  Basic Config is: 7 sites - DC - GC - DNS server in each site - WINS in each site etc. All DC's are 2K3 AD integrated DNS.

  DC's are configured to use internal addresses for DNS.

  From time to time, we have issues resolving a domain name, the name is not the same one every time, for example today it was.

  http://www.registrefoncier.gouv.qc.ca/
  No clients are able to browse to this site, (site not found) my only fix so far is to restart the DNS service on the DC for the site having the issue, and away goes the problem.
  If a client statically enters the external ISP address for DNS resolution, it works.

  No forwarders specified in DNS.
  It is not client/os specific, mix of NT4 - 2K and XP
  Anyone seen this before?
  Thank you
  Ertug
   
   





RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/A D with NDS migra tor

2005-02-09 Thread Jorge de Almeida Pinto



Sakari,
 
I personally think there are a lot of people with the same dreams as yours concerning functionality in Windows and/or AD

Other possible dreams:
* multiple replicas (writable partitions) per server
* different password policies within a partition (now you need a separate domain for this)
* loginscripts at container level and not within a GPO
* ??  and I know there's more that I cannot think of right now
 
Cheers,
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, 9 February 2005 12:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

It's been my dream over ten years that NTFS would get similar permission feature to what has been in NetWare all these years. When a user has permissions to a given subfolder, it's almost always most logical that this subfolder (automatically or implicitly up to the root) would become visible to her. And vice versa, when she has no permissions to a subfolder, it would be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be most welcome in AD. That is, each OU would be a sec prin, so if you want to grant permissions to all people in the Sales OU, you wouldn't have to create a parallel sec group for that.

Yours, Sakari
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Wednesday, February 09, 2005 10:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

  Hi,
  clipclipclip
  Regards,
  Jorge
  PS.: I'm glad MS is going toward the permissions structure (with W2K3 SP1) like Novell has. It is still not perfect, but it's a beginning. AND maybe some day (Windows 2011?) we will be able to configure file system permissions through AD like that is possible with the NDS. The possibility of configuring permissions for the file system through GPOs is a nice feature but far from perfect. Also any thoughts on this are welcome.





RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jimmy
Isn't that what Access-based Directory Enumeration does? This feature is not
enabled by default in SP1, though. I haven't tried the feature yet so I
can't verify it.

Regards,
/Jimmy

- 
Jimmy Andersson, Q Advice AB 
 Principal Advisor 
 Microsoft MVP - Directory Services 
-- www.qadvice.com -- 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Wednesday, February 09, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD
with NDS migra tor


It's been my dream over ten years that NTFS would get similar permission
feature to what has been in NetWare all these years. When a user has
permissions to a given subfolder, it's almost always most logical that this
subfolder (automatically or implicitly up to the root) would become visible
to her. And vice versa, when she has no permissions to a subfolder, it would
be logical that this subfolder is invisible to her.
 
And it has been my dream for six years that the same would apply to AD, as
has always been with NDS.
 
While we are on the subject, another extremely handy feature of NDS would be
most welcome in AD. That is, each OU would be a sec prin, so if you want to
grant permissions to all people in the Sales OU, you wouldn't have to create
a parallel sec group for that.
 
Yours, Sakari
 





From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, February 09, 2005 10:18 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating access rights from Novell/NDS to
W2K3/AD with NDS migra tor



  Hi,  

clipclipclip 

Regards, 
Jorge 

PS.: I'm glad MS is going toward the permissions structure (with
W2K3 SP1) like Novell has. It is still not perfect, but it's a beginning. AND
maybe some day (Windows 2011?) we will be able to configure file system
permissions through AD like that is possible with the NDS. The possibility
of configuring permissions for the file system through GPOs is a nice
feature but far from perfect. Also any thoughts on this are welcome.




RE: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Sakari Kouti



It's been my dream over ten years that NTFS would get similar permission feature to what has been in NetWare all these years. When a user has permissions to a given subfolder, it's almost always most logical that this subfolder (automatically or implicitly up to the root) would become visible to her. And vice versa, when she has no permissions to a subfolder, it would be logical that this subfolder is invisible to her.

And it has been my dream for six years that the same would apply to AD, as has always been with NDS.

While we are on the subject, another extremely handy feature of NDS would be most welcome in AD. That is, each OU would be a sec prin, so if you want to grant permissions to all people in the Sales OU, you wouldn't have to create a parallel sec group for that.

Yours, Sakari
 

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Wednesday, February 09, 2005 10:18 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

  Hi,
  clipclipclip
  Regards,
  Jorge
  PS.: I'm glad MS is going toward the permissions structure (with W2K3 SP1) like Novell has. It is still not perfect, but it's a beginning. AND maybe some day (Windows 2011?) we will be able to configure file system permissions through AD like that is possible with the NDS. The possibility of configuring permissions for the file system through GPOs is a nice feature but far from perfect. Also any thoughts on this are welcome.
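
The NetWare-style visibility rule discussed in this thread, modelled on the directory tree and group memberships from the original question, as an added example that is not part of any poster's message. The function names are hypothetical, and granting a non-inherited list ACE on each intermediate folder is one assumed way to reproduce the behaviour on NTFS.

```python
from pathlib import PureWindowsPath

# Explicit trustee assignments from the thread's example tree (relative to U:\).
TRUSTEES = {
    r"DIR1\SUBDIR1": {"GROUP1"},
    r"DIR1\SUBDIR2": {"GROUP2"},
    r"DIR2\SUBDIR3": {"GROUP3"},
    r"DIR2\SUBDIR4": {"GROUP4"},
}
# Group memberships as stated in the original question.
MEMBERSHIPS = {"USER1": {"GROUP1"}, "USER2": {"GROUP1", "GROUP4"}}


def ancestors(path):
    """Return every parent folder of `path`, nearest first, excluding the root."""
    parts = PureWindowsPath(path).parts
    return ["\\".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def netware_visible(user):
    """Folders a user sees when a trustee assignment also exposes its ancestors."""
    groups = MEMBERSHIPS[user]
    visible = set()
    for folder, trustees in TRUSTEES.items():
        if groups & trustees:
            visible.add(folder)
            visible.update(ancestors(folder))
    return visible


def ntfs_list_aces():
    """Map each intermediate folder to the groups that need a list ACE on it.

    Assumption: the ACE is applied to 'this folder only' so that it is not
    inherited by sibling subfolders the group has no trustee on.
    """
    needed = {}
    for folder, trustees in TRUSTEES.items():
        for parent in ancestors(folder):
            needed.setdefault(parent, set()).update(trustees)
    return needed


if __name__ == "__main__":
    for user in sorted(MEMBERSHIPS):
        print(user, sorted(netware_visible(user)))
    for folder, groups in sorted(ntfs_list_aces().items()):
        print(folder, "needs list ACE (this folder only) for", sorted(groups))
```

A list ACE on DIR1 for GROUP1 also reveals the name of SUBDIR2 to GROUP1 members, although they still cannot open it; hiding such entries is the job of access-based enumeration, not of the ACL.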


[ActiveDir] Migrating access rights from Novell/NDS to W2K3/AD with NDS migra tor

2005-02-09 Thread Jorge de Almeida Pinto





Hi,


We are migrating from Novell and NT4 (single domain) to Windows 2003/AD.


We are using Quest NDS Migrator to migrate files (INCL. permissions) from Novell File Server to Windows 2003 file server.

SOURCE ENVIRONMENT:
* Novell File Servers with Novell NDS
* Windows NT4 domain
* Windows 95/98 clients with the Novell client authenticate to the NDS and to the Windows NT4 domain


TARGET ENVIRONMENT:
* Windows 2003 AD domain
* Windows 2003 File servers
* ACLs on migrated data are assigned to AD domain local groups
* AD users are members of the AD domain local groups and corresponding NT4 users are also members of the AD domain local groups

We are experiencing the following issue:


Take a Novell server with a volume called VOL1 so that the UNC path is \\NOVELLSRV\VOL1

Beneath VOL1 the following directory structure exists:
\\NOVELLSRV\VOL1\
  DATA\
    COMMON\ --> no trustees assigned!
      DIR1\ --> no trustees assigned!
        SUBDIR1 --> explicitly assigned trustee = GROUP1
        SUBDIR2 --> explicitly assigned trustee = GROUP2
      DIR2\ --> no trustees assigned!
        SUBDIR3 --> explicitly assigned trustee = GROUP3
        SUBDIR4 --> explicitly assigned trustee = GROUP4

Users have a mapping U: to \\NOVELLSRV\VOL1\DATA\COMMON (the contents of COMMON is the same as U:)


USER 1 is a member of GROUP1
USER 2 is a member of GROUP1 and GROUP4
Neither USER1 nor USER2 is a member of GROUP2 or GROUP3!!!


* When USER1 connects to U: he sees:
 U:\
   DIR1\ --> no trustees assigned!
     SUBDIR1 --> explicitly assigned trustee = GROUP1

USER1 implicitly has the right to enter DIR1 (he sees nothing else) so that he's able to access the contents of SUBDIR1

* When USER2 connects to U: he sees:
 U:\
   DIR1\ --> no trustees assigned!
     SUBDIR1 --> explicitly assigned trustee = GROUP1
   DIR2\ --> no trustees assigned!
     SUBDIR4 --> explicitly assigned trustee = GROUP4

USER2 implicitly has the right (I think in Novell it is called File Scan) to enter DIR1 (he sees nothing else) so that he's able to access the contents of SUBDIR1

USER2 implicitly has the right (I think in Novell it is called File Scan) to enter DIR2 (he sees nothing else) so that he's able to access the contents of SUBDIR4

Quest NDS Migrator has not been configured with default ACLs so that NDS Migrator uses as default ACL DOMAIN ADMINS with Full Control

USER1 and USER2 in the NDS have been matched with USER1 and USER2 in AD
GROUP1, GROUP2, GROUP3 and GROUP4 have been migrated to AD including the memberships


After the data is migrated to Windows 2003 the following issue occurs:


The folder SUBDIR1 has an ACE explicitly defined to GROUP1 (equivalent to the permissions assigned to GROUP1 in the NDS)

The folder SUBDIR2 has an ACE explicitly defined to GROUP2 (equivalent to the permissions assigned to GROUP2 in the NDS)

The folder SUBDIR3 has an ACE explicitly defined to GROUP3 (equivalent to the permissions assigned to GROUP3 in the NDS)

The folder SUBDIR4 has an ACE explicitly defined to GROUP4 (equivalent to the permissions assigned to GROUP4 in the NDS)

* When USER1 or USER2 connects to U: (now mapped to a UNC path on the Windows server) they see:
 U:\
  DIR1\ --> ACL = DOMAIN ADMINS with FC
  DIR2\ --> ACL = DOMAIN ADMINS with FC


THE ISSUES:
* USER1 is not able to access SUBDIR1 because it is not able to navigate through DIR1 as it does not have explicit permissions defined (this was also the case in Novell)

* USER2 is not able to access SUBDIR1 because it is not able to navigate through DIR1 as it does not have explicit permissions defined (this was also the case in Novell)

* USER2 is not able to access SUBDIR4 because it is not able to navigate through DIR2 as it does not have explicit permissions defined (this was also the case in Novell)


How can this situation be solved so that USER1 and USER2 can navigate through the folders DIR1 and DIR2?


In Novell permissions do not only flow down the structure but they also go up the structure so that users can access folders on a lower level if permissions have been assigned to that lower level (to a group the user is a member of)

Shouldn't NDS Migrator calculate the permissions that are