RE: [ActiveDir] Creating a backlink and forwardlink
Eric is from Microsoft. He was an AD CPR engineer (recently changed) which means he was actually debugging AD failures like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it. I do trust Eric almost implicitly which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Got it. I love magical programming features :) You guys rock!
I did a bunch of googles on this subject and came up with nothing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I think the question was, the number that I used as my sample linkID, is that a special number or should you use your own. The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which will create link IDs for you. Don't think of the linkID value I used as an OID, think of it as magical and special. :)

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sure, but if you are on Windows 2003 or AD/AM you don't have to. That is the beauty of this, that OID causes AD to autogenerate a link ID that is guaranteed unique. The only reasons you should really use linkids you get from MS anymore is if you do make decisions based on linkid values (not just the existence of) or you need to use the schema mods on Windows 2000 AD. BTW, I believe I do recall you from DEC even with my old failing memory. :oP

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

One more question about autolinking. In the example that is shown on the blog you sent, the forward LinkID appears to be an OID. Is that correct? Can I select an OID from my pool and use it as the LinkID for the forward link?
Thanks Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sorry I missed the link to the info in your first message. Thanks joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I do have an OID from Microsoft. I knew that picking my own LinkID had to be a bad thing, but I didn't know of any other way to get it. Can you expand on autolinking? Thanks Joe, BTW this is the Joe that you met at DEC in Virginia. This is my first Post! Thanks for letting me know about this distribution list.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Small correction, you will
RE: [ActiveDir] OT: Command shell under RUNAS
This appears to be an issue with the backend API call that is used, CreateProcessWithLogonW because my cpau tool has the same issue, I saw that quite a while ago and didn't see a quick way around it.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 09, 2005 5:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

I hadn't noticed this before but I can confirm that with the ping test. Not a XP SP2 issue though, that was on W2K workstation. Likely a runas issue.

al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

To give two examples...I started a continuous ping within one of them and a w32tm -stripchart in the other. Since I didn't specify a finite count in either, they ran forever, and CTRL-C or CTRL-BREAK had no effect.

-DaveC
Reuters AITS Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Wednesday, March 09, 2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Command shell under RUNAS

I do this, but I hadn't noticed that behavior. What situation are you seeing this with? Any particular app?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, March 09, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command shell under RUNAS

For those that run command shells under different security contexts with RUNAS...(XP SP2) ...do you notice that interrupt handling does not work as expected (CTRL-C/BREAK)?
-DaveC
Reuters Infrastructure

- Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Have fun at DEC
At least I heard the chicken this year, I never had heard it. I was pretty well toasted at the time and thought a goose was running around the conference room.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Saturday, March 12, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Have fun at DEC

I believe I am the proud owner of the last DEC chicken. Gil gave it to me at DEC in Ontario. Sure wish I could have made it to DEC this year.

Dan

Original Message
Subject: RE: [ActiveDir] Have fun at DEC
From: joe [EMAIL PROTECTED]
Date: Fri, March 11, 2005 5:16 pm
To: ActiveDir@mail.activedir.org

Unfortunately Gil doesn't do that anymore. He did the last chicken I think 2 years back I think. I know for sure he didn't do one last year. He needs T-Shirts that say... I went to DEC to get a rubber chicken but all I got was this lousy t-shirt.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Friday, March 11, 2005 6:51 PM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Have fun at DEC

For all you folks who are going to DEC, have a great time and good luck getting the rubber chicken.

Phil (re-subscribed with new address)
RE: [ActiveDir] Can you expire a computer account in AD
Several things

1. Yes computer accounts can be expired (do not confuse with password expiration), in fact, oldcmp will expire accounts for you as well with the -stamp option. You use it with disable though the help is screwed up on it so if you weren't aware, don't worry, my fault. The intent is to mark it so you know when the account was disabled. ADUC doesn't expose the ability to expire. However it can be done. The computer account will be unavailable when the computer tries to auth as well. You could also just disable the account and get the same effect.

2. Computer account passwords do not expire. The computers reset them on their own time frame. By default, NT will do it every 7 days. 2K+ will do it every 30 days. However, it isn't required.

3. lastLogonTimeStamp does indeed work on computers, use -llts in oldcmp to use it.

4. lastLogonTimeStamp is updated based on a value setting on the NC head object, specifically the msDS-LogonTimeSyncInterval attribute. The default is not set and I believe that translates, as Al indicated, to 7 days, but for some reason I sometimes think 10 days. This can be modified, for instance I have my test lab set to 4 days right now. Replication of that attribute is normal replication, it is the updating of it that is staggered. You don't just want to arbitrarily crank this value down because it could cause considerable replication if you have lots of machines.

5. Definitely disable and possibly move to a different location. If you are just starting I would recommend creating a report of all machines over say 180 days old for passwords or lastLogonTimeStamp. Look at the range and if you have stuff way out there like 200+ days slowly start working with those and work your way back to say 90 or so days. Keep the help desk in the loop to let them know this is happening, maybe even supplying them the reports that oldcmp generates.
Tell users they need to hook up to the corporate network every 90 or so days at least or risk having to contact the help desk to get their machine re-added to the domain. You don't want to be held hostage and be unable to clean up because it could get to be quite a mess.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, March 17, 2005 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can you expire a computer account in AD

I suppose the limitations should be pointed out, so here goes. The reason you wouldn't want just lastlogontimestamp is something that was discussed here a little while back. Basically, it's that as a datapoint, it's not enough information to accurately figure out which objects are not being used. To make it worse, LLTStamp is a replicated and latent attribute. Put another way, its accuracy is only within 7 days which is the replication schedule for that attribute. Comp accounts are 30 day intervals, but you run the risk of disabling/removing something that is a valid account if you rely on this solely. Using this in conjunction with password last set should reduce the error rate exponentially as it's yet another indicator of activity. Keep in mind that a valid computer account neither has to log on nor change their password on that schedule to be valid. Consider laptops as an example, especially laptops that stay off the network for long periods of time (year at a time?). I can honestly say that I think it's ridiculous to have a corporate resource that stays off the network for extended periods, but they do exist and have to be accounted for in some fashion. I believe that's why the requirement to disable vs. remove entirely came into the picture. Just something to be aware of when using this information.
Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Singler
Sent: Thursday, March 17, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

it is in oldcmp:

oldcmp -llts

[EMAIL PROTECTED] wrote:

I read this somewhere and had to confirm. Looks like if you're 2003 domain functional - lastLogonTimestamp works for computers as well. Unfortunately, it's not exposed in tools like DSGET. Maybe joe will add this as a switch to oldcmp - as well as user accounts.

-m

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of P West
Sent: Tuesday, March 15, 2005 3:24 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Can you expire a computer account in AD

That's exactly what i intend to do. Disable those suckers. thanks all

- Original Message -
From: Mulnick, Al [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 15, 2005 2:44 PM
Subject: RE: [ActiveDir] Can you expire a computer account in AD

Because it derives from the User class, I can't think of a reason why you couldn't set that value. I'm not
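Added example for the thread above, not oldcmp and not code from any of the posters: a stale-computer report that combines pwdLastSet and lastLogonTimestamp as Al suggests, pads lastLogonTimestamp by the sync interval so a machine is not flagged while its stamp may still be behind, and sorts oldest first so cleanup can begin with the 200+ day machines joe describes. The account records, the 7-day slack and the March 2005 "now" are constructed assumptions.

```python
# Added example for the thread above; not oldcmp and not anyone's posted code.
# Combines pwdLastSet and lastLogonTimestamp (both AD FILETIME values) to find
# stale computer accounts, treating lastLogonTimestamp as accurate only to the
# sync interval, as Al cautions. All records below are constructed sample data.
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ACCOUNTDISABLE = 0x0002              # userAccountControl bit: account disabled
WORKSTATION_TRUST_ACCOUNT = 0x1000   # userAccountControl bit set on computers
NEVER = 0x7FFFFFFFFFFFFFFF           # FILETIME sentinel AD uses for "never"


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """FILETIME is the count of 100-ns ticks since 1601-01-01 UTC; 0 or the
    'never' sentinel means the attribute was never set."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def last_activity(account: dict, llts_sync_days: int) -> Optional[datetime]:
    """Latest point at which this machine is known to have talked to a DC.
    lastLogonTimestamp is only rewritten once the stored value is older than
    msDS-LogonTimeSyncInterval, so the real last logon may be up to that many
    days later than the stamp: add that slack instead of trusting the stamp."""
    seen = []
    pwd = filetime_to_datetime(account.get("pwdLastSet", 0))
    if pwd:
        seen.append(pwd)
    llts = filetime_to_datetime(account.get("lastLogonTimestamp", 0))
    if llts:
        seen.append(llts + timedelta(days=llts_sync_days))
    return max(seen) if seen else None


def stale_report(accounts, now: datetime, threshold_days: int = 90,
                 llts_sync_days: int = 7):
    """Rows of (sAMAccountName, age_in_days, verdict), oldest first, so the
    cleanup can start with the 200+ day machines and work back toward 90.
    Already-disabled accounts are skipped; accounts with neither indicator set
    (pre-staged, never joined) are reported separately as 'never-used'."""
    rows = []
    for acct in accounts:
        if acct.get("userAccountControl", 0) & ACCOUNTDISABLE:
            continue
        seen = last_activity(acct, llts_sync_days)
        if seen is None:
            rows.append((acct["sAMAccountName"], None, "never-used"))
            continue
        age = max(0, (now - seen).days)   # slack can push 'seen' past now
        rows.append((acct["sAMAccountName"], age,
                     "stale" if age > threshold_days else "active"))
    rows.sort(key=lambda r: -1 if r[1] is None else r[1], reverse=True)
    return rows


# Constructed sample data, dated to the week of the thread (assumption).
NOW = datetime(2005, 3, 17, tzinfo=timezone.utc)


def _days_ago(n: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=n))


SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "WS-OLD$", "pwdLastSet": _days_ago(250),
     "lastLogonTimestamp": _days_ago(240),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    # Laptop off the network for months: the stamp is 95 days old, but with
    # the sync slack it may have logged on 88 days ago, so it is not flagged.
    {"sAMAccountName": "LAPTOP-SALES$", "pwdLastSet": _days_ago(120),
     "lastLogonTimestamp": _days_ago(95),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-NEW$", "pwdLastSet": _days_ago(5),
     "lastLogonTimestamp": _days_ago(20),
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-STAGED$", "pwdLastSet": 0,
     "lastLogonTimestamp": 0,
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT},
    {"sAMAccountName": "WS-GONE$", "pwdLastSet": _days_ago(400),
     "lastLogonTimestamp": 0,
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE},
]

if __name__ == "__main__":
    for name, age, verdict in stale_report(SAMPLE_ACCOUNTS, NOW):
        print(f"{name:15} {str(age):>5} {verdict}")
```

Feed it the attributes pulled by oldcmp or an LDAP query and raise the threshold to 180 for a first pass, as joe recommends, before tightening toward 90.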
RE: [spam] RE: [ActiveDir] Workstation Add User
Yes, if the value is populated, adfind will decode it to a friendly format SID string.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, March 14, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [spam] RE: [ActiveDir] Workstation Add User

I have found the security log to be the most reliable source for this type of info. Of course if you're not using MOM, or some other event log mining utility, it makes this particular solution kind of difficult.

The alternate way (not pleasing either):

dsquery * cn=ComputerName,dc=company,dc=com -attr ms-ds-creatorsid

This should spit out the SID of the security principal that created the object. It only does this in HEX though. The last two bytes are the RID of the user, which, after making into WORD order and then changing to decimal, you then prepend with your domain SID in order to translate into a user name! (the domain SID is in the output too, but hopefully that is already known to you)

Sorry that the last paragraph is a mess! I can try to clarify with an example, but maybe Joe's ADFIND already goes one or two better than this and does some translating? I haven't had a chance to play with it yet.

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: [spam] RE: [ActiveDir] Workstation Add User

Owner of the computer? I see no such attribute, what am I missing?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thorbjörn Sjövold
Sent: Monday, March 14, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

When the computer object is created the Owner of the computer object is the user that added the computer, but of course this is a value that can be changed if someone has the correct permissions.
And another thing that might spoil your statistics is that if a member of Domain Admins adds the computer then Domain Admins is the owner and not the specific administrator.

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Specops Deploy, Takes Group Policy Based Software Deployment to the next level

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstation Add User

Is there a way to tell who added a machine to the domain? I would like to do this to get some statistics on who is actually adding machines.
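Added example for the thread above, not adfind's code and not from any of the posts: it decodes the hex that dsquery prints for mS-DS-CreatorSID into the familiar S-1-5-... string, splits off the RID that DaveC describes extracting by hand, and flags well-known RIDs such as Domain Admins that name a group rather than a person, the caveat Thorbjörn raises. The hex input and the well-known RID table are constructed for illustration, not read from a real domain.

```python
# Added example for the thread above; not adfind's code and not from any post.
# Decodes the hex that dsquery prints for mS-DS-CreatorSID into the familiar
# S-1-5-... string and splits off the RID, which is the creator the statistics
# need. The hex input is constructed for illustration, not a real domain SID.
import struct

# Well-known RIDs that identify a group or built-in account rather than a
# person (assumed lookup table for the report, not read from the directory).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   519: "Enterprise Admins"}


def sid_from_bytes(raw: bytes) -> str:
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then count x 32-bit little-endian
    sub-authorities. The RID is the last sub-authority, so it is the last
    four bytes in little-endian order, which is the byte swap DaveC means."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"{count} sub-authorities need {8 + 4 * count} "
                         f"bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def decode_creator_sid(hex_text: str) -> dict:
    """Turn dsquery's hex output into the pieces needed to name the creator:
    the full SID, the domain SID (everything but the RID) and the RID itself,
    plus a label when the RID is a well-known group or account."""
    sid = sid_from_bytes(bytes.fromhex(hex_text))   # fromhex tolerates spaces
    domain_sid, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    return {"sid": sid, "domain_sid": domain_sid, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid)}


# Constructed sample: S-1-5-21-1000000-2000000-3000000-1105 as dsquery prints it.
SAMPLE_CREATOR_SID_HEX = "01050000000000051500000040420F0080841E00C0C62D0051040000"

if __name__ == "__main__":
    print(decode_creator_sid(SAMPLE_CREATOR_SID_HEX))
```

The decoder is general, so it also handles SIDs with other sub-authority counts, such as BUILTIN\Administrators (S-1-5-32-544), not just domain account SIDs.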
RE: [ActiveDir] Most Common Problems Encountered through Day to Day operations
I think as with many things with AD, the answer is... it depends. If you have a lot of people with access they shouldn't have you could have a lot of data integrity and configuration issues for instance where someone who locked down to a minimal set of people with rights may have a very small issue with this or possibly no issue at all with it. I am trying to think back to when I did ops (I got out of it almost a year ago now) and we really didn't have any common AD problems that were encountered on a day to day or even week to week basis. We had lots of requests to handle because we didn't let people create many things but the scripts made that a breeze. In actuality I spent my days consulting to vendors, internal developers/integrators, etc and my two co-workers handled the tickets that rolled in which numbered in many thousands a year plus we always had email and phone call requests coming in, it is standard fare in a 250,000 user environment. Our AD was very solid and just sort of cruised along which wasn't always the case. When I first took it over it was a train wreck from mismanagement and configuration issues.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Hicks
Sent: Sunday, March 13, 2005 1:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Most Common Problems Encountered through Day to Day operations

Hello All, Wanted to introduce myself and ask a question. What are the most common AD problems you encounter on the day to day with AD? I wanted to say thanks also for the insightful info. I am learning through this post as well.

Thanks, Scott

Do you Yahoo!? Make Yahoo! your home page
RE: [ActiveDir] Event Log
Just to be specific, event viewer is a simple client tool used to view entries in the event log. It is like notepad reading a file. If you need to get alerts like that, you will need to use a third party tool or script. WMI tends to be good in this space, take a look at some of the WMI web sites or books.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, March 14, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event Log

Please is there any way to make the event viewer trigger an email?

Thanks r.c.
RE: [ActiveDir] Workstation Add User
You want to look at security and look at the ACL Owner. Also if you just look at the DACL portion of the ACL you may see an ACE or multiple ACE's for the specific user who created the object.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

Owner of the computer? I see no such attribute, what am I missing?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thorbjörn Sjövold
Sent: Monday, March 14, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

When the computer object is created the Owner of the computer object is the user that added the computer, but of course this is a value that can be changed if someone has the correct permissions. And another thing that might spoil your statistics is that if a member of Domain Admins adds the computer then Domain Admins is the owner and not the specific administrator.

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Specops Deploy, Takes Group Policy Based Software Deployment to the next level

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstation Add User

Is there a way to tell who added a machine to the domain? I would like to do this to get some statistics on who is actually adding machines.
RE: [ActiveDir] New AD tool hits the web
Interesting, does anyone know what it uses for its back end store to keep that info? I hope it isn't AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, March 15, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New AD tool hits the web

FYI,

Hello,

You are receiving this email as you've participated in the LimitLogin beta program. We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all logins information in Active Directory domains (without necessarily enforcing logons quotas).

The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a bullet proof solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc) in numerous RFPs etc.

LimitLogin capabilities include:

- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating to the Active Directory MMC snap-ins.
- Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.
- Generating Login information reports in CSV (Excel) and XML formats.

Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool).
The public download location is: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Please send any feedback and questions to [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

We would like to thank you for taking part in this beta program and helping us to improve the final bits.

Thanks
The LimitLogin Team

-Original Message-
From: Matt Brown [EMAIL PROTECTED]
Date: Tue, 15 Mar 2005 09:07:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Isn't that link from the Beta? There is no information on Microsoft's site regarding the product other than through the Beta Site. You can find the beast here: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Thanks,
--
Matt Brown [ SELECT * FROM computers WHERE OS MS ]
Information Technology System Specialist
Eastern Washington University

--
Sent from my blackberry.
RE: [ActiveDir] Locate and/or Remove Duplicate Computer Accounts in a W2K AD Enterprise.
A duplicate computer name in the same domain would result in duped samaccountname attributes as well as duped SPN's. You should be seeing events in the error log that could help narrow that down. I would be concerned how these dupes are being created. If you get errors in the event log, then you can search for those specific machines pretty quickly and easily. If not, then you will have to use a script like what Jonathan has provided to find them. But again, this is a pretty big deal to be getting something like that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miller Carol L Contr DYN/ITS
Sent: Friday, March 11, 2005 12:20 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Locate and/or Remove Duplicate Computer Accounts in a W2K AD Enterprise.

No, I am finding duplicate "Computer Names" located in different OUs within our Domain. I am trying to identify them, and after I have created a list of the duplicates, I want to confirm which of the "Computer Accounts" are Active/Current, and then remove the Unused/Duplicates to clean up our Active Directory domain.

Thanks!!!
Carol :: //SIGNED//
Mr. Carol L. Miller, MCP, Contractor
Vance Network Administrator Analyst, System Administrator
DYN/ITS Vance Support Division
DynCorp - A CSC Company
Vance AFB, OK
DSN: 448-7143, Com: (580) 213-7143
E-Mail: [EMAIL PROTECTED]
https://www.vance.af.mil/

Official Disclaimer Notice: This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.
-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 11, 2005 9:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Locate and/or Remove Duplicate Computer Accounts in a W2K AD Enterprise.

Do you mean you are getting the duplicate SPN errors in the event log or ???

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Miller Carol L Contr DYN/ITS
Sent: Friday, March 11, 2005 9:03 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Locate and/or Remove Duplicate Computer Accounts in a W2K AD Enterprise.

Has anyone found a good method of identifying Duplicate "Computer Account" objects in a Windows 2000 Active Directory Enterprise? I have attempted to use the "DSQUERY" command from the "Windows 2003 Admin Pak" but I receive error messages indicating that the program is not compatible with the specified domain. I would greatly appreciate any ideas that you may have regarding this topic. I also have confirmed that the duplicate "Computer Account" objects all appear to have unique SIDs. I am still unclear how they are getting created, but I need to identify them, and remove the ones that are not in use. Again, Thanks for any insight you may be able to share regarding this issue.

Thanks!!!
Carol :: //SIGNED//
Mr. Carol L. Miller, MCP, Contractor
Vance Network Administrator Analyst, System Administrator
DYN/ITS Vance Support Division
DynCorp - A CSC Company
Vance AFB, OK
DSN: 448-7143, Com: (580) 213-7143
E-Mail: [EMAIL PROTECTED]
https://www.vance.af.mil/
RE: [ActiveDir] Active Directory and LDAP
I saw a couple of these given out by Gil himself at DEC Wednesday... I didn't get one though.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Sunday, March 13, 2005 9:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory and LDAP

Late in replying - been at the Publisher's Conference this week.

I recommend your book a lot as well, in fact there is at least one list member that has been trying to buy the darn thing based on my recommendation but can't find it anywhere I have pointed at a couple of resources, it was actually ordered from one resource (ebay) and the member got a note back saying, oh sorry, I haven't had that in stock for over a year So get with it Gil! Reprints! And don't forget about getting me royalties for people I send that way. ;oP

Uhhh...yeah, that list member would be me. :-) Reprints! Reprints! REPRINTS! :-)

Laura
RE: [ActiveDir] cant join domain
LOL. The ActiveDir.org list has become a trouble ticketing system...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Witasick
Sent: Monday, March 14, 2005 1:27 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] cant join domain

Please contact me directly so I can assist with this issue. Thanks.

John Witasick
Manager - Windows Networking Services
Computer Operations Group
NJ Department of Human Services
Office of Information Systems - Network Operations

- Original Message -
From: [EMAIL PROTECTED]
To: activedir@mail.activedir.org
Sent: Saturday, March 12, 2005 6:45 AM
Subject: [ActiveDir] cant join domain

Having a problem configuring a workstation to join the domain. Error message: "Your computer could not join the domain because the following error has occurred: the network path was not found."
Status:
1. workstation can PING the server
2. workstation can ping other workstation1
3. workstation currently joined to workgroup
Other workstations did not encounter this error, same running O/S.
thank u
cyrus

This E-mail, including any attachments, may be intended solely for the personal and confidential use of the sender and recipient(s) named above. This message may include advisory, consultative and/or deliberative material and, as such, would be privileged and confidential and not a public document. Any Information in this e-mail identifying a client of the Department of Human Services is confidential. If you have received this e-mail in error, you must not review, transmit, convert to hard copy, copy, use or disseminate this e-mail or any attachments to it and you must delete this message. You are requested to notify the sender by return e-mail.
RE: [ActiveDir] SNMP Traps for bad logon attempt !!
This is strictly a guess but I would say no, there is nothing you can turn on in the native OS to enable SNMP notifications on failed auths or other event log entries. You will need something that scrapes the event log and transmits it via SNMP. I am sure there are a slew of third party for-sale products that would do this as well as tools that could be thrown into scripts to do it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Senthil Kumar
Sent: Monday, March 14, 2005 2:48 AM
To: Active directory group
Subject: [ActiveDir] SNMP Traps for bad logon attempt !!

Hi all,

We are having a Windows 2003 DC and Windows 2000 / XP Prof client environment. Basically I want to convert bad login security logs into SNMP traps and send them to a Compaq server loaded with Insight Manager XE. I have enabled SNMP protocols in client and server. Does Windows have inbuilt agents for this job or should I have to load any additional agents for that? Which MIB do I need to load in Insight Manager to understand the traps generated by the client for bad logon attempts? If anybody knows more details about this please share it with me.

Thanks in advance
Regards,
K.SENTHIL KUMAR
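Added example, not from the thread: the scraper joe describes, reading failed-logon events and turning them into SNMP traps, done in Python with a hand-rolled SNMPv1 trap encoder so it needs nothing beyond the standard library. The log lines are a constructed sample in a tab-separated shape an event-log export tool might give, not real data; the event IDs are the pre-Vista security-log values (529-537 and 539 for logon failures, 675 for Kerberos pre-authentication failure on a DC); the enterprise OID 1.3.6.1.3.9, the agent address 192.0.2.10 and the community string are placeholders. Whatever receives the traps (Insight Manager in Senthil's case) still needs a MIB that describes those varbinds, which this example cannot supply.

```python
import socket
from collections import Counter

# Constructed sample of security-log records as an export tool might dump them
# (date, time, event ID, account, workstation), tab-separated. Not real log data.
# Pre-Vista IDs: 529-537/539 are logon failures, 675 is Kerberos pre-authentication
# failure (what a DC logs for a bad password); 528 is a successful logon.
SAMPLE_LOG = """\
2005-03-14\t02:41:07\t529\tjsmith\tWS017
2005-03-14\t02:41:12\t529\tjsmith\tWS017
2005-03-14\t02:41:20\t529\tjsmith\tWS017
2005-03-14\t02:42:01\t528\tmjones\tWS022
2005-03-14\t02:43:55\t675\tadmin\tWS017
2005-03-14\t02:44:10\t539\tjsmith\tWS017
"""
FAILED_LOGON_IDS = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539, 675}

# Placeholder OID under the experimental arc; a real deployment defines its own MIB
# so the management station can decode the varbinds.
ENTERPRISE_OID = "1.3.6.1.3.9"


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            date, time, event_id, user, workstation = line.split("\t")
            events.append({"when": f"{date} {time}", "id": int(event_id),
                           "user": user, "workstation": workstation})
    return events


def offenders(events, threshold):
    """Accounts with at least `threshold` failed logons in the batch (one trap per account, not per event)."""
    counts = Counter(e["user"] for e in events if e["id"] in FAILED_LOGON_IDS)
    return {user: n for user, n in counts.items() if n >= threshold}


# --- minimal BER encoder: just enough for an SNMPv1 Trap-PDU (RFC 1157) ---
def ber_len(n):
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value, tag=0x02):
    """Non-negative INTEGER (or TimeTicks with tag 0x43); the length formula adds the
    leading zero byte BER requires when the top bit of the value is set."""
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))


def ber_string(s):
    return tlv(0x04, s.encode())


def build_trap(community, agent_ip, specific_trap, varbinds, uptime_ticks=0):
    """SNMPv1 message: SEQUENCE { version 0, community, Trap-PDU [4] }."""
    bindings = b"".join(tlv(0x30, ber_oid(oid) + ber_string(value)) for oid, value in varbinds)
    pdu = (ber_oid(ENTERPRISE_OID)
           + tlv(0x40, bytes(int(o) for o in agent_ip.split(".")))   # agent-addr: IpAddress
           + ber_int(6)                                              # generic-trap: enterpriseSpecific
           + ber_int(specific_trap)
           + ber_int(uptime_ticks, tag=0x43)                         # time-stamp: TimeTicks
           + tlv(0x30, bindings))
    return tlv(0x30, ber_int(0) + ber_string(community) + tlv(0xA4, pdu))


def traps_for(events, threshold=3, community="public", agent_ip="192.0.2.10"):
    """One trap per offending account: varbind .1.1 = account, .1.2 = failure count."""
    return [build_trap(community, agent_ip, 1,
                       [(ENTERPRISE_OID + ".1.1", user), (ENTERPRISE_OID + ".1.2", str(n))])
            for user, n in sorted(offenders(events, threshold).items())]


def send_traps(packets, receiver, port=162):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for packet in packets:
            sock.sendto(packet, (receiver, port))


if __name__ == "__main__":
    import sys
    send_traps(traps_for(parse_events(SAMPLE_LOG)), sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
```

The threshold is there for a reason beyond tidiness: a trap per 529 turns a password-spraying run into a flood at the NMS, and SNMPv1 traps are unauthenticated UDP, so the receiver should treat them as a prompt to look at the security log rather than as the evidence itself.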
RE: [ActiveDir] New AD tool hits the web
Hey Joe,

Hope you are well. From what I can see I think it does use AD to store information; during install it requires you to modify/extend the schema. Interesting step if you ask me. You have to modify your schema but the tool is: "Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool)." So after your non-reversible (and yes I know about defunct) schema modification, if something goes wrong which PSS won't support you can be pretty screwed.

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 March 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Interesting, does anyone know what it uses for its back end store to keep that info? I hope it isn't AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, March 15, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New AD tool hits the web

FYI,

Hello, You are receiving this email as you've participated in the LimitLogin beta program. We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all login information in Active Directory domains (without necessarily enforcing logon quotas). The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a bullet-proof solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc) in numerous RFPs etc.

LimitLogin capabilities include:
- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating into the Active Directory MMC snap-ins.
- Ability to delete and log off user sessions remotely straight from the Active Directory Users and Computers MMC snap-in.
- Generating login information reports in CSV (Excel) and XML formats.

Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool). The public download location is: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Please send any feedback and questions to [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

We would like to thank you for taking part in this beta program and helping us to improve the final bits.

Thanks
The LimitLogin Team

-Original Message-
From: Matt Brown [EMAIL PROTECTED]
Date: Tue, 15 Mar 2005 09:07:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Isn't that link from the Beta? There is no information on Microsoft's site regarding the product other than through the Beta Site. You can find the beast here: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Thanks,
--
Matt Brown [ SELECT * FROM computers WHERE OS MS ]
Information Technology System Specialist
Eastern Washington University

--
Sent from my blackberry.
[ActiveDir] not able to access xp machine
Hi all,

I am facing a problem while accessing two XP systems from each other, in spite of both being members of the same domain. When I try to access it, it shows access denied, or otherwise a blank page. Both systems are able to access any other systems in the domain. Please, I'm looking for a response.

Thanks,
Rakesh Jakhar
RE: [ActiveDir] cant join domain
Thank you Joe, Your ticket number is de5b8c61-9db5-4eeb-8d28-934e66f4d9de. A consultant will contact you to help you with your query.

(Sorry Tony I just had to do that :P)

C

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 March 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] cant join domain

LOL. The ActiveDir.org list has become a trouble ticketing system...

joe
RE: [ActiveDir] not able to access xp machine
Check which service pack you have on those boxes. If it's Windows XP SP2 then the firewall is definitely ON. Go to Control Panel and switch off the firewall.

Regards,
Dinesh Tashildar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: Friday, March 18, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] not able to access xp machine

This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. Any unauthorised review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. Visit us at http://www.cognizant.com
RE: [ActiveDir] not able to access xp machine
Well, switching it off is a bit hefty if you are just trying to troubleshoot. What exactly are you trying to access on that XP machine? Maybe you just need a simple rule on that firewall to allow you to connect to that resource.

C

Need AD programming help: http://groups.yahoo.com/group/adsianddirectoryservices

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: 18 March 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

Check which service pack you have on those boxes. If it's Windows XP SP2 then the firewall is definitely ON. Go to Control Panel and switch off the firewall.

Regards,
Dinesh Tashildar
[ActiveDir] USB storage devices in Windows Terminal Server
Hi, Does someone know how to connect USB storage devices in a TS session? Is it possible to connect this device without connecting all other local disk drives? Thanks, Stijn.
RE: [ActiveDir] not able to access xp machine
There is no service pack 2 on that machine, so no firewall.

--- Carlos Magalhaes [EMAIL PROTECTED] wrote:

Well, switching it off is a bit hefty if you are just trying to troubleshoot. What exactly are you trying to access on that XP machine? Maybe you just need a simple rule on that firewall to allow you to connect to that resource.

C
RE: [ActiveDir] not able to access xp machine
Do you have any other firewalls or antivirus software that come bundled with firewall software? What resource are you trying to access exactly?

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: 18 March 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

There is no service pack 2 on that machine, so no firewall.
[ActiveDir] Continuity planning and AD
Dear All

I am a bit of an AD newbie so I am not even sure if this is an AD issue; so apologies in advance.

Anyway, we have a disaster recovery server which we plan to store off site. This will be switched off while in storage. Our live server is a Windows 2000 server running AD. The backup software is Veritas Backup Exec. We do not use one button recovery.

The plan is this at the moment: when our server catches fire, is flooded or stolen, we take a recent tape from off site with all our data and another tape with our 'system' and restore. Well that was easy!!

Well, aside from many likely problems, this is the one I want to ask about here: The system tape is derived from a Veritas backup called System backup. I believe this backs up all the registry settings and I assume the user database, the DNS, DHCP settings and other services settings also. The recovery server is not a hardware duplicate of the live server, but it does run Windows 2000 server and Veritas.

Question: I have been told a system restore will result in the recovery server crashing as it is not a hardware duplicate. How do I backup (and restore) all the software and operating system settings and the AD settings without requiring a hardware duplicate? Can anyone point to resources that state how to do this and what to be aware of?

Many thanks for any help on this

Jonny
_
Jonathan Feldman
ICT Manager
NACVS
177 Arundel Street
Sheffield, S1 2NU
Tel: 0114 278 6636
Fax: 0114 278 7004
Textphone: 0114 278 7025
Email: [EMAIL PROTECTED]
Web: http://www.nacvs.org.uk
__
Registered charity no. 1001635
Registered company no. 2575306
Registered office as above
---
Dates for your diary
===
Chief Officers' Residential Event 2005, Royal Court Hotel, Coventry, 6-7 April: http://www.nacvs.org.uk/nacvs/events/core/index.shtm
If you take my advice...getting HR support right, Age Concern, Birmingham, 21st March: http://www.nacvs.org.uk/nacvs/events/hr/index.shtm
Local Public Service Agreements: engaging communities, Novotel Birmingham Centre, 19 May 2005: http://www.nacvs.org.uk/nacvs/events/lpsa
Re: [ActiveDir] Continuity planning and AD
Hi Johnny

In theory, you should be able to do your restore to the different hardware, and then boot to the CD, choose setup, and choose repair existing version of Windows to redetect all hardware. I am not sure this is supported but we were able to do it in our forest recovery test with no real problems besides time time time and more time. Make sure you test the solution well before deciding that an identical box is not the answer.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

jonny [EMAIL PROTECTED] wrote, 03/18/2005 10:03 AM GMT, To: ActiveDir@mail.activedir.org, Subject: [ActiveDir] Continuity planning and AD
RE: [ActiveDir] not able to access xp machine
Dear, thanks for the prompt response.

I am trying to access some shared folder that we used to access; from today itself it is showing denied access permission, nothing has been changed. I don't know how it is happening. We are using Norton Antivirus version 7.6.

Thanks,
Rakesh

--- Carlos Magalhaes [EMAIL PROTECTED] wrote:

Do you have any other firewalls or antivirus software that come bundled with firewall software? What resource are you trying to access exactly?

C
RE: [ActiveDir] not able to access xp machine
Ok so let's walk through this:

1. Can you ***double*** check that the permissions on that Windows XP share are still working as they should be and that the user account you are using to access that share has permissions both on NTFS and on the Share.

2. I am not that familiar with Norton; does it come bundled with a personal firewall?

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: 18 March 2005 01:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

Dear, thanks for the prompt response.

I am trying to access some shared folder that we used to access; from today itself it is showing denied access permission, nothing has been changed. I don't know how it is happening. We are using Norton Antivirus version 7.6.

Thanks,
Rakesh
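Added example, not part of the thread: the check Carlos asks for in step 1, written out as code so the two layers are explicit. A request for a share over the network passes two ACLs, the share permissions and the NTFS permissions on the folder, and ends up with the intersection of what both grant; within each ACL an explicit Deny beats any Allow that also matches the account or one of its groups. The ACLs, group names and user names below are constructed, and the rights are collapsed to read/write bits; real Windows access masks are wider.

```python
# Rights collapsed to two bits for illustration; real Windows masks carry many more.
READ, WRITE = 1, 2
FULL = READ | WRITE

# An ACE is (principal, rights, is_deny). Constructed sample ACLs for a share on an XP box:
# XP's default share permission is Everyone: Read; the NTFS ACL on the folder is richer.
SHARE_ACL = [("Everyone", READ, False)]
NTFS_ACL = [
    ("Domain Users", READ, False),
    ("Finance", WRITE, False),
    ("Contractors", READ, True),     # explicit Deny: wins over any Allow that also matches
]


def granted(acl, principals):
    """Rights one ACL gives an account holding `principals` (its own name plus its groups):
    the union of matching Allow rights minus the union of matching Deny rights."""
    allow = deny = 0
    for principal, rights, is_deny in acl:
        if principal == "Everyone" or principal in principals:   # Everyone matches any token set
            if is_deny:
                deny |= rights
            else:
                allow |= rights
    return allow & ~deny & FULL


def effective(share_acl, ntfs_acl, principals):
    """Over the network the request passes two gates; what survives is the intersection."""
    return granted(share_acl, principals) & granted(ntfs_acl, principals)


def describe(mask):
    return {0: "none", READ: "read", WRITE: "write", FULL: "read+write"}[mask]


def diagnose(share_acl, ntfs_acl, principals):
    """Name the gate that turns a request into 'access denied', the way a troubleshooter would."""
    share_rights = granted(share_acl, principals)
    ntfs_rights = granted(ntfs_acl, principals)
    if share_rights == 0:
        return "denied by share permissions"
    if ntfs_rights == 0:
        return "denied by NTFS permissions"
    return f"allowed: {describe(share_rights & ntfs_rights)}"


if __name__ == "__main__":
    # Constructed accounts: the group memberships are what decides the outcome.
    for user, groups in {"rakesh": {"Domain Users", "Contractors"},
                         "carol": {"Domain Users", "Finance"},
                         "guest": set()}.items():
        print(user, "->", diagnose(SHARE_ACL, NTFS_ACL, {user} | groups))
```

The "nothing has been changed" symptom in the thread usually means a group membership changed rather than the ACL: an account added to a group that carries a Deny, or a group token that only takes effect after the next logon, gives exactly this "worked yesterday, denied today" picture while both ACLs look untouched.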
RE: [ActiveDir] Continuity planning and AD
I run into this a lot; we go to Sungard twice a year to do DR testing and we never -ever- get identical hardware. It becomes a voodoo dance of running a repair, occasionally doing an in-place upgrade, and getting rid of now-extinct metadata and replication entries with ntdsutil and repadmin. FWIW, it works better on 2003 than 2000, since sometimes the TCP/IP stack gets hosed and it's easier to delete/recreate in 2003 than 2000 - it's a 3-step KB article instead of a 3 -page- one.

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Continuity planning and AD

Hi Johnny

In theory, you should be able to do your restore to the different hardware, and then boot to the CD, choose setup, and choose repair existing version of Windows to redetect all hardware. I am not sure this is supported but we were able to do it in our forest recovery test with no real problems besides time time time and more time. Make sure you test the solution well before deciding that an identical box is not the answer.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
[ActiveDir] Scripting DC cleanup?
It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs. Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil? I stumbled across a script called "metacleaner.vbs" written by a gentleman at Microsoft, but it did not appear to work.
RE: [ActiveDir] Continuity planning and AD
My organization just moved to a W2K3 AD and we have one of our offsite DR tests coming up. I was wondering if someone wouldn't mind sharing any step by step documentation that you have generated to perform this restore (basically so I don't have to go and draft one from scratch)? If not, are there any other interesting tid-bits that we need to know? (I will probably end up restoring two Domain Controllers, one for the Forest and one for my domain during this test plan) so any and all help will be nice. Thanks.

-Original Message-
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I run into this a lot; we go to Sungard twice a year to do DR testing and we never -ever- get identical hardware. It becomes a voodoo dance of running a repair, occasionally doing an in-place upgrade, and getting rid of now-extinct metadata and replication entries with ntdsutil and repadmin. FWIW, it works better on 2003 than 2000, since sometimes the TCP/IP stack gets hosed and it's easier to delete/recreate in 2003 than 2000 - it's a 3-step KB article instead of a 3 -page- one.

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Continuity planning and AD

Hi Johnny

In theory, you should be able to do your restore to the different hardware, and then boot to the CD, choose setup, and choose repair existing version of Windows to redetect all hardware. I am not sure this is supported but we were able to do it in our forest recovery test with no real problems besides time time time and more time. Make sure you test the solution well before deciding that an identical box is not the answer.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

jonny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/18/2005 10:03 AM GMT
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Continuity planning and AD

Dear All

I am a bit of an AD newbie so I am not even sure if this is an AD issue; so apologies in advance. Anyway, we have a disaster recovery server which we plan to store off site. This will be switched off while in storage. Our live server is a Windows 2000 server running AD. The backup software is Veritas Backup Exec. We do not use one button recovery. The plan is this at the moment: when our server catches fire, is flooded or stolen, we take a recent tape from off site with all our data and another tape with our 'system' and restore. Well that was easy!! Well, aside from many likely problems, this is the one I want to ask about here: The system tape is derived from a Veritas backup called System backup. I believe this backs up all the registry settings and I assume the user database, the DNS, DHCP settings and other services' settings also. The recovery server is not a hardware duplicate of the live server, but it does run Windows 2000 server and Veritas. Question: I have been told a system restore will result in the
RE: [ActiveDir] License services
Well it must stop logons because I kept getting errors that my DC could not connect to the master license server and a lot of user accounts could not log on to the domain. When I stopped the license server, everything was fine.

Mick Putley wrote:

No it will not stop anything, just throw an event into the system log

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, March 17, 2005 12:52 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] License services

Any idea if a Windows DC will deny logons if the master license server cannot be contacted after a certain time period? Thanks

Free, Bob wrote:

is the License server used by Windows to track CALs the same one that is used for Terminal Services app mode?

Nope, that would be the Terminal Services Licensing Service, different beast

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, March 17, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] License services

Sorry to reply to my own email - is the License server used by Windows to track CALs the same one that is used for Terminal Services app mode? I ask these questions because I demoted a DC that happened to be a license server and about 3 weeks later I got event ID 213 errors in my app log on my PDC/RID/infra master and some users were unable to log into the domain. In AD Sites and Services, the old DC is still listed with no NTDS object (I assume it's still there because a developer installed MSMQ for AD and never uninstalled it). I demoted it clean using dcpromo. No errors. Is the licensing server always a DC by default? Do the other DCs cache license info for a period of time so things function for a while even if they don't communicate with the master license server? And if so, what is the time period? I apologize for all the questions but I can't seem to find much in-depth info on this service from MS or Google. Thanks

Kern, Tom wrote:

If I'm using the license service to keep track of licenses and I go over the allotted amount, will Windows DCs prevent users from logging into the domain? Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Scripting DC cleanup?
Can't imagine why that wouldn't be possible. NTDSUTIL is similar to NETSH in that you can run the commands from a single call, i.e. ntdsutil command command command command, etc.

http://www.jsifaq.com/SUBJ/tip4600/rh4675.htm

and

http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/sag_ntdsutil_using.asp

will give some information about what that looks like. You can even abbreviate it. My advice for this though? Practice it several times before actually relying on it. As for scripting it, I suppose you could, but it would likely be less effort to write it manually once. I mean, you don't build your infrastructure on roller-skates anyway, right? :)

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 8:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs. Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil? I stumbled across a script called metacleaner.vbs written by a gentleman at Microsoft, but it did not appear to work.
RE: [ActiveDir] Scripting DC cleanup?
You can make ntdsutil work in a script. Just make a batch file. The syntax is to put a space between each command and put them in quotes:

ntdsutil "connect to domain 1" "do something cool" "build an arc"
ntdsutil "connect to domain 2" "do something cool" "build an arc"
etc etc

--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Fri 3/18/2005 7:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Scripting DC cleanup?

It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs. Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil? I stumbled across a script called metacleaner.vbs written by a gentleman at Microsoft, but it did not appear to work.
[ActiveDir] Opinions on Profile Maker?
I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin not a code guy and I am a one person IT dept. Anyone use it?

Thanks,
Bob Williamson, MCSE
Eisenhower and Carlson

NOTICE: This is a private and confidential communication for the sole viewing and use of the intended recipient. This communication may contain information protected by the attorney/client privilege or work product doctrine. If you are not the intended recipient of this communication, please immediately notify the sender and delete and destroy all copies of this communication. The unauthorized disclosure, distribution, copying, or use of information contained in this communication may violate the Electronic Communications Privacy Act, 18 U.S.C. 2510 et seq., the Washington Privacy Act, RCW 9.73, and Article I, section 7 of the Washington Constitution.
RE: [ActiveDir] Opinions on Profile Maker?
I am about to evaluate it but I have a friend at another firm who absolutely loves it. He cannot say enough about it. He says he has seen no adverse effects on the login process. There is an agent that is deployed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob
Sent: Friday, March 18, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Opinions on Profile Maker?

I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin not a code guy and I am a one person IT dept. Anyone use it?

Thanks,
Bob Williamson, MCSE
Eisenhower and Carlson
RE: [ActiveDir] not able to access xp machine
Norton Internet Security 2005 comes with a firewall. However, I believe it binds to the Windows firewall and uses its custom interface. How this would react on a pre-SP2 machine I don't know.

Recently I have had a peer to peer sharing issue that sounded very familiar to what you're experiencing. The solution was based on login rights of the user logged in, who in turn created the share. I.e., user A is admin, user B power user or less. I set the share as B. Apply security settings. User C can see the share but cannot access it even though the security was set to Everyone. I log in as B and can read, write, blah blah blah. I found that creating the share as admin works for all users as long as Everyone has complete access. Well, to the level actually needed. This way both A and B users can read, write, blah blah blah. Perhaps this is by design. But even if user A was in the Admin group, any share created as user A was accessible only as user A; however all users could see the share. I'm not sure exactly how this would apply to an ActDir security scheme. With a little imagination I could plausibly draw connecting lines. This is the closest resemblance to the scenario described below I have witnessed. Being that security is granted from the DC it may be of little help.

Are you running policy? If so make sure your OU is not pushing out any non-sharing policy to the group. If you discover this to be true, remember the gpupdate command, otherwise it may not update to lessened security settings, or it may take up to several days before it volunteers to replicate those policies locally.

Ultimately it sounds security related. SIDs and PIDs, if there are duplicates throughout your network, may cause this unusual behavior. If so you have greater issues to deal with than shares. Curious as to how this turns out.

Glen Miller
Payflex System USA, Inc.
Desktop management Evolution Administration
402 231 8666
402 231 4357
402 650 2949
[EMAIL PROTECTED]

-Original Message-
From: Carlos Magalhaes [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: Fri, 18 Mar 2005 13:47:29 +0200
Subject: RE: [ActiveDir] not able to access xp machine

Ok so let's walk through this,

1. Can you ***double*** check that the permissions on that Windows XP share are still working as they should be and the user account you are using to access that share has permissions both NTFS and on the share.

2. I am not that familiar with Norton; does it come bundled with a personal firewall?

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: 18 March 2005 01:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

Dear

Thanks for the prompt response. I am trying to access some shared folder which we used to access from; from today itself it is showing denied access permission, nothing has been changed. I don't know how it is happening. We are using Norton Antivirus version 7.6

Thanks,
Rakesh

--- Carlos Magalhaes [EMAIL PROTECTED] wrote:

Do you have any other firewalls or antivirus software that come bundled with firewall software? What resource are you trying to access exactly?

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: 18 March 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

There is no Service Pack 2 on that machine, so no firewall.

--- Carlos Magalhaes [EMAIL PROTECTED] wrote:

Well, switching it off is a bit hefty if you're just trying to troubleshoot. What exactly are you trying to access on that XP machine? Maybe you just need a simple rule on that firewall to allow you to connect to that resource.

C

Need AD programming help: http://groups.yahoo.com/group/adsianddirectoryservices

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tashildar, Dinesh (Cognizant)
Sent: 18 March 2005 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to access xp machine

Check which service pack you have on those boxes. If it's Windows XP SP2 then definitely the firewall is ON. Go to Control Panel and switch off the firewall.

Regards,
Dinesh Tashildar

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: Friday, March 18, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] not able to access xp machine

Hi all,

I am facing a problem while accessing two XP systems with each other in spite of both being members of the same domain. When I try to access it is
RE: [ActiveDir] Opinions on Profile Maker?
Sorry, that should have been PolicyMaker, not Profile Maker.

Bob Williamson, MCSE
Eisenhower and Carlson

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Opinions on Profile Maker?

I am about to evaluate it but I have a friend at another firm who absolutely loves it. He cannot say enough about it. He says he has seen no adverse effects on the login process. There is an agent that is deployed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob
Sent: Friday, March 18, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Opinions on Profile Maker?

I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin not a code guy and I am a one person IT dept. Anyone use it?

Thanks,
Bob Williamson, MCSE
Eisenhower and Carlson
RE: [ActiveDir] Continuity planning and AD
You can pull the disaster docs at Microsoft (should be off of http://www.microsoft.com/ad ) and re-use a lot of that. There are KB articles as well.

As for the original poster's question:

"The plan is this at the moment: when our server catches fire, is flooded or stolen, we take a recent tape from off site with all our data and another tape with our 'system' and restore. Well that was easy!!"

That is great for things such as physical site issues but doesn't cover any issues with logical corruption. You may want to include that in your scenario.

Another thought is one that has been kicked around a lot. Since you need system state to get your DC back up and running, and since system state restores almost require you to use duplicate hardware, have you considered what a virtual instance can do for you? You could introduce a second DC running in a virtual instance and then your hardware issues are abstracted. So when you do the restore, you would have two choices: put back the entire virtual machine (the binary blob that you backed up: shut down the VM instance, back up the blob, restart, sort of thing) and restore the blob in your DR site. Perform metadata cleanup, seize the roles, and move ahead. Or you could restore the data via tape to a VM instance. Either way, your duplicate hardware requirement goes away because virtual server technology abstracts the hardware from the physical hardware you use. Can be much faster, more reliable, and easier under pressure. Just wanted to throw that out there.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Friday, March 18, 2005 8:46 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Continuity planning and AD

My organization just moved to a W2K3 AD and we have one of our offsite DR tests coming up. I was wondering if someone wouldn't mind sharing any step by step documentation that you have generated to perform this restore (basically so I don't have to go and draft one from scratch)? If not, are there any other interesting tid-bits that we need to know? (I will probably end up restoring two Domain Controllers, one for the Forest and one for my domain during this test plan) so any and all help will be nice. Thanks.

-Original Message-
From: Hunter, Laura E. [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I run into this a lot; we go to Sungard twice a year to do DR testing and we never -ever- get identical hardware. It becomes a voodoo dance of running a repair, occasionally doing an in-place upgrade, and getting rid of now-extinct metadata and replication entries with ntdsutil and repadmin. FWIW, it works better on 2003 than 2000, since sometimes the TCP/IP stack gets hosed and it's easier to delete/recreate in 2003 than 2000 - it's a 3-step KB article instead of a 3 -page- one.

Laura

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 5:37 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Continuity planning and AD

Hi Johnny

In theory, you should be able to do your restore to the different hardware, and then boot to the CD, choose setup, and choose repair existing version of Windows to redetect all hardware. I am not sure this is supported but we were able to do it in our forest recovery test with no real problems besides time time time and more time. Make sure you test the solution well before deciding that an identical box is not the answer.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

jonny [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] Continuity planning and AD
RE: [ActiveDir] Event Log
Absolutely! WMI is a good way to do this. The WMIWatcher script does this for you. You can download the script from http://users.skynet.be/alain.lissoir/temp/WMIWatcher.zip

You can find other script samples doing this at http://www.lissware.net (Volume 1 samples): Sample 6.13 - SynchronousEventConsumer.wsf to Sample 6.17 - GenericEventAsyncConsumer.wsf show the basic mechanics to catch events from WMI, and Sample 6.22 to 6.23 - EventLogTimeDiffMonitor.wsf to Sample 6.25 to 6.27 - EventLogTimeDiffMonitorWithNonEvent.wsf show how to catch events from the NT event log and calculate the time between two events (or no event after a timeout). It also sends an email alert.

However, you don't necessarily have to run a script to do this. You can also leverage the SMTP Permanent Event Consumer Provider. It requires a MOF file compilation. You can find a sample at http://www.lissware.net (Volume 1 samples): Sample 2.03 - SMTPConsumerInstanceReg.mof

For non-WMI people, this will be a bit more complex to set up, however. It is described in my WMI books but MSDN also has some information about it at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wmisdk/wmi/smtpeventconsumer.asp

This WMI provider consumes any WMI events and sends an SMTP email to a relay of your choice. The WQL query you submit makes the WMI event selection.

HTH
/Alain

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event Log

Just to be specific, event viewer is a simple client tool used to view entries in the event log. It is like notepad reading a file. If you need to get alerts like that, you will need to use a third party tool or script. WMI tends to be good in this space; take a look at some of the WMI web sites or books.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, March 14, 2005 5:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event Log

Please, is there any way to make the event viewer trigger an email?

Thanks
r.c.
RE: [ActiveDir] Opinions on Profile Maker?
Bob- I think you will find that products like PolicyMaker, and others on the market which extend Group Policy natively with additional configuration functionality, are a much better way to go in AD environments than relying on scripts or a scripting infrastructure. Because they plug right into the GP infrastructure, you don't have to learn anything new and can use many of the same management tools (e.g. GPMC, etc.) that you probably use today. I'm a little biased, of course, towards anything that uses and improves Group Policy, but I think you'll find it a good way to go.

Darren

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob
Sent: Friday, March 18, 2005 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Opinions on Profile Maker?

Sorry, that should have been PolicyMaker, not Profile Maker.

Bob Williamson, MCSE
Eisenhower and Carlson

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 6:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Opinions on Profile Maker?

I am about to evaluate it but I have a friend at another firm who absolutely loves it. He cannot say enough about it. He says he has seen no adverse effects on the login process. There is an agent that is deployed.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob
Sent: Friday, March 18, 2005 9:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Opinions on Profile Maker?

I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin not a code guy and I am a one person IT dept. Anyone use it?

Thanks,
Bob Williamson, MCSE
Eisenhower and Carlson
RE: [ActiveDir] Scripting DC cleanup?
I guess I should have elaborated. NTDSUtil references domains, sites, and servers by sequential numbers. In order to write a simple command file for DC cleanup, I'd have to know what these numbers would be beforehand, and I'm not at all sure they won't change. What I'd like to do is write a perl script that will figure out what these numbers will be and write a script that I can feed into ntdsutil to do the dirty work.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, March 18, 2005 9:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Scripting DC cleanup? You can make ntdsutil work in a script. Just make a batch file. The syntax is to put a space between each command and put them in quotes: ntdsutil "connect to domain 1" "do something cool" "build an arc" ntdsutil "connect to domain 2" "do something cool" "build an arc" etc etc --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Ken Cornetet Sent: Fri 3/18/2005 7:33 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Scripting DC cleanup? It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs. Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil? I stumbled across a script called "metacleaner.vbs" written by a gentleman at Microsoft, but it did not appear to work.
RE: [ActiveDir] Continuity planning and AD
Most backup software has disaster recovery built in, in that you can build a recovery CD from tapes (OS speaking). There are variations on this theme. For example, Backup Exec has this feature; however, it requires that you RECREATE the CD after every change to a server. It cannot be built from a tape, thus you must keep an up-to-date recovery CD. This is the fastest recovery method, although if your CDs are not up to date you're back to square one. The typical trade-off between efficiency and manageability. The CD should be bootable. Retrospect software allows you to do this from tape, eliminating the need to have up-to-date recovery CDs. I'm still demoing this software. It has lived up to its claims, although if you're not familiar with its process it is convoluted and very order dependent; one misstep and square one. Coolness about this is you can boot from tape. Well, first the CD, but it attaches easily to the tape drives for expedited recovery times. As anyone who has done disaster recovery implementation knows, there is truly no one solution to this issue. Once you step from the realm of indifferent hardware, the beast changes shape. Windows is typically forgiving when it encounters dissimilar hardware, in that if it has access to the I386 directory all should turn out fine. This holds water as long as the processors are within the same family. Try doing this from a Xeon to an Itanium or Pentium and you blue screen at start up, and I have had little luck running the recovery. I believe this is tied to the NTLDR file. When considering a palatable DR strategy, it's not just "is the data safe and recoverable" but in what time frame this can be completed. If it takes a week to get back up, that's a disaster. Given a typical turnaround time of 24 hours, can this be accomplished using the above methods? To a degree, based on size of company, total data load and blah blah blah. What I'm getting to is this: it may be easier, cheaper and faster to replicate data in real time.
Identify critical systems, replicate hardware, and do real-time replication across, say, a dedicated T1 to your offsite DR: up to the minute and available immediately. Windows handled this through DCOM; however, I have heard that was replaced by the clustering service new to 2003. Very expensive. I have a payroll system which handles several tens of thousands of checks to people every week. I replicate all changed data in real time. If we were to lose our Internet connection, the software, through the dedicated T1, drops the change queue to the off-site system, then once that is complete initiates the RAS services. The client has a heartbeat built in, in that if after 7 minutes it cannot reach the primary RAS server it then queries the secondary address. This is completely transparent to the user, with the exception that everything PAUSED for the allocated time. Once back up, the reverse happens, in that it coordinates the transition per client as the new queue requests are handled from the DR server and migrated back to the primary system. Completely invisible to the user as long as an outage does not occur again. Sorry so long-winded. DR was a serious, and still is to a degree, a thorn in an IT person's side. Just remember the ROSE it is attached to. If ever you need it, nothing like looking exceptional to the CEO, CFO and all the other people who have that alphabet in their names. I hope this helped. I realize it doesn't address the step-by-step request; the only way you'll get that is to develop and repeat the process till it works 4 out of 5 times. Then you can sleep with only one eye open. Glen Miller Payflex System USA, Inc.
Desktop management Evolution Administration 402 231 8666 402 231 4357 402 650 2949 [EMAIL PROTECTED]

-Original Message- From: Carerros, Charles [EMAIL PROTECTED] To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org Date: Fri, 18 Mar 2005 07:45:33 -0600 Subject: RE: [ActiveDir] Continuity planning and AD My organization just moved to a W2K3 AD and we have one of our offsite DR tests coming up. I was wondering if someone wouldn't mind sharing any step-by-step documentation that you have generated to perform this restore (basically so I don't have to go and draft one from scratch)? If not, are there any other interesting tidbits that we need to know? (I will probably end up restoring two Domain Controllers, one for the Forest and one for my domain during this test plan) so any and all help will be nice. Thanks.

-Original Message- From: Hunter, Laura E. [mailto:[EMAIL PROTECTED] Sent: Friday, March 18, 2005 6:23 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Continuity planning and AD I run into this a lot; we go to Sungard twice a year to do DR testing and we never -ever- get identical hardware. It becomes a voodoo dance of running a repair, occasionally doing an in-place
RE: [ActiveDir] Opinions on Profile Maker?
You say others... what others are there? Thanks, Bob Williamson MCSE Eisenhower Carlson, PLLC [EMAIL PROTECTED]

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, March 18, 2005 7:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? Bob- I think you will find products like PolicyMaker, and others on the market which extend Group Policy natively with additional configuration functionality, to be a much better way to go in AD environments than relying on scripts or a scripting infrastructure. Because of the fact that they plug right into the GP infrastructure, you don't have to learn anything new and can use many of the same management tools (e.g. GPMC, etc.) that you probably use today. I'm a little biased, of course, towards anything that uses and improves Group Policy, but I think you'll find it a good way to go. Darren

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob Sent: Friday, March 18, 2005 7:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? Sorry, that should have been POLICYmaker, not Profile Maker. Bob Williamson, MCSE Eisenhower and Carlson

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 18, 2005 6:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? I am about to evaluate it, but I have a friend at another firm who absolutely loves it. He cannot say enough about it. He says he has seen no adverse effects on the login process. There is an agent that is deployed.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob Sent: Friday, March 18, 2005 9:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Opinions on Profile Maker?
I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin, not a code guy, and I am a one-person IT dept. Anyone use it? Thanks, Bob Williamson, MCSE Eisenhower and Carlson
RE: [ActiveDir] Opinions on Profile Maker?
Full Armor has their IntelliPolicy product and Quest has Group Policy Extensions for Desktops.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob Sent: Friday, March 18, 2005 7:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? You say others... what others are there? Thanks, Bob Williamson MCSE Eisenhower Carlson, PLLC [EMAIL PROTECTED]

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, March 18, 2005 7:27 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? Bob- I think you will find products like PolicyMaker, and others on the market which extend Group Policy natively with additional configuration functionality, to be a much better way to go in AD environments than relying on scripts or a scripting infrastructure. Because of the fact that they plug right into the GP infrastructure, you don't have to learn anything new and can use many of the same management tools (e.g. GPMC, etc.) that you probably use today. I'm a little biased, of course, towards anything that uses and improves Group Policy, but I think you'll find it a good way to go. Darren

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob Sent: Friday, March 18, 2005 7:07 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? Sorry, that should have been POLICYmaker, not Profile Maker. Bob Williamson, MCSE Eisenhower and Carlson

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, March 18, 2005 6:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Opinions on Profile Maker? I am about to evaluate it, but I have a friend at another firm who absolutely loves it. He cannot say enough about it. He says he has seen no adverse effects on the login process.
There is an agent that is deployed.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williamson, Bob Sent: Friday, March 18, 2005 9:42 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Opinions on Profile Maker? I was eyeing ScriptLogic for some admin purposes (auto printer stuff, auto this, auto that) but at the last moment decided to look at Profile Maker by DesktopStandard. It adds extensions and logic to AD. I have yet to try it in a networking environment, but am ready to pull the trigger on the purchase. It seems too good to be true? Does it add a lot of overhead to the login process? Etc. Yes, I know most of the stuff can be done for free using scripting, but hey, I am an admin, not a code guy, and I am a one-person IT dept. Anyone use it? Thanks, Bob Williamson, MCSE Eisenhower and Carlson
RE: [ActiveDir] Creating a backlink and forwardlink
There's an offline thread on this, we should be all set. ~Eric

-Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, March 18, 2005 12:15 AM To: ActiveDir@mail.activedir.org Cc: Eric Fleischman Subject: RE: [ActiveDir] Creating a backlink and forwardlink Eric is from Microsoft. He was an AD CPR engineer (recently changed) which means he was actually debugging AD failures like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it. I do trust Eric almost implicitly which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Wednesday, March 09, 2005 12:56 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Ok my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Friday, March 04, 2005 6:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 8:53 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Friday, March 04, 2005 6:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink I think the question was, the number that I used as my sample linkID, is that a special number or should you use your own. The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which will create link IDs for you. Don't think of the linkID value I used as an OID, think of it as magical and special. :) ~Eric

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, March 04, 2005 6:42 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Sure, but if you are on Windows 2003 or AD/AM you don't have to. That is the beauty of this, that OID causes AD to autogenerate a link ID that is guaranteed unique. The only reasons you should really use linkids you get from MS anymore is if you do make decisions based on linkid values (not just the existence of) or you need to use the schema mods on Windows 2000 AD. BTW, I believe I do recall you from DEC even with my old failing memory. :oP joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 7:00 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink One more question about autolinking.
In the example that is shown on the blog you sent, the forward LinkID appears to be an OID. Is that correct? Can I select an OID from my pool and use it as the LinkID for the forward link? Thanks Joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink Sorry I missed the link to the info in your first message. Thanks joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Friday, March 04, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Creating a backlink and forwardlink I do have an OID from Microsoft. I knew that picking my own LinkID had to be a bad thing, but I didn't know of any other way to get it. Can you expand on autolinking? Thanks Joe, BTW this is the Joe that you met at DEC in Virginia. This is my first Post! Thanks for letting me know
RE: [ActiveDir] New AD tool hits the web
Great! So I guess I will probably look at this to check out the actual implementation. If the data store is AD I can foresee a couple of failure points, not to mention the fact that if AD Dev thought up-to-the-minute updates of user logon info in AD was a good thing, they probably would have done it when they added lastLogonTimeStamp. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Friday, March 18, 2005 3:48 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] New AD tool hits the web Hey Joe, Hope you are well. From what I can see I think it does use AD to store information; during install it requires you to modify/extend the schema. Interesting step if you ask me. You have to modify your schema but the tool is: "Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool)." So after your non-reversible (and yes I know about defunct) schema modification, if something goes wrong which PSS won't support you can be pretty screwed. C

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: 18 March 2005 10:16 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] New AD tool hits the web Interesting, does anyone know what it uses for its back end store to keep that info? I hope it isn't AD. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Tuesday, March 15, 2005 12:27 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] New AD tool hits the web FYI, Hello, You are receiving this email as you've participated in the LimitLogin beta program. We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all login information in Active Directory domains (without necessarily enforcing logon quotas).
The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a bulletproof solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc.) in numerous RFPs etc. LimitLogin capabilities include: - Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions. - Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to). - Easy management and configuration by integrating with the Active Directory MMC snap-ins. - Ability to delete and log off user sessions remotely straight from the Active Directory Users and Computers MMC snap-in. - Generating login information reports in CSV (Excel) and XML formats. Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool). The public download location is: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe Please send any feedback and questions to [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] We would like to thank you for taking part in this beta program and helping us to improve the final bits. Thanks, The LimitLogin Team

-Original Message- From: Matt Brown [EMAIL PROTECTED] Date: Tue, 15 Mar 2005 09:07:24 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] New AD tool hits the web Isn't that link from the Beta? There is no information on Microsoft's site regarding the product other than through the Beta Site.
You can find the beast here: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe Thanks, -- Matt Brown [ SELECT * FROM computers WHERE OS MS ] Information Technology System Specialist Eastern Washington University -- Sent from my blackberry.
RE: [ActiveDir] Continuity planning and AD
I am 150% behind this mechanism. Your up-and-functioning-again time is drastically reduced, as you can recover to any machine that has your virtualization software up and running. This is technology that I have been recommending to the list for probably a couple of years now, along with many others. Basically you spin up a little site with virtuals of all of your domains, and you script their daily (or more often) shutdown and backup. If you get really cute you have multiple DCs of each domain and stagger their shutdown and backup times and maybe even their replication schedules. This also helps with establishing lab forests or safe harbor (aka Life Boat) forests to do real data tests for things like schema updates and such. If MS would get off their butt and support VMware ESX officially as a hardware platform this would open up even more possibilities, such as near immediate full forest recovery even with X domains where X is some crazy number like 20+. In fact, now that I have heard of Server Foundation Architecture at DEC[1] from Stuart Kwan, my battle with IE on DCs is pretty much wrapped up (unless I hear of the idea dying) and I appear to have won, so I am going to see if I can take on getting MS to support ESX since they have no competing product. I believe the idea is as solid and just as the idea to get IE/GUI off of servers if you want to run that way. So anyway, if this is something you are interested in as well, getting ESX server supported as a hardware platform, feel free to ping me offline about it and let me know the kind of business you represent (size, how much MS, etc.) so when I start my email campaign and start making a nuisance of myself in the various forums and face-to-face times with MS Execs I have some numbers and company names behind me.
Virtualization is truly where we are going, and MS and Virtual Server is nowhere near the capability of ESX, and I haven't heard anything that would lead me to believe MS is anywhere near to announcing anything like that. This seems to be good for everyone from what I can see: good for the customer as their life will probably become easier and more secure, good for MS because people will buy more product licenses because they can fit more in the data center, good for hardware vendors because they sell better higher-end hardware instead of a bunch of the lower-end small-margin stuff. Some very large orgs (no names please) I talked to at DEC are all moving forward with ESX solutions even though MS doesn't officially support the platform. They have looked at it and determined that the solution justifies going outside the realm of guaranteed MS Support. That doesn't look good for MS; it is inability to admit to reality. Sure, don't support VMware Workstation or GSX, we understand, it competes with your own product lines, but you don't have a product like ESX... period. And larger customers are going to want to go ESX versus GSX or Virtual Server. Heck, if you really look at it, you could come up with some pretty good cookie-cutter Small Business ESX solutions as well. joe

[1] When Stuart announced having a DC up and running in the lab on this platform with no GUI/IE there was big-time applause from the audience and a tear came to my eye. People were buzzing about it the whole rest of the week. Rick tried to get me in trouble by indicating I could now drop death threats I had out against various MS people, which was completely untrue and of course he was only joking. Luckily he only embarrassed me as I got a shout out from Stuart from the podium; I don't think many people really knew who he was referring to though, because most people don't know my full name.
Anyway, I have been exceedingly vocal about this issue to every level of MS Management I have come into contact with for some time now. I mentioned it a little here occasionally but that wasn't even the tip of the iceberg because I didn't think this list had much power to invoke that change. I was sending notes to folks like Allchin and Nash about it and posting heavily on an MS and MSMVP Security DL about it and was a broken record at the MVP Security Summit last fall and tended to bring it up in nearly every session for several days.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Friday, March 18, 2005 10:08 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Continuity planning and AD You can pull the disaster docs at Microsoft (should be off of http://www.microsoft.com/ad ) and re-use a lot of that. There are KB articles as well. As for the original poster's question, "The plan is this at the moment: when our server catches fire, is flooded or stolen, we take a recent tape from off site with all our data and another tape with our 'system' and restore. Well that was easy!!" That is great for things such as physical site issues but doesn't cover any issues with logical corruption. You may want to include that in your
RE: [ActiveDir] Scripting DC cleanup?
I would recommend watching your AD to see exactly what NTDSUTIL is doing; you can actually just get away from using it and delete the appropriate objects directly (hint: look at the objects under the server containers of sites...). In fact you can make a solution that is better than ntdsutil because, last I looked, it didn't get rid of FRS references, etc. I recall a tool written by a friend of mine at the widgetfactory I used to work at that would do this quite well and quite fast and was called Whack-A-DC. It was used to clean up the test environment sucked off of the real environment after it was isolated from the "real" network. I have been slow to duplicate anything like this as a joeware tool because, quite frankly, it is pretty dangerous stuff and I would prefer to not have my tools used in script kiddies' attack tool boxes. oldcmp specifically and very purposely avoids DCs. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Friday, March 18, 2005 10:32 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Scripting DC cleanup? I guess I should have elaborated. NTDSUtil references domains, sites, and servers by sequential numbers. In order to write a simple command file for DC cleanup, I'd have to know what these numbers would be beforehand, and I'm not at all sure they won't change. What I'd like to do is write a perl script that will figure out what these numbers will be and write a script that I can feed into ntdsutil to do the dirty work.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Friday, March 18, 2005 9:40 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Scripting DC cleanup? You can make ntdsutil work in a script. Just make a batch file.
The syntax is to put a space between each command and put them in quotes: ntdsutil "connect to domain 1" "do something cool" "build an arc" ntdsutil "connect to domain 2" "do something cool" "build an arc" etc etc --Brian Desmond [EMAIL PROTECTED] Payton on the web! www.wpcp.org v - 773.534.0034 x135 f - 773.534.8101 c - 312.731.3132

From: [EMAIL PROTECTED] on behalf of Ken Cornetet Sent: Fri 3/18/2005 7:33 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Scripting DC cleanup? It's getting close to time for our annual off-site disaster recovery test, and I'd like to automate a dreaded chore that this testing entails. Our main domain has about two dozen DCs. We only recover one of those during the test. This means I have to perform the ntdsutil dance outlined in KB216498 23 times to remove the phantom DCs. Is there any way I can script this, or at least script creation of a text file that would be piped into ntdsutil? I stumbled across a script called "metacleaner.vbs" written by a gentleman at Microsoft, but it did not appear to work.
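Ken's sticking point, in both his posts above, is that ntdsutil numbers domains, sites and servers from whatever its "list" commands return, so the indices cannot be hard-coded into Brian's quoted-argument batch lines. The script below is an added example, not Ken's perl, Brian's batch file or joe's Whack-A-DC: it parses the numbered listings captured from ntdsutil on the recovered DC and emits one metadata-cleanup command line per phantom DC. Everything in it is constructed for the example: the domain, site and server names, the surviving DC DRDC1, and the sample listings, whose "index - DN" line format is an assumption taken from ntdsutil's output on Windows Server 2003 that you must check against your own.

```python
import re

# ntdsutil prints numbered lists as "<index> - <DN>". This format is an
# assumption about the tool's output; verify it on your own DCs first.
LIST_LINE = re.compile(r"^\s*(\d+)\s*-\s*(\S.*?)\s*$")

# Constructed sample listings standing in for what ntdsutil printed on the
# recovered DC. The names and DNs are invented for the example.
DOMAINS_OUT = """Found 1 domain(s)
0 - DC=corp,DC=example,DC=com
"""
SITES_OUT = """Found 2 site(s)
0 - CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
1 - CN=DR,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""
SERVERS_HQ_OUT = """Found 3 server(s)
0 - CN=DC1,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
1 - CN=DC2,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
2 - CN=DC3,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""
SERVERS_DR_OUT = """Found 1 server(s)
0 - CN=DRDC1,CN=Servers,CN=DR,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com
"""
DOMAIN_DN = "DC=corp,DC=example,DC=com"
SURVIVOR = "DRDC1"   # the one DC actually restored in the DR test (placeholder)


def parse_listing(text):
    """Map each DN in a numbered ntdsutil listing to its index."""
    entries = {}
    for line in text.splitlines():
        m = LIST_LINE.match(line)
        if m:
            entries[m.group(2)] = int(m.group(1))
    return entries


def rdn_value(dn):
    """'CN=DC3,CN=Servers,...' -> 'DC3'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def plan_removals(domain_dn, domains, sites, servers_by_site, survivor):
    """Return (server DN, ntdsutil command line) for every server object
    except the survivor. Within a site the highest index goes first:
    removing a server renumbers the ones listed after it, so working from
    the top down keeps the lower indices valid for the following lines.
    Each line re-runs the list commands so ntdsutil has a current list
    to select from in that session."""
    dom_idx = domains[domain_dn]
    plan = []
    for site_dn, servers in servers_by_site.items():
        site_idx = sites[site_dn]
        for server_dn, srv_idx in sorted(servers.items(), key=lambda kv: kv[1], reverse=True):
            if rdn_value(server_dn).lower() == survivor.lower():
                continue
            cmd = ('ntdsutil "metadata cleanup" "connections" '
                   '"connect to server {s}" "quit" "select operation target" '
                   '"list domains" "select domain {d}" "list sites" "select site {t}" '
                   '"list servers in site" "select server {v}" "quit" '
                   '"remove selected server" "quit" "quit"').format(
                       s=survivor, d=dom_idx, t=site_idx, v=srv_idx)
            plan.append((server_dn, cmd))
    return plan


def example_plan():
    """Run the planner over the constructed listings above."""
    sites = parse_listing(SITES_OUT)
    servers_by_site = {
        "CN=HQ,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com": parse_listing(SERVERS_HQ_OUT),
        "CN=DR,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com": parse_listing(SERVERS_DR_OUT),
    }
    return plan_removals(DOMAIN_DN, parse_listing(DOMAINS_OUT), sites, servers_by_site, SURVIVOR)


if __name__ == "__main__":
    for server_dn, cmd in example_plan():
        print("REM " + server_dn)
        print(cmd)
```

Two caveats before pasting the output into a batch file. ntdsutil still asks for confirmation on "remove selected server", so the lines are semi-automated at best, and since a removal renumbers the servers listed after it, the safe habit is to re-capture the listing and regenerate after every run rather than trust a plan made once; the descending order only makes the stale plan less likely to hit the wrong server. On Windows Server 2003 SP1 and later, "remove selected server" also accepts the server DN directly, which sidesteps the numbering problem entirely and is the form to prefer there. As joe notes, none of this touches the FRS member objects, which you will still have to clean up yourself.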
RE: [ActiveDir] Creating a backlink and forwardlink
I am guessing you mean an offline thread to get this officially documented?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it. I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok, my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I think the question was, the number that I used as my sample linkID, is that a special number or should you use your own. The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which will create link IDs for you. Don't think of the linkID value I used as an OID, think of it as magical and special. :)

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sure, but if you are on Windows 2003 or AD/AM you don't have to. That is the beauty of this: that OID causes AD to autogenerate a link ID that is guaranteed unique. The only reasons you should really use linkids you get from MS anymore is if you do make decisions based on linkid values (not just the existence of) or you need to use the schema mods on Windows 2000 AD.

BTW, I believe I do recall you from DEC even with my old failing memory. :oP

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 7:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

One more question about autolinking. In the example that is shown on the blog you sent, the forward LinkID appears to be an OID. Is that correct? Can I select an OID from my pool and use it as the LinkID for the forward link?

Thanks
Joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sorry I missed the link to the info in your first message.

Thanks
joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE:
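Joseph's LDIF file itself never made it to the list, so here is an added example (my own code, not Joseph's file and not the sample from Eric's blog) that builds a forward link / back link attribute pair using the automatic link-ID path Eric and joe describe, and checks the pair before it is fed to ldifde. Its assumptions, which you should confirm against current Microsoft documentation before trusting them in production: the "magical" linkID value is 1.2.840.113556.1.2.50, the OID of the linkID attribute itself, which is how the Windows Server 2003 / ADAM behaviour was later documented; the back link names the forward link by ldapDisplayName in its own linkID, so a schemaUpdateNow is issued between the two adds to get the forward link into the schema cache first; the BER-encoded DN object class in oMObjectClass is required alongside oMSyntax 127. The attributeIDs (from a placeholder enterprise arc), the schema NC, and the function names (ber_oid, dn_attribute_ldif, linked_pair_ldif, link_ids, pair_is_consistent) are constructed for the example.

```python
"""LDIF for a forward link / back link attribute pair with auto-assigned
link IDs. Added example for the "Creating a backlink and forwardlink"
thread; not the LDIF Joseph wrote and not the sample from Eric's blog.
"""
from __future__ import annotations

import base64
import re

# Assumption: this linkID value makes a Windows Server 2003 / ADAM schema
# master assign a fresh, unique link-ID pair (it is the OID of the linkID
# attribute itself). Verify against current Microsoft documentation.
AUTO_LINK_ID = "1.2.840.113556.1.2.50"
DN_ATTRIBUTE_SYNTAX = "2.5.5.1"                 # Object(DS-DN)
DN_OM_SYNTAX = 127                              # oMSyntax for object syntaxes
DN_OM_OBJECT_CLASS = "1.3.12.2.1011.28.0.714"   # required alongside oMSyntax 127
LDAP_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def ber_oid(oid: str) -> bytes:
    """BER-encode a dotted OID (X.690 8.19); oMObjectClass stores this form."""
    arcs = [int(a) for a in oid.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or arcs[1] > 39:
        raise ValueError(f"not a valid OID: {oid}")
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, high groups carry bit 7
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def dn_attribute_ldif(cn: str, ldap_name: str, oid: str, link_id: str,
                      schema_nc: str, single_valued: bool = False) -> str:
    """One attributeSchema add of DN syntax carrying the given linkID."""
    if not LDAP_NAME.match(ldap_name):
        raise ValueError(f"bad ldapDisplayName: {ldap_name!r}")
    ber_oid(oid)                         # rejects a malformed attributeID
    om_class = base64.b64encode(ber_oid(DN_OM_OBJECT_CLASS)).decode()
    return "\n".join([
        f"dn: CN={cn},{schema_nc}",
        "changetype: add",
        "objectClass: attributeSchema",
        f"attributeID: {oid}",
        f"ldapDisplayName: {ldap_name}",
        f"adminDisplayName: {cn}",
        f"attributeSyntax: {DN_ATTRIBUTE_SYNTAX}",
        f"oMSyntax: {DN_OM_SYNTAX}",
        f"oMObjectClass:: {om_class}",   # '::' marks a base64 value in LDIF
        f"isSingleValued: {'TRUE' if single_valued else 'FALSE'}",
        f"linkID: {link_id}",
        "",
    ])


# Reloads the schema cache so the back link can resolve the forward link.
SCHEMA_UPDATE_NOW = "dn:\nchangetype: modify\nadd: schemaUpdateNow\nschemaUpdateNow: 1\n-\n"


def linked_pair_ldif(forward: tuple[str, str, str], back: tuple[str, str, str],
                     schema_nc: str, forward_single_valued: bool = False) -> str:
    """Forward link with the auto link ID, cache reload, then the back link,
    whose linkID is the forward link's ldapDisplayName (assumption). Back
    links are always multi-valued. Tuples are (cn, ldapDisplayName, OID)."""
    f_cn, f_name, f_oid = forward
    b_cn, b_name, b_oid = back
    return "\n".join([
        dn_attribute_ldif(f_cn, f_name, f_oid, AUTO_LINK_ID, schema_nc, forward_single_valued),
        SCHEMA_UPDATE_NOW,
        dn_attribute_ldif(b_cn, b_name, b_oid, f_name, schema_nc),
    ])


def link_ids(ldif_text: str) -> dict[str, str]:
    """ldapDisplayName -> linkID for every attributeSchema record in the LDIF."""
    found = {}
    for record in ldif_text.split("\n\n"):
        fields = dict(line.split(": ", 1) for line in record.splitlines()
                      if ": " in line and not line.startswith("oMObjectClass"))
        if fields.get("objectClass") == "attributeSchema":
            found[fields["ldapDisplayName"]] = fields["linkID"]
    return found


def pair_is_consistent(ldif_text: str) -> bool:
    """True when exactly one attribute asks for auto assignment and every
    back link names a forward link that is defined in the same file."""
    ids = link_ids(ldif_text)
    forwards = {n for n, l in ids.items() if l == AUTO_LINK_ID}
    backs = {n: l for n, l in ids.items() if l != AUTO_LINK_ID}
    return len(forwards) == 1 and all(l in forwards for l in backs.values())


if __name__ == "__main__":
    # Constructed placeholders: 1.3.6.1.4.1.99999 stands in for your own arc.
    text = linked_pair_ldif(("example-Forward", "exampleForward", "1.3.6.1.4.1.99999.1.1"),
                            ("example-Back", "exampleBack", "1.3.6.1.4.1.99999.1.2"),
                            "CN=Schema,CN=Configuration,DC=example,DC=com")
    print(text)
    print("consistent:", pair_is_consistent(text))
```

Run it to print the LDIF, then import with ldifde -i -f <file> against the schema master. Following joe's suggestion, try it first in a lab or AD/AM instance: link IDs, once assigned, cannot be changed, and the consistency check only catches file-level mistakes, not a schema master that lacks the auto-assignment code path.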
RE: [ActiveDir] Creating a backlink and forwardlink
I actually meant with this customer about their particular schema extension.

~Eric

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I am guessing you mean an offline thread to get this officially documented?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it. I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok, my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough?
RE: [ActiveDir] Creating a backlink and forwardlink
Ah. Ok, I have submitted a request to MSDN to get the linkID schema attribute page updated with some info on this functionality and also submitted a request to the MSKB people to get it documented as well.

joe

-Original Message-
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:05 PM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I actually meant with this customer about their particular schema extension.

~Eric

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I am guessing you mean an offline thread to get this officially documented?

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it. I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.
RE: [ActiveDir] Continuity planning and AD
Thanks to everyone who has responded to this. Some great suggestions and founts of knowledge.

Jonny

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glen Miller
Sent: 18 March 2005 15:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

Most backup software has a disaster recovery built in, in that you can build a recovery CD from tapes (OS speaking). There are variations on this theme. For example, Backup Exec has this feature; however it requires that you RECREATE the CD after every change to a server. It cannot be built from a tape, thus you must keep an up to date recovery CD. This is the fastest recovery method, although if your CDs are not up to date you're back to square one. The typical trade off between efficiency and manageability. The CD should be bootable.

Retrospect software allows you to do this from tape, eliminating the need to have up-to-date recovery CDs. I'm still demoing this software. It has lived up to its claims, although if you're not familiar with its process it is convoluted and very order dependent. One misstep and square one. Coolness about this is you can boot from tape. Well, first the CD, but it attaches easily to the tape drives for expedited recovery times.

As anyone who has done disaster recovery implementation knows, there is truly no one solution to this issue. Once you step from the realm of indifferent hardware, the beast changes shape. Windows is typically forgiving when it encounters dissimilar hardware in that if it has access to the I386 directory all should turn out fine. This holds water as long as the processors are within the same family. Try doing this from a Xeon to an Itanium or Pentium and you blue screen at start up, and have had little luck running the recovery. I believe this is tied to the NTLDR file.

When considering a palatable DR strategy, it's not just "is the data safe and recoverable", but in what time frame can this be completed. If it takes a week to get back up, that's a disaster. Given a typical turn around time of 24 hours, can this be accomplished using the above methods? To a degree, based on size of company, total data load and blah blah blah.

What I'm getting to is this: it may be easier, cheaper, faster to replicate data real time. Identify critical systems, replicate hardware, and do real time replication across, say, a dedicated T1 to your offsite DR. Up to the minute and available immediately. Windows handled this through DCOM; however I have heard that was replaced by the clustering service new to 2003. Very expensive. I have a payroll system which handles several tens of thousands of checks to people every week. I replicate all changed data in real time. If we were to lose our Internet connection, the software, through the dedicated T1, drops the change queue to the off site system, then once that is complete initiates the RAS services. The client has a heart beat built in, in that if after 7 minutes it cannot reach the primary RAS server it then queries the secondary address. This is completely transparent to the user, with the exception that everything PAUSED for the allocated time. Once back up the reverse happens, in that it coordinates the transition per client as the new queue requests are handled from the DR server and migrated back to the primary system. Completely invisible to the user as long as an outage does not occur again.

Sorry so long winded. DR was a serious, and still is to a degree, a thorn in an IT person's side. Just remember the ROSE it is attached to. If ever you need it, nothing like looking exceptional to the CEO, CFO and all the other people who have that alphabet in their names. I hope this helped. I realize it doesn't address the step by step request; the only way you'll get that is to develop and repeat the process till it works 4 out of 5 times. Then you can sleep with only one eye open.

Glen Miller
Payflex System USA, Inc.
Desktop management Evolution Administration
402 231 8666
402 231 4357
402 650 2949
[EMAIL PROTECTED]

-Original Message-
From: Carerros, Charles [EMAIL PROTECTED]
To: 'ActiveDir@mail.activedir.org' ActiveDir@mail.activedir.org
Date: Fri, 18 Mar 2005 07:45:33 -0600
Subject: RE: [ActiveDir] Continuity planning and AD

My organization just moved to a W2K3 AD and we have one of our offsite DR tests coming up. I was wondering if someone wouldn't mind sharing any step by step documentation that you have generated to perform this restore (basically so I don't have to go and draft one from scratch)? If not, are there any other interesting tid-bits that we need to know? (I will probably end up restoring two Domain Controllers, one for the
[ActiveDir] AD Database size questions.
Hi, I'm not sure if this is a problem, but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. Because it runs so often, this is about the only thing I can attribute it to, but I'm not sure. There are no errors in the event log, but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Continuity planning and AD
Wouldn't it just be easier to expect them to put that ESX functionality in Virtual Server? ;)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I am 150% behind this mechanism. Your up-and-functioning-again time is drastically reduced, as you can recover to any machine that has your virtualization software up and running. This is technology that I have been recommending to the list for probably a couple of years now, along with many others. Basically you spin up a little site with virtuals of all of your domains, and you script their daily (or more often) shutdown and backup. If you get really cute you have multiple DCs of each domain and stagger their shutdown and backup times and maybe even their replication schedules. This also helps with establishing lab forests or safe harbor (aka Life Boat) forests to do real data tests for things like schema updates and such.

If MS would get off their butt and support VMWARE ESX officially as a hardware platform this would open up even more possibilities, such as near immediate full forest recovery even with X domains where X is some crazy number like 20+. In fact, now that I have heard of Server Foundation Architecture at DEC[1] from Stuart Kwan, my battle with IE on DCs is pretty much wrapped up (unless I hear the idea dying) and I appear to have won, so I am going to see if I can take on getting MS to support ESX since they have no competing product. I believe the idea is as solid and just as the idea to get IE/GUI off of servers if you want to run that way.

So anyway, if this is something you are interested in as well, getting ESX server supported as a hardware platform, feel free to ping me offline about it and let me know the kind of business you represent (size, how much MS, etc) so when I start my email campaign and start making a nuisance of myself in the various forums and face to face times with MS Execs I have some numbers and company names behind me. Virtualization is truly where we are going, and MS and Virtual Server is nowhere near the capability of ESX, and I haven't heard anything that would lead me to believe MS is anywhere near to announcing anything like that. This seems to be good for everyone from what I can see: good for the customer as their life will probably become easier and more secure, good for MS because people will buy more product licenses because they can fit more in the data center, good for hardware vendors because they sell better higher end hardware instead of a bunch of the lower end small margin stuff.

Some very large orgs (no names please) I talked to at DEC are all moving forward with ESX solutions even though MS doesn't officially support the platform. They have looked at it and determined that the solution justifies going outside the realm of guaranteed MS Support. That doesn't look good for MS; it is an inability to admit to reality. Sure, don't support VMware Workstation or GSX, we understand, it competes with your own product lines, but you don't have a product like ESX... period. And larger customers are going to want to go ESX versus GSX or Virtual Server. Heck, if you really look at it, you could come up with some pretty good cookie cutter Small Business ESX solutions as well.

joe

[1] When Stuart announced having a DC up and running in the lab on this platform with no GUI/IE there was big time applause from the audience and a tear came to my eye. People were buzzing about it the whole rest of the week. Rick tried to get me in trouble by indicating I could now drop death threats I had out against various MS people, which was completely untrue and of course he was only joking. Luckily he only embarrassed me as I got a shout out from Stuart from the podium; I don't think many people really knew who he was referring to though, because most people don't know my full name. Anyway, I have been exceedingly vocal about this issue to every level of MS Management I have come into contact with for some time now. I mentioned it a little here occasionally, but that wasn't even the tip of the iceberg because I didn't think this list had much power to invoke that change. I was sending notes to folks like Allchin and Nash about it and posting heavily on an MS and MSMVP Security DL about it and was a broken record at the MVP Security Summit last fall and tended to bring it up in nearly every session for several days.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

You can pull the disaster docs at Microsoft (should be off of http://www.microsoft.com/ad ) and re-use a lot of that. There are KB articles as well. As for the original poster's question, the plan is this at the moment: when our
RE: [ActiveDir] AD Database size questions.
Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi, I'm not sure if this is a problem, but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. Because it runs so often, this is about the only thing I can attribute it to, but I'm not sure. There are no errors in the event log, but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?
Steve Schofield
[EMAIL PROTECTED]
[ActiveDir] User Migration...twice
Has anyone successfully migrated user accounts twice, while maintaining SID history both times? We had a group of users migrated from an NT domain to a W2K domain (with SID history, Quest Migrator). We now need to migrate them again from the (now) W2K3 domain to another W2K3 domain. Can we keep both SIDs as SID History? Thanks, rb
Re: [ActiveDir] AD Database size questions.
All the script does is either add users (a few at a time), update one attribute or delete the user. As far as a lot of transactions are concerned, the system was designed to hit a SQL database first and determine what changes need to happen, then go to AD and update information. There aren't a lot of transactions per se against AD. Thanks for the heads up.

Steve

- Original Message -
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 1:19 PM
Subject: RE: [ActiveDir] AD Database size questions.

Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi, I'm not sure if this is a problem, but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups.
Because it runs so often, this is about the only thing I can attribute it to, but I'm not sure. There are no errors in the event log, but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]
[ActiveDir] Domain Groups / users in lab
Hi, I run a domain in a University environment. I currently have 1 domain with all accounts in it: students, faculty, and staff. We have computer labs that any users (students, fac/staff) can use. These computers do not offer roaming profiles and we allow accounts local administrative access. Each lab has its own profile that is specific to their lab and not the user. What I would also like to do is allow faculty/staff members to use the domain for their personal workstations, but I don't want them to have the same GPO as they would have if they were using a computer lab. Do I need to set up a separate domain? Or a child domain? Or is it possible for user OUs to apply to computer groups rather than applying them on the User OU?

Current domain structure example:

mydomain.edu
  mycomputers
    lab1
    lab2
    human resources
    Information Technology
  people
    employees
    students

Thanks,
--
Matt Brown [ SELECT * FROM computers WHERE OS MS ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] Continuity planning and AD
To duplicate ESX, you would have to develop a very stripped and efficient kernel. ESX is actually running a proprietary kernel underneath the hosts and it uses a Linux console OS to control the kernel. This is one of the main reasons why ESX is so much more efficient than VPC or GSX, where the underlying OS is normal Windows. ESX also uses a specialized and very efficient disk format (VMFS) for the actual host files.

Here is the map:
VPC = VM Workstation
Virtual Server = GSX
??? = ESX

The hardware virtualization idea is a HUGE thing and Microsoft needs to get more on board and should have bought VMware when they had the chance. As to the DR scenario (e.g. SunGard), we are in the same boat, and ESX and virtual hosts solve all of the mucking about with dissimilar hardware restores. In fact, because ESX emulates common drivers on the OS install CD you can actually do a physical to virtual restore with a lot less trouble than one would think. In our specific case we are able to use Ntbackup to restore directly a Windows 2000 Dell 2550 to a virtual server on ESX with no special steps.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

Wouldn't it just be easier to expect them to put that ESX functionality in Virtual Server? ;)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I am 150% behind this mechanism. Your up-and-functioning-again time is drastically reduced, as you can recover to any machine that has your virtualization software up and running. This is technology that I have been recommending to the list for probably a couple of years now, along with many others.
Basically you spin up a little site with virtuals of all of your domains, you script their daily (or more often) shutdown and backup. If you get really cute you have multiple DCs of each domain and stagger their shutdown and backup times and maybe even their replication schedules. This also helps with establishing lab forests or safe harbor (aka Life Boat) forests to do real data tests for things like schema updates and such. If MS would get off their butt and support VMWARE ESX officially as a hardware platform this would open up even more possibilities such as near immediate full forest recovery even with X domains where X is some crazy number like 20+. In fact, now that I have heard of Server Foundation Architecture at DEC[1] from Stuart Kwan, my battle with IE on DCs is pretty much wrapped up (unless I hear the idea dying) and I appear to have won so I am going to see if I can take on getting MS to support ESX since they have no competing product. I believe the idea is as solid and just as the idea to get IE/GUI off of servers if you want to run that way. So anyway, if this is something you are interested in as well, getting ESX server supported as a hardware platform, feel free to ping me offline about it and let me know the kind of business you represent (size, how much MS, etc) so when I start my email compaign and start making a nuisance of myself in the various forums and face to face times with MS Execs I have some numbers and company names behind me. Virtualization is truly where we are going and MS and Virtual Server is no where near the capability of ESX and I haven't heard anything that would lead me to believe MS is anywhere near to announcing anything like that. 
This seems to be good for everyone from what I can see, good for the customer as their life will probably become easier and more secure, good for MS because people will buy more product licenses because they can fit more in the data center, good for hardware vendors because they sell better higher end hardware instead of a bunch of the lower end small margin stuff. Some very large orgs (no names please) I talked to at DEC are all moving forward with ESX solutions even though MS doesn't officially support the platform. They have looked at it and determined that the solution justifies going outside the realm of guaranteed MS Support. That doesn't look good for MS, it is inability to admit to reality. Sure don't support vmware workstation or GSX, we understand, it competes with your own productlines, but you don't have a product like ESX... period. And larger customers are going to want to go ESX versus GSX or Virtual Server. Heck if you really look at it, you could come up with some pretty good cookie cutter Small Business ESX solutions as well. joe [1] When Stuart announced having a DC up and running in the lab on this platform with no GUI/IE there was big time applause from the audience and a tear came to my eye. People were buzzing about it the whole rest of the week. Rick tried to get
RE: [ActiveDir] User Migration...twice
Raymond,

I apologize in advance for...
a) not answering your question
b) selfishly replying with another question for my own benefit

Along these lines, is the premise behind sidHistory that it should be somewhat temporary in nature? Shouldn't the organization go back and redo all ACLs (if possible!) and then clean out sidHistory afterwards? Or have I got the concept all wrong and the notion of fixing up so many ACLs absurd?

Thanks!
-DaveC
Reuters CIO Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Migration...twice

Has anyone successfully migrated user accounts twice, while maintaining SID history both times? We had a group of users migrated from an NT domain to a W2K domain (with SID history, Quest Migrator). We now need to migrate them again from the (now) W2K3 domain to another W2K3 domain. Can we keep both SIDs as SID History?

Thanks,
rb

-
Visit our Internet site at http://www.reuters.com
To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
RE: [ActiveDir] AD Database size questions.
Can you give us some insight into the environment more generally:

1) OS/SP of the DCs
2) AD integrated DNS vs. non-AD integrated
3) # of domains
4) Is this happening on DCs in all domains or just one (if more than one domain)

I'd probably start with the obvious... I'd inspect my CN=Deleted Objects container in the affected naming contexts, and see if there were new tombstones appearing. If so, well, you have the culprit. :) Just identify the creation/deletion mechanism and squash it. If there are no tombstones appearing over hours/days, we'd need to investigate a bit further. But if I were playing the odds, that's where I would start.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

All the script does is either add users (a few at a time), update one attribute or delete the user. As far as a lot of transactions are concerned, the system was designed to hit a SQL database first and determine what changes need to happen, then go to AD and update information. There aren't a lot of transactions per se against AD.

Thanks for the heads up.

Steve

- Original Message -
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 1:19 PM
Subject: RE: [ActiveDir] AD Database size questions.

Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi,

I'm not sure if this is a problem but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. This is about the only thing, because it runs so often, I can contribute to it but not sure. There are no errors in the event log but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User Migration...twice
To answer both questions:

Yes, sidHistory is supposed to be temporary but for some that's the lifetime of the product. It's all temporary in the scheme of things, right?

As for can you hold more than one SID in the sidHistory attribute, yes you can.

Additional sIDHistory Information: The sIDHistory is a multivalued attribute of security principals in the Active Directory that may hold up to 850 values (I believe it's gone up, hasn't it?)
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970&Product=winsvr2003

Next logical question to ask: Is it a good idea? I don't think so. Makes troubleshooting a nightmare to say the least.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, March 18, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Migration...twice

Raymond,

I apologize in advance for...
a) not answering your question
b) selfishly replying with another question for my own benefit

Along these lines, is the premise behind sidHistory that it should be somewhat temporary in nature? Shouldn't the organization go back and redo all ACLs (if possible!) and then clean out sidHistory afterwards? Or have I got the concept all wrong and the notion of fixing up so many ACLs absurd?

Thanks!
-DaveC
Reuters CIO Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Migration...twice

Has anyone successfully migrated user accounts twice, while maintaining SID history both times? We had a group of users migrated from an NT domain to a W2K domain (with SID history, Quest Migrator). We now need to migrate them again from the (now) W2K3 domain to another W2K3 domain. Can we keep both SIDs as SID History?

Thanks,
rb
RE: [ActiveDir] Domain Groups / users in lab
All you want is that certain teachers should not have the same GPO applied as the labs? You should be able to do this in several different ways. Are you saying that you do not want the default domain GPO to apply to these teachers? If so then you may want to think about restructuring your GPOs so that any lab policies are not applied at the domain level, but rather to the specific lab OUs themselves.

Dan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, March 18, 2005 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Groups / users in lab

Hi,

I'm running a domain in a University environment. I currently have 1 domain with all accounts in it: students, faculty, and staff. We have computer labs that any users (students, fac/staff) can use. These computers do not offer roaming profiles and we allow accounts local administrative access. Each lab has its own profile that is specific to their lab and not the user.

What I would also like to do is allow faculty/staff members to use the domain for their personal workstations, but I don't want them to have the same GPO as they would have if they were using a computer lab. Do I need to set up a separate domain? Or a child domain? Or is it possible for user OUs to apply to computer groups rather than applying them on the User OU?

Current domain structure example:

mydomain.edu
  mycomputers
    lab1
    lab2
    human resources
    Information Technology
  people
    employees
    students

Thanks,
--
Matt Brown [ SELECT * FROM computers WHERE OS MS ]
Information Technology System Specialist
Eastern Washington University
RE: [ActiveDir] New AD tool hits the web
http://bink.nu/files/limitlogonfaq.htm

joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/18/2005 11:10 AM
Please respond to ActiveDir@mail.activedir.org

To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] New AD tool hits the web

Great! So I guess I will probably look at this to check out the actual implementation. If the data store is AD I can foresee a couple of failure points, not to mention the fact that if AD Dev thought up-to-the-minute updates of user logon info in AD was a good thing, they probably would have done it when they added lastLogonTimeStamp.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, March 18, 2005 3:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Hey Joe,

Hope you are well. From what I can see I think it does use AD to store information; during install it requires to modify/extend the schema. Interesting step if you ask me. You have to modify your schema but the tool is: "Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool)." So after your non-reversible (and yes I know about defunct) schema modification, if something goes wrong which PSS won't support you can be pretty screwed.

C

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 March 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Interesting, does anyone know what it uses for its back end store to keep that info? I hope it isn't AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, March 15, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New AD tool hits the web

FYI,

Hello,

You are receiving this email as you've participated in the LimitLogin beta program.

We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all login information in Active Directory domains (without necessarily enforcing logon quotas). The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a bullet proof solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc) in numerous RFPs etc.

LimitLogin capabilities include:
- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating with the Active Directory MMC snap-ins.
- Ability to delete and log off user sessions remotely straight from the Active Directory Users and Computers MMC snap-in.
- Generating login information reports in CSV (Excel) and XML formats.

Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool).

The public download location is:
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Please send any feedback and questions to [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

We would like to thank you for taking part in this beta program and helping us to improve the final bits.

Thanks
The LimitLogin Team

-Original Message-
From: Matt Brown [EMAIL PROTECTED]
Date: Tue, 15 Mar 2005 09:07:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Isn't that link from the Beta? There is no information on Microsoft's site regarding the product other than through the Beta Site. You can find the beast here:
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Thanks,
--
Matt Brown [ SELECT * FROM computers WHERE OS MS ]
Information Technology System Specialist
Eastern Washington University

--
Sent from my blackberry.
RE: [ActiveDir] AD Database size questions.
I would initially say take a peek at your deleted objects and see if you have a ton of stuff in there. You can use ldp or adfind to do this. Adfind is probably friendlier: you simply specify the -showdel option and look for objects with isDeleted=TRUE, or look in the deleted objects container. Note that by default, you need to have admin rights to see into the deleted objects container in Active Directory.

Something like

  Adfind -b "cn=deleted objects,dc=domain,dc=com" -showdel

will dump all objects (and their attributes) of all tombstoned objects in the domain.com NC.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

All the script does is either add users (a few at a time), update one attribute or delete the user. As far as a lot of transactions are concerned, the system was designed to hit a SQL database first and determine what changes need to happen, then go to AD and update information. There aren't a lot of transactions per se against AD.

Thanks for the heads up.

Steve

- Original Message -
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 1:19 PM
Subject: RE: [ActiveDir] AD Database size questions.

Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi,

I'm not sure if this is a problem but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. This is about the only thing, because it runs so often, I can contribute to it but not sure. There are no errors in the event log but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]
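An added example, not code from the thread: a small Python reader for the kind of dump the adfind command above produces, which counts tombstones by structural class and by day so the creation/deletion mechanism Eric and Aric describe can be pinned down. The layout it assumes (a "dn:" line followed by ">attribute: value" lines, blank line between objects) and the sample dump are constructed; the isDeleted filter drops the container object itself, which a subtree search returns along with the tombstones.

```python
"""Summarise tombstones from a Deleted Objects dump (added example, constructed input)."""
from collections import Counter
from datetime import datetime

# Constructed sample mimicking the assumed adfind -showdel layout. The first entry is the
# container itself (not deleted) and must be filtered out. Deleted RDNs carry the
# "\0ADEL:<guid>" suffix AD appends on deletion. dnsNode tombstones live in whichever
# NC hosts the zone (domain NC or a DNS application partition), so check each NC.
SAMPLE_DUMP = r"""
dn:CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: container

dn:CN=jsmith\0ADEL:c0ffee00-0000-4000-8000-000000000001,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>isDeleted: TRUE
>whenChanged: 20050318140512.0Z

dn:CN=Some Contact\0ADEL:c0ffee00-0000-4000-8000-000000000002,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: contact
>isDeleted: TRUE
>whenChanged: 20050317091500.0Z

dn:DC=lab-pc-01\0ADEL:c0ffee00-0000-4000-8000-000000000003,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: dnsNode
>isDeleted: TRUE
>whenChanged: 20050318020000.0Z

dn:DC=lab-pc-02\0ADEL:c0ffee00-0000-4000-8000-000000000004,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: dnsNode
>isDeleted: TRUE
>whenChanged: 20050318020300.0Z

dn:DC=lab-pc-03\0ADEL:c0ffee00-0000-4000-8000-000000000005,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: dnsNode
>isDeleted: TRUE
>whenChanged: 20050318020700.0Z

dn:DC=lab-pc-04\0ADEL:c0ffee00-0000-4000-8000-000000000006,CN=Deleted Objects,DC=domain,DC=com
>objectClass: top
>objectClass: dnsNode
>isDeleted: TRUE
>whenChanged: 20050317020100.0Z
"""


def parse_dump(text):
    """Split the dump into entries: {'dn': str, 'attrs': {lowercase name: [values]}}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends the current object
            if current:
                entries.append(current)
            current = None
        elif line.startswith("dn:"):
            current = {"dn": line[3:].strip(), "attrs": {}}
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            current["attrs"].setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def tombstones(entries):
    """Keep only objects AD has marked isDeleted=TRUE (drops the container object)."""
    return [e for e in entries if e["attrs"].get("isdeleted", [""])[0].upper() == "TRUE"]


def structural_class(entry):
    """AD lists objectClass from 'top' down; the last value is the structural class."""
    classes = entry["attrs"].get("objectclass", [])
    return classes[-1] if classes else "unknown"


def deletion_day(entry):
    """whenChanged on a tombstone approximates when this DC recorded the deletion."""
    stamps = entry["attrs"].get("whenchanged")
    if not stamps:
        return None
    return datetime.strptime(stamps[0], "%Y%m%d%H%M%S.0Z").date().isoformat()


def summarize(text):
    """Return tombstone counts by class and by day plus the dominant class."""
    ts = tombstones(parse_dump(text))
    by_class = Counter(structural_class(e) for e in ts)
    by_day = Counter(d for d in (deletion_day(e) for e in ts) if d)
    top = by_class.most_common(1)[0][0] if by_class else None
    return {"total": len(ts), "by_class": by_class, "by_day": by_day, "top_class": top}


if __name__ == "__main__":
    report = summarize(SAMPLE_DUMP)
    print("tombstones:", report["total"], "dominant class:", report["top_class"])
    for day, n in sorted(report["by_day"].items()):
        print(day, n)
```

In the constructed sample the dominant tombstone class is dnsNode, the pattern that would point at DNS registration churn rather than the provisioning script.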
RE: [ActiveDir] User Migration...twice
To field the 850 question:

In a forest where forest functional level is still 0, the value of roughly 800 is out there. I say roughly as you'll never hit 800; that's the max # of values on the object more generally, and there are lots of other values already there. When you increase forest functional level to at least 1, that'll jump to ~1300. Again, that's max on the object, so with other values there it'll be less for you.

Finally, I'd point out that more sidHistory values means more SIDs in tokens and such. So if you get too bloated, you have the large token troubleshooting path to go down. That's pretty well understood, but can still be painful for some environments, so I'd consider it before stuffing 200 values in there or something. :)

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 11:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Migration...twice

To answer both questions:

Yes, sidHistory is supposed to be temporary but for some that's the lifetime of the product. It's all temporary in the scheme of things, right?

As for can you hold more than one SID in the sidHistory attribute, yes you can.

Additional sIDHistory Information: The sIDHistory is a multivalued attribute of security principals in the Active Directory that may hold up to 850 values (I believe it's gone up, hasn't it?)
http://support.microsoft.com/default.aspx?scid=kb;en-us;322970&Product=winsvr2003

Next logical question to ask: Is it a good idea? I don't think so. Makes troubleshooting a nightmare to say the least.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Friday, March 18, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Migration...twice

Raymond,

I apologize in advance for...
a) not answering your question
b) selfishly replying with another question for my own benefit

Along these lines, is the premise behind sidHistory that it should be somewhat temporary in nature? Shouldn't the organization go back and redo all ACLs (if possible!) and then clean out sidHistory afterwards? Or have I got the concept all wrong and the notion of fixing up so many ACLs absurd?

Thanks!
-DaveC
Reuters CIO Infrastructure

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Migration...twice

Has anyone successfully migrated user accounts twice, while maintaining SID history both times? We had a group of users migrated from an NT domain to a W2K domain (with SID history, Quest Migrator). We now need to migrate them again from the (now) W2K3 domain to another W2K3 domain. Can we keep both SIDs as SID History?

Thanks,
rb
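An added illustration, not from the thread, of the housekeeping this exchange points at: decode the binary sIDHistory values an account carries, list which retired domains they came from (so ACL fix-up and cleanup can be planned), and flag accounts holding many values, which is the token-bloat concern raised above. The user names, SIDs and the threshold are constructed; the binary SID layout (revision, sub-authority count, 48-bit authority, little-endian sub-authorities) is the standard one.

```python
"""Decode and audit sIDHistory values (added example, constructed input)."""
import struct


def sid_to_string(blob):
    """Convert a binary SID as stored in sIDHistory/objectSid to S-1-... text."""
    if len(blob) < 8 or blob[0] != 1:
        raise ValueError("unsupported SID revision or truncated blob")
    count = blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match blob length")
    authority = int.from_bytes(blob[2:8], "big")          # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % count, blob, 8)     # 32-bit, little-endian
    return "S-1-%d" % authority + "".join("-%d" % s for s in subs)


def sid_from_string(text):
    """Inverse of sid_to_string; used here only to build the constructed sample."""
    parts = text.split("-")
    if parts[:2] != ["S", "1"]:
        raise ValueError("only revision 1 SIDs are supported")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def domain_of(sid_text):
    """Strip the RID: the remaining prefix identifies the (old) domain."""
    return sid_text.rsplit("-", 1)[0]


def sid_history_report(raw_users):
    """raw_users: {sAMAccountName: [binary sIDHistory values]} as read from AD."""
    report = {}
    for user, blobs in raw_users.items():
        sids = [sid_to_string(b) for b in blobs]
        report[user] = {"count": len(sids), "sids": sids,
                        "domains": sorted({domain_of(s) for s in sids})}
    return report


def flag_bloated(report, threshold):
    """Accounts whose history is at or above the chosen threshold (constructed policy value)."""
    return sorted(u for u, r in report.items() if r["count"] >= threshold)


# Constructed sample: an NT4 domain (…-1111-2222-3333) and a W2K domain (…-4444-5555-6666)
# migrated twice, plus a service account that accumulated five historical SIDs.
SAMPLE_RAW = {
    "rb": [sid_from_string("S-1-5-21-1111-2222-3333-1005"),
           sid_from_string("S-1-5-21-4444-5555-6666-1105")],
    "dcliffe": [sid_from_string("S-1-5-21-1111-2222-3333-1044")],
    "svc_sync": [sid_from_string("S-1-5-21-1111-2222-3333-%d" % rid)
                 for rid in range(1200, 1205)],
}

if __name__ == "__main__":
    rep = sid_history_report(SAMPLE_RAW)
    for user, r in rep.items():
        print(user, r["count"], "values from", ", ".join(r["domains"]))
    print("review:", flag_bloated(rep, 5))
```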
[ActiveDir] can anyone help
Can anyone help??

I'm running 2000 Server. I seem to have a problem with files replicating themselves. If I move a document into a folder, the next day I have the document in the folder and a new one where the original was.

Please advise,
RE: [ActiveDir] Continuity planning and AD
Agreed. While it would be nice to see something like this out of MS it isn't something they can put together very quickly; VMware has spent years and years on making this work. People have been deploying AD in droves and are now maturing and hitting several different things that ESX would make much easier to deal with, especially in the DR realm. Once someone has AD deployed and running fairly well they start considering how do I recover if I blow up and how can I duplicate for a lab environment. While this can be done with Virtual Server, it still doesn't have the gains and performance that you can get with ESX due to the fact that ESX is so well optimized for this.

Consider, as Stuart pointed out, Virtual Server and GSX are solutions built on top of an OS. The OS isn't optimized for virtualizing other machines upon itself. It is a full normal user interface OS that has an App running on it which can run other virtual machines. ESX is an OS that is designed from the ground up to only host virtual machines. Take for instance, a poor analogy. You have say a BMW X5 which is a hot rod SUV. It is a great all around vehicle and handles offroad ok and hot rodding ok. However if you are really serious about hot rodding or offroading, you will find other products that will blow the X5 off the map for you for the thing you are interested in. Say a Ferrari or a Jeep Wrangler?

If you want to see a truly amazing display, poke Dean (yes the Dean that posts here) and get him to show you the little automated recovery system he has come up with for ESX that allows very quick rollback of a seed environment or even a full forest if everything is on ESX. He has been working on these mechanisms for a couple of years for his work that he does and the beauty of it is it can be extended to fully account for a complete Intel DR solution for an entire company.

When it truly comes down to it, VMware ESX is simply something that should be considered a piece of hardware from the viewpoint of MS, and VMware should be able to hear from MS how to get onto the HCL and be fully supported.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fuller, Stuart
Sent: Friday, March 18, 2005 2:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

To duplicate ESX, you would have to develop a very stripped and efficient kernel. ESX is actually running a proprietary kernel underneath the hosts and it uses a Linux console OS to control the kernel. This is one of the main reasons why ESX is so much more efficient than VPC or GSX, where the underlying OS is normal Windows. ESX also uses a specialized and very efficient disk format (VMFS) for the actual host files.

Here is the map:

VPC = VM workstation
Virtual Server = GSX
??? = ESX

The hardware virtualization idea is a HUGE thing and Microsoft needs to get more on board and should have bought VMware when they had the chance.

As to the DR scenario (e.g. SunGard), we are in the same boat and ESX and Virtual Hosts solves all of the mucking about with dissimilar hardware restores. In fact, because ESX emulates common drivers on the OS install CD you can actually do a physical to virtual restore with a lot less trouble than one would think. In our specific case we are able to use Ntbackup to restore a Windows 2000 Dell 2550 directly to a virtual server on ESX with no special steps.

-Stuart Fuller

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, March 18, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

Wouldn't it just be easier to expect them to put that ESX functionality in virtual server? ;)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 11:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Continuity planning and AD

I am 150% behind this mechanism. Your up-and-functioning-again time is drastically reduced as you can recover to any machine that has your virtualization software up and running. This is technology that I have been recommending to the list for probably a couple of years now along with many others.

Basically you spin up a little site with virtuals of all of your domains, you script their daily (or more often) shutdown and backup. If you get really cute you have multiple DCs of each domain and stagger their shutdown and backup times and maybe even their replication schedules. This also helps with establishing lab forests or safe harbor (aka Life Boat) forests to do real data tests for things like schema updates and such.

If MS would get off their butt and support VMware ESX officially as a hardware platform this would open up even more possibilities such as near immediate full forest recovery even with X domains where X is some crazy number like 20+. In fact, now that I have
RE: [ActiveDir] AD Database size questions.
I had a conversation with someone this week (name withheld) who mentioned running into an issue with unexpected DIT growth due to the increase in the default tombstone period, I believe in K3 SP1. It was especially relevant to integrated DNS entries. You may not be running SP1, but is there a possibility of lots of new registrations getting added/deleted in DNS since you are integrated? Hopefully a deleted objects scan would show that off.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

I'll also look at the deleted objects. Thanks for the heads-up about the deleted objects.

1) OS/SP of the DCs
Windows 2003 Standard, all security hotfixes up-to-date

2) AD integrated DNS vs. non-AD integrated
AD-integrated DNS

3) # of domains
1 domain (2 DCs)

4) Is this happening on DCs in all domains or just one (if more than one domain)
This is happening on both domain controllers.

- Original Message -
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 2:17 PM
Subject: RE: [ActiveDir] AD Database size questions.

Can you give us some insight into the environment more generally:

1) OS/SP of the DCs
2) AD integrated DNS vs. non-AD integrated
3) # of domains
4) Is this happening on DCs in all domains or just one (if more than one domain)

I'd probably start with the obvious... I'd inspect my CN=Deleted Objects container in the affected naming contexts, and see if there were new tombstones appearing. If so, well, you have the culprit. :) Just identify the creation/deletion mechanism and squash it. If there are no tombstones appearing over hours/days, we'd need to investigate a bit further. But if I were playing the odds, that's where I would start.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

All the script does is either add users (a few at a time), update one attribute or delete the user. As far as a lot of transactions are concerned, the system was designed to hit a SQL database first and determine what changes need to happen, then go to AD and update information. There aren't a lot of transactions per se against AD.

Thanks for the heads up.

Steve

- Original Message -
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 1:19 PM
Subject: RE: [ActiveDir] AD Database size questions.

Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi,

I'm not sure if this is a problem but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. This is about the only thing, because it runs so often, I can contribute to it but not sure. There are no errors in the event log but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]
RE: [ActiveDir] New AD tool hits the web
Cool, thanks for posting that. The hibernate scenario was one I immediately thought of when I started thinking about how this would be implemented and indeed, it is a concern. I don't see this solution as being much better than cconnect based on what is in that FAQ, though I intend to still look over the package. I don't like the fact that the info is getting jammed into AD, even if it is an app partition. They would do better to allow you to specify the store, say AD/AM, SQL Server, or an app partition if you understand the implications of the possible churn and replication involved. Possibly one could fake out the tool and use AD/AM and just publish the appropriate DNS entries and set up the proper crossref values. In a smaller environment I expect this is pretty safe. The larger the environment the more concerned I would be.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 2:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

http://bink.nu/files/limitlogonfaq.htm

"joe" [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/18/2005 11:10 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] New AD tool hits the web

Great! So I guess I will probably look at this to check out the actual implementation. If the data store is AD I can foresee a couple of failure points, not to mention the fact that if AD Dev thought up to the minute updates of user logon info in AD was a good thing, they probably would have done it when they added lastLogonTimeStamp.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, March 18, 2005 3:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Hey Joe,

Hope you are well. From what I can see I think it does use AD to store information; during install it requires you to modify/extend the schema. Interesting step if you ask me. You have to modify your schema but the tool is: "Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool)." So after your non reversible (and yes I know about defunct) schema modification, if something goes wrong which PSS won't support, you can be pretty screwed.

C

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 March 2005 10:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New AD tool hits the web

Interesting, does anyone know what it uses for its back end store to keep that info? I hope it isn't AD.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Tuesday, March 15, 2005 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New AD tool hits the web

FYI,

Hello,

You are receiving this email as you've participated in the LimitLogin beta program. We are happy to announce the availability of LimitLogin v1.0, an application that adds the ability to limit concurrent interactive user logons in an Active Directory domain. It can also keep track of all logins information in Active Directory domains (without necessarily enforcing logons quotas).

The challenge of limiting concurrent logons in a distributed environment is huge, and although LimitLogin is not a "bullet proof" solution to all the aspects of this challenge, many customers might still find this tool helpful, as this capability has been highly requested by different customers (banks, ISPs, libraries etc) in numerous RFPs etc.

LimitLogin capabilities include:
- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating to the Active Directory MMC snap-ins.
- Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.
- Generating Login information reports in CSV (Excel) and XML formats.

Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool).

The public download location is:
http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Please send any feedback and questions to [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

We would like to thank you for taking part in this beta program and helping us to improve the final
Re: [ActiveDir] New AD tool hits the web
Can anyone help?? I'm running 2000 Server w/ RAID 5. I seem to have a problem with files replicating themselves. If I move a document into a folder, the next day I have the document in the folder and a new one where the original was. Any thoughts? Please advise,

Ryan Gallegos
McMath, Woods P.A

----- Original Message -----
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 2:18 PM
Subject: RE: [ActiveDir] New AD tool hits the web
RE: [ActiveDir] AD Database size questions.
We didn't change TSL for existing deployments. I'd be interested in hearing more about this issue. And since SP1 isn't RTM'd yet, I hope this unnamed someone hit it in a lab, not in production (unless they are in those beta programs where you run in production). :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.
RE: [ActiveDir] AD Database size questions.
Actually I was intending to contact you offline about this and some other stuff, as they are playing with 64 bit and I thought you would like to talk to them. Stay tuned. Trying to catch up in various locations for my DEC outage and then I will start up some new threads on a few things. :o)

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.
Re: [ActiveDir] AD Database size questions.
Hi Eric

This is happening in a production environment. I ran Joe's adfind utility for a while and was piping out to a file before I stopped it. The file was almost 400 meg. If you want to contact me off-list, email me at [EMAIL PROTECTED] Let me know if you have any other questions.

Thank you,

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 4:21 PM
Subject: RE: [ActiveDir] AD Database size questions.
RE: [ActiveDir] AD Database size questions.
Safe to say, it is at least in part deleted objects then. :)

Perhaps the approach could be: mark your current USN sequence number of a single DC in the environment now. Some time later (after some growth), search deleted objects for all objects with usnChanged > that marked number from above. Or you could search the whole NC for deleted objects with that sequence number if you want to catch it all. Repadmin also wraps up this logic quite nicely if you'd like.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.
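Eric's USN watermark approach, as an added example that is not part of the thread: a Python script that takes an LDIF-style export of CN=Deleted Objects (constructed sample; the attribute names isDeleted, usnChanged, whenChanged and objectClass are real AD attributes, the DNs, USNs and timestamps are made up) and reports the tombstones created after a recorded USN, broken down by object class and naming context, which is what separates the five-minute user script from DNS registration churn. It assumes the export was taken from the same DC whose USN was recorded, with the show-deleted LDAP control; the tombstone lifetime used for the purge estimate is a placeholder.

```python
"""Tombstones created since a USN watermark, from an export of
CN=Deleted Objects.  Added example, not from the thread: the export text
is constructed (real attribute names, made-up DNs, USNs and times); a
real one comes from an LDAP search of each naming context with the
show-deleted control (1.2.840.113556.1.4.417), e.g. adfind or ldifde.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SAMPLE_EXPORT = """\
dn: CN=jsmith\\0ADEL:11111111-1111-1111-1111-111111111111,CN=Deleted Objects,DC=example,DC=com
objectClass: top
objectClass: user
isDeleted: TRUE
usnChanged: 120450
whenChanged: 20050318150000.0Z

dn: CN=host42\\0ADEL:22222222-2222-2222-2222-222222222222,CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: dnsNode
isDeleted: TRUE
usnChanged: 120460
whenChanged: 20050318150500.0Z

dn: CN=host43\\0ADEL:33333333-3333-3333-3333-333333333333,CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
objectClass: top
objectClass: dnsNode
isDeleted: TRUE
usnChanged: 120470
whenChanged: 20050318151000.0Z

dn: CN=olduser\\0ADEL:44444444-4444-4444-4444-444444444444,CN=Deleted Objects,DC=example,DC=com
objectClass: top
objectClass: user
isDeleted: TRUE
usnChanged: 99000
whenChanged: 20050101120000.0Z
"""


def parse_ldif(text):
    """Split an LDIF-style export into records; every attribute is a list."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")  # first ':' only; DNs hold more
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def naming_context(dn):
    """The part of the DN after the CN=Deleted Objects RDN."""
    marker = "CN=Deleted Objects,"
    idx = dn.find(marker)
    return dn[idx + len(marker):] if idx >= 0 else dn


def parse_generalized_time(value):
    """whenChanged is GeneralizedTime, e.g. 20050318150000.0Z (UTC)."""
    stamp = datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S")
    return stamp.replace(tzinfo=timezone.utc)


def new_tombstones(records, usn_watermark):
    """Deleted objects whose usnChanged is above the watermark noted earlier
    on the same DC (USNs are per-DC, so query the DC you marked)."""
    return [rec for rec in records
            if rec.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
            and int(rec["usnChanged"][0]) > usn_watermark]


def summarize(tombstones):
    """Count by most-specific objectClass and by naming context: this is
    what separates a user-provisioning script from DNS record churn."""
    by_class = Counter(rec["objectClass"][-1] for rec in tombstones)
    by_nc = Counter(naming_context(rec["dn"][0]) for rec in tombstones)
    return by_class, by_nc


def purge_after(rec, tombstone_lifetime_days):
    """Approximate time garbage collection may reclaim the tombstone.  Take
    the real lifetime from the forest's tombstoneLifetime attribute on
    CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...;
    the 60 days used below is a placeholder, not a value from the thread."""
    deleted_at = parse_generalized_time(rec["whenChanged"][0])
    return deleted_at + timedelta(days=tombstone_lifetime_days)


if __name__ == "__main__":
    WATERMARK = 120000  # constructed: the highestCommittedUsn noted earlier
    found = new_tombstones(parse_ldif(SAMPLE_EXPORT), WATERMARK)
    by_class, by_nc = summarize(found)
    print("tombstones since USN %d: %d" % (WATERMARK, len(found)))
    print("by class:", dict(by_class))
    print("by naming context:", dict(by_nc))
    for rec in found:
        rdn = rec["dn"][0].split(",")[0]
        print(rdn, "purgeable after", purge_after(rec, 60).date())
```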
Re: [ActiveDir] AD Database size questions.
Hi Eric,

Thanks for the follow-up. One question: if this is left unchecked, will the AD database over a course of time correct itself in purging these old records? I'm not sure what you are describing without looking it up. I can look on http://microsoft.com/technet or search the Internet for how to do this. If you happen to know an article I can refer to, I would appreciate that. After seeing how big that file was I almost knew that was probably the root problem. This is the first time I've experienced this so I'm taking things slow, trying to understand the problem before doing anything crazy that would break AD. At worst case, if I'm still unsure I'll call PSS.

Thank you,

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 5:40 PM
Subject: RE: [ActiveDir] AD Database size questions.
Re: [ActiveDir] AD Database size questions.
Hi Eric,

Just to follow up on your question about beta software. I haven't installed SP1 and NO beta software is installed on either DC. If I were to install beta software it would be in the lab, NOT production. :)

Steve

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 4:21 PM
Subject: RE: [ActiveDir] AD Database size questions.

We didn't change TSL for existing deployments. I'd be interested in hearing more about this issue. And since SP1 isn't RTM'd yet, I hope this unnamed someone hit it in a lab, not in production (unless they are in those beta programs where you run in production). :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.

I had a conversation with someone this week (name withheld) who mentioned running into an issue with unexpected DIT growth due to the increase in the default tombstone period, I believe in K3 SP1. It was especially relevant to integrated DNS entries. You may not be running SP1, but is there a possibility of lots of new registrations getting added/deleted in DNS since you are integrated? Hopefully a deleted objects scan would show that off.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

I'll also look at the deleted objects. Thanks for the heads-up about the deleted objects.

1) OS/SP of the DCs
Windows 2003 Standard, all security hotfixes up-to-date
2) AD integrated DNS vs. non-AD integrated
AD-integrated DNS
3) # of domains
1 domain (2 DCs)
4) Is this happening on DCs in all domains or just one (if more than one domain)
This is happening on both domain controllers.

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 2:17 PM
Subject: RE: [ActiveDir] AD Database size questions.

Can you give us some insight into the environment more generally:
1) OS/SP of the DCs
2) AD integrated DNS vs. non-AD integrated
3) # of domains
4) Is this happening on DCs in all domains or just one (if more than one domain)

I'd probably start with the obvious... I'd inspect my CN=Deleted Objects container in the affected naming contexts, and see if there were new tombstones appearing. If so, well, you have the culprit. :) Just identify the creation/deletion mechanism and squash it. If there are no tombstones appearing over hours/days, we'd need to investigate a bit further. But if I were playing the odds, that's where I would start.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 11:08 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

All the script does is either add users (a few at a time), update one attribute, or delete the user. As far as a lot of transactions are concerned, the system was designed to hit a SQL database first and determine what changes need to happen, then go to AD and update information. There aren't a lot of transactions per se against AD. Thanks for the heads up.

Steve

----- Original Message -----
From: Bernard, Aric [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 1:19 PM
Subject: RE: [ActiveDir] AD Database size questions.

Not knowing what your script does for sure, keep in mind that as objects are deleted they are first 'tombstoned' before being purged. Therefore the space initially used by the object prior to being deleted is not completely available for reuse; a portion of it will continue to be consumed by the tombstone object until the tombstone lifetime has expired and the object has been purged.

I had a customer that was testing scripts against their production AD and saw growth of the DIT to the tune of several GB over the course of a week. Their script created 200,000 user/contact objects in an OU and then processed them in several different ways. After the completion of the script, the results would be analyzed and then the objects would be deleted for another try...

Regards,
Aric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 10:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi,

I'm not sure if this is a problem, but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every
RE: [ActiveDir] AD Database size questions.
Hi Steve,

Take a look at this article on tombstoned objects and defragging the DIT:
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbg_dat_namy.asp
tinyurl: http://tinyurl.com/4goey

Looking at the other threads, I notice you have 2k3. Although these docs are geared towards 2k, I believe the same principles still apply.

William

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: 18 March 2005 18:02
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Database size questions.

Hi,

I'm not sure if this is a problem, but something seems not exactly right with the size of my AD database. AD has about 10,000 user IDs and a few servers. The size of the AD database over the last few days has grown from 900 meg to 1.4 gig. We haven't added a lot more objects to cause this type of growth. We do have a script that runs every 5 minutes that adds, updates, removes users that are used by a program that does LDAP look-ups. This is about the only thing, because it runs so often, I can contribute to it, but not sure. There are no errors in the event log, but the growth of 500 meg in a few days concerns me. I looked around and didn't find much pertaining to this subject. Any thoughts, suggestions on determining whitespace in the AD database?

Steve Schofield
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please do not distribute, copy or use this communication or the information.
RE: [ActiveDir] Creating a backlink and forwardlink
Thanks Eric,

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 9:16 AM
To: 'Eric Fleischman'; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ah. Ok, I have submitted a request to MSDN to get the linkID schema attribute page updated with some info on this functionality and also submitted a request to the MSKB people to get it documented as well.

joe

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:05 PM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I actually meant with this customer about their particular schema extension.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I am guessing you mean an offline thread to get this officially documented?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it.

I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok, my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I think the question was: the number that I used as my sample linkID, is that a special number or should you use your own? The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which will create link IDs for you. Don't think of the linkID value I used as an OID, think of it as magical and special. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sure, but if you are on Windows 2003 or AD/AM you don't have to. That is the beauty of this: that OID causes AD to autogenerate a link ID that is guaranteed unique. The only reasons you should really use linkids you get from MS anymore is if you do make decisions based on linkid values (not just the existence of) or you need to use the schema mods on Windows 2000 AD.

BTW, I believe I do recall you from DEC even with my old failing memory. :oP

joe
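A check a practitioner would want after relying on the auto-generation Eric and joe describe: read back the linkIDs AD assigned to the new forward/back link pair and verify they pair up and collide with nothing else in the schema. This is an added example, not code from the thread or from Eric's blog; it assumes a domain-joined host with System.DirectoryServices available, and the two attribute names are placeholders for your own ldapDisplayNames.

```powershell
# Added example (not from the thread): verify the linkIDs AD generated for a
# forward/back link pair after the LDIF import. Attribute names are assumptions.
param(
    [string]$ForwardAttr = "example-ForwardLink",   # assumption: your forward link attribute
    [string]$BackAttr    = "example-BackLink"       # assumption: your back link attribute
)

Add-Type -AssemblyName System.DirectoryServices

# Locate the schema NC of the forest this host belongs to.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"].Value
$schema   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")

function Get-LinkId([string]$ldapDisplayName) {
    # Read the linkID attribute of one attributeSchema object.
    $s = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $s.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))"
    [void]$s.PropertiesToLoad.Add("linkID")
    $r = $s.FindOne()
    if ($null -eq $r) { throw "Attribute $ldapDisplayName not found in the schema." }
    if ($r.Properties["linkid"].Count -eq 0) {
        throw "$ldapDisplayName has no linkID, so it is not a linked attribute."
    }
    [int]$r.Properties["linkid"][0]
}

$fwd  = Get-LinkId $ForwardAttr
$back = Get-LinkId $BackAttr

# Forward links carry even linkIDs; the matching back link is forward + 1.
if ($fwd % 2 -ne 0) {
    throw "$ForwardAttr has odd linkID $fwd; it was not created as a forward link."
}
if ($back -ne $fwd + 1) {
    throw "$BackAttr linkID $back does not pair with $ForwardAttr linkID $fwd."
}

# Uniqueness check: no other attribute may reuse either ID.
$s = New-Object System.DirectoryServices.DirectorySearcher($schema)
$s.Filter = "(&(objectClass=attributeSchema)(|(linkID=$fwd)(linkID=$back)))"
[void]$s.PropertiesToLoad.Add("lDAPDisplayName")
$owners = @($s.FindAll() | ForEach-Object { [string]$_.Properties["ldapdisplayname"][0] })
if ($owners.Count -ne 2) {
    throw "linkIDs $fwd/$back are shared by: $($owners -join ', ')"
}

"OK: $ForwardAttr=$fwd (forward link), $BackAttr=$back (back link)"
```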
RE: [ActiveDir] Creating a backlink and forwardlink
Thanks Joe,

Out of curiosity, how do you go about submitting a request to MSDN?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 9:16 AM
To: 'Eric Fleischman'; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ah. Ok, I have submitted a request to MSDN to get the linkID schema attribute page updated with some info on this functionality and also submitted a request to the MSKB people to get it documented as well.

joe

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:05 PM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I actually meant with this customer about their particular schema extension.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I am guessing you mean an offline thread to get this officially documented?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it.

I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok, my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I think the question was: the number that I used as my sample linkID, is that a special number or should you use your own? The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which will create link IDs for you. Don't think of the linkID value I used as an OID, think of it as magical and special. :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 04, 2005 6:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Sure, but if you are on Windows 2003 or AD/AM you don't have to. That is the beauty of this: that OID causes AD to autogenerate a link ID that is guaranteed unique. The only reasons you should really use linkids you get from MS anymore is if you do make decisions based on linkid values (not just the existence of) or you need to use the schema mods on Windows 2000 AD.

BTW, I believe I do
[ActiveDir] Active Directory Lab Recommendations
Wondering what others use for an Active Directory lab environment. Would like to build an AD lab for our QA people that can easily be rolled back prior to testing changes. Currently considering options such as Ghost and/or full restores. Anybody got any good ideas?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Directory Services Identify Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**
RE: [ActiveDir] Active Directory Lab Recommendations
How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheaper than using a disk imaging utility and a slew of physical machines.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Lab Recommendations

Wondering what others use for an Active Directory lab environment. Would like to build an AD lab for our QA people that can easily be rolled back prior to testing changes. Currently considering options such as Ghost and/or full restores. Anybody got any good ideas?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Directory Services Identify Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**
RE: [ActiveDir] Creating a backlink and forwardlink
MSDN requests are pretty easy: just go to one of the MSDN pages, preferably something closely related, and click the "What do you think of this topic" link, which will either create an email or open a web page. For this particular item, I clicked the button from
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_linkid.asp

For MSKB items, if you find an issue contact your local MVP, as they can all go to a special newsgroup and request updates.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 18, 2005 7:41 PM
To: ActiveDir@mail.activedir.org; Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Thanks Joe,

Out of curiosity, how do you go about submitting a request to MSDN?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 9:16 AM
To: 'Eric Fleischman'; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ah. Ok, I have submitted a request to MSDN to get the linkID schema attribute page updated with some info on this functionality and also submitted a request to the MSKB people to get it documented as well.

joe

-----Original Message-----
From: Eric Fleischman [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:05 PM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I actually meant with this customer about their particular schema extension.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I am guessing you mean an offline thread to get this officially documented?

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 18, 2005 11:06 AM
To: joe; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

There's an offline thread on this, we should be all set.

~Eric

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, March 18, 2005 12:15 AM
To: ActiveDir@mail.activedir.org
Cc: Eric Fleischman
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Eric is from Microsoft. He was an AD CPR engineer (recently changed), which means he was actually debugging AD failures, like looking at the actual bits and bytes flying about. There are quite a few things available that aren't fully documented or documented at all. Just having a 2K3 DC as the schema master should be enough, though I haven't tried this yet. If it was a requirement I expect Eric would have mentioned it.

I do trust Eric almost implicitly, which I don't with a lot of people. If you are seriously concerned, it is a guess, but you could spin up AD/AM and try it there. I would expect it will work there as well.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 09, 2005 12:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Ok, my LDIF file is done and I'm ready to pull the trigger in my development environment; however, I have a couple of questions. Does anyone know what functional level is required to use this feature? 2K3 Forest or Domain? Or is having a 2K3 DC enough? I'm also a little worried about the lack of documentation from Microsoft. I always get a wee bit worried when it comes to undocumented features :) Has anyone actually done this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

My blog had documentation innovation I tell you. I'm on the bleeding edge. Be careful, or you might get a papercut just reading it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Friday, March 04, 2005 8:53 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

Got it. I love magical programming features :) You guys rock! I did a bunch of googles on this subject and came up with nothing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, March 04, 2005 6:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Creating a backlink and forwardlink

I think the question was: the number that I used as my sample linkID, is that a special number or should you use your own? The answer is yes, it is. Use the exact linkID value I used for the creation of the forward link. That value triggers this special code path which
RE: [ActiveDir] Active Directory Lab Recommendations
Absolutely. Done right you can easily script quick rollback, or bring in consulting expertise to help with it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, March 18, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheaper than using a disk imaging utility and a slew of physical machines.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Lab Recommendations

Wondering what others use for an Active Directory lab environment. Would like to build an AD lab for our QA people that can easily be rolled back prior to testing changes. Currently considering options such as Ghost and/or full restores. Anybody got any good ideas?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Directory Services Identify Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**
RE: [ActiveDir] AD Database size questions.
It'll purge those objects after TSL, yes. But note that the db won't shrink w/o an offline defrag. In the absence of an offline defrag, we'll move free space to the side and use it when we really mean to grow. So you'll experience a long period of db consistency in size, but not actual shrinkage. To reclaim the disk space, offline defrag the db.

To know how much white space you have (white space == term used to describe free space in the db that would be reclaimed with an offline defrag) you turn up garbage collection logging.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

Hi Eric,

Thanks for the follow-up. One question: if this is left unchecked, will the AD database over the course of time correct itself in purging these old records? I'm not sure what you are describing without looking it up. I can look on http://microsoft.com/technet or search the Internet for how to do this. If you happen to know an article I can refer to, I would appreciate that. After seeing how big that file was I almost knew that was probably the root problem. This is the first time I've experienced this, so I'm taking things slow, trying to understand the problem before doing anything crazy that would break AD. At worst case, if I'm still unsure I'll call PSS.

Thank you,

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 5:40 PM
Subject: RE: [ActiveDir] AD Database size questions.

Safe to say, it is at least in part deleted objects then. :)

Perhaps the approach could be: mark your current USN sequence number of a single DC in the environment now. Some time later (after some growth), search deleted objects for all objects with usnChanged > that marked number from above. Or you could search the whole NC for deleted objects with that sequence number if you want to catch it all. Repadmin also wraps up this logic quite nicely if you'd like.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

Hi Eric,

This is happening in a production environment. I ran Joe's adfind utility for a while and was piping out to a file before I stopped it. The file was almost 400 meg. If you want to contact me off-list, email me at [EMAIL PROTECTED]. Let me know if you have any other questions.

Thank you,

Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP
http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 4:21 PM
Subject: RE: [ActiveDir] AD Database size questions.

We didn't change TSL for existing deployments. I'd be interested in hearing more about this issue. And since SP1 isn't RTM'd yet, I hope this unnamed someone hit it in a lab, not in production (unless they are in those beta programs where you run in production). :)

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 12:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.

I had a conversation with someone this week (name withheld) who mentioned running into an issue with unexpected DIT growth due to the increase in the default tombstone period, I believe in K3 SP1. It was especially relevant to integrated DNS entries. You may not be running SP1, but is there a possibility of lots of new registrations getting added/deleted in DNS since you are integrated? Hopefully a deleted objects scan would show that off.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Friday, March 18, 2005 2:57 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

I'll also look at the deleted objects. Thanks for the heads-up about the deleted objects.

1) OS/SP of the DCs
Windows 2003 Standard, all security hotfixes up-to-date
2) AD integrated DNS vs. non-AD integrated
AD-integrated DNS
3) # of domains
1 domain (2 DCs)
4) Is this happening on DCs in all domains or just one (if more than one domain)
This is happening on both domain controllers.

----- Original Message -----
From: Eric Fleischman [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, March 18, 2005 2:17 PM
Subject: RE: [ActiveDir] AD Database size questions.

Can you give us some insight into the environment more generally:
1) OS/SP of the
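The USN-marking procedure Eric outlines above, written out as an added example (not code from the thread or from Eric): the first run records one DC's highestCommittedUSN, a later run against the same DC lists every tombstone whose usnChanged is above that mark and groups them by class and former parent container, which is where the creation/deletion mechanism usually shows itself. It assumes a domain-joined Windows host with System.DirectoryServices available; the DC name and marker file path are assumptions.

```powershell
# Added example (not from the thread): find tombstones created since a marked USN.
# Assumptions: $DC is one DC you always query (USNs are per-DC and not
# comparable across DCs); $MarkerFile is where the mark is kept between runs.
param(
    [string]$DC         = "dc1.example.com",            # assumption
    [string]$MarkerFile = "$env:TEMP\usn-marker.txt"    # assumption
)

Add-Type -AssemblyName System.DirectoryServices

# Read the DC's current highestCommittedUSN and the domain NC from RootDSE.
$rootDse    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DC/RootDSE")
$currentUsn = [int64]$rootDse.Properties["highestCommittedUSN"].Value
$domainNc   = [string]$rootDse.Properties["defaultNamingContext"].Value

if (-not (Test-Path $MarkerFile)) {
    # First run: record the mark and stop; come back after some growth.
    "$DC`t$currentUsn" | Set-Content $MarkerFile
    Write-Host "Marked USN $currentUsn on $DC; run again after the DIT has grown."
    return
}

$markedDc, $markedUsn = (Get-Content $MarkerFile) -split "`t"
if ($markedDc -ne $DC) {
    throw "Mark was taken on $markedDc, not $DC; USNs are not comparable across DCs."
}

# Search the whole domain NC (not just CN=Deleted Objects) for tombstones
# changed after the mark. Tombstone = $true sends the LDAP "show deleted
# objects" control, without which the search cannot see tombstones.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DC/$domainNc")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Tombstone   = $true
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000     # page results; a busy NC can hold far more than 1000 tombstones
$searcher.Filter      = "(&(isDeleted=TRUE)(usnChanged>=$markedUsn))"
"objectClass", "lastKnownParent", "usnChanged", "whenChanged" |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$tombstones = @(foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        # objectClass lists the hierarchy top-down, so the last value is the concrete class.
        Class  = [string]($r.Properties["objectclass"] | Select-Object -Last 1)
        Parent = [string]($r.Properties["lastknownparent"] | Select-Object -First 1)
        Usn    = [int64]($r.Properties["usnchanged"] | Select-Object -First 1)
        When   = $r.Properties["whenchanged"] | Select-Object -First 1
    }
})

Write-Host ("{0} tombstones since USN {1} on {2} (DC is now at USN {3})" -f `
    $tombstones.Count, $markedUsn, $DC, $currentUsn)

# The (class, former parent) pair that accumulates the most tombstones points
# at the creation/deletion mechanism to squash, e.g. a provisioning script's
# OU or an AD-integrated DNS zone churning registrations.
$tombstones | Group-Object Class, Parent | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

Run it once to take the mark, then again against the same DC after the growth you are chasing; the grouped output is the "new tombstones appearing" check Eric describes, with the container that owns them attached.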
RE: [ActiveDir] Active Directory Lab Recommendations
I've seen a slew of production and lab scenario requests over the past year or so, many of which I've offered non-technology specific recommendations for ... more recently I've focused my efforts on a non-Microsoft solution that I developed for MSEtechnology, used for some time in the remote learning arena, named ECbox (originally defined as "Electronic Classroom in a Box", though more recently internally-colloquially known as "Enterprise Computing in a Box"). The solution was designed from its inception to provide a means of snapshotting a distributed environment whose services impose a potential requirement to roll back the entire distributed implementation to an earlier point in time (lock, stock and, hopefully not too-smoking, barrel).

As I mentioned, the ECbox is used extensively for remote learning, but MSEtechnology has also deployed it as a platform around which our own internal technology services are housed. Simply put, the ECbox is a solution built upon VMware ESX Server containing server (and administrative client-side mods.) designed specifically to tailor ESX's feature set to the demands of collective groups of dependent computers (e.g. a distributed database such as Active Directory). For the sake of example, MSEtechnology is able to roll its entire Directory, Web and Messaging service (though our requirements are comparatively small, the scale is something of an irrelevant factor in rollback capability and time) back to a multitude of daily earlier points in time (MSEtechnology's current capacity/requirement allows for a couple of weeks).

Hope this proves useful.

Regards.
Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Friday, March 18, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheaper than using a disk imaging utility and a slew of physical machines.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Lab Recommendations

Wondering what others use for an Active Directory lab environment. Would like to build an AD lab for our QA people that can easily be rolled back prior to testing changes. Currently considering options such as Ghost and/or full restores. Anybody got any good ideas?

Thank You! And have a nice day!

**
Mark Lunsford
KAISER PERMANENTE
Directory Services Identify Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
**
RE: [ActiveDir] Active Directory Lab Recommendations
... forgot to mention that any number of rollbacks within the available timeframe takes (in our configuration) only minutes (the most costly demand on the time to return to ready state is the OS's bootstrap).

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Friday, March 18, 2005 8:59 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

I've seen a slew of production and lab scenario requests over the past year or so, many of which I've offered non-technology-specific recommendations for ... more recently I've focused my efforts on a non-Microsoft solution that I developed for MSEtechnology, used for some time in the Remote Learning arena, named ECbox (originally defined as "Electronic Classroom in a Box" though more recently internally-colloquially known as "Enterprise Computing in a Box"). The solution was designed from its inception to provide a means of snapshotting a distributed environment whose services impose a potential requirement to roll back the entire distributed implementation to an earlier point in time (lock, stock and, hopefully not too-smoking, barrel).

As I mentioned, the ECbox is used extensively for remote learning but MSEtechnology has also deployed it as a platform around which our own internal technology services are housed. Simply put, the ECbox is a solution built upon VMware ESX Server containing server (and administrative client-side mods.) designed specifically to tailor ESX's feature set to the demands of collective groups of dependent computers (e.g. a distributed database such as Active Directory).

For the sake of example, MSEtechnology is able to roll its entire Directory, Web and Messaging service (though our requirements are comparatively small, the scale is something of an irrelevant factor in rollback capability and time) back to a multitude of daily earlier points in time (MSEtechnology's current capacity/requirement allows for a couple of weeks).

Hope this proves useful.

Regards.

Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bernard, Aric
Sent: Friday, March 18, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Active Directory Lab Recommendations

How about MSVS 2005, MSVPC 2004, or VMWare (pick your flavor) with undo disks? From my experience this is a lot faster and typically cheaper than using a disk imaging utility and a slew of physical machines.

Regards,
Aric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 18, 2005 4:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active Directory Lab Recommendations

Wondering what others use for an Active Directory lab environment. Would like to build an AD lab for our QA people that can easily be rolled back prior to testing changes. Currently considering options such as Ghost and/or full restores. Anybody got any good ideas?

Thank You! And have a nice day!

Mark Lunsford
KAISER PERMANENTE
Directory Services Identity Management (DSIM/NOS)
Email: [EMAIL PROTECTED]
Outside Phone: 925-926-5898
Tie Line Phone: 8-473-5898
Cell: 925-200-0047
Remedy Group: NOPS SCRTY DSIM NOS
RE: [ActiveDir] Workstation Add User
Two things I stupidly overlooked.

1. I didn't have advanced options on in ADUC and didn't even think to look for the owner there since the security tab wasn't there ... REALLY stupid of me to overlook that.
2. I had an older version of ADFIND which didn't have the -owner option.

By the way: Joe ... you are a GOD for creating that tool!!!

Thanks again guys for your help

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, March 18, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

You want to look at security and look at the ACL Owner. Also if you just look at the DACL portion of the ACL you may see an ACE or multiple ACEs for the specific user who created the object.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

Owner of the computer? I see no such attribute, what am I missing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thorbjörn Sjövold
Sent: Monday, March 14, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

When the computer object is created the Owner of the computer object is the user that added the computer, but of course this is a value that can be changed if someone has the correct permissions. And another thing that might spoil your statistics is that if a member of Domain Admins adds the computer then Domain Admins is the owner and not the specific administrator.

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Specops Deploy, Takes Group Policy Based Software Deployment to the next level

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstation Add User

Is there a way to tell who added a machine to the domain? I would like to do this to get some statistics on who is actually adding machines.

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Workstation Add User
LOL. Glad you find it useful. I have to admit that it is my favorite command line AD query tool. :oP

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Saturday, March 19, 2005 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

Two things I stupidly overlooked.

1. I didn't have advanced options on in ADUC and didn't even think to look for the owner there since the security tab wasn't there ... REALLY stupid of me to overlook that.
2. I had an older version of ADFIND which didn't have the -owner option.

By the way: Joe ... you are a GOD for creating that tool!!!

Thanks again guys for your help

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Friday, March 18, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

You want to look at security and look at the ACL Owner. Also if you just look at the DACL portion of the ACL you may see an ACE or multiple ACEs for the specific user who created the object.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 2:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

Owner of the computer? I see no such attribute, what am I missing?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thorbjörn Sjövold
Sent: Monday, March 14, 2005 2:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstation Add User

When the computer object is created the Owner of the computer object is the user that added the computer, but of course this is a value that can be changed if someone has the correct permissions. And another thing that might spoil your statistics is that if a member of Domain Admins adds the computer then Domain Admins is the owner and not the specific administrator.

Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com
Specops Deploy, Takes Group Policy Based Software Deployment to the next level

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas M. Long
Sent: Monday, March 14, 2005 7:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstation Add User

Is there a way to tell who added a machine to the domain? I would like to do this to get some statistics on who is actually adding machines.
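The check the thread arrives at (read the ACL owner of each computer object, remembering that a Domain Admins member shows up as the group rather than the individual), as an added example that is not part of the thread: a PowerShell report of joins per owner. It assumes the RSAT ActiveDirectory module; the search base is a placeholder, and the mS-DS-CreatorSID lookup is a standard attribute I have added that the thread does not mention.

```powershell
# Added example, not from the thread. Reports the security-descriptor owner of each
# computer object (what ADUC shows under Advanced > Security, and ADFIND's -owner),
# which is the account that joined the machine unless someone changed it since,
# plus the caveat raised in the thread: admin joins show "Domain Admins" as owner.
# Assumes the RSAT ActiveDirectory module; the search base is a placeholder.
Import-Module ActiveDirectory

function Get-ComputerOwnerReport {
    param([string]$SearchBase = 'OU=Workstations,DC=example,DC=com')  # placeholder

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties nTSecurityDescriptor, whenCreated, 'mS-DS-CreatorSID' |
    ForEach-Object {
        # nTSecurityDescriptor is an ActiveDirectorySecurity object; .Owner is the
        # owner field of the object's ACL, e.g. "CONTOSO\jdoe" or "CONTOSO\Domain Admins".
        $owner = $_.nTSecurityDescriptor.Owner

        # mS-DS-CreatorSID (standard AD attribute, not mentioned in the thread) records
        # the joining user only when a non-admin joined under ms-DS-MachineAccountQuota;
        # it is empty for admin joins and is not affected by later owner changes.
        $creator = $null
        $raw = $_.'mS-DS-CreatorSID'
        if ($raw) {
            $sid = if ($raw -is [byte[]]) {
                New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
            } else { [System.Security.Principal.SecurityIdentifier]$raw }
            try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $creator = $sid.Value }   # orphaned SID: the account was since deleted
        }

        [pscustomobject]@{
            Name         = $_.Name
            WhenCreated  = $_.whenCreated
            Owner        = $owner
            CreatorSid   = $creator
            # A group owner means the individual admin cannot be recovered from the owner alone.
            OwnerIsGroup = [bool]($owner -match '\\(Domain Admins|Enterprise Admins|Administrators)$')
        }
    }
}

# The statistics the original poster asked for: joins per owner, most active first.
Get-ComputerOwnerReport | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Rows with OwnerIsGroup set and an empty CreatorSid are the joins the owner field alone cannot attribute to a person; for those, the domain controller's account-management audit log at WhenCreated is the remaining source.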