RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread Glenn Corbett
Thanks for the quick response Steve, might keep an eye on it.
 
G.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ramsay, Steve
Sent: Thursday, 24 March 2005 11:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

The Information Store is set to "No local delivery" so all emails are pushed
up to the MTA.  MTA is set for Site-level journaling.  This issue first
occurred within a few months of introducing Exchange journaling.  It is by
no means conclusive that this is the cause, however I've never seen/heard of
this issue before in any other company I've worked for.

I only noticed it because it happened to a couple of us in the
infrastructure team.  An email was sent to the IT Department DL (which
contains a number of nested DL's) and we didn't receive it.  We were unable
to discover why it happened.  We have had a few calls logged over the last
couple of years where our customers have had the same issue.  I am only
aware of ~5 instances of this happening.

I'm interested to see if anyone else has seen or heard of this issue.

Note - The fact that the emails are removed from the Journal mailboxes by
KVS Ent Vault can't have any bearing on the problem as this happens after
the event.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 24 March 2005 11:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Quoting "Ramsay, Steve" <[EMAIL PROTECTED]>:

> I have personally experienced this issue with Exchange 5.5.  It 
> happens very rarely and we have been unable to reproduce it at will.
> However, the problem seemed to start when we enabled site-level 
> journaling (we use KVS Enterprise Vault for journaling).
> 
> Steve
> 

Steve, just out of interest, how have you configured your journaling within
Exchange, and at what point did this issue start to crop up (immediately,
after some period of time)?

Just as background, we have a reasonably big Exchange system (3000 users,
about 600gb of stores) and are also running KVS + Exchange journaling, but
haven't seen this problem (it may be happening, we just haven't noticed yet).

Cheers

Glenn



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Site creation and DNZ zones

2005-03-24 Thread Nathan Casey
I'm not sure of the default behavior here so I have to
ask:

When I create a new site should a zone for the site be
created in the forest wide "_msdcs.domain.com" zone?

When I create sites, the site zone gets created in the
"domain.com" zone under _sites and forestdnszones but
not in the forest wide "_sites.dc._msdcs.domain.com"
zone.

Thanks
Nathan


RE: [ActiveDir] Logging changes made to GPOs

2005-03-24 Thread Darren Mar-Elia



Right, the challenge that native auditing presents is that no details about
what GPO setting is changed are logged. You can find out that something
changed on the GPC, but that's about it. As Hunter mentioned, there are at
least three commercial products that I know of that do provide detailed GPO
logging:

NetIQ GP Guardian
Netpro Change Auditor
Quest Change Manager for AD

Darren

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, March 24, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging changes made to GPOs

You can employ a 3rd party tool like the offerings from NetPro, NetIQ, Quest
etc

Natively, if you enable Audit directory service access you can detect changes
to GPOs by finding event ID 565s that have the Object Type value
groupPolicyContainer, the Accesses value Write Property, and a Write Property
that includes versionNumber

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Janson, Joe
Sent: Thursday, March 24, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging changes made to GPOs

Is it possible to log changes made to Group Policy Objects?


RE: [ActiveDir] Logging changes made to GPOs

2005-03-24 Thread Free, Bob



You can employ a 3rd party tool like the offerings from NetPro, NetIQ, Quest
etc

Natively, if you enable Audit directory service access you can detect changes
to GPOs by finding event ID 565s that have the Object Type value
groupPolicyContainer, the Accesses value Write Property, and a Write Property
that includes versionNumber

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Janson, Joe
Sent: Thursday, March 24, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging changes made to GPOs


Is it possible to log changes made 
to Group Policy Objects?
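The native check described in the message above (event ID 565, Object Type groupPolicyContainer, Accesses Write Property, versionNumber among the written properties), written out as a filter over event description text. This is an added example, not code from the thread; the sample events, the "Field: value" layout of the description and all function names are constructed for illustration.

```python
import re

# Constructed values for this example; none of them come from the thread.
GPO_DN = "CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=example,DC=com"
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def make_event(obj_type, obj_name, user, accesses, properties):
    """Build a sample event description in an assumed 'Field: value' layout."""
    return (
        "Object Open:\n"
        "\tObject Server:\tDS\n"
        f"\tObject Type:\t{obj_type}\n"
        f"\tObject Name:\t{obj_name}\n"
        f"\tClient User Name:\t{user}\n"
        "\tClient Domain:\tEXAMPLE\n"
        f"\tAccesses:\t{accesses}\n"
        "\tProperties:\n" + "".join(f"\t\t{p}\n" for p in properties)
    )


SAMPLE_EVENTS = [
    # A GPO edit: write to versionNumber on a groupPolicyContainer.
    (565, make_event("groupPolicyContainer", GPO_DN, "jdoe", "Write Property",
                     ["Write Property", "Default property set", "versionNumber",
                      "gPCMachineExtensionNames"])),
    # Reading versionNumber is not a change.
    (565, make_event("groupPolicyContainer", GPO_DN, "asmith", "Read Property",
                     ["Read Property", "Default property set", "versionNumber"])),
    # Write to an object that is not a GPO.
    (565, make_event("user", "CN=Test User,CN=Users,DC=example,DC=com", "jdoe",
                     "Write Property",
                     ["Write Property", "Default property set", "description"])),
    # Write to a GPO attribute other than versionNumber.
    (565, make_event("groupPolicyContainer", GPO_DN, "jdoe", "Write Property",
                     ["Write Property", "Default property set", "displayName"])),
    # Same text under a different event ID.
    (560, make_event("groupPolicyContainer", GPO_DN, "jdoe", "Write Property",
                     ["Write Property", "Default property set", "versionNumber"])),
]


def parse_event(description):
    """Parse a description into {field: [values]}; lines without a
    'Field:' prefix continue the previous field (Accesses, Properties)."""
    fields, current = {}, None
    for line in description.splitlines():
        if not line.strip():
            continue
        match = FIELD.match(line)
        if match:
            current = match.group(1).strip()
            value = match.group(2).strip()
            fields[current] = [value] if value else []
        elif current is not None:
            fields[current].append(line.strip())
    return fields


def first(fields, name):
    values = fields.get(name, [])
    return values[0] if values else ""


def is_gpo_change(event_id, fields):
    """Apply the three conditions from the message to one parsed event."""
    if event_id != 565:
        return False
    if first(fields, "Object Type").lower() != "grouppolicycontainer":
        return False
    accesses = [a.lower() for a in fields.get("Accesses", [])]
    if "write property" not in accesses:
        return False
    props = [p.lower() for p in fields.get("Properties", [])]
    if "write property" not in props:
        return False
    written = props[props.index("write property") + 1:]
    return "versionnumber" in written


def find_gpo_changes(events):
    """Return which GPO was written and by which account, per matching event."""
    hits = []
    for event_id, description in events:
        fields = parse_event(description)
        if is_gpo_change(event_id, fields):
            hits.append({
                "gpo": first(fields, "Object Name"),
                "user": first(fields, "Client Domain") + "\\" + first(fields, "Client User Name"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_gpo_changes(SAMPLE_EVENTS):
        print(hit["user"], "changed", hit["gpo"])
```

The result names the GPO and the account that wrote to it, not the setting that was changed.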


RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread Myrick, Todd (NIH/CC/DNA)
Yeah, I hit the wrong message.

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 3:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

I don't think so for this thread...

:o)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, March 24, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

IS Spam Filtering a possible cause?

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.

  joe




RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread joe
I can do better for you...

Fire up ethereal with a capture filter of tcp port 389

Open LDP

o type in a DC name and click OK
o Type in your bind info and bind
o Click on view|tree and hit enter on the empty dialog (you can fill
  something in if you want but not necessary)

Look at the trace, you should note that the traffic on the tree view is all
clear text

Now do the same but use an IP address of the DC.

Traffic should be all encoded/encrypted.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, March 24, 2005 11:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Two questions:
1) Can I see the line(s) of code that does(do) the bind?
2) What is the timestamp and version number on the wldap32.dll that you’re
   calling?

With that I can probably track it down.

Thanks!
~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.
 
  
joe
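One way to label the payloads from the port 389 capture described in the message above as clear-text LDAP or SASL-wrapped, instead of judging by eye. This is an added example, not code from the thread: the sample payloads are constructed, the function names are hypothetical, each payload is assumed to start at a message boundary, and the signed/sealed split is a heuristic (a readable LDAPMessage inside the wrapped buffer means integrity only).

```python
import struct

# protocolOp numbers carried in the application-class tag of an LDAPMessage.
LDAP_OPS = {0: "bindRequest", 1: "bindResponse", 2: "unbindRequest",
            3: "searchRequest", 4: "searchResEntry", 5: "searchResDone",
            6: "modifyRequest", 7: "modifyResponse", 8: "addRequest",
            9: "addResponse", 10: "delRequest", 11: "delResponse",
            23: "extendedReq", 24: "extendedResp"}


def tlv(tag, content):
    """BER-encode one tag/length/value element (used to build the samples)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content


def read_len(buf, pos):
    """Return (length, next_pos) for the BER length at buf[pos], or None."""
    if pos >= len(buf):
        return None
    head = buf[pos]
    if head < 0x80:
        return head, pos + 1
    size = head & 0x7F
    if size == 0 or size > 4 or pos + 1 + size > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "big"), pos + 1 + size


def ldap_op_at(buf, pos=0):
    """Name the protocolOp if a complete LDAPMessage starts at buf[pos]:
    SEQUENCE { INTEGER messageID, [APPLICATION n] protocolOp ... }."""
    if pos >= len(buf) or buf[pos] != 0x30:
        return None
    seq = read_len(buf, pos + 1)
    if seq is None or seq[1] + seq[0] > len(buf):
        return None
    p = seq[1]
    if p >= len(buf) or buf[p] != 0x02:
        return None
    msg_id = read_len(buf, p + 1)
    if msg_id is None or not 1 <= msg_id[0] <= 4:
        return None
    op_pos = msg_id[1] + msg_id[0]
    if op_pos >= len(buf) or buf[op_pos] & 0xC0 != 0x40:
        return None
    return LDAP_OPS.get(buf[op_pos] & 0x1F, "otherOp")


def classify(payload):
    """Return (kind, op) for one TCP payload seen on port 389."""
    op = ldap_op_at(payload)
    if op:
        return ("cleartext", op)
    if len(payload) > 4:
        # A SASL security layer frames each buffer with a 4-byte length.
        (n,) = struct.unpack(">I", payload[:4])
        if 0 < n <= len(payload) - 4:
            body = payload[4:4 + n]
            for offset in range(len(body)):
                inner = ldap_op_at(body, offset)
                if inner:
                    return ("sasl-signed", inner)
            return ("sasl-sealed", None)
    return ("unknown", None)


# Constructed samples: a subtree search, then the same message behind a
# made-up 16-byte signature, then an opaque buffer standing in for ciphertext.
SEARCH = tlv(0x63, tlv(0x04, b"DC=example,DC=com") + tlv(0x0A, b"\x01")
             + tlv(0x0A, b"\x00") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")
             + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass") + tlv(0x30, b""))
CLEAR = tlv(0x30, tlv(0x02, b"\x05") + SEARCH)
FAKE_SIG = bytes(0x80 | i for i in range(16))
SIGNED = struct.pack(">I", len(FAKE_SIG) + len(CLEAR)) + FAKE_SIG + CLEAR
OPAQUE = bytes(0x80 | (i * 5 % 0x40) for i in range(48))
SEALED = struct.pack(">I", len(OPAQUE)) + OPAQUE

if __name__ == "__main__":
    for name, data in [("clear", CLEAR), ("signed", SIGNED), ("sealed", SEALED)]:
        print(name, classify(data))
```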



RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread joe
I don't think so for this thread...

:o)

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Thursday, March 24, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

IS Spam Filtering a possible cause?

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.

  joe



RE: [ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Jorge de Almeida Pinto
Hi,

Cleaning up metadata with NTDSUTIL will not help in this situation as the
domain is external to the AD forest. NTDSUTIL only works for DCs and domains
within the same forest.

If the trust still shows in the dialog box you may need to remove it with
the Active Directory Domains and Trusts MMC.

Check with the Active Directory Domains and Trusts MMC if the trusts still
exist. If it still exists delete it and make sure that action replicates to
the other DCs in the domain. If not check the same but on another DC. If
some DCs still have the trust and some don't there may be something wrong
with your replication!

You can also dig into AD and remove the trust objects from within the
directory using ADSIEDIT. BE CAREFUL THOUGH!!!

Steps (test this first if you are unsure!):
* With ADSIEDIT open the domain NC and navigate to
CN=system,DC= ,DC= (e.g.
CN=system,DC=BLABLA,DC=COM)
* See if there exists an object with CN= . (e.g.
CN=BLABLA.COM) of the class "trustedDomain" (if you have other domains in
your forest or outside your forest that still validly trust the domain, make
sure you don't delete the wrong object!!!)
* Select the trustedDomain object of the domain you have decommissioned and
delete that object
* Make sure this replicates to the other DCs in the domain!
* The old domain should be gone from the dialog boxes

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Thursday, March 24, 2005 15:42
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning

Is there still a trust relationship between the new and old domain?  IF the
old Domain is Windows 2000, you might want to run a Metadata clean-up using
NTDSUTIL.  Be careful though.  If this domain was used to establish the
forest, you can't get rid of it.

Todd Myrick

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning

People,

This was a single domain in a separate forest.  All objects were migrated to
a new domain in a new forest.  Now the new forest still shows the old domain
from the old forest.  Yes, "This is the last server.." was selected.

Thanks again.
RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, March 24, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning


HI,

If you're talking about decommissioning a domain within an AD forest try the
following:
MS-KBQ230306_How To Remove Orphaned Domains from Active Directory
(http://support.microsoft.com/kb/230306/EN-US/)
This may occur if you did not select "this is the last server in the domain"
option when demoting

Or are you talking about a domain in a separate forest?

Cheers,
jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: Thursday, 24 March 2005 14:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning

Dear List Readers,

I have finally decommissioned an old domain after having migrated into our
new domain structure.  The last DC was DCPromoed down and actually moved to
the new domain as a standalone server.  Prior to this, there was a two way
trust which had been in place.  All trust relationships were broken before
the final DCPromo down.  Now, I can still see the old domain in my new
domain drop down list and I want to get rid of it.  Do I have to run
ntdsutil on the new domain to clean up something somewhere or is there
something else I need to do to delete this old domain from my new domain's
drop down list?

Thanks for anything you may offer to me and for continuing to help those of
us on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_
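A read-only check to run around the ADSIEDIT steps in the message above: given LDIF text exported from each DC, it lists the trustedDomain objects directly under CN=System and reports which DCs still hold the one for the decommissioned domain. This is an added example, not code from the thread; the LDIF samples, domain names, DC names and function names are constructed, and values are assumed to be plain text (no base64).

```python
# Constructed LDIF exports from two DCs of the same domain (DC=new,DC=example).
DC1_LDIF = """\
dn: CN=Policies,CN=System,DC=new,DC=example
objectClass: top
objectClass: container
cn: Policies

dn: CN=partner.example,CN=System,DC=new,DC=example
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: partner.example
trustPartner: partner.example
flatName: PARTNER
"""

# DC2 has not received the deletion yet; its first dn is folded across lines.
DC2_LDIF = """\
dn: CN=old.example,CN=System,
 DC=new,DC=example
objectClass: top
objectClass: leaf
objectClass: trustedDomain
cn: old.example
trustPartner: old.example
flatName: OLD

""" + DC1_LDIF


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} with lower-case keys."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():              # a blank line ends the entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def trust_objects(entries, domain_dn):
    """Map trust name -> DN for trustedDomain objects under CN=System."""
    parent = ("CN=System," + domain_dn).lower()
    found = {}
    for entry in entries:
        classes = [c.lower() for c in entry.get("objectclass", [])]
        dn = entry.get("dn", [""])[0]
        rdn, _, rest = dn.partition(",")
        if "trusteddomain" in classes and rest.lower() == parent:
            found[rdn[3:].lower()] = dn   # strip the leading "CN="
    return found


def check_trust_cleanup(exports, domain_dn, old_domain):
    """Report where the old domain's trust object still exists."""
    old = old_domain.lower()
    present, removed, others = [], [], set()
    for dc, text in sorted(exports.items()):
        trusts = trust_objects(parse_ldif(text), domain_dn)
        (present if old in trusts else removed).append(dc)
        others.update(name for name in trusts if name != old)
    return {
        "still_present": present,
        "removed": removed,
        # False when some DCs have the object and some do not.
        "replicated": not (present and removed),
        # Trusts that must be left alone when deleting by hand.
        "other_trusts": sorted(others),
    }


if __name__ == "__main__":
    exports = {"DC1": DC1_LDIF, "DC2": DC2_LDIF}
    print(check_trust_cleanup(exports, "DC=new,DC=example", "old.example"))
```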



RE: [ActiveDir] Logging changes made to GPOs

2005-03-24 Thread Coleman, Hunter



ChangeAuditor from NetPro
http://www.netpro.com/products/changeauditor/index.cfm


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Janson, Joe
Sent: Thursday, March 24, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging changes made to GPOs


Is it possible to log changes made 
to Group Policy Objects?


[ActiveDir] Logging changes made to GPOs

2005-03-24 Thread Janson, Joe








Is it possible to log changes made to Group Policy Objects?








RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread Myrick, Todd (NIH/CC/DNA)
IS Spam Filtering a possible cause?

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.

  joe




RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread Eric Fleischman
Two questions:

1) Can I see the line(s) of code that does(do) the bind?

2) What is the timestamp and version number on the wldap32.dll that you’re
   calling?

With that I can probably track it down.

Thanks!

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.

  joe




RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread Coleman, Hunter
Long shot, but what are they running for anti-virus on the Exchange servers?
There were "unexpected behaviors" with server-side MAPI-based products under
heavy load. That led to Sybari's ESE shim and then later the VSAPI approach.

Hunter

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Mail servers are Windows 2000 with Exchange 2000 with all latest patches for
both.
DCs are Windows 2000 with all latest patches.

Obviously no QB DLs since on E2K.

Basically problem is that some people on the DL got a message the first time
something was sent but when the very important followup was sent in a known
time span (known that is to the users), they didn't get that. No change in
status of the users who didn't receive the second message. No NDRs. No
badmail. No log hits in the blocking software. No obvious errors anywhere.
Tracking logs confirm the known users didn't get sent the message. Now
trying to compare the several thousand users in the DL to who is in the
tracking logs as having received the message to get an accurate picture of
who all didn't receive the message.

My main question is has anyone ever really took the time to verify that
Exchange is actually sending messages to everyone on a large DL accurately
and consistently? People tend to be pretty forgiving in terms of email
delivery unless they expect something. Something going to a DL is not
usually expected unless it is a followup to something else that someone is
watching for. If someone doesn't get something that is a following, what is
the method they will usually take to track it down? They won't, it is a pain
in the butt to call the help desk, for something so simple they will ask
their friend or ask the poster to resend that is if they even know something
was sent at all.

  joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, March 24, 2005 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Also, is it a query based DL or not?

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Thu 3/24/2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Can you give us some insight in to the problem and what you know so far?
Versions of Exchange and AD are also of interest….

~Eric

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, March 23, 2005 7:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Seems like you're on the right track. With the message ID and tracking logs,
you can back out all of the mailboxes that got the message. But you already
knew that, and probably have let loose a perl script on the logs. I suppose
there may be a way to get a message into a mailbox without having events
logged in the tracking logs, but I can't remember ever seeing that as long
as logging was enabled.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Yes. :)

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, March 23, 2005 8:58 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

I should have added... are you looking for thoughts on troubleshooting? Or
just asking if anyone has seen this?

~Eric

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 3/23/2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

I say it because some of the DLs I'm on, people would find out they
didn't get the message. Such as a required form that they would not fill
out.

Did I call all 4000 people on one of these lists? No I didn't.
Short of having a script that watches every mailbox, I suspect no one on
this list can really answer that question.

~Eric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, March 23, 2005 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL
based but still has an AD portion...

How do you know it works just fine?

RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread joe
That is exactly what I was thinking. I bounced it off Eric but he hasn't had
a chance to look at it yet.

  joe

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Doesn’t that smell like a bug or something? This doesn’t seem to be the
documented behavior.

Eric? :)

We could bounce this off the SDK team too as they are responsible for the
code.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

No encrypt specified, in fact I can specifically set it to off (0) and it
still encrypts. I can not get it to do anything clear text once it hits and
succeeds the SASL NTLM bind.

  joe




RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread joe
Mail servers are Windows 2000 with Exchange 2000 with all latest patches for
both.
DCs are Windows 2000 with all latest patches. 
 
Obviously no QB DLs since on E2K. 
 
Basically problem is that some people on the DL got a message the first time
something was sent but when the very important followup was sent in a known
time span (known that is to the users), they didn't get that. No change in
status of the users who didn't receive the second message. No NDRs. No
badmail. No log hits in the blocking software. No obvious errors anywhere.
Tracking logs confirm the known users didn't get sent the message. Now
trying to compare the several thousand users in the DL to who is in the
tracking logs as having received the message to  get an accurate picture of
who all didn't receive the message.
 
My main question is has anyone ever really took the time to verify that
Exchange is actually sending messages to everyone on a large DL accurately
and consistently? People tend to be pretty forgiving in terms of email
delivery unless they expect something. Something going to a DL is not
usually expected unless it is a followup to something else that someone is
watching for. If someone doesn't get something that is a following, what is
the method they will usually take to track it down? They won't, it is a pain
in the butt to call the help desk, for something so simple they will ask
their friend or ask the poster to resend that is if they even know something
was sent at all.
 
  joe

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Thursday, March 24, 2005 1:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...


Also, is it a query based DL or not?
 
 

  _  

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Thu 3/24/2005 12:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...



Can you give us some insight in to the problem and what you know so far?
Versions of Exchange and AD are also of interest

 

~Eric

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Wednesday, March 23, 2005 7:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

 

Seems like you're on the right track. With the message ID and tracking logs,
you can back out all of the mailboxes that got the message. But you already
knew that, and probably have let loose a perl script on the logs. I suppose
there may be a way to get a message into a mailbox without having events
logged in the tracking logs, but I can't remember ever seeing that as long
as logging was enabled.

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Yes. :)

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, March 23, 2005 8:58 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

I should have added... are you looking for thoughts on troubleshooting? Or
just asking if anyone has seen this?

 

~Eric

 

 

  _  

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Wed 3/23/2005 5:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

I say it because some of the DLs I'm on, people would find out they
didn't get the message. Such as a required form that they would not fill
out.

Did I call all 4000 people on one of these lists? No I didn't.
Short of having a script that watches every mailbox, I suspect no one on
this list can really answer that question.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 4:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL
based but still has an AD portion...

How do you know it works just fine? What proactive checking is done to
verify it? Say 2 people didn't get the message and they didn't realize there
was a message to not get...

The question is being posed because I am working with some folks who had a
couple of people (that we know of) out of several thousand that got one
message posted to a DL but didn't get an important followup message. It is
slowly being reduced to either the expansion is screwed on the Exchange side
or on the AD side and my bet is Exchange side as I don't expect AD would not
return all users in a group without throwing at le
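The check discussed in this thread (take one message ID, pull its delivery events from the tracking logs, and compare them with the fully expanded DL membership) as an added example that is not code from any of the posters. The tab-separated log layout, the `DELIVER` event name, the DL names and the addresses are all constructed assumptions; real Exchange tracking logs use their own field layout and event identifiers.

```python
import csv
import io

# Assumption: event name marking delivery into a mailbox in this simplified log.
DELIVERY_EVENT = "DELIVER"

# Constructed DL membership. An entry that is itself a key is a nested DL.
GROUPS = {
    "IT Department": ["Infrastructure", "Helpdesk", "cio@example.com"],
    "Infrastructure": ["alice@example.com", "bob@example.com", "Server Team"],
    "Server Team": ["carol@example.com", "Infrastructure"],  # circular nesting
    "Helpdesk": ["dave@example.com", "alice@example.com"],
}

# Constructed log rows: timestamp, message ID, event, recipient.
_ROWS = [
    ("2005-03-23T16:01:02", "<0001@example.com>", "SUBMIT", "IT Department"),
    ("2005-03-23T16:01:03", "<0001@example.com>", "EXPAND", "IT Department"),
    ("2005-03-23T16:01:04", "<0001@example.com>", "DELIVER", "alice@example.com"),
    ("2005-03-23T16:01:04", "<0001@example.com>", "DELIVER", "Bob@Example.com"),
    ("2005-03-23T16:01:04", "<0001@example.com>", "DELIVER", "carol@example.com"),
    ("2005-03-23T16:01:05", "<0001@example.com>", "DELIVER", "dave@example.com"),
    ("2005-03-23T16:01:05", "<0001@example.com>", "DELIVER", "cio@example.com"),
    ("2005-03-23T16:20:00", "<0002@example.com>", "SUBMIT", "IT Department"),
    ("2005-03-23T16:20:01", "<0002@example.com>", "EXPAND", "IT Department"),
    ("2005-03-23T16:20:02", "<0002@example.com>", "DELIVER", "alice@example.com"),
    ("2005-03-23T16:20:02", "<0002@example.com>", "DELIVER", "bob@example.com"),
    ("2005-03-23T16:20:03", "<0002@example.com>", "DELIVER", "dave@example.com"),
    ("2005-03-23T16:20:03", "<0002@example.com>", "DELIVER", "cio@example.com"),
]
# The last line is deliberately truncated to show that short rows are skipped.
SAMPLE_LOG = "\n".join("\t".join(r) for r in _ROWS) + "\n2005-03-23T16:20:04\t<0002@example.com>"


def expand_dl(name, groups, _seen=None):
    """Return the set of mailbox addresses reachable from a DL, following
    nested DLs and guarding against circular nesting."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    members = set()
    for entry in groups.get(name, []):
        if entry in groups:
            members |= expand_dl(entry, groups, seen)
        else:
            members.add(entry.lower())
    return members


def delivered_recipients(log_text, message_id):
    """Return the addresses that have a delivery event for message_id."""
    delivered = set()
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) != 4:
            continue  # skip truncated or malformed lines
        _when, msg_id, event, recipient = row
        if msg_id == message_id and event == DELIVERY_EVENT:
            delivered.add(recipient.strip().lower())
    return delivered


def missing_recipients(dl_name, groups, log_text, message_id):
    """DL members with no delivery event for this message, sorted."""
    expected = expand_dl(dl_name, groups)
    return sorted(expected - delivered_recipients(log_text, message_id))


if __name__ == "__main__":
    for msg in ("<0001@example.com>", "<0002@example.com>"):
        print(msg, missing_recipients("IT Department", GROUPS, SAMPLE_LOG, msg))
```

Running the same comparison for every message sent to a DL is the proactive check asked about above; it only covers what the tracking logs record.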

RE: [ActiveDir] GPO's in AD (online and offline)

2005-03-24 Thread Darren Mar-Elia
Right, they are called Domain and Standard, and Neil is correct--if you
define both profiles, both reg settings are delivered to the machine
when it processes GP and then the Windows Firewall decides which to
apply based on a  network state determination process--which is
explained reasonably well here:

http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 24, 2005 4:33 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] GPO's in AD (online and offline)

One further clarification - GPO settings are stored in the registry and
*are* active even if the machine is disconnected from the domain or
network.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 24 March 2005 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO's in AD (online and offline)


There are two profiles for the firewall settings. The one is external
and the other one is internal. I can't recall their exact names but the
one operates when the firewall is aware that it's connected to its domain
and the other operates in all other scenarios.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 24 March 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO's in AD (online and offline)

We are in the process of rolling out XP SP2 in our environment and I am
beginning to mess around a bit with the GPO settings for SP2,
specifically the firewall.

We have a mixture of laptop and desktop users, the desktops are no
problem as we disable the firewall on all of them as the corporate
network they are connected to handles all access rights. The laptop
users however are a bit of a headache.

What I need to be able to do is disable the firewall when the laptops
are logging on locally to the network but ensure that the firewall is
enabled when they are working offline and perhaps making dialup
connections to the internet.

What I can't figure out is how I am supposed to get the firewall policy
settings to the laptops. If they are logging on to the domain the
firewall should be disabled and if they logon while disconnected from
the domain then they won't process the GPO and therefore won't get any
settings ?!? Just how can I solve this Catch 22 ?

Thanks for any help

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/




==
This message is for the sole use of the intended recipient. If you
received this message in error please delete it and notify us. If this
message was misdirected, CSFB does not waive any confidentiality or
privilege. CSFB retains and monitors electronic communications sent
through its network.
Instructions transmitted over this system are not binding on CSFB until
they are confirmed by us. Message transmission is not guaranteed to be
secure.

==



RE: [ActiveDir] Remove DNS forwader

2005-03-24 Thread Manjeet Singh
Cool, it worked for me.

Thanks a lot

Manjeet

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, March 24, 2005 8:23 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Remove DNS forwader

Hi Manjeet

You are looking to remove conditional forwarders correct?  W2K3 DNS treats
conditional forwarders as zones in their own right.

dnscmd /zonedelete xyz.com will remove the conditional forwarder outright
(it will prompt - I believe if you use the /f it does not ask if you are
sure)

dnscmd /zoneadd xyz.com /forwarder 192.168.1.1   will set a conditional
forwarder for the zone xyz.com.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


"Manjeet Singh" <[EMAIL PROTECTED]com>
Sent by: [EMAIL PROTECTED]tivedir.org
03/24/2005 05:56 AM PST
Please respond to ActiveDir

To:
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Remove DNS forwader




Hi Neil,

Thanks for the reply. But the dnscmd /resetforwarders only remove the IP
entries of default DNS domain (All other DNS domains) and I want to remove
another domain entries.

Suppose to make a trust with external domain, I have created a forwarder
from “abc.com” to “xyz.com”.

Now I want to remove the forwarder entry of xyz.com domain using command
line.


Thanks,
Manjeet


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 24, 2005 7:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remove DNS forwader

"dnscmd /resetforwarders"

i.e. set list of forwarders to blank.

neil
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
  Singh
  Sent: 24 March 2005 13:29
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] Remove DNS forwader
  Hi,

  How to remove the DNS forwarder using command line?

  I was trying dnscmd but there is not switch to remove the forwarder.

  Thanks,
  Manjeet




RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-24 Thread joseph.e.kaplan








Doesn’t that smell like a bug or
something?  This doesn’t seem to be the documented behavior.

 

Eric? :)

 

We could bounce this off the SDK team too
as they are responsible for the code.

 

Joe K.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 9:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2



 

No encrypt specified, in fact I can
specifically set it to off (0) and it still encrypts. I can not get it to do
anything clear text once it hits and succeeds the SASL NTLM bind.

 

  joe



This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.




RE: [ActiveDir] Remove DNS forwader

2005-03-24 Thread James_Day
Hi Manjeet

You are looking to remove conditional forwarders correct?  W2K3 DNS treats
conditional forwarders as zones in their own right.

dnscmd /zonedelete xyz.com will remove the conditional forwarder outright
(it will prompt - I believe if you use the /f it does not ask if you are
sure)

dnscmd /zoneadd xyz.com /forwarder 192.168.1.1   will set a conditional
forwarder for the zone xyz.com.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


"Manjeet Singh" <[EMAIL PROTECTED]com>
Sent by: [EMAIL PROTECTED]tivedir.org
03/24/2005 05:56 AM PST
Please respond to ActiveDir

To:
cc: (bcc: James Day/Contractor/NPS)
Subject: RE: [ActiveDir] Remove DNS forwader




Hi Neil,

Thanks for the reply. But the dnscmd /resetforwarders only remove the IP
entries of default DNS domain (All other DNS domains) and I want to remove
another domain entries.

Suppose to make a trust with external domain, I have created a forwarder
from “abc.com” to “xyz.com”.

Now I want to remove the forwarder entry of xyz.com domain using command
line.


Thanks,
Manjeet


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 24, 2005 7:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remove DNS forwader

"dnscmd /resetforwarders"

i.e. set list of forwarders to blank.

neil
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
  Singh
  Sent: 24 March 2005 13:29
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] Remove DNS forwader
  Hi,

  How to remove the DNS forwarder using command line?

  I was trying dnscmd but there is not switch to remove the forwarder.

  Thanks,
  Manjeet





RE: [ActiveDir] Remove DNS forwader

2005-03-24 Thread Coleman, Hunter



I haven't tried this, but check the DNS WMI provider. 
ForwardersIPAddressesArray looks to be the property that you'd want to strip the 
xyz.com entry from and then write the array back.
 
http://msdn.microsoft.com/library/default.asp?url=


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: Thursday, March 24, 2005 6:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Remove DNS forwader

Hi Neil,

Thanks for the reply. But the dnscmd /resetforwarders only remove the IP
entries of default DNS domain (All other DNS domains) and I want to remove
another domain entries.

Suppose to make a trust with external domain, I have created a forwarder
from “abc.com” to “xyz.com”.

Now I want to remove the forwarder entry of xyz.com domain using command
line.

Thanks,
Manjeet

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 24, 2005 7:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remove DNS forwader

"dnscmd /resetforwarders"

i.e. set list of forwarders to blank.

neil

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
  Sent: 24 March 2005 13:29
  To: activedir@mail.activedir.org
  Subject: [ActiveDir] Remove DNS forwader

  Hi,

  How to remove the DNS forwarder using command line?

  I was trying dnscmd but there is not switch to remove the forwarder.

  Thanks,
  Manjeet


RE: [ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Myrick, Todd (NIH/CC/DNA)
Is there still a trust relationship between the new and old domain?  If the
old Domain is Windows 2000, you might want to run a Metadata clean-up using
NTDSUTIL.  Be careful though.  If this domain was used to establish the
forest, you can't get rid of it.

Todd Myrick

-Original Message-
From: Rocky Habeeb [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 24, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning

People,

This was a single domain in a separate forest.  All objects were migrated to
a new domain in a new forest.  Now the new forest still shows the old domain
from the old forest.  Yes, "This is the last server.." was selected.

Thanks again.
RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, March 24, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning


HI,

If you're talking about decommissioning a domain within a AD forest try the
following:
MS-KBQ230306_How To Remove Orphaned Domains from Active Directory
(http://support.microsoft.com/kb/230306/EN-US/)
This may occur if you did not select "this is the last server in the domain"
option when demoting

Or are you talking about a domain in a separate forest?

Cheers,
jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: donderdag 24 maart 2005 14:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning

Dear List Readers,

I have finally decommissioned an old domain after having migrated into our
new domain structure.  The last DC was DCPromoed down and actually moved to
the new domain as a standalone server.  Prior to this, there was a two way
trust which had been in place.  All trust relationships were broken before
the final DCPromo down.  Now, I can still see the old domain in my new
domain drop down list and I want to get rid of it.  Do I have to run
ntdsutil on the new domain to clean up something somewhere or is there
something else I need to do to delete this old domain from my new domain's
drop down list?

Thanks for anything you may offer to me and for continuing to help those of
us on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Rocky Habeeb
People,

This was a single domain in a separate forest.  All objects were migrated to
a new domain in a new forest.  Now the new forest still shows the old domain
from the old forest.  Yes, "This is the last server.." was selected.

Thanks again.
RH
__


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Jorge de Almeida
Pinto
Sent: Thursday, March 24, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain remains after decommissioning


HI,

If you're talking about decommissioning a domain within a AD forest try the
following:
MS-KBQ230306_How To Remove Orphaned Domains from Active Directory
(http://support.microsoft.com/kb/230306/EN-US/)
This may occur if you did not select "this is the last server in the domain"
option when demoting

Or are you talking about a domain in a separate forest?

Cheers,
jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: donderdag 24 maart 2005 14:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning

Dear List Readers,

I have finally decommissioned an old domain after having migrated into our
new domain structure.  The last DC was DCPromoed down and actually moved to
the new domain as a standalone server.  Prior to this, there was a two way
trust which had been in place.  All trust relationships were broken before
the final DCPromo down.  Now, I can still see the old domain in my new
domain drop down list and I want to get rid of it.  Do I have to run
ntdsutil on the new domain to clean up something somewhere or is there
something else I need to do to delete this old domain from my new domain's
drop down list?

Thanks for anything you may offer to me and for continuing to help those of
us on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




RE: [ActiveDir] Password Expiration Prompt

2005-03-24 Thread chris . ryan




Thanks for all the feedback.

Our Citrix users are the primary affected users and we are debating whether
to make this change for the company or just for the Citrix users. I think
we may implement a script in the NFUSE logon page that will redirect the
user to the appropriate website to change their password. This way it will
change everything before the user is even allowed to login.

Chris




   
"Isenhour, Joseph"
Sent by: [EMAIL PROTECTED]ail.activedir.org
03/22/2005 01:09 PM
Please respond to [EMAIL PROTECTED]tivedir.org
cc
Subject: RE: [ActiveDir] Password Expiration Prompt
   
   




We had a similar issue in our environment.

We implemented a log off script that checked for password expiration.
If the user's password is within 14 days of expiration the user is
notified and the password change page is launched.

This actually has two benefits.  One, it solved the notification issue
and two it allowed plenty of time for the password to synchronize
because it occurs as the user is leaving for the day.  We use some older
systems like OS/2 that do not have fast password replication so this
helped us.

The downside to this solution is that it's a bit inconvenient for the
user, but it's for their own good :)

Modifying msgina.dll will also work but requires more development.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 22, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration Prompt





  In our environment we use a product called Passport to synchronize
password changes across multiple accounts. Our users are aware of this
product and the procedures required for making a password change,
however, the Default Domain GPO specifies that the user will be notified
to change their password 5 days before expiration. When a user logs in
and sees this message they become confused and frustrated because they
think this change will apply to all accounts and passwords, which it
does not. Is there a script or setting I can change that will notify the
user it is time for a password change and take them directly to the
Passport website to change their password?

Thanks,
  Chris
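The expiry test that a logon or logoff script like the ones described in this thread has to perform, as an added example that is not the script either poster used. It assumes the script has already read `pwdLastSet` and `userAccountControl` for the user and `maxPwdAge` for the domain as integers; the sample accounts, the 42-day maximum age and the clock value are constructed, and the redirect to the password-change site is not shown.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag
NEVER_EXPIRES = -(2 ** 63)        # maxPwdAge value meaning "no maximum age"
WARN_DAYS = 14                    # threshold used in the log off script above


def filetime_to_datetime(ticks):
    """Convert 100-nanosecond ticks since 1601-01-01 UTC to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def days_until_expiry(pwd_last_set, max_pwd_age, uac, now):
    """Whole days left before the password expires.

    Returns None when the password never expires and 0 when it is already
    expired or must be changed at next logon (pwdLastSet == 0).
    maxPwdAge is stored as a negative tick interval.
    """
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age == 0 or max_pwd_age == NEVER_EXPIRES:
        return None
    if pwd_last_set == 0:
        return 0
    max_age = timedelta(microseconds=abs(max_pwd_age) // 10)
    remaining = filetime_to_datetime(pwd_last_set) + max_age - now
    return max(remaining.days, 0)


def should_redirect(days_left):
    """True when the user should be sent to the password-change page."""
    return days_left is not None and days_left <= WARN_DAYS


def users_to_redirect(accounts, max_pwd_age, now):
    """Names of accounts whose password is inside the warning window."""
    return [
        a["name"] for a in accounts
        if should_redirect(days_until_expiry(
            a["pwdLastSet"], max_pwd_age, a["userAccountControl"], now))
    ]


def _ft(year, month, day, hour=9):
    return datetime_to_filetime(datetime(year, month, day, hour, tzinfo=timezone.utc))


# Constructed sample data.
NOW = datetime(2005, 3, 24, 17, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 86400 * 10_000_000  # 42 days as a negative tick interval
ACCOUNTS = [
    {"name": "alice", "pwdLastSet": _ft(2005, 2, 20), "userAccountControl": 0x200},
    {"name": "bob", "pwdLastSet": _ft(2005, 3, 20), "userAccountControl": 0x200},
    {"name": "svc-backup", "pwdLastSet": _ft(2004, 1, 1), "userAccountControl": 0x10200},
    {"name": "carol", "pwdLastSet": 0, "userAccountControl": 0x200},
    {"name": "dave", "pwdLastSet": _ft(2005, 1, 1), "userAccountControl": 0x200},
]

if __name__ == "__main__":
    print(users_to_redirect(ACCOUNTS, MAX_PWD_AGE, NOW))
```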



RE: [ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Jorge de Almeida Pinto
HI,

If you're talking about decommissioning a domain within a AD forest try the
following:
MS-KBQ230306_How To Remove Orphaned Domains from Active Directory
(http://support.microsoft.com/kb/230306/EN-US/)
This may occur if you did not select "this is the last server in the domain"
option when demoting

Or are you talking about a domain in a separate forest?

Cheers,
jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: donderdag 24 maart 2005 14:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning

Dear List Readers,

I have finally decommissioned an old domain after having migrated into our
new domain structure.  The last DC was DCPromoed down and actually moved to
the new domain as a standalone server.  Prior to this, there was a two way
trust which had been in place.  All trust relationships were broken before
the final DCPromo down.  Now, I can still see the old domain in my new
domain drop down list and I want to get rid of it.  Do I have to run
ntdsutil on the new domain to clean up something somewhere or is there
something else I need to do to delete this old domain from my new domain's
drop down list?

Thanks for anything you may offer to me and for continuing to help those of
us on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




Re: [ActiveDir] GPO's in AD (online and offline)

2005-03-24 Thread jpsalemi
Hi Mark...

I've found that just by using the "older" policy setting... Prohibit use
of Internet Connection Firewall on your DNS domain network.  That you get
pretty much the behavior you're looking for.

You can prove this by just pulling out the patch, the firewall will come
on...Reconnect the patch, and it goes back off, in a few seconds.

Hope this helps some.

John




   
"Abbiss, Mark" <[EMAIL PROTECTED].net>
Sent by: [EMAIL PROTECTED]ail.activedir.org
03/24/2005 04:09 AM
Please respond to [EMAIL PROTECTED]tivedir.org
To
cc
Subject: [ActiveDir] GPO's in AD (online and offline)
   
   




We are in the process of rolling out XP SP2 in our environment and I am
beginning to mess around a bit with the GPO settings for SP2, specifically
the firewall.

We have a mixture of laptop and desktop users, the desktops are no problem
as we disable the firewall on all of them as the corporate network they are
connected to handles all access rights. The laptop users however are a bit
of a headache.

What I need to be able to do is disable the firewall when the laptops are
logging on locally to the network but ensure that the firewall is enabled
when they are working offline and perhaps making dialup connections to the
internet.

What I can't figure out is how I am supposed to get the firewall policy
settings to the laptops. If they are logging on to the domain the firewall
should be disabled and if they logon while disconnected from the domain
then they won't process the GPO and therefore won't get any settings ?!?
Just how can I solve this Catch 22 ?

Thanks for any help



RE: [ActiveDir] Remove DNS forwader

2005-03-24 Thread Manjeet Singh








Hi Neil,

Thanks for the reply. But the dnscmd /resetforwarders only remove the IP
entries of default DNS domain (All other DNS domains) and I want to remove
another domain entries.

Suppose to make a trust with external domain, I have created a forwarder
from “abc.com” to “xyz.com”.

Now I want to remove the forwarder entry of xyz.com domain using command
line.

Thanks,
Manjeet

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, March 24, 2005 7:05 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Remove DNS forwader

"dnscmd /resetforwarders"

i.e. set list of forwarders to blank.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: 24 March 2005 13:29
To: activedir@mail.activedir.org
Subject: [ActiveDir] Remove DNS forwader

Hi,

How to remove the DNS forwarder using command line?

I was trying dnscmd but there is not switch to remove the forwarder.

Thanks,
Manjeet










[ActiveDir] IP Relay Restrictions Attribute format

2005-03-24 Thread Manjeet Singh








Hi,

 

Exchange SMTP Servers store IP Relay Restrictions in Active
Directory Attribute called “msExchSmtpRelayIpList” which is binary
string. If anyone has inside knowledge of format of data stored in this
attribute, the help is highly appreciated. This attribute need to set for the
setting IP Relay settings on the SMTP Servers for testing

 

There is a COM Object called ExpIPSec from MS to do so, but
the interface provide by this object is very restrictive and not usable for
sync’ing the value

 

 

This attribute can have following information encoded in binary string:

 IP Address
 IP Address with Subnet mask
 Domain names.


 

 

Any pointers on that?

 

 

Thanks,

Manjeet








RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During d omain Migration

2005-03-24 Thread chris . ryan




Thanks for the explanation, I really appreciate it. This is the first time
I have attempted a domain consolidation so I want to be sure I have all the
background information. I have a VMware lab environment with production
data in it for testing and I will begin testing the products.





   
Jorge de Almeida Pinto
Sent by: [EMAIL PROTECTED]ail.activedir.org
03/23/2005 05:32 PM
Please respond to [EMAIL PROTECTED]tivedir.org
<[EMAIL PROTECTED]>, "'ActiveDir@mail.activedir.org '"
cc
Subject: RE: [ActiveDir] [Active Dir] Handling Duplicate Accounts During d omain Migration
   
   




Hi,

In an intraforest migration ADMT actually MOVES the user account by creating
a new account in the target domain (new SID, but SAME GUID as the source
account) with the SID of the source account in the sIDHistory of the
target account. This is a destructive operation as there is no (quick)
fallback. The only options for fallback are (only on W2K3) undeleting the
source user account (but first delete the target account!!!) and an
authoritative restore of the user account in the source domain (but first
delete the target account!!!). The main reason for deleting the target
account, before restoring the source account, is that they have the same
GUID as the source account. In an AD forest (and independent of the AD
domain) NO 2 or more accounts can have the same GUID!!! When also doing
migrating clients (w2k and w2k3 and wxp) there will no need to do a profile
migration as the GUID does NOT change for each account.
Using ADMT, only in an interforest migration is a NON-destructive operation
as source accounts are NOT deleted by default

If I'm correct Aelita's Domain Migration Wizard creates a new target account
with a new GUID, puts the SID of the source account in the NEW target
account's sidhistory AND keeps the source account for fallback. One of the
caveats here is that you need to do a profile migration. It depends what's
more important in an intraforest migration -> fallback for source accounts
or easy profile migration. I think the first!

It is still not clear to me if you also have groups in the source domains
that also need to be migrated and if these groups also have the same names
in all the source domains. Don't forget to define closed sets of security
principals if you don't change groups scope otherwise change the group scope
to universal sec.. The target domain must at least be windows 2000 native to
accept sidhistory and universal security groups

For user accounts you must do a many-to-one migration of user accounts where
the sid history of each source account is added to the sidhistory attribute
of the target account.
With ADMT I think merging user accounts would only work in inter forest
scenarios and not in an intraforest scenario as GUID can not be consolidated
into one account like this which is possible with SIDs

From the ADMT readme.doc (see section "Subsequent User Migrations Update
Group Membership of Target Accounts") group memberships will be migrated to
the target where as target group memberships that do not exist in the source
will be preserved. DON'T use the option "remove existing members" when
remigrating groups. I'm not sure though how this works in an intraforest
migration scenario.

The most sure thing for you is to create a VMware environment with at least
3 domains (root = target and both childs are source) (each with 1 DC) create
some users and groups in all domains. Install trial third party tool like
DMW and ADMT and configure accordingly. Create snapshot at this moment.
First try ADMT and then the third party tool. I think in this case a third
party tool like DMW would be the way to go. I don't know about NetIQ
migtooling but I know DMW preserves source accounts even in an intraforest
mig scenario.

Hope this rather long explanation helps you!

Cheers
Jorge



-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 3/23/2005 9:59 PM
Subj

RE: [ActiveDir] Remove DNS forwader

2005-03-24 Thread Ruston, Neil
"dnscmd /resetforwarders"
 
i.e.
set list of forwarders to blank.
 
neil

  
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Manjeet Singh
Sent: 24 March 2005 13:29
To: activedir@mail.activedir.org
Subject: [ActiveDir] Remove DNS forwader

Hi,

How to remove the DNS forwarder using command line?

I was trying dnscmd but there is no switch to remove the forwarder.

Thanks,
Manjeet

==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.
==


[ActiveDir] Remove DNS forwader

2005-03-24 Thread Manjeet Singh
Hi,

How to remove the DNS forwarder using command line?

I was trying dnscmd but there is no switch to remove the forwarder.

Thanks,
Manjeet

RE: [ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Ruston, Neil
I would suggest that you still have a WINS entry for the domain. You may
either remove this/these entry(ies) manually or allow the entry(ies) to be
tombstoned.

Search for 1B and 1C entries corresponding to the domain in the WINS database.


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rocky Habeeb
Sent: 24 March 2005 13:18
To: activedir@mail.activedir.org
Subject: [ActiveDir] Domain remains after decommissioning


Dear List Readers,

I have finally decommissioned an old domain after having migrated into our new
domain structure.  The last DC was DCPromoed down and actually moved to the
new domain as a standalone server.  Prior to this, there was a two way trust
which had been in place.  All trust relationships were broken before the final
DCPromo down.  Now, I can still see the old domain in my new domain drop down
list and I want to get rid of it.  Do I have to run ntdsutil on the new domain
to clean up something somewhere or is there something else I need to do to
delete this old domain from my new domain's drop down list?

Thanks for anything you may offer to me and for continuing to help those of us
on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



[ActiveDir] Domain remains after decommissioning

2005-03-24 Thread Rocky Habeeb
Dear List Readers,

I have finally decommissioned an old domain after having migrated into our
new domain structure.  The last DC was DCPromoed down and actually moved to
the new domain as a standalone server.  Prior to this, there was a two way
trust which had been in place.  All trust relationships were broken before
the final DCPromo down.  Now, I can still see the old domain in my new
domain drop down list and I want to get rid of it.  Do I have to run
ntdsutil on the new domain to clean up something somewhere or is there
something else I need to do to delete this old domain from my new domain's
drop down list?

Thanks for anything you may offer to me and for continuing to help those of
us on the list who need help.  This list is invaluable.

RH

_

Rocky Habeeb
Microsoft Systems Administrator
James W. Sewall Company
Old Town, Maine
Voice: 207.827.4456  Ext. 387
Email: [EMAIL PROTECTED]
www.jws.com
_




RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread Ramsay, Steve
The Information Store is set to "No local delivery" so all emails are pushed
up to the MTA.  MTA is set for Site-level journaling.  This issue first
occurred within a few months of introducing Exchange journaling.  It is by
no means conclusive that this is the cause, however I've never seen/heard of
this issue before in any other company I've worked for.

I only noticed it because it happened to a couple of us in the
infrastructure team.  An email was sent to the IT Department DL (which
contains a number of nested DL's) and we didn't receive it.  We were unable
to discover why it happened.  We have had a few calls logged over the last
couple of years where our customers have had the same issue.  I am only
aware of ~5 instances of this happening.

I'm interested to see if anyone else has seen or heard of this issue.

Note - The fact that the emails are removed from the Journal mailboxes by
KVS Ent Vault can't have any bearing on the problem as this happens after
the event.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 24 March 2005 11:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

Quoting "Ramsay, Steve" <[EMAIL PROTECTED]>:

> I have personally experienced this issue with Exchange 5.5.  It 
> happens very rarely and we have been unable to reproduce it at will.  
> However, the problem seemed to start when we enabled site-level 
> journaling (we use KVS Enterprise Vault for journaling).
> 
> Steve
> 

Steve, just out of interest, how have you configured your journaling within
Exchange, and at what point did this issue start to crop up (immediately,
after some period of time)?

Just as background, we have a reasonably big Exchange system (3000 users,
about 600gb of stores) and are also running KVS + Exchange journaling, but
haven't seen this problem (it may be happening, we just haven't noticed yet).

Cheers

Glenn


** 
This is a commercial communication from Commerzbank AG.

This communication is confidential and is intended only for the person to
whom it is addressed.  If you are not that person you are not permitted to
make use of the information and you are requested to notify
 immediately that you have
received it and then destroy the copy in your possession.

Commerzbank AG may monitor outgoing and incoming e-mails. By replying to
this e-mail you consent to such monitoring. This e-mail message and any
attached files have been scanned for the presence of computer viruses.
However, you are advised that you open attachments at your own risk.

This email was sent either by Commerzbank AG, London Branch, or by
Commerzbank Corporates & Markets, a division of Commerzbank. Commerzbank AG
is a limited liability company incorporated in the Federal Republic of
Germany. Registered Company Number in England BR001025. Our registered
address in the UK is 23 Austin Friars, London, EC2P 2JD. We are regulated by
the Financial Services Authority for the conduct of investment business in
the UK and we appear on the FSA register under number 124920. 

**



RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread gcorbett
Quoting "Ramsay, Steve" <[EMAIL PROTECTED]>:

> I have personally experienced this issue with Exchange 5.5.  It happens very
> rarely and we have been unable to reproduce it at will.  However, the
> problem seemed to start when we enabled site-level journaling (we use KVS
> Enterprise Vault for journaling).
> 
> Steve
> 

Steve, just out of interest, how have you configured your journaling within
Exchange, and at what point did this issue start to crop up (immediately,
after some period of time)?

Just as background, we have a reasonably big Exchange system (3000 users, about
600gb of stores) and are also running KVS + Exchange journaling, but haven't
seen this problem (it may be happening, we just haven't noticed yet).

Cheers

Glenn


RE: [ActiveDir] GPO's in AD (online and offline)

2005-03-24 Thread Ruston, Neil
One further clarification - GPO settings are stored in the registry and *are*
active even if the machine is disconnected from the domain or network.

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Peter Johnson
Sent: 24 March 2005 11:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO's in AD (online and offline)


There are two profiles for the firewall settings. The one is external and the
other one is internal. I can't recall their exact names but the one operates
when the firewall is aware that it's connected to its domain and the other
operates in all other scenarios.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 24 March 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO's in AD (online and offline)

We are in the process of rolling out XP SP2 in our environment and I am
beginning to mess around a bit with the GPO settings for SP2, specifically the
firewall.

We have a mixture of laptop and desktop users, the desktops are no problem as
we disable the firewall on all of them as the corporate network they are
connected to handles all access rights. The laptop users however are a bit of
a headache.

What I need to be able to do is disable the firewall when the laptops are
logging on locally to the network but ensure that the firewall is enabled when
they are working offline and perhaps making dialup connections to the
internet.

What I can't figure out is how I am supposed to get the firewall policy
settings to the laptops. If they are logging on to the domain the firewall
should be disabled and if they log on while disconnected from the domain then
they won't process the GPO and therefore won't get any settings?!? Just how
can I solve this Catch 22?

Thanks for any help


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
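
The two profiles mentioned in this thread are the Domain Profile and the Standard Profile of the XP SP2 Windows Firewall policy. An added illustration (not from any poster) of the policy values such a GPO leaves in a laptop's registry; the 0/1 choices are assumptions taken from Mark's description of what he wants:

```reg
Windows Registry Editor Version 5.00

; Constructed illustration. Both sets of values are written while the laptop
; processes the GPO on the domain, and both stay in the registry afterwards,
; so the off-network setting is already present when the laptop leaves.

; Domain Profile: applies when the machine detects its own domain network.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=dword:00000000

; Standard Profile: applies on every other network (home, hotel, dial-up).
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
```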


RE: [ActiveDir] GPO's in AD (online and offline)

2005-03-24 Thread Peter Johnson
There are two profiles for the firewall settings. The one is external
and the other one is internal. I can't recall their exact names but the
one operates when the firewall is aware that it's connected to its domain
and the other operates in all other scenarios.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: 24 March 2005 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO's in AD (online and offline)

We are in the process of rolling out XP SP2 in our environment and I am
beginning to mess around a bit with the GPO settings for SP2,
specifically the firewall.

We have a mixture of laptop and desktop users, the desktops are no
problem as we disable the firewall on all of them as the corporate
network they are connected to handles all access rights. The laptop
users however are a bit of a headache.

What I need to be able to do is disable the firewall when the laptops
are logging on locally to the network but ensure that the firewall is
enabled when they are working offline and perhaps making dialup
connections to the internet.

What I can't figure out is how I am supposed to get the firewall policy
settings to the laptops. If they are logging on to the domain the
firewall should be disabled and if they log on while disconnected from
the domain then they won't process the GPO and therefore won't get any
settings?!? Just how can I solve this Catch 22?

Thanks for any help



[ActiveDir] GPO's in AD (online and offline)

2005-03-24 Thread Abbiss, Mark
We are in the process of rolling out XP SP2 in our environment and I am 
beginning to mess around a bit with the GPO settings for SP2, specifically the 
firewall.

We have a mixture of laptop and desktop users, the desktops are no problem as 
we disable the firewall on all of them as the corporate network they are 
connected to handles all access rights. The laptop users however are a bit of a 
headache.

What I need to be able to do is disable the firewall when the laptops are
logging on locally to the network but ensure that the firewall is enabled when
they are working offline and perhaps making dialup connections to the internet.

What I can't figure out is how I am supposed to get the firewall policy settings
to the laptops. If they are logging on to the domain the firewall should be
disabled and if they log on while disconnected from the domain then they won't
process the GPO and therefore won't get any settings?!? Just how can I solve
this Catch 22?

Thanks for any help



RE: [ActiveDir] OT: Exchange 2003 Forestprep

2005-03-24 Thread Lucia Washaya

Return Receipt

Your document: RE: [ActiveDir] OT: Exchange 2003 Forestprep
was received by: Lucia Washaya/UNAMSIL
at: 24/03/2005 09:30:30 GMT



RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but still has an AD portion...

2005-03-24 Thread Ramsay, Steve
I have personally experienced this issue with Exchange 5.5.  It happens very
rarely and we have been unable to reproduce it at will.  However, the
problem seemed to start when we enabled site-level journaling (we use KVS
Enterprise Vault for journaling).

Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 24 March 2005 00:48
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

How do you know it works just fine? What proactive checking is done to
verify it? Say 2 people didn't get the message and they didn't realize there
was a message to not get...

The question is being posed because I am working with some folks who had a
couple of people (that we know of) out of several thousand that got one
message posted to a DL but didn't get an important followup message. It is
slowly being reduced to either the expansion is screwed on the Exchange side
or on the AD side and my bet is Exchange side as I don't expect AD would not
return all users in a group without throwing at least one error. We know
that it isn't a user issue because there is no evidence in the tracking logs
of the message ever going to those people. Right now I am trying to get a
comprehensive list of everyone who did get sent a message so it can be
compared to the DL itself to see if it was just these two people or more.

  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, March 23, 2005 7:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based
but still has an AD portion...

I'm on several DLs that are thousands of users in size (some are multiple
times larger than MaxValRange), and it works just fine. (By thousands of
users in size, I'm talking about a single DL that is thousands of users, not
nested DLs, as that is of course an entirely different test scenario that
may not hit ranged retrieval.)

Why do you ask? Is there a followup technical question? :)

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] [OT] Another Odd OT Question - Exchange DL based but
still has an AD portion...

Has anyone ever actually tested if Exchange properly delivers emails to all
members of a large (many thousands of mail objects) Distribution List?
Specifically where the Exchange server has to expand a DL and use attribute
ranging to get all members. 

  joe

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
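
The comparison joe describes in this thread, recipients in the tracking logs against the full DL membership, only works if the whole `member` attribute is read, which a DC hands out in ranges once the group exceeds MaxValRange. An added example, not from any poster: `fake_dc_read` is a constructed stand-in for the directory, the addresses are constructed, and a range size of 1500 is assumed.

```python
import re

MAX_VAL_RANGE = 1500  # assumed number of values a DC returns per read
RANGE_RE = re.compile(r"member;range=(\d+)-(\d+|\*)")

def fake_dc_read(members, request):
    """Constructed stand-in for one LDAP read of 'member;range=LOW-HIGH'.

    Returns (attribute name as the server labels it, list of values)."""
    low, high = RANGE_RE.fullmatch(request).groups()
    low = int(low)
    last = len(members) - 1
    high = last if high == "*" else min(int(high), last)
    high = min(high, low + MAX_VAL_RANGE - 1)  # server-side cap
    # The final slice is labelled with '*' instead of a number.
    label = "*" if high >= last else str(high)
    return f"member;range={low}-{label}", members[low:high + 1]

def expand_members(read):
    """Keep asking for the next range until the server answers with '-*'."""
    members, low = [], 0
    while True:
        name, values = read(f"member;range={low}-*")
        members.extend(values)
        high = RANGE_RE.fullmatch(name).group(2)
        if high == "*":
            return members
        low = int(high) + 1

def naive_expand(read):
    """Failure mode: treat the first slice as the whole membership."""
    return read("member;range=0-*")[1]

def missed_recipients(dl_members, tracked_recipients):
    """DL members with no delivery entry in the tracking log."""
    seen = {r.lower() for r in tracked_recipients}
    return sorted(m for m in dl_members if m.lower() not in seen)

# Constructed data: a 3200-member DL and a tracking log missing two of them.
DL_MEMBERS = [f"user{i:04d}@example.test" for i in range(3200)]
DROPPED = {"user1499@example.test", "user3100@example.test"}
TRACKED = [m.upper() for m in DL_MEMBERS if m not in DROPPED]

def read(request):
    """One read against the constructed directory."""
    return fake_dc_read(DL_MEMBERS, request)

if __name__ == "__main__":
    full = expand_members(read)
    print(len(naive_expand(read)), "members from a single read")
    print(len(full), "members after following every range")
    print("not in tracking log:", missed_recipients(full, TRACKED))
```

An expander that stops after the first range silently loses every member past the cap, so the diff against the tracking log should start from the fully ranged membership.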