[ActiveDir] OT (sort of) ADC entry in Active Directory

2005-03-25 Thread Burkes, Jeremy [Contractor]

Everyone,

We recently switched over to Exchange 2000 Native mode (successfully), making sure to remove the config_ca and SRS databases, and then uninstalling the Active Directory Connector from all the servers within our organization. We switched to Exchange 2000 Native mode and waited for replication, and all of the features of Exchange 2000 Native mode are present, i.e. everything is running smoothly. I was using ADSI Edit to check some things in the configuration container and noticed we still have a container called Active Directory Connections under Services\Microsoft Exchange. In the container there is one object called Default ADC Policy. I figured when we switched over it would be removed; nope. Anyone have any ideas as to what I should do? Delete it? Leave it? It does not seem to bother anything within our Exchange organization, it just bothers me :^)

Jeremy


-
Jeremy Burkes
Strategic Systems Program
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270

All that is necessary for the forces of evil to win in the world is for enough good men to do nothing. - Edmund Burke

It is not how many times you get knocked down, it is how many times you get back up. - Vince Lombardi


Re: [ActiveDir] Logging changes made to GPOs

2005-03-25 Thread Jason B



Anyone have the general price range on these products? Web sites don't seem to list it, and after contacting sales, they want all kinds of info just to get a price. I am just looking for a GENERAL price. I don't know if they are $99, $99 per client, $1000 or $10,000.

- Original Message -
From: Darren Mar-Elia
To: ActiveDir@mail.activedir.org
Sent: Thursday, March 24, 2005 5:32 PM
Subject: RE: [ActiveDir] Logging changes made to GPOs
  
Right, the challenge that native auditing presents is that no details about what GPO setting is changed are logged. You can find out that something changed on the GPC, but that's about it. As Hunter mentioned, there are at least three commercial products that I know of that do provide detailed GPO logging:

NetIQ GP Guardian
Netpro Change Auditor
Quest Change Manager for AD

Darren
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Thursday, March 24, 2005 2:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logging changes made to GPOs
  
You can employ a 3rd party tool like the offerings from NetPro, NetIQ, Quest etc.

Natively, if you enable Audit directory service access you can detect changes to GPOs by finding event ID 565s that have the Object Type value groupPolicyContainer, the Accesses value Write Property, and a Write Property that includes versionNumber.
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Janson, Joe
Sent: Thursday, March 24, 2005 8:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logging changes made to GPOs

Is it possible to log changes made to Group Policy Objects?
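Bob's native-audit recipe (event 565, Object Type groupPolicyContainer, Accesses Write Property, written properties including versionNumber) can be scripted. The following is an added example written for this page, not code from the thread or from any of the products named in it. It applies that three-part filter to a constructed, simplified "Field: value" rendering of 565 events; the field layout is an approximation of the real event text, and the two GPO GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy GUIDs used only as sample data.

```python
import re
from collections import namedtuple

# Constructed sample: four Security-log entries in a simplified "Field: value"
# rendering of the Windows 2000/2003 "Object Open" event (ID 565). Field names
# follow Bob's description; the layout approximates the event text and is not
# a verbatim copy. Only the first entry should match the filter.
SAMPLE_EVENTS = """\
Event ID: 565
Object Type: groupPolicyContainer
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
Primary User Name: alice
Accesses: Write Property
Properties: Write Property, versionNumber, gPCFileSysPath

Event ID: 565
Object Type: groupPolicyContainer
Object Name: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
Primary User Name: bob
Accesses: Read Property
Properties: Read Property, versionNumber

Event ID: 565
Object Type: user
Object Name: CN=carol,OU=Staff,DC=example,DC=com
Primary User Name: dave
Accesses: Write Property
Properties: Write Property, description

Event ID: 565
Object Type: groupPolicyContainer
Object Name: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
Primary User Name: erin
Accesses: Write Property
Properties: Write Property, displayName
"""

GpoChange = namedtuple("GpoChange", "user gpo_dn properties")


def parse_events(text):
    """Split blank-line separated events into one dict of field -> value each."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        events.append(fields)
    return events


def properties_of(event):
    """The comma-separated 'Properties' list as individual names."""
    return [p.strip() for p in event.get("Properties", "").split(",") if p.strip()]


def is_gpo_write(event):
    """Bob's filter: a 565 on a groupPolicyContainer with a Write Property
    access whose written properties include versionNumber (the attribute
    every GPO edit increments, which is what makes it the discriminator)."""
    props = properties_of(event)
    return (event.get("Event ID") == "565"
            and event.get("Object Type") == "groupPolicyContainer"
            and "Write Property" in event.get("Accesses", "")
            and "Write Property" in props
            and "versionNumber" in props)


def find_gpo_changes(text):
    """One GpoChange per event that passes the filter: who touched which GPC."""
    return [GpoChange(ev.get("Primary User Name", "?"), ev.get("Object Name", "?"),
                      properties_of(ev))
            for ev in parse_events(text) if is_gpo_write(ev)]


if __name__ == "__main__":
    for change in find_gpo_changes(SAMPLE_EVENTS):
        print(f"{change.user} modified {change.gpo_dn} ({', '.join(change.properties)})")
```

As Darren notes, this tells you who changed which GPO and when, but not which setting changed; that detail lives in the SYSVOL files and is what the commercial products add.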


RE: [ActiveDir] AD Database size questions.

2005-03-25 Thread Eric Fleischman
 Also, I believe in 2003, they've raised the TSL to 120 days as a default.

Sorry, but no, we did not.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, March 25, 2005 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.

Also, I believe in 2003, they've raised the TSL to 120 days as a default.

marcus c. oh
.\core technologies\cox communications, inc.
.\mvp\windows server systems\management
[v] 404.847.6117 [c] 404.391.7097


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.

Assuming your DCs are all replicating fine within the TSL you are proposing, you should be fine. The idea behind the TSL is that the tombstoned objects get replicated to every DC in your forest so AD knows that an object has been deleted. If you, for instance, set the value too low, a tombstone will not make it across the forest and an object that is supposed to be dead has a possibility of being reanimated.

I would keep the TSL low for only as long as needed.

As for the cleanup, unfortunately yes, you will either need to offline defrag or demote and repromote to reclaim the disk space.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Schofield
Sent: Wednesday, March 23, 2005 8:13 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Database size questions.

Hi Joe/Eric,

I was able to use that script to convert to csv format. Another thing I did ahead of time was use CSVDE and export the entire OU in question. I exported the cn, whenCreated, whenChanged attributes and discovered more clues. This is NOT an AD problem as expected but the script is the real problem. On a few occasions it deleted like 6000 or 8000 records at a time. I regress and take blame for the problem! :) While looking into this issue I've learned quite a bit.

One thing I'm not sure about is helping clean up AD. Would it hurt to lower the Tombstone life from 60 days to 30 or even 15 days to clean this up? Assuming I clean up the tombstoned records. Eric mentioned I would have to take the DC off-line to compact the database to reclaim space; does this have to be performed on each DC separately? The reason I ask is one of the DC's disk space is kind of at a premium and to leave the ntds.dit file at almost 2 gig hurts when doing backups. I appreciate your help on this as I've learned quite a bit.

Thank you,

 Steve Schofield
Microsoft MVP - ASP/ASP.NET
ASPInsider Member - MCP

 http://www.orcsweb.com/
Powerful Web Hosting Solutions
#1 in Service and Support






- Original Message -
From: joe [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Monday, March 21, 2005 1:49 PM
Subject: RE: [ActiveDir] AD Database size questions.


 ~Eric:
 I don't believe ldifde knows how to look at deleted items. Also, this won't give the csv format he is looking for.

 Steve:
 If you download the latest copy of adfind, you will find a perl script in the zip file with it. This perl script will take an adfind dump and convert it to csv format for you. Script should be called adcsv.pl


   joe



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric
Fleischman
 Sent: Monday, March 21, 2005 1:43 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] AD Database size questions.

 I think this'll do it (no directory in front of me to test against):
 ldifde -x -d "CN=Deleted objects,dc=domain,dc=com" -f output.ldf -l dn,objectclass -s serverName

 csvde probably has similar syntax, but I don't have it nearby. Csvde would perhaps be more handy for this because then you could Excel/Access the data and see what it looks like.

 ~Eric



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Schofield
 Sent: Monday, March 21, 2005 10:09 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] AD Database size questions.

 Is there a way to use csvde to export just this information from AD? I've used this utility to export a lot of information; it is very handy when troubleshooting things like this. Otherwise I'll parse the output file I got from AdFind.

 Steve


 - Original Message -
 From: Eric Fleischman [EMAIL PROTECTED]
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Sent: Monday, March 21, 2005 10:32 AM
 Subject: RE: [ActiveDir] AD Database size questions.


 No it would not, auth restoring just a bunch of regular ol' objects would not cause lots of tombstones.
 You have some sort of object creation/deletion situation going on. Can we see the list of tombstones? I'm probably just interested in attributes dn and objectclass and when they were deleted.

 More 
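Steve found the runaway script by exporting cn, whenCreated and whenChanged and looking for clusters of deletions; Eric's ldifde command pulls dn and objectclass out of the Deleted Objects container. The following added example (written for this page; it is not the thread's script, adfind or adcsv.pl) parses a constructed LDIF export in that shape and reports the time windows in which deletions cluster. It treats whenChanged as the deletion time of a tombstone, on the assumption that deleting an object modifies it and a tombstone is normally not touched again; real ldifde output base64-encodes DNs containing the \0A of the DEL: suffix, which this sample keeps as plain text.

```python
from collections import Counter, defaultdict
from datetime import datetime


def _entry(name, object_class, when_changed):
    """Build one constructed tombstone entry in simplified ldifde shape."""
    return (f"dn: CN={name}\\0ADEL:00000000-0000-0000-0000-000000000000,"
            "CN=Deleted Objects,DC=domain,DC=com\n"
            f"objectClass: {object_class}\n"
            "isDeleted: TRUE\n"
            f"whenChanged: {when_changed}\n")


# Constructed sample: eight users deleted in the same minute (a scripted bulk
# delete), one stale computer earlier that morning, two computers the next day.
SAMPLE_LDIF = "\n".join(
    [_entry(f"user{i:04d}", "user", "20050321134500.0Z") for i in range(8)]
    + [_entry("stale-pc", "computer", "20050321090000.0Z")]
    + [_entry(f"pc{i}", "computer", "20050322110000.0Z") for i in range(2)]
)


def parse_ldif(text):
    """Split 'attr: value' LDIF into one dict of attribute -> [values] per entry.
    Base64 ('::') values are not decoded; the sample does not use them."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def deletion_bursts(ldif_text, window_minutes=60, threshold=5):
    """Group tombstones by the window in which they were deleted and return
    (window start, count, Counter of objectClass) for every window holding
    at least `threshold` deletions, oldest first."""
    buckets = defaultdict(list)
    for entry in parse_ldif(ldif_text):
        # Generalized time as ldifde writes it, e.g. 20050321134500.0Z
        stamp = datetime.strptime(entry["whenChanged"][0], "%Y%m%d%H%M%S.0Z")
        minute_of_day = (stamp.hour * 60 + stamp.minute) // window_minutes * window_minutes
        window = stamp.replace(hour=minute_of_day // 60, minute=minute_of_day % 60, second=0)
        # The most specific objectClass value is last in an ldifde export
        buckets[window].append(entry["objectClass"][-1])
    return [(window.strftime("%Y-%m-%d %H:%M"), len(classes), Counter(classes))
            for window, classes in sorted(buckets.items())
            if len(classes) >= threshold]


if __name__ == "__main__":
    for window, count, classes in deletion_bursts(SAMPLE_LDIF):
        print(f"{window}: {count} deletions {dict(classes)}")
```

A burst of thousands of deletions in one window, all of one objectClass, is the signature Steve describes; the same grouping run over whenCreated from a live export shows the matching creation bursts and dates the script's start.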

RE: [ActiveDir] OT (sort of) ADC entry in Active Directory

2005-03-25 Thread Mulnick, Al
There's no point in deleting it either.  You could, but why mess with it? In
native mode, it won't matter. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 25, 2005 11:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT (sort of) ADC entry in Active Directory

Not sure if you can delete it or not, however a raw forest with Exchange
loaded without ever using ADC will have the Active Directory Connections
container.
 
   joe




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-25 Thread joseph.e.kaplan

That is exactly what I saw as well. Using the IP address kills off the ability to use Kerberos, forcing SPNEGO to NTLM, and then the whole connection is encrypted after that even though I did not specify LDAP_OPT_ENCRYPT.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

I can do better for you...

Fire up ethereal with a capture filter of tcp port 389

Open LDP

o Type in a DC name and click OK
o Type in your bind info and bind
o Click on View | Tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)

Look at the trace, you should note that the traffic on the tree view is all clear text.

Now do the same but use an IP address of the DC.

Traffic should be all encoded/encrypted.





RE: [ActiveDir] Site creation and DNZ zones

2005-03-25 Thread Jorge de Almeida Pinto
Hi,

The resource records registered by each DC in DNS can also be found in the file NETLOGON.DNS (%WINDIR%\system32\config). The record you say you are missing is:
_ldap._tcp.YOUR-SITE._sites.dc._msdcs.YOUR-DOMAIN.YOUR-DOMAIN

Check if this record can be found in the NETLOGON.DNS file on the DCs that should register this record. If it is in there you can make a DC re-register its records by typing: NET STOP NETLOGON && NET START NETLOGON
Go to the location in DNS, refresh and see if the record appears.
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Friday, March 25, 2005 01:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Site creation and DNZ zones

I'm not sure of the default behavior here so I have to ask:

When I create a new site, should a zone for the site be created in the forest-wide _msdcs.domain.com zone?

When I create sites, the site zone gets created in the domain.com zone under _sites and forestdnszones but not in the forest-wide _sites.dc._msdcs.domain.com zone.

Thanks
Nathan
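A scripted form of Jorge's check, added here as an example that is not from the thread: parse a DC's NETLOGON.DNS file and compare it with the site-specific SRV owner names that DC should register, so a missing record can be pinned on the DC before restarting Netlogon. The file excerpt is constructed; the expected-name list covers the two _ldap site records discussed in this thread and is easy to extend.

```python
# Constructed excerpt of the NETLOGON.DNS file written by a DC named dc1 in
# site "Boston" of domain example.com. The generic and domain-level site
# records are present; the site-specific dc._msdcs record is deliberately
# missing, which is the situation Nathan describes.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 10.1.2.3
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Boston._sites.example.com. 600 IN SRV 0 100 389 dc1.example.com.
"""


def parse_netlogon_dns(text):
    """Parse 'owner ttl class type rdata...' lines into (owner, type, rdata)
    tuples. Owners are lower-cased with the trailing dot removed so they
    compare cleanly; comment lines starting with ';' are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or line.lstrip().startswith(";"):
            continue
        owner, _ttl, _class, rtype = parts[:4]
        records.append((owner.lower().rstrip("."), rtype.upper(), tuple(parts[4:])))
    return records


def expected_site_srv_names(domain, site):
    """Site-specific _ldap SRV owners a DC in `site` should register: the
    dc._msdcs record Jorge names and its domain-level counterpart."""
    d, s = domain.lower().rstrip("."), site.lower()
    return [
        f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
    ]


def missing_site_records(text, domain, site):
    """Expected site SRV owners that do not appear in the NETLOGON.DNS text."""
    present = {owner for owner, rtype, _ in parse_netlogon_dns(text) if rtype == "SRV"}
    return [name for name in expected_site_srv_names(domain, site) if name not in present]


def srv_targets(text, owner):
    """Hosts a given SRV owner points at in the file, to confirm which DC
    registered it."""
    owner = owner.lower().rstrip(".")
    return sorted(rdata[3].rstrip(".") for o, rtype, rdata in parse_netlogon_dns(text)
                  if o == owner and rtype == "SRV" and len(rdata) >= 4)


if __name__ == "__main__":
    print("missing:", missing_site_records(SAMPLE_NETLOGON_DNS, "example.com", "Boston"))
```

If the record is in the file but not in DNS, the DC tried to register it and the zone, its permissions or dynamic-update settings are the place to look; if it is absent from the file, the DC itself is not in that site or is not registering site records.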


RE: [ActiveDir] AD Database size questions.

2005-03-25 Thread Jorge de Almeida Pinto
For NEW forests installed with W2K3 SP1 the default is 180 days.
For UPGRADED forests to W2K3 SP1 the default is 60 days or any value that has been configured manually.
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gould, Andrew D.
Sent: Friday, March 25, 2005 19:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Database size questions.

Isn't the TSL being increased in SP1?

Andrew Gould





RE: [ActiveDir] OT (sort of) ADC entry in Active Directory

2005-03-25 Thread Burkes, Jeremy [Contractor]
Thanks everyone.  I did not know that a raw installation with no ADC
installation would have that container.  Interesting.  Thanks for the
information, good thing I did nothing.

Jeremy 



Re: [ActiveDir] AD user account keeps getting locked out

2005-03-25 Thread James_Day
Hi Joe

We have seen two causes for this (although there are others). First, we had a service that was started using the user credentials. The password was changed but the service was never updated. Every time the service attempted to start it would lock the account. The second time we found the user had logged into a workstation that was locked, and she never logged out. Something was running on the machine that would periodically access a server drive - again with the credentials the machine was logged in with before the password was changed, which locked her account every hour.

In both cases we checked the DC event log for failure audits which tracked down the machine the problems were coming from (IP address), took the machine offline and then went through to find out what was the problem. The IP address may be another DC - which suggests the failed login happened on that DC and then was replicated to the one you are looking at (in the second machine case we tracked it through 3 DCs to find the actual workstation IP address).

In your case, it would seem that Adobe was installed under the old user's account with a service type connection that keeps trying to start, using her creds and the old password. I would check the event logs to make sure the failed logins are coming from that IP and then if they are look at uninstalling Adobe or the Adobe associated services.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: Pelle, Joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 03/25/2005 01:29 PM EST
Please respond to: ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] AD user account keeps getting locked out


Hello!

I have a user account that continuously keeps getting locked out. We've reset the user's password (multiple times), took the computer off of the domain, renamed the computer, put it back on the domain, etc. This user works primarily out of her home office but is at our headquarters yesterday and today. She had a junior admin reset her password and install some software (Adobe) yesterday and has had the problem ever since. Anyone been down this road before?

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

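James's procedure, read the failure audits on the DC that shows the lockout, take the source address from them, and if that address is another DC move to that DC's log and repeat until a workstation appears, is mechanical enough to script. The following is an added example (not from the thread); the failure records, addresses and field names are constructed for it and are not the Windows event text.

```python
# Constructed failure-audit records: which DC logged the event, the account,
# and the source address carried in the event. Field names are this example's
# own. The jdoe chain runs DC1 -> DC2 -> DC3 -> workstation, the three-DC hop
# James describes; the DC1 record alone would wrongly blame DC2.
DC_ADDRESSES = {"10.0.0.11": "DC1", "10.0.0.12": "DC2", "10.0.0.13": "DC3"}

SAMPLE_FAILURES = [
    {"dc": "DC1", "user": "jdoe", "source": "10.0.0.12"},    # DC1 saw it come from DC2
    {"dc": "DC2", "user": "jdoe", "source": "10.0.0.13"},    # DC2 saw it come from DC3
    {"dc": "DC3", "user": "jdoe", "source": "10.0.5.77"},    # DC3 saw the workstation
    {"dc": "DC1", "user": "asmith", "source": "10.0.9.9"},   # a one-hop case
    {"dc": "DC2", "user": "loop", "source": "10.0.0.11"},    # DC2 -> DC1
    {"dc": "DC1", "user": "loop", "source": "10.0.0.12"},    # DC1 -> DC2 (a cycle)
]


def failure_sources(events, dc, user):
    """Distinct source addresses in failure audits for `user` logged on `dc`."""
    return sorted({e["source"] for e in events if e["dc"] == dc and e["user"] == user})


def trace_lockout_source(events, dc_addresses, user, start_dc, max_hops=10):
    """Follow the failure audits from DC to DC until a non-DC source shows up.
    Returns (path of DCs visited, list of non-DC source addresses). An empty
    list means the trail ended at a DC already visited (a cycle), ran out of
    audits, or exceeded max_hops; the path shows where it stopped."""
    path, dc = [start_dc], start_dc
    for _ in range(max_hops):
        sources = failure_sources(events, dc, user)
        workstations = [s for s in sources if s not in dc_addresses]
        if workstations:
            return path, workstations
        next_dcs = [dc_addresses[s] for s in sources if dc_addresses[s] not in path]
        if not next_dcs:
            return path, []
        dc = next_dcs[0]
        path.append(dc)
    return path, []


def lockout_report(events, dc_addresses, user, start_dc):
    """One-line summary for the helpdesk ticket."""
    path, origins = trace_lockout_source(events, dc_addresses, user, start_dc)
    if origins:
        return f"{user}: failures originate at {', '.join(origins)} (via {' -> '.join(path)})"
    return f"{user}: no workstation source found; trail ended at {' -> '.join(path)}"


if __name__ == "__main__":
    for account in ("jdoe", "asmith", "loop"):
        print(lockout_report(SAMPLE_FAILURES, DC_ADDRESSES, account, "DC1"))
```

Once the workstation address is known, the service or cached session holding the old password is found on that machine, as in both of James's cases; a DC that appears as the source is a relay, not the origin.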