RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread joe



Ok I worked out how to disable it, there is one GPO setting 
I hadn't seen previously, you can disable at the client with it via secpol.msc 
assuming no domain level setting. As ~Eric pointed out, that is machine 
specific, not connection specific. 
 
The GPO setting is called "Network Security: LDAP client 
signing requirements"
 
It impacts the reg key: 
hklm\system\currentcontrolset\services\ldap , value is 
ldapclientintegrity
 
0=no encryption
1=negotiate
2=must have
 
I will make a note to self to put a request into ladybug 
next time I go into it. 
 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2


Using ldp.exe and 
explicitly setting SIGN and ENCRYPT to 0 still results in encrypted 
traffic.  I think this is what you were implying earlier regarding Joe’s 
GPO comments, but I wasn’t quite sure.  Thus it looks like you can’t 
disable this at all from the client.  Can the behavior be changed at the 
DC?
 
Joe K.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
….and that’s a good DCR 
IMHO. But that’s just me. :)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
File a dcr if you’d 
like that going forward, but today you can’t.
Sorry.
~Eric
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
I don't believe I have 
any signing enabled on the test box I'm trying this on. All GPO settings for 
signing and encryption are off.
 
I will doublecheck it 
all though.
 
Seems like you should 
be able to disable this per connection with a 
control.
 
  
joe
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

If you get NTLM 
authentication and you’ve requested signing (which is the default) you’ll find 
the traffic is encrypted.
 
It is encrypting 
because it appears to have ldapclientintegrity set (thanks to the wldap32 dev 
that told me that, I didn’t see it).
If you don’t want to 
encrypt, flip this value. But note that this will decrypt all such connections 
on the box, so this is not recommended.
 
~Eric
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 26, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
So, joe and Joe – is 
this indisputable truth that we’ve been looking for that NTLM is a required part 
of the Kerberos authentication process?
 
:-D  

 
(Joe, just ask joe….. 
trust me…..)
 
-rtk
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 25, 2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
Exactly. Since I can't 
find documentation on this anywhere, I feel it should firmly go into the 
classification of BUG.
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 25, 2005 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I 
saw as well.  Using the IP address kills off the ability to use Kerberos, 
forcing SNEGO to NTLM, and then the whole connection is encrypted after that 
even though I did not specify LDAP_OPT_ENCRYPT.
 
Joe K.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2
 
I can do better for you...

Fire up ethereal with a capture filter of tcp port 389

Open LDP

o type in a DC name and click OK
o Type in your bind info and bind
o Click on view|tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)

Look at the trace, you should note that the traffic on the tree view is all clear text

Now do the same but use an IP address of the DC.

Traffic should be all encoded/encrypted.
 
 

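An added example, not code from the thread or from Microsoft: a read-only PowerShell audit of the LDAPClientIntegrity value joe traced, plus a check that flags bind targets which will fall back to NTLM the way Joe K. saw when binding by IP address. The DC name and address in the usage lines are constructed placeholders; nothing on the network is contacted.

```powershell
# Registry location named in the thread; the GPO "Network Security: LDAP client
# signing requirements" writes this value. Read-only: nothing here changes it.
$LdapKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$ValueName = 'LDAPClientIntegrity'

# Meanings as the thread describes them (0/1/2). Eric notes signing is
# requested by default, so an absent value is treated as Negotiate.
$Meaning = @{
    0 = 'None      - client does not request signing (thread: "no encryption")'
    1 = 'Negotiate - sign/seal when the server supports it (the default)'
    2 = 'Require   - client refuses binds it cannot sign'
}

function Get-LdapClientIntegrity {
    # Returns the raw registry value ($null when unset), the effective level and
    # its meaning. Eric's caveat applies: this is machine-wide, not per
    # connection, so a 0 here weakens every LDAP client on the box, not one tool.
    $props = Get-ItemProperty -Path $LdapKey -ErrorAction SilentlyContinue
    $raw   = if ($props -and $null -ne $props.$ValueName) { [int]$props.$ValueName } else { $null }
    $level = if ($null -eq $raw) { 1 } else { $raw }
    [pscustomobject]@{
        Key       = $LdapKey
        Value     = $ValueName
        Raw       = $raw
        Effective = $level
        Meaning   = if ($Meaning.ContainsKey($level)) { $Meaning[$level] } else { "Unknown value $level" }
        Weakened  = ($level -eq 0)
    }
}

function Test-LdapBindTarget {
    # Classifies a bind target by the rule the thread observed: an IP literal
    # gives Kerberos no SPN (ldap/<fqdn>) to request, so SPNEGO falls back to
    # NTLM; a DNS name keeps Kerberos available. Pure string logic.
    param([Parameter(Mandatory)][string]$Target)
    $ip   = $null
    $isIp = [System.Net.IPAddress]::TryParse($Target, [ref]$ip)
    [pscustomobject]@{
        Target      = $Target
        IsIpLiteral = $isIp
        LikelyAuth  = if ($isIp) { 'NTLM (no SPN for an IP literal)' } else { 'Kerberos (SPN ldap/<fqdn>)' }
        Advice      = if ($isIp) { 'Bind by DNS name so Kerberos is used' } else { 'OK' }
    }
}

# Usage: audit this host, then classify the two targets joe's walkthrough compares
# (constructed values; 192.0.2.10 is documentation address space).
Get-LdapClientIntegrity | Format-List
@('dc01.example.test', '192.0.2.10') | ForEach-Object { Test-LdapBindTarget $_ } | Format-Table -AutoSize
```

If the audit reports Weakened, raise the level through the GPO setting named in the thread rather than by editing the registry, so the change is not reverted at the next policy refresh.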

RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Ruston, Neil
Depending upon your site links, DCs in either site B or C will advertise
themselves as available to site A. The DCs in the site with lowest cost to
site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or powering
off the DCs or demoting them or what?

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion


I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.
==



RE: [ActiveDir] startup scripts not running

2005-03-28 Thread joe



What exactly is the EXE doing? Not all system services are 
available when the startup script runs. For instance, try to shut down a 
server from a startup script. If you ever really need to do that, let me know, I 
have an exe that will do it. Dean told me about issues doing it and I got 
interested enough to look at it and it pissed me right off so I "fixed" 
it.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running


It is a vbs. Actually, 
though, I found out a little more. I put a fresh server into the same OU, and 
rebooted. Turns out most of the script is successful. The only part that isn’t 
is a line that calls an executable file (.exe), which is also located in the 
same folder as the vbscript. 
 
If I wait until the 
server is fully logged in, the script runs the executable with no problem. If I 
leave it to the startup script to run, it does not. I’m using the Exec method of 
the wscript object, such as:
 
Ws.exec("myexecutable.exe")
 
Does that make 
sense?
 
Thanks 
again,
Mark
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running
 
Is it a vbs? If yes, 
have you tried calling it from a bat file? Does it work if you do that? What you 
can do depends on the outcome of that test.
 
Deji




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running
 
I have a situation in which startup 
scripts assigned to various OUs where different servers are located are not 
running. If I log in as a domain admin, browse to the location of the script in 
the GPO assigned to the OU where that server is located, I can launch the script 
with no problem. 
 
I’m having trouble figuring out why 
the script won’t launch on its own.
 
The only thing I’ve found so far in 
troubleshooting a startup script is to look for an entry in the Application log 
with a source of Userinit. However, I see no such entries. Can anyone think of 
what I might need to look at? What permissions need to be enabled on the Policy 
itself, just in case that’s the issue?
 
Thanks,
Mark

This e-mail transmission contains information that is intended to be confidential and 
privileged. If you receive this e-mail and you are not a named addressee you are 
hereby notified that you are not authorized to read, print, retain, copy or 
disseminate this communication without the consent of the sender and that doing 
so is prohibited and may be unlawful. Please reply to the message immediately by 
informing the sender that the message was misdirected. After replying, please 
delete and otherwise erase it and any attachments from your computer system. 
Your assistance in correcting this error is appreciated.


RE: [ActiveDir] Storing dates in AD

2005-03-28 Thread joe



Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are 
used. If the dates will be passed along to other X.500/LDAP type directories, 
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are 
manipulated programmatically, use the long integer representation. It's pretty 
trivial to manipulate it as a date in your code. I'd avoid using a string 
representation unless your code requires a funny string format or unless it 
requires unusual date values like "today", "yesterday", or "when hell freezes 
over" (we use the latter for setting development dates for certain silly feature 
requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.

1. Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).
2. Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
3. Store it as a unicode string and come up with a format like: MMDD[ss][ss]

Does anyone have an opinion on how this should be done?

Thanks
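An added example, not code from the thread: PowerShell conversions between the two representations Gil compares, the pwdLastSet-style long integer and the Generalized Time syntax (2.5.5.11), with everything kept in UTC as joe recommends and the "never" sentinel values handled rather than turned into bogus dates. The demo timestamp is constructed; assumes Windows PowerShell 5.1 or later.

```powershell
# The long-integer form is a Windows FILETIME: 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC. AD attributes of this kind (accountExpires, pwdLastSet)
# use 0 and Int64.MaxValue as "not set / never", which must not be converted.
$Never = [long]::MaxValue

function ConvertFrom-AdInterval {
    # Long integer -> DateTime with Kind = Utc, or $null for a sentinel.
    param([Parameter(Mandatory)][long]$Value)
    if ($Value -eq 0 -or $Value -eq $Never) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function ConvertTo-AdInterval {
    # DateTime (any Kind) -> long integer; local times are normalised to UTC first.
    param([Parameter(Mandatory)][DateTime]$Date)
    $Date.ToUniversalTime().ToFileTimeUtc()
}

function ConvertTo-GeneralizedTime {
    # Generalized Time as AD stores it for syntax 2.5.5.11: yyyyMMddHHmmss.0Z
    param([Parameter(Mandatory)][DateTime]$Date)
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
}

function ConvertFrom-GeneralizedTime {
    # Accepts the AD form (trailing ".0Z") and the plain LDAP form (trailing "Z");
    # the result is Kind = Utc so later comparisons do not shift by local offset.
    param([Parameter(Mandatory)][string]$Text)
    $core   = $Text -replace '(\.\d+)?Z$', ''
    $styles = [Globalization.DateTimeStyles]::AssumeUniversal -bor [Globalization.DateTimeStyles]::AdjustToUniversal
    [DateTime]::ParseExact($core, 'yyyyMMddHHmmss', [Globalization.CultureInfo]::InvariantCulture, $styles)
}

# Demo with a constructed timestamp: the thread's date, 2005-03-28 21:44:00 UTC.
$when   = [DateTime]::new(2005, 3, 28, 21, 44, 0, [DateTimeKind]::Utc)
$asLong = ConvertTo-AdInterval $when
$asGt   = ConvertTo-GeneralizedTime $when
[pscustomobject]@{
    Utc             = $when
    LongInteger     = $asLong
    GeneralizedTime = $asGt
    RoundTripLong   = (ConvertFrom-AdInterval $asLong) -eq $when
    RoundTripGT     = (ConvertFrom-GeneralizedTime $asGt) -eq $when
    NeverSentinel   = ConvertFrom-AdInterval $Never   # sentinel, so no DateTime is produced
}
```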


RE: [ActiveDir] Track Network Logins

2005-03-28 Thread joe
You also have hibernation which can play havoc with record keeping. It
really comes down to the fact that people don't really log into a Windows
domain in the way that you log into UNIX or Mainframes or other OSes. It
used to be say with a PDP-11 I could look at one single output from a
command like systat that would show me all current users, that concept
doesn't work in Windows. You get a cert and off you go and the DC doesn't
care nor track the fact that you are out there. Or even before 2K you got
your token and you didn't need to maintain a session with a DC, you could go
off and connect to another server and it would handle the challenge response
for you with the DC. 


  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Track Network Logins

Can you give some more background about what they want to see?  When you say
logon duration, what does that mean to the managers and is there some other
reason they want to see that information other than for reporting? 

I ask that because some users don't logout, but rather lock the
workstations.  That might throw the reporting off. 
If they don't do that, you may get away with doing this in logon and logoff
scripts easier than any other method.  Some of that logon information is
collected in the audit log settings, but that could be a pain to get to.
It's also kept in the lastlogon attribute for logon.  Logoff is not
currently implemented last I checked (haven't checked in a while, but..) but
could still be used I would imagine depending on the environment. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, March 28, 2005 4:03 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Track Network Logins

AD 2000,
 
I've had a request from management to log how long someone is logged into
the domain.  Can this be done without a third party utility?


RE: [ActiveDir] LDAPS part 2

2005-03-28 Thread joe
Use it if you have to use simple ldap binds or you don't mind clear text
passwords from simple ldap binds flying about.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 28, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

So what is the consensus on this then?

How many people on this list have implemented LDAP over SSL in their
environment? 

Did you run into any problems? 

Would you do it again, or have you decided that there was no benefit in your
particular scenario?



Thanks for the information Joe^2


RE: [ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread joe



Unless you have special network considerations (such as 
firewalled sites, etc) you should try to just let Windows decide which 
servers to use as bridgeheads.
 
  joe 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bridgehead in a single-server site

Hi guys,
 
    Just curious...any opinions on denoting a server as a bridgehead in 
a site where it is currently the only defined server?  We were thinking 
that it then wouldn't be necessary down the road when other DCs are 
added.  Is there any harm in this?  Is there any good in 
this?  ; - )
 
(Forest and domain 
functional levels are Win2003)
 
-DaveC
Reuters CIO Infrastructure

Visit our Internet site at http://www.reuters.com
To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.


RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread joe
Nope? Why not? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, March 28, 2005 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Site Confusion

Nope. If GC is not available in Site A, the users cannot contact DC in
either Site B or Site C.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX


On Mon, 28 Mar 2005 12:54:44 -0800, Matt Brown <[EMAIL PROTECTED]>
wrote:
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist Eastern Washington University
> 


Re: [ActiveDir] startup scripts not running

2005-03-28 Thread Mark Orlando



Mark, 

Do you have “Fast Boot” disabled in the BIOS of the client PC’s?  This would prevent the scripts from running.

Mark Orlando
Systems Engineer
Linden Public Schools


On 3/28/05 4:51 PM, "Creamer, Mark" <[EMAIL PROTECTED]> wrote:

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn’t is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript. 
 
If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I’m using the Exec method of the wscript object, such as:
 
Ws.exec("myexecutable.exe")
 
Does that make sense?
 
Thanks again,
Mark
 





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running
 
Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if you do that? What you can do depends on the outcome of that test.
 
Deji





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running
 
I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem. 
 
I’m having trouble figuring out why the script won’t launch on its own.
 
The only thing I’ve found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that’s the issue?
 
Thanks,
Mark









RE: [ActiveDir] startup scripts not running

2005-03-28 Thread freddy_hartono








How about doing a workaround as in copying
the exe to local %windir% or some other variables?

 

Perhaps an if not exist statement copy, if
not exist %windir%\test.exe copy %logonserver%\share\test.exe

 

Since computer startup is run as system
which should have full access to your machine, this should overcome if it is by
any chance a permission issue…

 



Thank you and have a splendid day!

 

Kind Regards,

 

Freddy Hartono

Windows Administrator (ADSM/NT Security)

Spherion Technology Group, Singapore

For Agilent Technologies

E-mail: [EMAIL PROTECTED]



 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, March 29, 2005 7:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

I would say that the computer’s
account doesn’t have access to the .exe.   Where is the .exe
located?  If its in the GPO’s script folder, it should have
inherited the Authenticated Users permission by default.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

It is a vbs. Actually, though, I found out
a little more. I put a fresh server into the same OU, and rebooted. Turns out
most of the script is successful. The only part that isn’t is a line that
calls an executable file (.exe), which is also located in the same folder as
the vbscript. 

 

If I wait until the server is fully logged
in, the script runs the executable with no problem. If I leave it to the
startup script to run, it does not. I’m using the Exec method of the
wscript object, such as:

 

Ws.exec("myexecutable.exe")

 

Does that make sense?

 

Thanks again,

Mark

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

Is it a vbs? If yes, have you tried
calling it from a bat file? Does it work if you do that? What you can do
depends on the outcome of that test.

 

Deji









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running



 

I have a situation in which startup scripts assigned to
various OUs where different servers are located are not running. If I log in as
a domain admin, browse to the location of the script in the GPO assigned to the
OU where that server is located, I can launch the script with no problem. 

 

I’m having trouble figuring out why the script
won’t launch on its own.

 

The only thing I’ve found so far in troubleshooting a
startup script is to look for an entry in the Application log with a source of
Userinit. However, I see no such entries. Can anyone think of what I might need
to look at? What permissions need to be enabled on the Policy itself, just in
case that’s the issue?

 

Thanks,

Mark


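An added example, not code from the thread: a PowerShell startup script that does what Mark's Ws.exec line does but makes the two failure modes discussed above visible. A bare "myexecutable.exe" is searched from the process working directory and PATH, not the script's folder, so the path is resolved against the script's own location; the SYSTEM context must be able to read the file, which is Scott's Authenticated Users ACL point, so read access is tested before launch; and the outcome goes to the Application log Mark was already checking. The executable name and event source are placeholders, and Write-EventLog assumes Windows PowerShell 5.1.

```powershell
$ExeName = 'myexecutable.exe'        # name from the thread; hypothetical binary
$Source  = 'StartupScript-Example'   # placeholder event source, registered on first run

function Write-StartupLog {
    param(
        [string]$Message,
        [ValidateSet('Information', 'Warning', 'Error')][string]$Type = 'Information'
    )
    # Computer startup runs as SYSTEM, which may register a new source.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId 1000 -Message $Message
}

function Resolve-HelperExe {
    # Anchor on the script's own folder (the GPO's Machine\Scripts\Startup path
    # when deployed through Group Policy), never on the current directory.
    Join-Path -Path $PSScriptRoot -ChildPath $ExeName
}

function Test-CanRead {
    # Opening for read as the current identity is the same check the loader does.
    param([string]$Path)
    try { $fs = [System.IO.File]::OpenRead($Path); $fs.Dispose(); $true } catch { $false }
}

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # expect NT AUTHORITY\SYSTEM
$exe = Resolve-HelperExe

if (-not (Test-Path -LiteralPath $exe)) {
    Write-StartupLog "Running as $who; helper not found at $exe (working directory was $PWD)" 'Error'
    exit 2
}
if (-not (Test-CanRead $exe)) {
    Write-StartupLog "Running as $who; $exe exists but is not readable. Check that the script folder ACL grants Authenticated Users read." 'Error'
    exit 3
}

# Equivalent of Ws.exec(...), but with an absolute path and a captured exit code.
$proc = Start-Process -FilePath $exe -Wait -PassThru -WindowStyle Hidden
$type = if ($proc.ExitCode -eq 0) { 'Information' } else { 'Warning' }
Write-StartupLog "Running as $who; $exe exited with code $($proc.ExitCode)" $type
exit $proc.ExitCode
```

Freddy's local-copy workaround sidesteps the share ACL question, but whatever lands under %windir% runs as SYSTEM on every boot, so it needs the same change control as the GPO folder itself.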








RE: [ActiveDir] startup scripts not running

2005-03-28 Thread Crawford, Scott








I would say that the computer’s
account doesn’t have access to the .exe.   Where is the .exe located?  If
its in the GPO’s script folder, it should have inherited the
Authenticated Users permission by default.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 3:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

It is a vbs. Actually, though, I found out
a little more. I put a fresh server into the same OU, and rebooted. Turns out
most of the script is successful. The only part that isn’t is a line that
calls an executable file (.exe), which is also located in the same folder as
the vbscript. 

 

If I wait until the server is fully logged
in, the script runs the executable with no problem. If I leave it to the
startup script to run, it does not. I’m using the Exec method of the
wscript object, such as:

 

Ws.exec("myexecutable.exe")

 

Does that make sense?

 

Thanks again,

Mark

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

Is it a vbs? If yes, have you tried
calling it from a bat file? Does it work if you do that? What you can do
depends on the outcome of that test.

 

Deji









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running



 

I have a situation in which startup scripts assigned to
various OUs where different servers are located are not running. If I log in as
a domain admin, browse to the location of the script in the GPO assigned to the
OU where that server is located, I can launch the script with no problem. 

 

I’m having trouble figuring out why the script
won’t launch on its own.

 

The only thing I’ve found so far in troubleshooting a
startup script is to look for an entry in the Application log with a source of
Userinit. However, I see no such entries. Can anyone think of what I might need
to look at? What permissions need to be enabled on the Policy itself, just in
case that’s the issue?

 

Thanks,

Mark










RE: [ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread Bernard, Aric








As was already stated, if there is only a
single DC in a site there is no good reason to identify it on the preferred bridgehead
servers list.  In general, especially under W2K3 with FFL at 2, it is best to
leave the preferred BH list for every site empty unless you have a really good
reason to push the BH load on a specific set of DCs.

 

Is there any harm?  Not really, assuming
additional DCs are not added to the site, as the ISTG will create the same
inter-site topology in this specific scenario regardless of the preferred BH
list being defined.

 

Is there any good?  No, in fact having to
define BH is additional administrative overhead that I would try and avoid.

 

W2K3 ISTG does a great job of trying to
load balance new connections amongst all DCs in a site for both inbound and
outbound connections, so the load is no longer borne by a
single DC (per domain) in each site if others are available.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 1:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site



 

and I wouldn't know of a single instance,
where the KCC wouldn't pick that one DC in a single DC site as the BH ;-)

 

/Guido

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, 28 March 2005 22:53
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site


Is there a good reason to NOT let the KCC
pick the BH for you automatically? That way you get some failover if it craps
out for some reason. Otherwise you'll have to watch the DC constantly to reset
the BH to make sure replication continues to work. In Windows 2003, the KCC is
pretty good about picking the best server as a BH.

 

-gil

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Monday, March 28, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Bridgehead in a single-server site



Hi guys,





 





    Just curious...any opinions
on denoting a server as a bridgehead in a site where it is currently the
only defined server?  We were thinking that it then wouldn't be necessary
down the road when other DCs are added.  Is there any harm in
this?  Is there any good in this?  ; - )





 





(Forest and domain
functional levels are Win2003)





 



-DaveC

Reuters CIO Infrastructure



 













RE: [ActiveDir] startup scripts not running

2005-03-28 Thread Creamer, Mark








It is a vbs. Actually, though, I found out
a little more. I put a fresh server into the same OU, and rebooted. Turns out
most of the script is successful. The only part that isn’t is a line that
calls an executable file (.exe), which is also located in the same folder as
the vbscript. 

 

If I wait until the server is fully logged
in, the script runs the executable with no problem. If I leave it to the
startup script to run, it does not. I’m using the Exec method of the
wscript object, such as:

 

Ws.exec("myexecutable.exe")

 

Does that make sense?

 

Thanks again,

Mark

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running



 

Is it a vbs? If yes, have you tried
calling it from a bat file? Does it work if you do that? What you can do
depends on the outcome of that test.

 

Deji









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running



 

I have a situation in which startup scripts assigned to
various OUs where different servers are located are not running. If I log in as
a domain admin, browse to the location of the script in the GPO assigned to the
OU where that server is located, I can launch the script with no problem. 

 

I’m having trouble figuring out why the script
won’t launch on its own.

 

The only thing I’ve found so far in troubleshooting a
startup script is to look for an entry in the Application log with a source of
Userinit. However, I see no such entries. Can anyone think of what I might need
to look at? What permissions need to be enabled on the Policy itself, just in
case that’s the issue?

 

Thanks,

Mark





This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.





RE: [ActiveDir] Storing dates in AD

2005-03-28 Thread Isenhour, Joseph
Good suggestions,

Thanks everyone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 12:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are
used. If the dates will be passed along to other X.500/LDAP type directories,
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are
manipulated programmatically, use the long integer representation. It's pretty
trivial to manipulate it as a date in your code. I'd avoid using a string
representation unless your code requires a funny string format or unless it
requires unusual date values like "today", "yesterday", or "when hell freezes
over" (we use the latter for setting development dates for certain silly feature
requests in our products :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date
type in AD.  I figure I have several options.

- Store it as a long integer.  To determine the date the consumer will need
  to count the nanoseconds from a certain date (the way that pwdLastSet works).
- Store it as a date type (which I've never used, and looking at the current
  schema it appears that most people do not choose this option).
- Store it as a unicode string and come up with a format like:  MMDD[ss][ss]

Does anyone have an opinion on how this should be done?

Thanks 
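
Gil's advice in working form, as an added example for this page (it is not from
the thread and not anyone's production code): converting between the
large-integer representation that pwdLastSet uses (100-nanosecond intervals
since 1601-01-01 UTC, a Windows FILETIME, rather than plain nanoseconds) and the
Generalized Time syntax Gil recommends for interoperability, and building an
LDAP range filter in either form. The sample timestamp and the attribute name
myDate are constructed.

```python
"""Three ways to hold a date in an AD attribute, and how to move between them.

Example code added for this page, not from the thread. The sample timestamp
and the attribute name myDate are constructed.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Large-integer timestamps (pwdLastSet, lastLogon, accountExpires, or a custom
# attribute with the same syntax) count 100-nanosecond intervals since
# 1601-01-01 00:00:00 UTC, i.e. a Windows FILETIME, not nanoseconds.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # accountExpires uses this (and 0) for "never"


def filetime_to_datetime(value: int) -> Optional[datetime]:
    if value in (0, NEVER):
        return None
    # 100 ns units -> microseconds; the last digit of precision is dropped.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt: datetime) -> int:
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; AD stores UTC")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Generalized Time (attributeSyntax 2.5.5.11) as AD writes it: YYYYMMDDHHMMSS.0Z,
# always UTC. Because it is fixed-width and most-significant-first, plain string
# ordering is chronological ordering, which an ad-hoc text format would not give.
_GENERALIZED_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:\.\d+)?Z$")


def parse_generalized_time(text: str) -> datetime:
    match = _GENERALIZED_TIME.match(text)
    if match is None:
        raise ValueError(f"not an AD Generalized Time value: {text!r}")
    year, month, day, hour, minute, second = (int(g) for g in match.groups())
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def format_generalized_time(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def after_filter(attr: str, since: datetime, as_filetime: bool) -> str:
    """LDAP filter for 'attr >= since'. The server compares both syntaxes
    correctly; only the value encoding differs."""
    value = datetime_to_filetime(since) if as_filetime else format_generalized_time(since)
    return f"({attr}>={value})"


if __name__ == "__main__":
    when = parse_generalized_time("20050328201500.0Z")
    print(datetime_to_filetime(when))                     # 127565145000000000
    print(filetime_to_datetime(127565145000000000))       # 2005-03-28 20:15:00+00:00
    print(after_filter("pwdLastSet", when, as_filetime=True))
    print(after_filter("myDate", when, as_filetime=False))
```

Either representation sorts and compares correctly on the server side, so a
filter such as `(myDate>=20050101000000.0Z)` works exactly like a numeric
`(pwdLastSet>=...)` comparison; the string format from the original question
would have to be parsed by every consumer instead.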


RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Jorge de Almeida Pinto
Configure the servers/clients to use the DNS servers in their own site as
preferred servers and DNS servers in the other sites as alternate DNS
servers

Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, 28 March 2005 23:28
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Ok, that's my problem.. I have DNS on all DC's but only have DNS configured
to point to site A.  So I really should add all sites in the DNS or have
them grab dns automatically?

Thanks,
--
Matt Brown
Information Technology System Specialist Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Yes they should, if your clients can still access DNS and have network
connectivity to site B or C.

So if you host DNS on all DCs, but you've configured your clients in A only
to use DCs from A as DNS servers, then they won't be able to query for DCs
in other Sites when all DCs in Site A go down.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, 28 March 2005 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread deji
Clients will still be able to contact DCs if resolution is functional. Also,
in a single-domain config, the absence of a GC will not stop a client from
locating resources at other sites. Even in a multi-domain config, such absence
will not result in an absolute stoppage.

Deji

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Santhosh Sivarajan
Sent: Monday, March 28, 2005 1:13 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Site Confusion

Nope. If GC is not available in Site A, the users cannot contact DC in
either Site B or Site C.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On Mon, 28 Mar 2005 12:54:44 -0800, Matt Brown
<[EMAIL PROTECTED]> wrote:
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist
> Eastern Washington University

RE: [ActiveDir] Track Network Logins

2005-03-28 Thread Mulnick, Al
Can you give some more background about what they want to see?  When you say
logon duration, what does that mean to the managers and is there some other
reason they want to see that information other than for reporting? 

I ask that because some users don't logout, but rather lock the
workstations.  That might throw the reporting off. 
If they don't do that, you may get away with doing this in logon and logoff
scripts easier than any other method.  Some of that logon information is
collected in the audit log settings, but that could be a pain to get to.
It's also kept in the lastlogon attribute for logon.  Logoff is not
currently implemented last I checked (haven't checked in a while, but..) but
could still be used I would imagine depending on the environment. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Christine Allen
Sent: Monday, March 28, 2005 4:03 PM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Track Network Logins

AD 2000,

I've had a request from management to log how long someone is logged into
the domain.  Can this be done without a third party utility?
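
Of Al's three routes, the audit log is the one that does not depend on a script
running at logoff. Here is an added example for this page (not part of Al's
reply, not a Microsoft tool) of what the reporting looks like on that route:
classic Windows 2000 Security-log logon (528) and logoff (538) events paired by
logon ID. The event records, user names and logon IDs are constructed sample
data. The user who locks the workstation instead of logging off shows up as a
session with no end, which is exactly the gap Al warns about.

```python
"""Session length from classic Windows logon/logoff audit events.

Example code added for this page, not from the thread. The event records are
constructed sample data in the shape of Windows 2000 Security-log entries
(audit logon events enabled); user names and logon IDs are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Classic (pre-Vista) Security-log event IDs.
LOGON_OK = 528        # successful logon
NETWORK_LOGON = 540   # successful network logon (file share, not a desktop session)
LOGOFF = 538          # user logoff
INTERACTIVE_TYPES = {2, 10}   # logon types: 2 = console, 10 = Terminal Services session


@dataclass
class Session:
    user: str
    logon_id: str
    start: datetime
    end: Optional[datetime]   # None: no logoff seen (still on, or locked instead of logging off)

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.end is None else self.end - self.start


SAMPLE_EVENTS = [   # constructed sample data
    {"time": "2005-03-28 08:02:11", "event": 528, "user": "callen", "logon_id": "0x1A2B", "logon_type": 2},
    {"time": "2005-03-28 08:05:40", "event": 540, "user": "callen", "logon_id": "0x1C00", "logon_type": 3},
    {"time": "2005-03-28 09:15:00", "event": 528, "user": "mbrown", "logon_id": "0x2F00", "logon_type": 2},
    {"time": "2005-03-28 12:30:00", "event": 538, "user": "callen", "logon_id": "0x1A2B", "logon_type": 2},
    {"time": "2005-03-28 12:31:00", "event": 538, "user": "callen", "logon_id": "0x1C00", "logon_type": 3},
    # mbrown locks the workstation and goes home: no 538 is ever written.
]


def pair_sessions(events: Iterable[dict]) -> list[Session]:
    """Match each interactive logon with its logoff by logon ID (not by user name,
    so two concurrent sessions of one user do not get merged)."""
    ordered = sorted(events, key=lambda e: e["time"])   # ISO-style strings sort chronologically
    open_sessions: dict[str, Session] = {}
    closed: list[Session] = []
    for e in ordered:
        when = datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")
        if e["event"] == LOGON_OK and e["logon_type"] in INTERACTIVE_TYPES:
            open_sessions[e["logon_id"]] = Session(e["user"], e["logon_id"], when, None)
        elif e["event"] == LOGOFF:
            session = open_sessions.pop(e["logon_id"], None)
            if session is not None:      # a 538 for a network logon or a lost 528 is skipped
                session.end = when
                closed.append(session)
    # Whatever is still open is reported too; that is the "locked, never logged off" gap.
    return sorted(closed + list(open_sessions.values()), key=lambda s: s.start)


def report(sessions: list[Session], now: datetime) -> list[str]:
    """One line per session for the managers' report."""
    lines = []
    for s in sessions:
        if s.end is None:
            lines.append(f"{s.user}: logged on {s.start:%Y-%m-%d %H:%M}, no logoff recorded "
                         f"({now - s.start} so far)")
        else:
            lines.append(f"{s.user}: {s.start:%H:%M}-{s.end:%H:%M} = {s.duration}")
    return lines


if __name__ == "__main__":
    for line in report(pair_sessions(SAMPLE_EVENTS), datetime(2005, 3, 28, 17, 0)):
        print(line)
```

The 540 network logon is deliberately skipped: it fires for every share access
and would inflate "time logged in". Note also that lastLogon is written only on
the DC that handled the logon and is not replicated, so reading it from one DC
does not give a domain-wide answer.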

Re: [ActiveDir] AD Site Confusion

2005-03-28 Thread Santhosh Sivarajan
Just one clarification, you don't have to contact the whole DNS zone.  You
just need the _msdcs zone.

Santhosh

On Mon, 28 Mar 2005 23:08:50 +0200, Grillenmeier, Guido
<[EMAIL PROTECTED]> wrote:
> Yes they should, if your clients can still access DNS and have network 
> connectivity to site B or C.
> 
> So if you host DNS on all DCs, but you've configured your clients in A only 
> to use DCs from A as DNS servers, then they won't be able to query for DCs in 
> other Sites when all DCs in Site A go down.
> 
> /Guido
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
> Sent: Monday, 28 March 2005 22:55
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD Site Confusion
> 
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist
> Eastern Washington University

RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Jorge de Almeida Pinto
That depends... Have you configured in GPOs or through the registry which
records a DC should register?

Is your site A your hub location and the others (B and C) the branch offices?
Have you configured your hub DCs (site A) to register domain and site
records and have you configured your branch office DCs to register only site
records and not domain records? If both answers are YES then this could be
the problem. Clients first try to contact DCs in their own site and if none
of those DCs are available they try to contact DCs in other sites that have
registered the domain-wide records. Also make sure the clients can reach
other DNS servers and GC servers.

The following came from
http://www.windowsitpro.com/Articles/ArticleID/40718/40718.html
###
Ideally, when a Windows client can't contact a local (i.e., onsite) DC, it
would use site link costs in the AD site topology to determine the next
closest site and attempt to contact a DC there. If DCs in that site weren't
available, the client would look to the next closest site and try again,
looping until it found a DC. Unfortunately, the DC locator process hasn't
reached that state yet. In Windows Server 2003 and Win2K, the client requests
a list of DCs in its site and domain. If these DCs aren't available, the
client requests a list of all DCs in its domain.
###

Jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, 28 March 2005 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist Eastern Washington University
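
The locator behaviour Jorge quotes, Guido's point that the client must first be
able to reach a DNS server at all, and Santhosh's remark that only the _msdcs
records matter, as one added worked model in Python (example code written for
this page, not from the thread and not Microsoft's code; the domain name
example.com, the DC names, the site names and the SRV table are all
constructed). It builds the names the locator really queries
(`_ldap._tcp.<site>._sites.dc._msdcs.<domain>`, then
`_ldap._tcp.dc._msdcs.<domain>`) and runs Matt's outage three ways: as
configured, with a SiteB DC added to the client's DNS server list, and with the
branch DCs registering only their site records as Jorge describes.

```python
"""Model of the Windows DC locator's DNS lookups for the three-site case in this thread.

Example code added for this page (not from the thread or from Microsoft).
Domain name, DC names, site names and the SRV table below are all constructed.
"""
from __future__ import annotations

from typing import Iterable

DOMAIN = "example.com"  # assumption: the poster never names the domain


def dc_srv_name(domain: str, site: str | None = None) -> str:
    """SRV name the locator asks for: the site-specific record first, then the
    domain-wide one. Both live under the _msdcs subzone, which is why a client
    only needs to reach that zone, not the whole domain zone."""
    if site is not None:
        return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def build_zone(dc_sites: dict[str, str], domain: str,
               site_only: Iterable[str] = ()) -> dict[str, list[str]]:
    """Records the DCs register through Netlogon. By default each DC registers
    both the site-specific and the domain-wide record; DCs listed in site_only
    register only the site-specific one (a branch-office DC configured not to
    register the domain-wide records, the setup Jorge asks about)."""
    skip = set(site_only)
    zone: dict[str, list[str]] = {}
    for dc, site in dc_sites.items():
        zone.setdefault(dc_srv_name(domain, site), []).append(dc)
        if dc not in skip:
            zone.setdefault(dc_srv_name(domain), []).append(dc)
    return zone


class DnsUnavailable(Exception):
    """None of the client's configured DNS servers is reachable."""


def resolve(name: str, dns_servers: list[str], zone: dict[str, list[str]],
            up: set[str]) -> list[str]:
    """Client-side resolution. Every DC hosts the same AD-integrated zone, so the
    answer is identical from any of them; what matters is whether at least one
    server on the client's list is up."""
    if not any(server in up for server in dns_servers):
        raise DnsUnavailable(f"no configured DNS server is reachable: {dns_servers}")
    return list(zone.get(name, []))


def locate_dc(client_site: str, dns_servers: list[str], zone: dict[str, list[str]],
              up: set[str], domain: str = DOMAIN) -> tuple[str | None, str]:
    """Return (dc, note): the first reachable DC from the site record, else from
    the domain-wide record, else None with the reason. Mirrors the quoted
    Win2K/2003 behaviour: no site-cost walk, just own site then whole domain."""
    try:
        for name in (dc_srv_name(domain, client_site), dc_srv_name(domain)):
            for dc in resolve(name, dns_servers, zone, up):
                if dc in up:   # the locator pings candidates and takes the first responder
                    return dc, name
    except DnsUnavailable as exc:
        return None, str(exc)
    return None, "no reachable DC in any record"


# Matt's topology: two DCs in SiteA, one each in SiteB and SiteC, DNS on all of them.
DC_SITES = {"dc1a": "SiteA", "dc2a": "SiteA", "dc1b": "SiteB", "dc1c": "SiteC"}
SITE_A_DOWN = {"dc1b", "dc1c"}   # both SiteA DCs are off


if __name__ == "__main__":
    zone = build_zone(DC_SITES, DOMAIN)
    # As configured: SiteA clients point only at SiteA DCs for DNS.
    print(locate_dc("SiteA", ["dc1a", "dc2a"], zone, SITE_A_DOWN))
    # Guido's fix: a DC from another site as an alternate DNS server.
    print(locate_dc("SiteA", ["dc1a", "dc2a", "dc1b"], zone, SITE_A_DOWN))
    # Jorge's case: branch DCs register only site records, so there is no fallback.
    branch_zone = build_zone(DC_SITES, DOMAIN, site_only={"dc1b", "dc1c"})
    print(locate_dc("SiteA", ["dc1a", "dc2a", "dc1b"], branch_zone, SITE_A_DOWN))
```

The first run fails before any DC is tried, because the lookup itself has
nowhere to go; that is the failure Matt is seeing. The second succeeds via the
domain-wide record, and the third shows that stripping the domain-wide records
from branch DCs removes the only fallback a SiteA client has.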





RE: [ActiveDir] Recover DL membership

2005-03-28 Thread deji
Jorge, my response was to Guido's "intentions"
when he made the cross-AG statement that he has now clarified. I was not
responding to the original poster, because I am seriously behind on this list,
so I am mostly breezing through.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 28, 2005 1:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership


Deji,

No offense I hope, but if they meant SERVERS why are they then talking about
user accounts and mailboxes? 

In E2K3 SP1 it is also possible to move mailboxes in MIXED mode exchange. I
have missed the part that it is possible to move servers between AGs. Can you
point me to that info?

Cheers,
Jorge

If you are running Exchange in mixed mode (meaning that coexistence is
established between Microsoft Exchange Server 5.5 and Exchange 2000 Server or
Exchange 2003), several new features and tools in Exchange 2003 SP1 help you
migrate data, distribution lists, and custom recipients as part of a site
consolidation effort. 

The Move Mailbox task in the Exchange Task Wizard now allows mailbox moves
across administrative groups when the Exchange organization contains servers
running Exchange 5.5. 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 28 March 2005 18:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

I think he meant "servers", and this also is now possible in
E2K3-SP1.

Deji

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 6:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The user was
> deleted and added.  Is there any way to recover the group membership of that
> user in the old domain?
> 
> -Devon

RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Mulnick, Al
As per that last part, it's probably a good idea to dig down a little deeper
into the hows and whys before going that route.

http://www.microsoft.com/technet/prodtechnol/exchange/guides/PlanE2k3MsgSys/2287474d-d826-48e0-aaf3-710b68409a93.mspx

The recommendation to remove the 5.5 and go native before using the site
consolidation tool sets is good advice :)

al

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 28, 2005 4:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Deji,
No offense I hope, but if they meant SERVERS why are they then talking about
user accounts and mailboxes? 
In E2K3 SP1 it is also possible to move mailboxes in MIXED mode exchange. I
have missed the part that it is possible to move servers between AGs. Can
you point me to that info?

Cheers,
Jorge
If you are running Exchange in mixed mode (meaning that coexistence is
established between Microsoft Exchange Server 5.5 and Exchange 2000 Server
or Exchange 2003), several new features and tools in Exchange 2003 SP1 help
you migrate data, distribution lists, and custom recipients as part of a
site consolidation effort. 

The Move Mailbox task in the Exchange Task Wizard now allows
mailbox moves across administrative groups when the Exchange organization
contains servers running Exchange 5.5. 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 28 March 2005 18:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

I think he meant "servers", and this also is now possible in E2K3-SP1.

Deji

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 6:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The user was
> deleted and added.  Is there any way to recover the group membership of that
> user in the old domain?
> 
> -Devon

RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
Ok, that's my problem.. I have DNS on all DC's but only have DNS configured
to point to site A.  So I really should add all sites in the DNS or have
them grab dns automatically?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 1:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Yes they should, if your clients can still access DNS and have network
connectivity to site B or C.

So if you host DNS on all DCs, but you've configured your clients in A only
to use DCs from A as DNS servers, then they won't be able to query for DCs
in other Sites when all DCs in Site A go down.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Monday, 28 March 2005 22:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University





RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
All DC's in all sites are GCs.

Windows 2003 Domain, all clients are Windows XP Pro SP2

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

-Original Message-
From: John Singler [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 28, 2005 1:16 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD Site Confusion

are you w2k or w2k3?

are any of the DCs in sites B and C GCs?

Matt Brown wrote:
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist
> Eastern Washington University


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Mulnick, Al
There are some new migration tools that are aimed at moving users between
sites (5.5 term) which is the lowest common denominator in a mixed mode org.
They're better than exmerge or admt, but not a lot different under the
covers (it takes care of a lot of the other housekeeping that would
otherwise be needed if you used one of the other non-specific tools such as
public folders and so on).



Thanks Guido, I was about to have to rewrite a lot of migration information
relating to strategies :) 


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 4:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Oops - sorry guys - of course everything changes with Exchange in native mode
- I'm still so much used to global-never-ending Exchange Migrations (i.e.
mixed mode Orgs), where you can only move the mailboxes around within the
same AG/site - correct me if I'm wrong, but I believe even this has changed
with E2k3 SP1 (I think you're now even able to move single mailboxes across
AGs/Sites in mixed mode...). 

But Devon's Org is E2k anyways and who knows, maybe it's still running in
mixed mode as well.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 28 March 2005 16:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Yeah I believe in Native mode there should be no issues in cross-AG mailbox
moves. I am sure I have done this at least in test and probably in
production. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The
user was
> deleted and added.  Is there any way to recover the group membership
of that
> user in the old domain?
> 
>  
> 
> -Devon
Re: [ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread Santhosh Sivarajan
I completely agree with Gil's comment.  Let the KCC handle the BH
selection.  Otherwise you have to manually select the BH server(s). 
You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX



RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Gil Kirkpatrick
1) Are the DCs all in the same domain? Obviously you need a DC in the
same domain as the clients.
2) Are the DCs in Site B and C GCs? You need a GC to log on.
3) Can the Site A clients resolve DNS names if both DCs in Site A are
down? Clients locate DCs through DNS; no DNS, no logon.
4) Are there firewalls between Site A and B/C? Firewalls require some
configuration to allow authentication and replication traffic.

If none of the above, then most likely the SRV records for the Site B
and C DCs aren't updated properly in DNS. DCDIAG can help sort that out.

-gil



Re: [ActiveDir] AD Site Confusion

2005-03-28 Thread Santhosh Sivarajan
Nope. If a GC is not available in Site A, the users cannot contact a DC in
either Site B or Site C.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX




RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Jorge de Almeida Pinto



Deji,
No offense I hope, but if they meant SERVERS why are they then talking about user accounts and mailboxes?

In E2K3 SP1 it is also possible to move mailboxes in MIXED mode Exchange. I have missed the part that it is possible to move servers between AGs. Can you point me to that info?

Cheers,
Jorge

If you are running Exchange in mixed mode (meaning that coexistence is established between Microsoft Exchange Server 5.5 and Exchange 2000 Server or Exchange 2003), several new features and tools in Exchange 2003 SP1 help you migrate data, distribution lists, and custom recipients as part of a site consolidation effort.

The Move Mailbox task in the Exchange Task Wizard now allows mailbox moves across administrative groups when the Exchange organization contains servers running Exchange 5.5.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 28 March 2005 18:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

I think he meant "servers", and this also is now possible in E2K3-SP1.

Deji

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 6:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across an AG? I can understand not being able to move a server across an AG boundary, but a user doesn't make sense to me in a native org.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across to another, which should be your preferred method (using ADMT works fine for this task). This will ensure least impact on the user as most of his group memberships (usually all DLs, as these should be UGs) will stay intact.

You're correct in thinking that you can't move the mailbox itself to a different Admin Group in E2k, but you'll just have to follow a different process for this part of the user's move (e.g. via exmerge) - this will have no influence on the DLs.  Once you've upgraded to E2k3, you can then also move the mailbox to a different admin group (yet the user account still needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can move mailbox accounts across Admin Groups (which is what we have for each domain). Correct me if I'm wrong, but wouldn't we have to upgrade to Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon <[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The user was
> deleted and added.  Is there any way to recover the group membership of that
> user in the old domain?
> 
>  
> 
> -Devon

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.




RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Grillenmeier, Guido
No - you just didn't read my last post ;-) 



RE: [ActiveDir] AD Site Confusion

2005-03-28 Thread Grillenmeier, Guido
Yes they should, if your clients can still access DNS and have network 
connectivity to site B or C.

So if you host DNS on all DCs, but you've configured your clients in A only to 
use DCs from A as DNS servers, then they won't be able to query for DCs in 
other Sites when all DCs in Site A go down.

/Guido



RE: [ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread Grillenmeier, Guido



and I wouldn't know of a single instance, where the KCC 
wouldn't pick that one DC in a single DC site as the BH ;-)
 
/Guido




[ActiveDir] Track Network Logins

2005-03-28 Thread Christine Allen



AD 2000,

I've had a request from management to log how long someone is logged into the domain.  Can this be done without a third party utility?


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Grillenmeier, Guido
Oops - sorry guys - of course everything changes with Exchange in native mode - 
I'm still so much used to global-never-ending Exchange Migrations (i.e. mixed 
mode Orgs), where you can only move the mailboxes around within the same 
AG/site - correct me if I'm wrong, but I believe even this has changed with 
E2k3 SP1 (I think you're now even able to move single mailboxes across AGs/Sites 
in mixed mode...). 

But Devon's Org is E2k anyways and who knows, maybe it's still running in mixed 
mode as well.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 28 March 2005 16:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Yeah I believe in Native mode there should be no issues in cross-AG mailbox
moves. I am sure I have done this at least in test and probably in
production. 

  joe 



RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Jorge de Almeida Pinto
 I have always thought that it was possible to move a mailbox between
administrative groups when exchange 2kx was in NATIVE mode. Have I missed
something here?
Jorge



RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Jorge de Almeida Pinto



If I recall correctly, when using the default MS migration tools (e.g. ADMT) to move a user between domains in the same forest (which is a destructive operation, as the old user account is "removed", compared to "migrate" users between forests that's non-destructive) the GUID of the user account does not change. The SID and the DN do change. Some third party migration tools create a new user (and thus change the SID, GUID, etc.) to provide easy fallback to the old user account.

Regards
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, 28 March 2005 13:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Don't forget that the typical backup procedure for group-links won't help you that much with your current approach, as you're actually re-creating the user in a different domain => it will have a different DN, GUID and SID. Depending on your naming convention, your samAccountName and UPN may remain the same.

Tools that perform automated recovery of links (e.g. group-memberships etc.) typically assume you're recovering the links to the same user object (preferred method here is to use the GUID of the object for identification in a forest) - which is not the case in your current "user/mailbox move" approach. If you stick to this approach, you'd require a custom app that would allow you to recover DLs via some sort of mapping for UserNEW to UserOLD. This is a whole different thing (obviously it's still possible to do this).

As previously posted, you should switch to using the normal user "move" operations (e.g. using MS ADMT which is preferred over the movetree command; you can still script the move using ADMT) which will keep your DLs intact (naturally you'll always lose the group memberships which are out of scope for the target domain, e.g. memberships in global groups of the source domain). Then use something like exmerge for the mailbox move to a different admin group.

This way, you won't need any special tool to "recover" group memberships when a user moves between domains. However, if you want to be prepared for other scenarios, such as recovering memberships for accidentally deleted objects, you should still do as joe already pointed out: periodically dump all memberships to some other store so that you can recover them to the _original_ objects as required.

To do so, Quest has a good offering with their AD Recovery Manager (which does more than the backup and recovery of links) - it's not for free, but you may want to check it out.  I hate to add this plug in this list, but I have also worked rather intensively on a tool which focuses on backing up, displaying and recovering just the links between objects in an AD forest for quite a while now (other people on this list already know about it anyways ;-): AD Link Recovery Manager (ADLRM). It's also not for free (it's bundled with AD disaster recovery consulting services from HP), but it has a lot to offer. It centrally stores forest-wide link information in an SQL/MSDE database and has a very powerful explorer-like UI to display links (incl. nested memberships etc.) and to restore them. Let me know if you want to know more about it, or send an eMail to [EMAIL PROTECTED].

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This would be very useful as we have people moving from different domains\admin groups quite often.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Nope. Nothing native that is. This is a good reason to take dumps occasionally of groups you have or sync the membership to another store like SQL or AD/AM.

I have been thinking about making a tool to do something like this. How much would people pay for that functionality?

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 23, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover DL membership

I had a user that was moved from one child domain to another.  The user was deleted and added.  Is there any way to recover the group membership of that user in the old domain?

-Devon

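The periodic membership dump that joe suggests and the UserNEW-to-UserOLD mapping Guido describes, as an added example that is not code from this list, from Quest's product or from ADLRM. Every group, GUID and domain name below is constructed sample data; in a real run the links would be read from each group's member attribute and each object's objectGUID over LDAP, and the returned additions would be applied with ldifde or a script. The scope rule it applies (a global group can only hold principals from its own domain, while universal and domain local groups can hold users from other domains in the forest) is the standard AD rule behind Guido's "out of scope for the target domain" caveat.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Group:
    guid: str      # objectGUID, the identity that survives renames and moves
    dn: str
    domain: str
    scope: str     # "global", "universal" or "domainlocal"


@dataclass
class Snapshot:
    groups: Dict[str, Group]        # group objectGUID -> group
    members: Dict[str, Set[str]]    # group objectGUID -> member objectGUIDs


def take_snapshot(groups: List[Group], links: Dict[str, Set[str]]) -> Snapshot:
    """The periodic dump: every group's member links keyed by objectGUID rather than DN,
    because a DN changes on rename or move while the GUID survives both.
    (Assumption: `links` was collected from the member attribute over LDAP.)"""
    return Snapshot(
        groups={g.guid: g for g in groups},
        members={g.guid: set(links.get(g.guid, ())) for g in groups},
    )


def lost_links(snap: Snapshot, current: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """(group GUID, member GUID) pairs present in the dump but missing now: the
    accidental-deletion view of the same data."""
    return {(g, m) for g, ms in snap.members.items() for m in ms
            if m not in current.get(g, set())}


def plan_recovery(snap: Snapshot, current: Dict[str, Set[str]], old_guid: str,
                  new_guid: Optional[str] = None, new_domain: Optional[str] = None
                  ) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Member additions that put one object's memberships back.

    Same object restored (authoritative restore or reanimation keeps the objectGUID):
    pass old_guid only. Object recreated elsewhere (new GUID, maybe another domain):
    also pass the UserNEW mapping. Returns (adds, skipped): adds as
    (group DN, member GUID), skipped as (group DN, reason)."""
    target = new_guid or old_guid
    adds: List[Tuple[str, str]] = []
    skipped: List[Tuple[str, str]] = []
    for gguid, members in snap.members.items():
        if old_guid not in members:
            continue
        group = snap.groups[gguid]
        if gguid not in current:
            skipped.append((group.dn, "group no longer exists"))
        elif target in current[gguid]:
            continue                                   # link survived, nothing to do
        elif new_domain and new_domain != group.domain and group.scope == "global":
            # A global group only holds principals from its own domain, so this link is
            # out of scope once the user lives in another domain.
            skipped.append((group.dn, "global group in another domain"))
        else:
            adds.append((group.dn, target))
    return adds, skipped


# Constructed sample forest: two child domains, three groups in child1, and one user who
# was deleted in child1 and recreated with a fresh objectGUID in child2.
SAMPLE_GROUPS = [
    Group("g-dl", "CN=All Staff,OU=DLs,DC=child1,DC=example,DC=com",
          "child1.example.com", "universal"),
    Group("g-glob", "CN=Child1 Admins,OU=Groups,DC=child1,DC=example,DC=com",
          "child1.example.com", "global"),
    Group("g-loc", "CN=Printer Users,OU=Groups,DC=child1,DC=example,DC=com",
          "child1.example.com", "domainlocal"),
]
OLD_USER, NEW_USER = "guid-user-old", "guid-user-new"
LINKS_BEFORE = {"g-dl": {OLD_USER, "guid-alice"}, "g-glob": {OLD_USER},
                "g-loc": {OLD_USER, "guid-bob"}}
LINKS_AFTER = {"g-dl": {"guid-alice"}, "g-glob": set(), "g-loc": {"guid-bob"}}
SNAP = take_snapshot(SAMPLE_GROUPS, LINKS_BEFORE)

if __name__ == "__main__":
    print("lost:", sorted(lost_links(SNAP, LINKS_AFTER)))
    adds, skipped = plan_recovery(SNAP, LINKS_AFTER, OLD_USER, NEW_USER, "child2.example.com")
    print("re-add:", adds)
    print("skipped:", skipped)
```

With the mapping supplied, the universal DL and the domain local group come back for the new account while the global group is reported rather than silently dropped; without a mapping the same dump restores all three links to the original object, which is the case the commercial tools are built for.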




RE: [ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread Gil Kirkpatrick



Is there a good reason to NOT let the KCC pick the BH for 
you automatically? That way you get some failover if it craps out for some 
reason. Otherwise you'll have to watch the DC constantly to reset the BH to make 
sure replication continues to work. In Windows 2003, the KCC is pretty good 
about picking the best server as a BH.
 
-gil




RE: [ActiveDir] Storing dates in AD

2005-03-28 Thread Gil Kirkpatrick



Depends on the domain of the date values, and how they are 
used. If the dates will be passed along to other X.500/LDAP type directories, 
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are 
manipulated programmatically, use the long integer representation. It's pretty 
trivial to manipulate it as a date in your code. I'd avoid using a string 
representation unless your code requires a funny string format or unless it 
requires unusual date values like "today", "yesterday", or "when hell freezes 
over" (we use the latter for setting development dates for certain silly feature 
requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date type in AD.  I figure I have several options.

1) Store it as a long integer.  To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works)
2) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
3) Store it as a unicode string and come up with a format like:  MMDD[ss][ss]

Does anyone have an opinion on how this should be done? 
Thanks 


[ActiveDir] AD Site Confusion

2005-03-28 Thread Matt Brown
I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University





RE: [ActiveDir] Storing dates in AD

2005-03-28 Thread joseph.e.kaplan








I’d definitely recommend using
generalized time (syntax 2.5.5.11 OMSyntax 24) or UTC Time (syntax 2.5.5.11
OMSyntax 23).  It gives you the nicer ADSI/SDS data marshaling to date times
and is pretty easily searchable.  I think using the FILETIME/integer8 thing is
ok, but kind of a pain and not that natural to deal with unless the native
format you are using is a FILETIME.  I think the string is the least good way
to go as the DSA doesn’t validate it for you.

 

Joe K. 

 









This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
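A worked comparison of the three storage choices Joe K. ranks above, added here as an example; it is not code from the thread or from any poster. Integer8 values such as pwdLastSet and accountExpires are FILETIMEs, which count 100-nanosecond intervals since 1601-01-01 UTC; GeneralizedTime (syntax 2.5.5.11, OM syntax 24) comes back from AD as a string of the shape yyyyMMddHHmmss.0Z; the free-form string layout in the third function is a constructed one, and because the DSA never checks it, the validation has to live in every consumer, which is the drawback Joe K. points out. The sample timestamp and the large-integer halves are constructed values.

```powershell
# Added example, not code from the thread: the three storage choices compared
# above, converted to and from .NET DateTime so the trade-offs are concrete.

# Option 1: Integer8 / FILETIME, the form pwdLastSet and accountExpires use.
# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
# ADSI hands it back as IADsLargeInteger (HighPart/LowPart), so reassemble first.
function ConvertFrom-AdLargeInteger {
    param([Parameter(Mandatory)][int]$HighPart, [Parameter(Mandatory)][int]$LowPart)
    # LowPart is a signed Int32 on the COM side; mask it to 32 bits before combining.
    ([long]$HighPart -shl 32) -bor ([long]$LowPart -band 4294967295)
}

function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory)][long]$FileTime)
    # 0 and Int64.MaxValue are the directory's "never" sentinels, not dates.
    if ($FileTime -le 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function ConvertTo-AdFileTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    $Date.ToUniversalTime().ToFileTimeUtc()
}

# Option 2: GeneralizedTime (attribute syntax 2.5.5.11, OM syntax 24). The DSA
# rejects malformed values on write and ADSI/SDS marshal it straight to DateTime;
# this is the shape AD returns when the raw string is read.
function ConvertTo-AdGeneralizedTime {
    param([Parameter(Mandatory)][DateTime]$Date)
    $Date.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z', [cultureinfo]::InvariantCulture)
}

function ConvertFrom-AdGeneralizedTime {
    param([Parameter(Mandatory)][string]$Value)
    [DateTime]::ParseExact($Value, 'yyyyMMddHHmmss.0Z', [cultureinfo]::InvariantCulture,
                           'AssumeUniversal, AdjustToUniversal')
}

# Option 3: a Unicode string in a home-grown layout. Nothing in the directory
# checks it, so every consumer has to. The layout (yyyyMMddHHmmss, UTC) is a
# constructed one for this example, not the one proposed in the thread.
function ConvertFrom-CustomDateString {
    param([Parameter(Mandatory)][string]$Value)
    if ($Value -notmatch '^\d{14}$') { throw "Rejecting malformed date string '$Value'" }
    try {
        [DateTime]::ParseExact($Value, 'yyyyMMddHHmmss', [cultureinfo]::InvariantCulture,
                               'AssumeUniversal, AdjustToUniversal')
    } catch {
        # Fourteen digits is not enough: '20050231120000' passes the regex but is not a date.
        throw "Well-formed but impossible date string '$Value'"
    }
}

# Round trip a constructed timestamp through each representation.
$when          = [DateTime]::new(2005, 3, 28, 14, 15, 0, [DateTimeKind]::Utc)
$asInteger8    = ConvertTo-AdFileTime -Date $when
$asGeneralized = ConvertTo-AdGeneralizedTime -Date $when
[pscustomobject]@{
    Integer8            = $asInteger8
    Integer8Back        = ConvertFrom-AdFileTime -FileTime $asInteger8
    GeneralizedTime     = $asGeneralized
    GeneralizedBack     = ConvertFrom-AdGeneralizedTime -Value $asGeneralized
    AccountNeverExpires = ConvertFrom-AdFileTime -FileTime ([long]::MaxValue)
    # Constructed HighPart/LowPart pair; the negative LowPart exercises the masking.
    FromLargeInteger    = ConvertFrom-AdFileTime -FileTime (ConvertFrom-AdLargeInteger -HighPart 29700000 -LowPart -1)
}
```

Reading the script end to end shows the practical difference: the Integer8 and GeneralizedTime paths are a single conversion each, while the string path needs a regex and a try/catch just to be safe against the values other writers might put there.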




[ActiveDir] Bridgehead in a single-server site

2005-03-28 Thread David Cliffe



Hi guys,

    Just curious...any opinions on denoting a server as a bridgehead in a site where it is currently the only defined server?  We were thinking that it then wouldn't be necessary down the road when other DCs are added.  Is there any harm in this?  Is there any good in this?  ; - )

(Forest and domain functional levels are Win2003)

-DaveC
Reuters CIO Infrastructure
 

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




Re: [ActiveDir] startup scripts not running

2005-03-28 Thread James_Day
Hi Mark

If you run gpresult on the client machine does it show that GPO being
applied and run?  That may be a good starting point - making sure the GPO
gets there.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: "Creamer, Mark" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 03/28/2005 02:54 PM EST
Please respond to: ActiveDir
cc: (bcc: James Day/Contractor/NPS)
Subject: [ActiveDir] startup scripts not running




I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.

I'm having trouble figuring out why the script won't launch on its own.

The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?

Thanks,
Mark



This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a
named addressee you are hereby notified that you are not authorized to
read, print, retain, copy or disseminate this communication without the
consent of the sender and that doing so is prohibited and may be unlawful.
Please reply to the message immediately by informing the sender that the
message was misdirected. After replying, please delete and otherwise erase
it and any attachments from your computer system. Your assistance in
correcting this error is appreciated.



RE: [ActiveDir] startup scripts not running

2005-03-28 Thread Darren Mar-Elia



Mark-
Check out this KB article and see if it applies to 
you:
 
http://support.microsoft.com/default.aspx?scid=kb;en-us;840669
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running


I have a situation in which startup 
scripts assigned to various OUs where different servers are located are not 
running. If I log in as a domain admin, browse to the location of the script in 
the GPO assigned to the OU where that server is located, I can launch the script 
with no problem. 
 
I’m having trouble figuring out why 
the script won’t launch on its own.
 
The only thing I’ve found so far in 
troubleshooting a startup script is to look for an entry in the Application log 
with a source of Userinit. However, I see no such entries. Can anyone think of 
what I might need to look at? What permissions need to be enabled on the Policy 
itself, just in case that’s the issue?
 
Thanks,
Mark


RE: [ActiveDir] startup scripts not running

2005-03-28 Thread deji








Is it a vbs? If yes, have you tried calling
it from a bat file? Does it work if you do that? What you can do depends on the
outcome of that test.

 

Deji









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running

I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.

I’m having trouble figuring out why the script won’t launch on its own.

The only thing I’ve found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that’s the issue?

Thanks,

Mark










[ActiveDir] Storing dates in AD

2005-03-28 Thread Isenhour, Joseph
Title: Storing dates in AD






I'm looking for some opinions on a schema extension.  I need to store a date type in AD.  I figure I have several options.

Store it as a long integer.  To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works)

Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).

Store it as a unicode string and come up with a format like:  MMDD[ss][ss]


Does anyone have an opinion on how this should be done?


Thanks





[ActiveDir] startup scripts not running

2005-03-28 Thread Creamer, Mark








I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem.

I’m having trouble figuring out why the script won’t launch on its own.

The only thing I’ve found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that’s the issue?

Thanks,

Mark










RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread joseph.e.kaplan
Title: Message








Using ldp.exe and explicitly setting SIGN
and ENCRYPT to 0 still results in encrypted traffic.  I think this is what you
were implying earlier regarding Joe’s GPO comments, but I wasn’t
quite sure.  Thus it looks like you can’t disable this at all from the
client.  Can the behavior be changed at the DC?

 

Joe K.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 12:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

….and that’s a good DCR IMHO. But that’s just me. :)

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

File a dcr if you’d like that going forward, but today you can’t.

Sorry.

~Eric

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

I don't believe I have any signing enabled on the test box I'm trying this on. All GPO settings for signing and encryption are off.

I will doublecheck it all though.

Seems like you should be able to disable this per connection with a control.

  joe

 

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, March 28, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

If you get NTLM authentication and you’ve requested signing (which is the default) you’ll find the traffic is encrypted.

It is encrypting because it appears to have ldapclientintegrity set (thanks to the wldap32 dev that told me that, I didn’t see it).

If you don’t want to encrypt, flip this value. But note that this will decrypt all such connections on the box, so this is not recommended.

~Eric

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 26, 2005 7:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

So, joe and Joe – is this indisputable truth that we’ve been looking for that NTLM is a required part of the Kerberos authentication process?

:-D

(Joe, just ask joe….. trust me…..)

-rtk

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 25, 2005 2:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

Exactly. Since I can't find documentation on this anywhere, I feel it should firmly go into the classification of BUG.

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, March 25, 2005 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

That is exactly what I saw as well.  Using the IP address kills off the ability to use Kerberos, forcing SNEGO to NTLM, and then the whole connection is encrypted after that even though I did not specify LDAP_OPT_ENCRYPT.

Joe K.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, March 24, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

I can do better for you...

Fire up ethereal with a capture filter of tcp port 389

Open LDP

o type in a DC name and click OK
o Type in your bind info and bind
o Click on view|tree and hit enter on the empty dialog (you can fill something in if you want but not necessary)

Look at the trace, you should note that the traffic on the tree view is all clear text

Now do the same but use an IP address of the DC.

Traffic should be all encoded/encrypted.

 

 








This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
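The knobs this thread circles around, as an added PowerShell example that is not code from the thread or from any poster. The box-wide ldapclientintegrity value Eric mentions is the LDAPClientIntegrity DWORD under HKLM\SYSTEM\CurrentControlSet\Services\LDAP (the "Network security: LDAP client signing requirements" policy; 0 none, 1 negotiate signing, 2 require signing). Its DC-side counterpart is LDAPServerIntegrity under Services\NTDS\Parameters (the "Domain controller: LDAP server signing requirements" policy); it answers Joe K.'s question only partly, because it can require signing but does not switch client sealing on or off. The per-connection control joe asks for exists in System.DirectoryServices.Protocols as SessionOptions.Signing and SessionOptions.Sealing, the managed faces of wldap32's LDAP_OPT_SIGN and LDAP_OPT_ENCRYPT that LDP shows as SIGN and ENCRYPT. The first function reports the two registry settings; the second opens a bind that requests both options explicitly. The server name in the usage note is a hypothetical placeholder.

```powershell
# Added example, not code from the thread: read the box-wide LDAP signing settings
# Eric refers to, then open a bind that asks for signing and sealing per connection.

function Get-LdapSigningRequirement {
    # Client side: "Network security: LDAP client signing requirements". An absent
    # value behaves like 1, which is why Eric calls signing "the default".
    $clientMeaning = @{ 0 = 'None'; 1 = 'Negotiate signing (default)'; 2 = 'Require signing' }
    # Server side, DCs only: "Domain controller: LDAP server signing requirements".
    $serverMeaning = @{ 1 = 'None (default)'; 2 = 'Require signing' }

    $client = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' `
                               -Name LDAPClientIntegrity -ErrorAction SilentlyContinue
    $server = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                               -Name LDAPServerIntegrity -ErrorAction SilentlyContinue

    $clientValue = if ($client) { [int]$client.LDAPClientIntegrity } else { $null }
    $serverValue = if ($server) { [int]$server.LDAPServerIntegrity } else { $null }
    $clientText  = if ($null -ne $clientValue) { $clientMeaning[$clientValue] } else { 'not set (negotiate)' }
    $serverText  = if ($null -ne $serverValue) { $serverMeaning[$serverValue] } else { 'not set, or not a DC' }

    [pscustomobject]@{
        LDAPClientIntegrity = $clientValue
        ClientMeaning       = $clientText
        LDAPServerIntegrity = $serverValue
        ServerMeaning       = $serverText
        # Eric's caveat: 0 downgrades every LDAP connection the box makes, not one session.
        ClientDowngraded    = ($clientValue -eq 0)
    }
}

function Connect-LdapSigned {
    param(
        # Use the DC's DNS name. With a bare IP there is no SPN to request a ticket
        # for, Negotiate falls back to NTLM, and you are on the path Joe K. traced.
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 389
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    # Per-connection equivalents of LDP's SIGN and ENCRYPT (wldap32 LDAP_OPT_SIGN /
    # LDAP_OPT_ENCRYPT). They must be set before Bind(). Requesting sealing here
    # protects the session whether Negotiate ends up with Kerberos or NTLM, and
    # independently of the registry value reported above.
    $connection.SessionOptions.Signing = $true
    $connection.SessionOptions.Sealing = $true
    $connection.Bind()
    $connection
}
```

Run Get-LdapSigningRequirement on a client or a DC to see what the box is actually set to; Connect-LdapSigned -Server dc01.example.test (a hypothetical name) then binds with signing and sealing requested regardless of that setting, which is the per-connection behaviour joe wanted and the reason a box-wide 0 is the wrong fix.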




RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread Eric Fleischman
Title: Message








….and that’s a good DCR IMHO.
But that’s just me. :)

 

 



















RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread Eric Fleischman
Title: Message








File a dcr if you’d like that going forward,
but today you can’t.

Sorry.

~Eric

 

 



















RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread joe
Title: Message



I don't believe I have any signing enabled on the test box I'm trying this on. All GPO settings for signing and encryption are off.

I will doublecheck it all though.

Seems like you should be able to disable this per connection with a control.

  joe
 
 




RE: [ActiveDir] LDAP NTLM Authed Channel Encryption Question was LDAPS part 2

2005-03-28 Thread Eric Fleischman
Title: Message








If you get NTLM authentication and
you’ve requested signing (which is the default) you’ll find the
traffic is encrypted.

 

It is encrypting because it appears to
have ldapclientintegrity set (thanks to the wldap32 dev that told me that, I
didn’t see it).

If you don’t want to encrypt, flip
this value. But note that this will decrypt all such connections on the box, so
this is not recommended.

 

~Eric

 

 



















RE: [ActiveDir] LDAPS part 2

2005-03-28 Thread Douglas M. Long
So what is the consensus on this then?

How many people on this list have implemented LDAP over SSL in their
environment? 

Did you run into any problems? 

Would you do it again, or have you decided that there was no benefit in
your particular scenario?



Thanks for the information Joe^2


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread deji








I think he meant “servers”, and this also is now possible
in E2K3-SP1.

 

Deji

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 6:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

 

Help me remember: Why is it that we wouldn't be able to move a user across an AG? I can understand not being able to move a server across an AG boundary, but a user doesn't make sense to me in a native org.

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across to another, which should be your preferred method (using ADMT works fine for this task). This will ensure least impact on the user as most of his group-memberships (usually all DLs, as these should be UGs) will stay intact.

You're correct in thinking that you can't move the mailbox itself to a different Admin Group in E2k, but you'll just have to follow a different process for this part of the user's move (e.g. via exmerge) - this will have no influence on the DLs.  Once you've upgraded to E2k3, you can then also move the mailbox to a different admin group (yet the user account still needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 23, 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can move mailbox accounts across Admin Groups (which is what we have for each domain). Correct me if I'm wrong, but wouldn't we have to upgrade to Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one then I would say no.

Why was this process followed and not a Move or a Migration?

Phil

On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon <[EMAIL PROTECTED]> wrote:
>
> I had a user that was moved from one child domain to another.  The user was deleted and added.  Is there any way to recover the group membership of that user in the old domain?
>
> -Devon








RE: [ActiveDir] USB port disabled if I log in to domain.

2005-03-28 Thread Manjeet Singh

Already checked this setting, it is 3.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Meneses, Arturo
Sent: Monday, March 28, 2005 7:24 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] USB port disabled if I log in to domain.

Make sure the domain does not have any policies applied to the user/machine. Look in the registry under:

HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR

and look for the Start key; if it has a 4, then USB is disabled. It should have a 3.

AM

-Original Message-
From: Manjeet Singh [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 27, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] USB port disabled if I log in to domain.

Hi,

My USB scanner stops working if I log a Windows 2000 machine in to the domain.

If I log on locally, my USB scanner is working fine.

I did not apply any group policy....

Any idea how to enable it..

Thanks,
Manjeet

---
This message has been inspected by DynaComm i:mail 5.0
---

FutureSoft, Inc.
12012 Wickchester Lane, Suite 600
Houston, TX 77079
If you no longer want to receive commercial e-mail correspondence
from FutureSoft, you may remove your address from our records
by visiting www.futuresoft.com/emailremoval.asp

RE: [ActiveDir] Recover DL membership

2005-03-28 Thread joe
Yeah I believe in Native mode there should be no issues in cross-AG mailbox
moves. I am sure I have done this at least in test and probably in
production.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Monday, March 28, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The
user was
> deleted and added.  Is there any way to recover the group membership
of that
> user in the old domain?
> 
>  
> 
> -Devon


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Mulnick, Al
Help me remember: Why is it that we wouldn't be able to move a user across
an AG? I can understand not being able to move a server across an AG
boundary, but a user doesn't make sense to me in a native org. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, March 28, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Sure you can _move_ the mail-enabled _user_ account from one domain across
to another, which should be your preferred method (using ADMT works fine for
this task). This will ensure least impact on the user as most of his
group-memberships (usually all DLs, as these should be UGs) will stay
intact.

You're correct in thinking that you can't move the mailbox itself to a
different Admin Group in E2k, but you'll just have to follow a different
process for this part of the user's move (e.g. via exmerge) - this will have
no influence on the DLs.  Once you've upgraded to E2k3, you can then also
move the mailbox to a different admin group (yet the user account still
needs to be moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you can
move mailbox accounts across Admin Groups (which is what we have for each
domain). Correct me if I'm wrong, but wouldn't we have to upgrade to
Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new one
then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The
user was
> deleted and added.  Is there any way to recover the group membership
of that
> user in the old domain?
> 
>  
> 
> -Devon


RE: [ActiveDir] USB port disabled if I log in to domain.

2005-03-28 Thread Meneses, Arturo

Make sure the domain does not have any policies applied to the user/machine. Look in the registry under:
HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR
and look for the Start key; if it has a 4, then USB is disabled. It should have a 3.

AM

-Original Message-
From: Manjeet Singh [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 27, 2005 11:57 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] USB port disabled if I log in to domain.

Hi,

My USB scanner stops working if I log a Windows 2000 machine in to the domain.

If I log on locally, my USB scanner is working fine.

I did not apply any group policy....

Any idea how to enable it..

Thanks,
Manjeet
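The check Arturo describes, written out as an added PowerShell example (it is not from the list post): it reads the Start value under the USBSTOR service key, reports what the number means, and, with -WhatIf support, puts it back to 3 when it is 4. It assumes an elevated PowerShell session on a current Windows machine (the gpresult switches shown did not exist on the Windows 2000 box in the thread); the registry path is the standard one and everything else is illustrative. Two caveats a practitioner will want: a value that a domain GPO sets comes back at the next policy refresh, so check which computer policies apply instead of only flipping the value; and USBSTOR is the USB mass-storage class driver, so this check explains a missing USB disk but not by itself a scanner, which is served by a different class driver.

```powershell
# Added example, not from the list post. Inspect and optionally restore the
# USBSTOR driver start type that the thread refers to. Assumes an elevated
# PowerShell session on the affected machine (current Windows, not the
# Windows 2000 box in the thread, since gpresult switches differ there).

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Meaning of the Start value for a driver service
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UsbStorState {
    $start = [int](Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    [pscustomobject]@{
        Key      = $UsbStorKey
        Start    = $start
        Meaning  = $StartNames[$start]
        Disabled = ($start -eq 4)
    }
}

function Enable-UsbStor {
    # Put Start back to 3 (Manual), the default for USBSTOR; honours -WhatIf/-Confirm
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-UsbStorState
    if (-not $state.Disabled) {
        Write-Verbose "USBSTOR Start is already $($state.Start) ($($state.Meaning)); nothing to do."
        return $state
    }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, 'Set Start = 3 (Manual)')) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 3 -Type DWord
    }
    Get-UsbStorState
}

function Show-AppliedComputerPolicies {
    # If the value reverts after a domain logon, a computer GPO is re-applying it;
    # list the GPOs applied to this computer so the source can be tracked down.
    gpresult /scope computer /r
}

Get-UsbStorState
```

Run Get-UsbStorState first; if it reports Disabled, run Show-AppliedComputerPolicies before Enable-UsbStor, because a local change that policy overwrites only hides the cause.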





RE: [ActiveDir] Retiring a DC

2005-03-28 Thread Paul Gonzalez
The demotion went flawlessly. I had a little clean up but nothing major. It
didn't hold any major roles. Thanks to everyone who replied.

Paul Gonzalez

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Sunday, March 27, 2005 6:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Retiring a DC

If this DC is a DNS server and your AD DNS is delegated from higher powers,
make sure there isn't an entry in the delegation pointing to this DC. Need
to yank that prior to retirement.
 
--Brian Desmond
[EMAIL PROTECTED]
Payton on the web! www.wpcp.org
 
v - 773.534.0034 x135
f - 773.534.8101
c - 312.731.3132



From: [EMAIL PROTECTED] on behalf of Paul Gonzalez
Sent: Tue 3/22/2005 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Retiring a DC

Hello all,

I've been asked to retire a win2000 DC. My understanding is that I just need
to run DCPromo. I've done this at home in my lab with no ill effects. The
server doesn't really hold any roles other than being a DC. Am I missing
something? Is there more to it? Is there a doc or URL that you can point me
to? Thanks in advance.

Paul
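A pre-flight script for the two points raised in this thread (does the DC hold a FSMO role, and does the parent zone's delegation still list it), as an added PowerShell example that is not from the list posts. It assumes the ActiveDirectory and DnsClient modules on a current management host rather than the Windows 2000 box being retired; the DC, zone and parent name-server names are placeholders.

```powershell
# Added example, not from the list posts: pre-flight checks before demoting a
# DC. Covers the two points raised in the thread: FSMO roles held by the DC,
# and a parent-zone delegation that still points at it. Assumes the
# ActiveDirectory and DnsClient modules (a current management host, not the
# Windows 2000 box being retired). Names are placeholders.
param(
    [string]$DcToRetire = 'dc2.corp.example.com',   # assumed: FQDN of the DC being demoted
    [string]$AdZone     = 'corp.example.com',       # assumed: AD-integrated zone name
    [string]$ParentDns  = 'ns1.example.com'         # assumed: server authoritative for the parent zone
)

Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $domain = Get-ADDomain
    $forest = Get-ADForest
    [pscustomobject]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Get-FsmoRolesHeldBy {
    # Returns the names of the roles whose holder is $DcFqdn (empty when none)
    param([string]$DcFqdn)
    (Get-FsmoRoleHolders).PSObject.Properties |
        Where-Object { $_.Value -ieq $DcFqdn } |
        ForEach-Object { $_.Name }
}

function Get-DelegationNameServers {
    # Ask the parent-zone server which name servers it delegates $Zone to
    param([string]$Zone, [string]$ParentServer)
    Resolve-DnsName -Name $Zone -Type NS -Server $ParentServer -DnsOnly -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        ForEach-Object { $_.NameHost.TrimEnd('.') }
}

$roles = @(Get-FsmoRolesHeldBy -DcFqdn $DcToRetire)
if ($roles.Count) {
    Write-Warning "$DcToRetire holds FSMO role(s): $($roles -join ', '). Transfer them before dcpromo."
} else {
    Write-Host "$DcToRetire holds no FSMO role."
}

$ns = @(Get-DelegationNameServers -Zone $AdZone -ParentServer $ParentDns)
if ($ns -contains $DcToRetire) {
    Write-Warning "Delegation for $AdZone on $ParentDns still lists $DcToRetire; remove that NS record first."
} else {
    Write-Host "Delegation for $AdZone on $ParentDns does not reference $DcToRetire (NS: $($ns -join ', '))."
}
```

The delegation query deliberately goes to the parent zone's server with -DnsOnly, not to the local resolver: a cached or AD-integrated answer from inside the child zone would not show what the parent still hands out.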


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Grillenmeier, Guido

Don't forget that the typical backup procedure for group-links won't help you
that much with your current approach, as you're actually re-creating the user
in a different domain => it will have a different DN, GUID and SID. Depending
on your naming convention, your samAccountName and UPN may remain the same.

Tools that perform automated recovery of links (e.g. group-memberships etc.)
typically assume you're recovering the links to the same user object (preferred
method here is to use the GUID of the object for identification in a forest) -
which is not the case in your current "user/mailbox move" approach. If you stick
to this approach, you'd require a custom app that would allow you to recover DLs
via some sort of mapping for UserNEW to UserOLD. This is a whole different thing
(obviously it's still possible to do this).

As previously posted, you should switch to using the normal user "move"
operations (e.g. using MS ADMT, which is preferred over the movetree command;
you can still script the move using ADMT), which will keep your DLs intact
(naturally you'll always lose the group memberships which are out of scope for
the target domain, e.g. memberships in global groups of the source domain). Then
use something like exmerge for the mailbox move to a different admin group.

This way, you won't need any special tool to "recover" group memberships when a
user moves between domains. However, if you want to be prepared for other
scenarios, such as recovering memberships for accidentally deleted objects, you
should still do as joe already pointed out: periodically dump all memberships to
some other store so that you can recover them to the _original_ objects as
required.

To do so, Quest has a good offering with their AD Recovery Manager (which does
more than the backup and recovery of links) - it's not for free, but you may
want to check it out. I hate to add this plug in this list, but I have also
worked rather intensively on a tool which focuses on backing up, displaying and
recovering just the links between objects in an AD forest for quite a while now
(other people on this list already know about it anyway ;-): AD Link Recovery
Manager (ADLRM). It's also not for free (it's bundled with AD disaster recovery
consulting services from HP), but it has a lot to offer. It centrally stores
forest-wide link information in an SQL/MSDE database and has a very powerful
explorer-like UI to display links (incl. nested memberships etc.) and to restore
them. Let me know if you want to know more about it, or send an eMail to
[EMAIL PROTECTED].

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:39
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This would be very useful as we have people moving from different domains\admin groups quite often.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 23, 2005 5:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

Nope. Nothing native that is. This is a good reason to take dumps occasionally of groups you have or sync the membership to another store like SQL or AD/AM.

I have been thinking about making a tool to do something like this. How much would people pay for that functionality?

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, March 23, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover DL membership

I had a user that was moved from one child domain to another. The user was deleted and added. Is there any way to recover the group membership of that user in the old domain?

-Devon
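What joe and Guido describe above (periodically dump memberships to another store keyed to the original object so they can be put back, and, for the delete-and-recreate case in this thread, an explicit mapping from the old account to the new one), as an added PowerShell example. It is neither joe's nor Guido's tool and not code from the list posts. It assumes the ActiveDirectory module and that the groups and the account live in one domain; the CSV path and account names are placeholders. The cross-domain move Devon did would need the lookups run against each domain with -Server, which this sample does not do.

```powershell
# Added example, not from the list posts and not joe's or Guido's tool.
# Backup: every group's member list, keyed by the member's objectGUID (plus SID
# and sAMAccountName for mapping), written to CSV.
# Restore: re-add the memberships recorded for one GUID, either to the same
# object or to a recreated account named via -NewMemberIdentity.
# Assumes the ActiveDirectory module and a single domain; paths and names in
# the usage lines are placeholders.

Import-Module ActiveDirectory

function Backup-GroupLinks {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $taken = (Get-Date).ToString('o')
    $rows = foreach ($g in Get-ADGroup -Filter * -SearchBase $SearchBase -Properties member) {
        foreach ($dn in $g.member) {
            # Members from other domains (FSPs) or deleted objects may not resolve; skip them
            $m = Get-ADObject -Identity $dn -Properties objectGUID, objectSid, sAMAccountName -ErrorAction SilentlyContinue
            if (-not $m) { continue }
            $sid = if ($m.objectSid) { $m.objectSid.Value } else { '' }
            [pscustomobject]@{
                Taken      = $taken
                GroupDN    = $g.DistinguishedName
                GroupGUID  = $g.ObjectGUID.ToString()
                MemberDN   = $m.DistinguishedName
                MemberGUID = $m.ObjectGUID.ToString()
                MemberSID  = $sid
                MemberSam  = $m.sAMAccountName
            }
        }
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return @($rows).Count
}

function Restore-GroupLinks {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$OldMemberGuid,      # GUID as recorded in the dump
        [string]$NewMemberIdentity = $OldMemberGuid          # same object, or the recreated account (DN, SAM or GUID)
    )
    $target = Get-ADObject -Identity $NewMemberIdentity -Properties memberOf
    $wanted = Import-Csv -Path $Path | Where-Object { $_.MemberGUID -ieq $OldMemberGuid }
    $restored = @()
    foreach ($row in $wanted) {
        # Find the group by GUID rather than DN so a renamed or moved group is still found
        $group = Get-ADGroup -Identity $row.GroupGUID -ErrorAction SilentlyContinue
        if (-not $group) { Write-Warning "Group $($row.GroupDN) no longer exists; skipping."; continue }
        if ($target.memberOf -contains $group.DistinguishedName) { continue }   # already a member
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Add member $($target.DistinguishedName)")) {
            Add-ADGroupMember -Identity $group -Members $target.DistinguishedName
            $restored += $group.DistinguishedName
        }
    }
    return $restored
}

# Usage (placeholders):
#   Backup-GroupLinks -Path 'C:\adlinks\links.csv'
#   Restore-GroupLinks -Path 'C:\adlinks\links.csv' -OldMemberGuid '<guid from dump>' -WhatIf
#   Restore-GroupLinks -Path 'C:\adlinks\links.csv' -OldMemberGuid '<guid from dump>' -NewMemberIdentity 'jdoe' -WhatIf
```

The dump records GUIDs on both sides of each link for the reason Guido gives: a DN changes on rename or move and a SID changes on recreate, while the GUID only changes when the object is genuinely new, which is exactly when you need the old-to-new mapping that -NewMemberIdentity supplies. Run restores with -WhatIf first; memberships that are out of scope for the target (for example global groups of another domain) will fail at Add-ADGroupMember and should be expected to.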


Re: [ActiveDir] USB port disabled if I log in to domain.

2005-03-28 Thread ASB
Have you looked at your Event Logs as yet?

http://www.ultratech-llc.com/KB/?File=Diagnose.TXT


-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/



On Sun, 27 Mar 2005 21:57:17 -0800, Manjeet Singh
<[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> My USB scanner stops working if I log a Windows 2000 machine in to the domain.
>
> If I log on locally, my USB scanner is working fine.
>
> I did not apply any group policy....
>
> Any idea how to enable it..
>
> Thanks,
>
> Manjeet


RE: [ActiveDir] Recover DL membership

2005-03-28 Thread Grillenmeier, Guido
Sure you can _move_ the mail-enabled _user_ account from one domain across to 
another, which should be your preferred method (using ADMT works fine for this 
task). This will ensure least impact on the user as most of his 
group-memberships (usually all DLs, as these should be UGs) will stay intact.

You're correct in thinking that you can't move the mailbox itself to a 
different Admin Group in E2k, but you'll just have to follow a different 
process for this part of the user's move (e.g. via exmerge) - this will have no 
influence on the DLs.  Once you've upgraded to E2k3, you can then also move the 
mailbox to a different admin group (yet the user account still needs to be 
moved separately).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Wednesday, 23 March 2005 23:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover DL membership

This was a Windows 2000 domain with Exchange 2000, and I don't think you
can move mailbox accounts across Admin Groups (which is what we have for
each domain). Correct me if I'm wrong, but wouldn't we have to upgrade
to Exchange 2003 to accomplish this?

-Devon

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, March 23, 2005 2:21 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Recover DL membership

If the user was deleted from the old domain and recreated in the new
one then I would say no.

Why was this process followed and not a Move or a Migration?

Phil


On Wed, 23 Mar 2005 12:53:30 -0500, Harding, Devon
<[EMAIL PROTECTED]> wrote:
> 
> 
> I had a user that was moved from one child domain to another.  The
user was
> deleted and added.  Is there any way to recover the group membership
of that
> user in the old domain?
> 
>  
> 
> -Devon