RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Jorge de Almeida Pinto
I think that's incorrect if you're talking about autositecoverage.
Autositecoverage by DCs from some domain for some site will only occur if
some site has no DCs from that same domain. Although DCs are down and not
available, the DCs in other sites in the same domain see in their own
replica that that site has DCs and autositecoverage will occur.
Sitecoverage will occur by other DCs if you configured it manually through
the registry or a GPO.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise
themselves as available to site A. The DCs in the site with lowest cost to
site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or powering
off the DCs or demoting them or what?

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion


I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist Eastern Washington University



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.

==


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Ruston, Neil
Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain how
the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but not available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Autositecoverage by DCs from some domain for some site will only occur if some
site has no DCs from that same domain. Although DCs are down and not
available, the DCs in other sites in the same domain see in their own replica
that that site has DCs and autositecoverage will occur. Sitecoverage will
occur by other DCs if you configured it manually through the registry or a GPO

Cheers,
Jorge



Re: [ActiveDir] AD Site Confusion

2005-03-29 Thread Sergio Fonseca
Hi,

The site coverage is a good feature to speed up the login process, but
the discovery process that clients use will try any DC in the Domain.
Maybe your client is using the wrong DNS (since there are DCs
unavailable) or a GC is not available.
What is the error message when you try to login?



On Tue, 29 Mar 2005 10:55:33 +0100, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> Thanks Jorge.
> 
> Are you implying that the answer to the original question is therefore 'no'?
> This has huge ramifications in the branch office. Or did I simply explain how
> the answer is 'yes', but for the wrong reasons??
> 
> Are you also saying that DCs (and sitecoverage) handle the following 2
> scenarios in different ways:
> 1. No DCs installed in some site
> 2. DCs installed in some site but not available
> 
> Can you expand on your previous post please?
> 
> Thanks,
> neil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
> Pinto
> Sent: 29 March 2005 10:21
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] AD Site Confusion
> 
> I think that's incorrect if you're talking about autositecoverage.
> Autositecoverage by DCs from some domain for some site will only occur if some
> site has no DCs from that same domain. Although DCs are down and not
> available, the DCs in other sites in the same domain see in their own replica
> that that site has DCs and autositecoverage will occur. Sitecoverage will
> occur by other DCs if you configured it manually through the registry or a GPO
> 
> Cheers,
> Jorge
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Tuesday, March 29, 2005 09:25
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] AD Site Confusion
> 
> Depending upon your site links, DCs in either site B or C will advertise
> themselves as available to site A. The DCs in the site with lowest cost to
> site A will perform this role.
> 
> What do you mean by 'take down'? Are you taking a WAN link down or powering
> off the DCs or demoting them or what?
> 
> neil
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
> Sent: 28 March 2005 21:55
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] AD Site Confusion
> 
> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?
> 
> Thanks,
> --
> Matt Brown
> Information Technology System Specialist Eastern Washington University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> ==
> This message is for the sole use of the intended recipient. If you received
> this message in error please delete it and notify us. If this message was
> misdirected, CSFB does not waive any confidentiality or privilege. CSFB
> retains and monitors electronic communications sent through its network.
> Instructions transmitted over this system are not binding on CSFB until they
> are confirmed by us. Message transmission is not guaranteed to be secure.
> 
> ==
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be copied,
> disclosed to, retained or used by, any other party. If you are not an intended
> recipient then please promptly delete this e-mail and any attachment and all
> copies and inform the sender. Thank you.
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> ==
> This message is for the sole use of the intended recipient. If you received
> this message in error please delete it and notify us. If this message was
> misdirected, CSFB does not waive any confidentiality or privilege. CSFB
> retains and monitors electronic communications sent through its network.
> Instructions transmitted over this system are not binding on CSFB until they
> are confirmed by us. Message transmission is not guaranteed to be secure.
> ==
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List arch

RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Paresh Nhathalal
Auto-Site coverage is enabled by default and DCs will cover the site
where there are no DCs. You should ensure that the clients in that
"DC-less" site are re-pointed to the correct DNS Servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: 29 March 2005 10:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain how
the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but not available

Can you expand on your previous post please?

Thanks,
neil



Re: [ActiveDir] AD Site Confusion

2005-03-29 Thread Sergio Fonseca
Hi,

The site coverage is a good feature to speed up the login process, but
the discovery process that clients use will try any DC in the Domain.
Maybe your client is using the wrong DNS (since there are DCs
unavailable) or a GC is not available.
What is the error message when you try to login?


On Tue, 29 Mar 2005 11:05:55 +0100, Paresh Nhathalal
<[EMAIL PROTECTED]> wrote:
> Auto-Site coverage is enabled by default and DCs will cover the site
> where there are no DCs. You should ensure that the clients in that
> "DC-less" site are re-pointed to the correct DNS Servers.

RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Jorge de Almeida Pinto
Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate)
they will first try to reach the DCs in their own site (site A). As all DCs
are down in site A the clients then will ask for all DCs in the domain that
have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur).

Cheers
Jorge
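The behaviour Jorge describes here (and in his first reply further up, together with Paresh's point about the DC-less site) modelled as an added Python example that is not part of the thread: a client asks DNS for the site-specific SRV records first and the domain-wide records second, and automatic site coverage is derived from the topology the directory has *configured*, not from which DCs are reachable at the moment, which is exactly why Neil's scenario 1 and scenario 2 come out differently. The site names, DC names, site-link costs and up/down states are constructed; the model assumes direct site links only (no site-link bridging) and deterministic ordering, where the real locator randomises among equal candidates.

```python
from math import inf
from dataclasses import dataclass


@dataclass
class Topology:
    """Constructed view of the directory: which site each DC is registered in,
    the site-link costs, and which DCs happen to be answering right now."""
    dcs: dict    # DC name -> site it is configured in (what every replica shows)
    links: dict  # frozenset({site1, site2}) -> site-link cost
    up: set      # DCs currently reachable on the network

    def dcs_in(self, site):
        return sorted(dc for dc, s in self.dcs.items() if s == site)

    def cost(self, a, b):
        return 0 if a == b else self.links.get(frozenset((a, b)), inf)


def auto_site_coverage(topo, site):
    """DCs that register site-specific records for `site` on behalf of another
    site. Coverage follows the configured topology: a site that has DCs
    configured gets no coverage even when all of them are down (Neil's
    scenario 2); a DC-less site is covered by the lowest-cost site that has
    DCs (scenario 1). Assumption: direct site links only, no bridging."""
    if topo.dcs_in(site):
        return []
    sites_with_dcs = sorted(set(topo.dcs.values()),
                            key=lambda s: (topo.cost(site, s), s))
    best = sites_with_dcs[0]
    return [] if topo.cost(site, best) == inf else topo.dcs_in(best)


def srv_records(topo, site):
    """What the DNS zone holds, ignoring liveness: the site-specific records
    (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) and the domain-wide ones
    (_ldap._tcp.dc._msdcs.<domain>)."""
    site_specific = topo.dcs_in(site) + auto_site_coverage(topo, site)
    domain_wide = sorted(topo.dcs)
    return site_specific, domain_wide


def locate_dc(topo, client_site, dns_server):
    """Client-side locator as the thread describes it: site-specific records
    first, the domain-wide list as fallback, first DC that answers wins.
    Returns (stage, dc); ordering here is deterministic for readability."""
    if dns_server not in topo.up:          # Sergio's point: no DNS, no lookup
        return ("dns-unreachable", None)
    site_specific, domain_wide = srv_records(topo, client_site)
    for stage, records in (("site", site_specific), ("domain", domain_wide)):
        for dc in records:
            if dc in topo.up:
                return (stage, dc)
    return ("none", None)


# Constructed scenario from the thread: site A has two DCs (both down),
# B and C have one DC each, and site D is a DC-less branch.
TOPO = Topology(
    dcs={"DC-A1": "A", "DC-A2": "A", "DC-B1": "B", "DC-C1": "C"},
    links={frozenset(("A", "B")): 100, frozenset(("A", "C")): 200,
           frozenset(("B", "D")): 50, frozenset(("C", "D")): 300},
    up={"DC-B1", "DC-C1"},
)

if __name__ == "__main__":
    print("coverage of A:", auto_site_coverage(TOPO, "A"))   # scenario 2: []
    print("coverage of D:", auto_site_coverage(TOPO, "D"))   # scenario 1: ['DC-B1']
    print("A client, DNS on DC-A1:", locate_dc(TOPO, "A", "DC-A1"))
    print("A client, DNS on DC-B1:", locate_dc(TOPO, "A", "DC-B1"))
    print("D client, DNS on DC-B1:", locate_dc(TOPO, "D", "DC-B1"))
```

The `dns_server` argument is what separates Matt's symptom from the locator logic: a site A client whose only DNS server was one of the two downed DCs never issues the domain-wide query at all, whereas a client with a reachable alternate DNS server falls through to DC-B1 even though site A receives no coverage.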

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday 29 March 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but not available

Can you expand on your previous post please?

Thanks,
neil



RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
There are two reasons why you select preferred BHS.

1.  You have some security / political requirement to direct traffic to a
particular server.  (Firewall, Core service DC vs child domain).

2.  You don't want the other servers to be targets as BHS.  (Underpowered
box, etc.)

Todd Myrick

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment.  Let KCC to handle the BH
selection.  Otherwise you have to manually select the BH server(s). 
You can manually select more than one BH servers if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX



On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> Is there a good reason to NOT let the KCC pick the BH for you automatically?
> That way you get some failover if it craps out for some reason. Otherwise
> you'll have to watch the DC constantly to reset the BH to make sure
> replication continues to work. In Windows 2003, the KCC is pretty good about
> picking the best server as a BH.
>  
> -gil
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
> 
> 
> Hi guys,
>  
> Just curious...any opinions on denoting a server as a bridgehead in a
> site where it is currently the only defined server?  We were thinking that
> it then wouldn't be necessary down the road when other DCs are added.  Is
> there any harm in this?  Is there any good in this?  ; - )
>  
> (Forest and domain functional levels are Win2003)
>  
> -DaveC
> Reuters CIO Infrastructure
>  
> 
> -
> Visit our Internet site at http://www.reuters.com
> 
> To find out more about Reuters Products and Services visit
> http://www.reuters.com/productinfo 
> 
> Any views expressed in this message are those of the individual
> sender, except where the sender specifically states them to be
> the views of Reuters Ltd.
>
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD user account keeps getting locked out

2005-03-29 Thread Pelle, Joe

Hey – thanks to all who replied –
the user was in a rush to catch an early flight back home and couldn’t wait
… so I ended up changing her logon and the problem has gone away.  I
just downloaded the tools mentioned below – so thanks for link!  Have
a good one!

Joe
Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI
 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may include proprietary or
protected information. If you are not the intended recipient, please notify me,
delete this message, and do not further communicate the information contained
herein without my express written consent.

From: Rick Kingslan
[mailto:[EMAIL PROTECTED] 
Sent: Saturday, March 26, 2005
10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD user
account keeps getting locked out

Joe –

 

Run into this issue all of the time. 
Usually, it has to do with an application or some other application / process
that either uses or caches the user’s credentials.  If the password
is changed, the application or process needs to be changed as well.

 

My recommendation: The Account Lockout and
Management tools.  The most important part of this set is a .dll that
needs to be loaded on the DCs and adds an additional tab onto the user
properties in Active Directory Users and Computers.  It doesn’t need
to be on all of the DCs.  Just a couple that you would reference most
frequently.  With the tool you can determine what DC locked out the user,
and then go to the DC that has the actual record of the lockout.  Having
the firsthand events would be essential.  Also in the tool kit is a .dll
that can be loaded on the client workstation that will gather added information
into a log.  The log will pinpoint what on the client system might be
causing the problem.

 

Also included is EventCombMT (for parsing
the event logs for specific info) ALoInfo (lists all user accounts and the age
of the password) NLParse (used to get info from the NetLogon files), plus a few
more.

 

Find the Account Lockout and Management
tools here:

 

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

 

-rtk

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Friday, March 25, 2005 12:29
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD user
account keeps getting locked out

Hello!

 

I have a user account that continuously keeps getting locked
out.  We’ve reset the user’s password (multiple times), took
the computer off of the domain, renamed the computer, put it back on the
domain, etc.  This user works primarily out of her home office but is at
our headquarters yesterday and today.  She had a junior admin reset her
password and install some software (adobe) yesterday and has had the problem
ever since.  Anyone been done this road before?

 

Joe
Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI
 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may include proprietary or protected
information. If you are not the intended recipient, please notify me, delete
this message, and do not further communicate the information contained herein
without my express written consent.

RE: [ActiveDir] LDAPS part 2

2005-03-29 Thread Mulnick, Al
I run into this almost daily at the moment.  I can't comment on whether or
not I have SSL for ldap binds on the corporate network, but I have to say
that you should use it where required.  

From what I keep seeing the apps that tend to use this model are the ones
that are converted from using SunONE to ADS.  They tend to want to use one
or the other and it's to the advantage of the development company to use
something common.  While I would prefer that they figure out what AD
Integrated means and define a common set of descriptions for that.  Might be
my fault for not being more rigid I suppose, but we can't all own the system
now can we :)

I've got three at the moment.  One wants to extend the schema and then will
use ADS as the identity, authentication and authorization mechanism.  It's
optional to use SunONE locally and have it pass through the authentication
from the desktop.  SSL and extend the schema on the DC's?  Not likely.
Another app doesn't extend the schema, but instead creates 200+ groups and a
few accounts to manage the access.  The app uses web logic and does ldap
bind (simple bind - yuck) and was originally written for SunOne directories.
A third one still has the requirements being defined apparently. 

There's several more in the wings waiting to see daylight. 

If you don't like SSL, which is fairly standard, have you considered IPSec?
When all is said and done, that's all you really are after: transport level
protection to prevent network traces of credentials that are flying about
the ether(net). 

Al


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

Use it if you have to use simple ldap binds or you don't mind clear text
passwords from simple ldap binds flying about.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 28, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

So what is the consensus on this then?

How many people on this list have implemented LDAP over SSL in their
environment? 

Did you run into any problems? 

Would you do it again, or have you decided that there was no benefit in your
particular scenario?



Thanks for the information Joe^2
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

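To make the difference joe and Al are describing concrete, here is an added example (not code from the thread) of the same ADSI bind issued three ways from VBScript. The server name, account and password are placeholders; the flag values are the ADS_AUTHENTICATION_ENUM constants that IADsOpenDSObject.OpenDSObject accepts.

```vbscript
' Added example, not from the list thread: one ADSI bind, three authentication
' settings, so the cleartext exposure of a plain simple bind is visible in the
' flags. DC path, account and password are placeholders.
Option Explicit

' ADS_AUTHENTICATION_ENUM values used by IADsOpenDSObject.OpenDSObject
Const ADS_SECURE_AUTHENTICATION = &H1   ' SSPI (Kerberos/NTLM): the password never leaves the client
Const ADS_USE_SSL               = &H2   ' wrap the session in SSL/TLS (LDAPS, port 636 by default)
Const ADS_USE_SIGNING           = &H40  ' integrity protection on the SSPI-authenticated session
Const ADS_USE_SEALING           = &H80  ' confidentiality on the SSPI-authenticated session

Const DC_PATH  = "LDAP://dc01.example.com/DC=example,DC=com"   ' placeholder
Const SVC_DN   = "CN=svc-app,CN=Users,DC=example,DC=com"       ' placeholder
Const SVC_UPN  = "svc-app@example.com"                         ' placeholder
Const SVC_PWD  = "placeholder-password"                        ' placeholder

Function TryBind(label, userName, password, flags)
    ' Returns True when the bind succeeds. Errors are reported, not swallowed,
    ' so a DC that refuses the bind shows up as an HRESULT instead of silence.
    Dim dso, obj
    Set dso = GetObject("LDAP:")
    On Error Resume Next
    Set obj = dso.OpenDSObject(DC_PATH, userName, password, flags)
    If Err.Number <> 0 Then
        WScript.Echo label & ": bind failed, hr=0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        TryBind = False
    Else
        WScript.Echo label & ": bound, base object is " & obj.Get("distinguishedName")
        TryBind = True
    End If
    On Error GoTo 0
End Function

' 1. The "simple bind - yuck" case: flags = 0 sends the DN and the password in a
'    plain LDAP BindRequest on port 389. Anyone who can trace that segment reads
'    the password. A DC whose "LDAP server signing requirements" policy is set to
'    Require signing rejects this bind unless it arrives inside TLS.
TryBind "simple, cleartext", SVC_DN, SVC_PWD, 0

' 2. The same simple bind inside TLS (LDAPS). The credential is still a password
'    on the wire, now encrypted; this is the case where LDAPS is actually needed.
TryBind "simple, LDAPS", SVC_DN, SVC_PWD, ADS_USE_SSL

' 3. SSPI bind: a Kerberos ticket (or NTLM exchange) instead of the password,
'    with signing and sealing negotiated on the LDAP session. Nothing here for
'    LDAPS to protect, which is what "AD integrated" should mean for an app.
TryBind "SSPI, signed and sealed", SVC_UPN, SVC_PWD, _
        ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING
```

Case 1 is the one to look for when reviewing an application that was ported from SunONE: if it cannot do case 3, case 2 (or IPSec, as Al suggests) is the minimum.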


RE: [ActiveDir] startup scripts not running

2005-03-29 Thread Creamer, Mark

It adds a group to the RDP permissions so
our off-hours operators have TS access into the servers. It’s in the
startup script because we wanted to make sure that if that ever got changed
manually by someone, a reboot would cure it

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

What exactly is the EXE doing? Not all system services are available when the
startup script runs. For instance, try to shutdown a server from a startup
script. If you ever really need to do that, let me know, I have an exe that will
do it. Dean told me about issues doing it and I got interested enough to look at
it and it pissed me right off so I "fixed" it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server
into the same OU, and rebooted. Turns out most of the script is successful. The
only part that isn’t is a line that calls an executable file (.exe), which is
also located in the same folder as the vbscript.

If I wait until the server is fully logged in, the script runs the executable
with no problem. If I leave it to the startup script to run, it does not. I’m
using the Exec method of the wscript object, such as:

Ws.exec("myexecutable.exe")

Does that make sense?

Thanks again,

Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if
you do that? What you can do depends on the outcome of that test.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running

I have a situation in which startup scripts assigned to various OUs where
different servers are located are not running. If I log in as a domain admin,
browse to the location of the script in the GPO assigned to the OU where that
server is located, I can launch the script with no problem.

I’m having trouble figuring out why the script won’t launch on its own.

The only thing I’ve found so far in troubleshooting a startup script is to look
for an entry in the Application log with a source of Userinit. However, I see no
such entries. Can anyone think of what I might need to look at? What permissions
need to be enabled on the Policy itself, just in case that’s the issue?

Thanks,

Mark

This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a named
addressee you are hereby notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so is prohibited and may be unlawful. Please reply to the
message immediately by informing the sender that the message was misdirected.
After replying, please delete and otherwise erase it and any attachments from
your computer system. Your assistance in correcting this error is appreciated.






RE: [ActiveDir] startup scripts not running

2005-03-29 Thread joe

Ok, do you know for a fact that the exe isn't running or is 
it simply not outputting an error if it fails? The reboot issue I mentioned 
before appeared to be that shutdown wasn't being run, it was running, it was 
hitting a device not ready error and wasn't outputting it. Once I wrote a tool 
that definitely output errors when it ran into them, it was crystal clear that 
something was preventing shutdown from working when running in a startup script. 
It goes back to a type of error handling some programs use. Some will encounter 
an error and dump out with any errors it doesn't know how to handle. Some will 
dump out only with errors it knows how to handle. 
 



RE: [ActiveDir] startup scripts not running

2005-03-29 Thread Creamer, Mark

Good point Joe, I don’t know. I’m
basing the “not working” assumption on the end result not being
there, namely that the group has not been added to the RDP permissions. However
when I run it manually after logging in, the group is added.

 

Next I tried adding a Do Until loop in the script, looking for the executable
to return a 0. That never happens. The startup script runs forever :)

 

So based on that, and what you said, I guess I need to ask the programmer
(this app is home-grown) what error is thrown if it doesn’t work.


RE: [ActiveDir] startup scripts not running

2005-03-29 Thread joe

Yep, that was a method I tried with the restart, assuming 
that eventually whatever was slow would come up, but it seems that part of the 
system just waits until after the startup script completes and the system says 
it is ready for users. 
 
If the app is local you can enable auditing on it and it 
will tell you if the file is being opened or not. If the file is being opened, 
you can pretty much guess it is being run and is bombing with some sort of 
undisclosed error. 
 
  
joe
 


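An added example, not Mark's script: a startup-script wrapper around the same WScript.Shell Exec call that records the exit code, standard output and standard error to a log, bounds the wait so the script cannot run forever, and resolves the executable against the script's own folder rather than a bare file name. The executable name, log path and timeout are placeholders.

```vbscript
' Added example (not the script from the thread): run an executable from a
' startup script and record what actually happened, so a silent failure shows
' up in a log instead of as a missing group. EXE name and log path are placeholders.
Option Explicit

Const EXE_NAME        = "myexecutable.exe"                    ' placeholder, sits next to this .vbs
Const LOG_FILE        = "C:\Windows\Temp\startup-wrapper.log"  ' placeholder
Const TIMEOUT_SECONDS = 120                                   ' bounded wait, never "runs forever"
Const WSH_RUNNING     = 0                                     ' WshScriptExec.Status while running

Dim fso, shell, logStream, exePath, rc
Set fso       = CreateObject("Scripting.FileSystemObject")
Set shell     = CreateObject("WScript.Shell")
Set logStream = fso.OpenTextFile(LOG_FILE, 8, True)          ' 8 = ForAppending, create if missing

Sub LogLine(text)
    logStream.WriteLine Now & "  " & text
End Sub

Function RunAndCapture(cmdLine, timeoutSeconds)
    ' Returns the process exit code; -1 if it timed out, -2 if it never started.
    Dim proc, waited
    On Error Resume Next
    Set proc = shell.Exec(cmdLine)
    If Err.Number <> 0 Then
        ' Typical here: 0x80070002 (file not found) when only a bare name was given.
        LogLine "Exec failed before the process started: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        RunAndCapture = -2
        Exit Function
    End If
    On Error GoTo 0
    waited = 0
    Do While proc.Status = WSH_RUNNING
        WScript.Sleep 500
        waited = waited + 0.5
        If waited >= timeoutSeconds Then
            proc.Terminate
            LogLine "Timed out after " & timeoutSeconds & "s, process terminated"
            RunAndCapture = -1
            Exit Function
        End If
    Loop
    ' Fine for a program that prints a few lines; a chatty one can fill the pipe
    ' before exiting and should be redirected to a file via cmd /c instead.
    If Not proc.StdOut.AtEndOfStream Then LogLine "STDOUT: " & proc.StdOut.ReadAll
    If Not proc.StdErr.AtEndOfStream Then LogLine "STDERR: " & proc.StdErr.ReadAll
    RunAndCapture = proc.ExitCode
End Function

' A startup script runs as LocalSystem before anyone logs on, and its working
' directory is not the folder the .vbs lives in, so resolve the executable
' against the script's own location instead of passing a bare name to Exec.
exePath = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), EXE_NAME)

LogLine "---- start on " & shell.ExpandEnvironmentStrings("%COMPUTERNAME%") _
        & " as " & shell.ExpandEnvironmentStrings("%USERNAME%")
If Not fso.FileExists(exePath) Then
    LogLine "Executable not found at " & exePath
Else
    rc = RunAndCapture("""" & exePath & """", TIMEOUT_SECONDS)
    LogLine "Exit code " & rc & " from " & exePath
End If
logStream.Close
```

After one reboot the log answers joe's question directly: whether the exe started at all, what it wrote to stderr, and what exit code it returned when run as LocalSystem.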

[ActiveDir] Compelling arguments?

2005-03-29 Thread Brent Westmoreland

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.

Any thoughts welcome.

RE: [ActiveDir] startup scripts not running

2005-03-29 Thread deji

Mark, try calling the vbs from a bat file and see what happens. So, instead of
putting the name of the vbs directly as the startup script, put the name of a
bat file. In the bat file, you just simply need to do something like:

rem %LOGONSERVER% already expands to \\DCNAME, so no extra leading backslashes
Set ScriptPath=%LOGONSERVER%\NETLOGON

Call "%ScriptPath%\myscript.vbs"

 

Deji


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe

Ah you mean DNS disjoint namespace. I know of a couple of 
large orgs that do this either because Bind Based DNS is fully deployed to a very 
large base and they don't want to change it and/or they feel a machine 
in California shouldn't have the same DNS Suffix as a machine in New York 
(I tend to be in that category as well - I like geographic based DNS names). It 
is supported from an OS standpoint however it requires some additional perms on 
the computer objects so the computers can properly update their SPNs and 
dNSHostNames (though these aren't needed for DCs obviously). I don't think it 
would be very fun to have some 100,000+ machines all in a DNS zone called 
ad.company.com. It almost seemed an attempt to get away from WINS by making DNS 
act like WINS on a domain by domain basis. 
 
The biggest downside to doing this is Microsoft and other 
software vendors keep forgetting it is a supported configuration with 
applications. Check out MOM2005, the latest SMS whatever that is, some of the 
EMC NAS solutions, etc. If you do this, every application that goes through 
testing, integration, certification needs to be tested for disjoint namespace 
capability. I have seen a couple of occasions where someone was really bright 
and set up a disjoint production namespace but their test environment wasn't 
disjoint so they would spend all of this time in test to say something works 
great and deploy to production and watch it blow up 
immediately.
 
The other major downside I can think of is around name 
resolution. If you aren't using WINS, you better like specifying FQDNs for 
machines. This also applies to multidomain forest environments as well as 
environments using disjoint namespace though. Personally, I like WINS (or should 
I say NBNS as the RFC calls them). I think it got a bum rap from people who used 
it and didn't understand how to keep it running well or those that didn't want, 
for some reason, to have unique host names like those folks who think you need 
a machine named www to host a website called www.company.com. There have been times I have 
actually considered implementing an NBNS in case MS decides to drop WINS Server 
from support. Mine would be a little different though, accepting dynamic updates 
would be configurable, I see great value in an NBNS that does not accept client 
registrations but instead only gives out info put in by an admin. 


RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread David Cliffe
Thanks everyone.  All replies (opinions) were consistent and are summed
up effectively by the latest from Todd below.

For those interested --> Some brief detective work here has revealed
that, historically, there were some valid reasons for manually selecting
a BH in several sites.  At the time of my post I had thought EVERY site
here was configured that way, and so thought this was the norm
("assumption" once again a foolish path!).  The MS documentation and
your recent replies indicate we should consider a change, especially
since none of those old reasons apply anymore.  Thanks again!

-DaveC
Reuters CIO Infrastructure


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Tuesday, March 29, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site

There are two reasons why you select preferred BHS.

1.  You have some security / political requirement to direct traffic to
a particular server.  (Firewall, Core service DC vs child domain).

2.  You don't want the other servers to be targets as BHS.
(Underpowered box, etc.)

Todd Myrick

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment.  Let the KCC handle the BH
selection.  Otherwise you have to manually select the BH server(s). 
You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX



On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]>
wrote:
> Is there a good reason to NOT let the KCC pick the BH for you
> automatically?
> That way you get some failover if it craps out for some reason. 
> Otherwise you'll have to watch the DC constantly to reset the BH to 
> make sure replication continues to work. In Windows 2003, the KCC is 
> pretty good about
> picking the best server as a BH.
>  
> -gil
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
> 
> 
> Hi guys,
>  
> Just curious...any opinions on denoting a server as a bridgehead 
> in a site where it is currently the only defined server?  We were 
> thinking that it then wouldn't be necessary down the road when other 
> DCs are added.  Is there any harm in this?  Is there any good in this?
> ; - )
>  
> (Forest and domain functional levels are Win2003)
>  
> -DaveC
> Reuters CIO Infrastructure
>  
> 


[ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mike Hogenauer
In the past 2 months I’ve had 4 accounts that have just
disappeared without a trace from AD. I’ve turned up auditing on all my
Domain controllers but I haven’t been able to find anything relevant.

I have 4 offices in WA, CA, NC, and NY. I did have some
replication errors but they have been fixed and none of the errors went past 60
days.

I also don’t have a lot of group policies running or
scripts that run (I just recently inherited this environment); I’ve also
made sure only a select few people have rights to the Directory.

Has anyone seen this or had accounts that just seem to
vanish?

Thanks in advance.

Mike


Re: [ActiveDir] Compelling arguments?

2005-03-29 Thread Sergio Fonseca
Hi,

Interesting perspective Joe.
One thing that I notice every day is that not all code is prepared for
the new features; for example, the Domain Controller location process
is followed by many processes but not all. For example, when you set
permissions on a file for a user of another domain, the info is first fetched
from the DCs in the root domain, not the ones where you are logged on.
If you do not use the same FQDN suffixes you will have some things
working but others will suffer from slowness.



RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mulnick, Al
How do you know when the accounts went missing? 

 
Generally it would be a very bad thing for an account to go 
missing without a trace. I mean, at a minimum if it were deleted it would be 
stripped of attribute information and sent to the deleted objects 
graveyard.  You would be able to look there and see the tombstoned items if 
that were the case using this method http://support.microsoft.com/?kbid=840001#6 .
 
I was thinking that some of Joe's tools would let you look 
at this as well, but can't remember at the moment. 
 
Al
 




Re: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Sergio Fonseca
Hi,

I think that a delete is the best explanation; try adrestore:
http://www.sysinternals.com/ntw2k/source/misc.shtml#adrestore




RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mike Hogenauer
I only know because people come tell me
that they lose connection to e-mail or they can’t log in. 

Example: yesterday a user logged in during the AM,
then by mid-morning couldn’t access his Exchange account. Having seen a
few accounts disappear, I did a search in AD and his account didn’t come up,
but his Exchange account obviously still existed. 

Recreated the account and re-attached the mailbox
and he’s off and running again. 

If this were Exchange I’d
look at the SA and the Mailbox Management tool and the times they run to see if
they were related, but it's not related to Exchange.

Mike 



RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Matt Brown
All 3 of my sites (A,B,C) have GC in them and at least 1 DC in them.  All
DC's have DNS running on them.

By taking Site A down I was meaning shutting the machines off.

Thanks,
--
Matt Brown
[ SELECT * FROM directories WHERE AD > OpenLDAP ]
Information Technology System Specialist
Eastern Washington University


> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
> 
> When I take down site A (both DC's), the clients in Site A cannot log in.
> Shouldn't they be able to log in using site B or C?




RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mulnick, Al
Is it possible that the accounts were deleted during the 
replication issues and are now being propagated? 

Have you checked the deleted objects container to see if they 
exist there on any of the DC's (since replication was indicated, it might not 
hurt to check multiple DC's)? 



RE: [ActiveDir] Bridgehead in a single-server site

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
One more point to add and I will consider the matter closed.  The BHS should
be a GC in a multi-domain forest.

Toddler



RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
You might want to check for Event ID 630
on all your DC’s using eventcmb.

Here is a good article that lists all the
Event ID’s for specific account operations.  http://www.rippletech.com/PDF/New/SOX/Auditing%20Best%20Practices.pdf

If you aren’t backing up your security
event logs on your DC’s each night (yes, every DC) you are doing yourself
a disservice.  I recommend getting a tool that can consolidate your
security event logs into one location so that you can run reports
against them.  I have used InTrust from Quest/Aelita.  Pretty good tool
and easy to set up and use.  There are a lot of others out there though, some
free, some not so free.  

Todd
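Todd's advice to pull Event ID 630 from every DC and report on the consolidated logs, as an added example (editor's code, not code from the thread, from EventComb or from InTrust): it merges constructed per-DC Security-log exports in a hypothetical CSV layout, lists each deletion with its caller and originating DC, and flags accounts that vanished with no deletion logged anywhere, which is the situation Mike describes.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Windows 2000/2003 Security-log event ID for "User Account Deleted".
# It is written only on the DC that performed the delete; DCs that merely
# replicate the deletion log nothing, so every DC's log must be collected.
USER_ACCOUNT_DELETED = 630

# Constructed sample exports, one per DC (hypothetical CSV layout, not the
# output of EventComb, InTrust or any real tool). 624 = account created,
# 642 = account changed; both appear only as noise around the 630s.
SAMPLE_EXPORTS = {
    "DC-WA1": "\n".join([
        "time,event_id,target_account,caller,caller_logon_id",
        "2005-03-28 09:12:04,624,jsmith,svc-provision,0x3E7",
        "2005-03-28 10:41:55,630,bjones,admin.one,0x1A2B3",
        "2005-03-28 11:02:17,642,jsmith,admin.one,0x1A2B3",
    ]),
    "DC-NY1": "\n".join([
        "time,event_id,target_account,caller,caller_logon_id",
        "2005-03-27 16:20:00,630,rlee,cleanup-script,0x4C5D6",
    ]),
    "DC-NC1": "\n".join([
        "time,event_id,target_account,caller,caller_logon_id",
        "2005-03-28 12:00:00,624,tnguyen,svc-provision,0x3E7",
    ]),
}


def parse_export(dc_name, text):
    """Parse one DC's CSV export into event dicts tagged with the DC name."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["event_id"]),
            "target": row["target_account"],
            "caller": row["caller"],
            "logon_id": row["caller_logon_id"],
            "dc": dc_name,
        })
    return events


def consolidate(exports):
    """Merge every DC's events into a single timeline, oldest first."""
    events = []
    for dc_name, text in exports.items():
        events.extend(parse_export(dc_name, text))
    events.sort(key=lambda e: e["time"])
    return events


def deletion_report(events, event_id=USER_ACCOUNT_DELETED):
    """Map each deleted account name to the deletion events naming it."""
    report = defaultdict(list)
    for event in events:
        if event["event_id"] == event_id:
            report[event["target"]].append(event)
    return dict(report)


def unexplained(missing_accounts, report):
    """Accounts that vanished although no DC logged a deletion for them.
    That points at auditing being off or overwritten on the originating
    DC, or a delete older than the retained logs; the tombstone in the
    Deleted Objects container is then the remaining evidence."""
    return [name for name in missing_accounts if name not in report]


def format_report(report):
    """One line per deletion: when, originating DC, target, caller."""
    lines = []
    for target, hits in sorted(report.items()):
        for e in hits:
            lines.append(
                f"{e['time']:%Y-%m-%d %H:%M:%S}  {e['dc']:<8} "
                f"630 deleted {target} by {e['caller']} (logon {e['logon_id']})"
            )
    return lines


if __name__ == "__main__":
    timeline = consolidate(SAMPLE_EXPORTS)
    report = deletion_report(timeline)
    print("\n".join(format_report(report)))
    # Accounts the help desk reported as gone, cross-checked against the logs.
    print("no deletion logged on any DC:",
          unexplained(["bjones", "mhogan", "rlee"], report))
```

Two details carry the investigation: a 630 is recorded only on the DC where the delete was performed, so a deletion done against the NY DC shows up in no other DC's log, and an account that lands in the "no deletion logged" list means the originating DC's log was not audited or has been overwritten, or the delete predates what is retained; for those, the tombstone check Al describes is the next stop.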











RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Myrick, Todd (NIH/CC/DNA)
Interesting tagline

I prefer

Netdom query trust 

Toddler




Re: [ActiveDir] Compelling arguments?

2005-03-29 Thread Brent Westmoreland
As always, thanks for the thorough reply, mate...



[ActiveDir] DNS should point to...?

2005-03-29 Thread Noah Eiger
Hi –

I have just been brought into a situation where a client has
several poorly connected (VPN and slow connections to the Internet) sites in a
single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously,
most of the DCs had tombstoned.
Microsoft walked the in-house guy through demoting and re-promoting everything.

The question is this: where should each DC’s DNS
point? I have always thought they should point to themselves and only
themselves. The DNS server forwards to the Internet (as everything is poorly
connected). The in-house tech said Microsoft told him to point each DC’s
primary DNS to the FSMO-role holder and then to itself as secondary.

Any thoughts?

-- nme


Re: [ActiveDir] Compelling arguments?

2005-03-29 Thread Phil Renouf
Agreed. I'd love to get more info on your view on that though; get
some more details of how you would set it up in that type of
environment given the chance ;) The issue of geographic DNS isn't
something I'd thought of unless it was also attached to a multi domain
geographic type forest (NA, Asia, Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread Tomasz Onyszko
Noah Eiger wrote:
(...)
The question is this: where should each DC’s DNS point? I have always 
thought they should point to themselves and only themselves. The DNS 
server forwards to the Internet (as everything is poorly connected). The 
in-house tech said Microsoft told him to point each DC’s primary DNS to 
the FSMO-role holder and then to itself as secondary.
This tech guy was probably talking about the "server islands" problem. It is 
necessary to point to some server other than the local one at the time of 
promotion, but then with proper configuration you can point the DC to itself 
as DNS server (read the method scenario in the KB whose URL is listed below).

http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&id=kb;en-us;275278
--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread ASB
http://www.ultratech-llc.com/KB/?File=ADNetwork.TXT

No, DNS servers should not only point to themselves.  See above.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Tue, 29 Mar 2005 09:31:59 -0800, Noah Eiger <[EMAIL PROTECTED]> wrote:
> 
> 
> Hi –
> 
>  
> 
> I have just been brought into a situation where a client has several poorly
> connected (VPN and slow connections to the Internet) sites in a single W2k
> domain. Each site has a single DC that runs AD-integrated DNS. Previously,
> most of the DCs had tombstoned. Microsoft walked the in-house guy through
> demoting and re-promoting everything. 
> 
>  
> 
> The question is this: where should each DC's DNS point? I have always
> thought they should point to themselves and only themselves. The DNS server
> forwards to the Internet (as everything is poorly connected). The in-house
> tech said Microsoft told him to point each DC's primary DNS to the FSMO-role
> holder and then to itself as secondary.
> 
>  
> 
> Any thoughts?
> 
>  
> 
> -- nme


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread James_Day
Hi Noah.

Having a DC point to itself as primary can create a replication problem.
If I change my DCs ip address, it will register in the primary DNS (itself)
with the updated ip address.  It's replication partner - your DNS will then
go query itself for the ip address and get the old IP.  Since all
replication is pull, and the default is that the zone is AD integrated and
shared among all DCs, your DC cannot update its DNS until it replicates,
and it cannot replicate until it updates it's DNS.

Having all DCs point at one DC (I have heard the first DC in the hub site
for the domain) means that at least one DC has the updated ip address of
every DC out there.  Pointing at itself for secondary gives it name
resolution when the link is down.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: "Noah Eiger" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/29/2005 09:31 AM PST
Please respond to: ActiveDir
Subject: [ActiveDir] DNS should point to...?

Hi –

I have just been brought into a situation where a client has several poorly
connected (VPN and slow connections to the Internet) sites in a single W2k
domain. Each site has a single DC that runs AD-integrated DNS. Previously,
most of the DCs had tombstoned. Microsoft walked the in-house guy through
demoting and re-promoting everything.

The question is this: where should each DC's DNS point? I have always
thought they should point to themselves and only themselves. The DNS server
forwards to the Internet (as everything is poorly connected). The in-house
tech said Microsoft told him to point each DC's primary DNS to the
FSMO-role holder and then to itself as secondary.

Any thoughts?

-- nme
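An added example, not part of the thread: a PowerShell audit of where each DC's own DNS client points, flagging the primary-to-self pattern James describes above and the primary-to-another, secondary-to-self arrangement recommended further down the thread. It assumes a current environment (the RSAT ActiveDirectory module and PowerShell remoting to every DC); the Windows 2000 servers under discussion predate these cmdlets, and there the same facts come from ipconfig /all on each DC.

```powershell
# Added example (not from the thread). Assumes RSAT's ActiveDirectory module and
# WinRM access to every DC; Windows 2000-era servers have neither.
Import-Module ActiveDirectory

function Get-DcDnsClientReport {
    $dcs = Get-ADDomainController -Filter * | Sort-Object HostName
    foreach ($dc in $dcs) {
        # IPv4 DNS servers configured on the DC's adapters, in lookup order.
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                Select-Object -ExpandProperty ServerAddresses
        })
        $primary   = $servers | Select-Object -First 1
        $secondary = $servers | Select-Object -Skip 1 | Select-Object -First 1
        $self      = @($dc.IPv4Address, '127.0.0.1')   # loopback counts as "self"

        [pscustomobject]@{
            DC            = $dc.HostName
            Site          = $dc.Site
            Primary       = $primary
            Secondary     = $secondary
            # The pattern James warns about: the DC can only learn its peers' records
            # from its own copy of the zone, which it cannot refresh until it replicates.
            PrimaryIsSelf = $self -contains $primary
            # Nothing to fall back to when the primary sits across a flaky link.
            NoFallback    = -not $secondary
            # "Primary to another, secondary to self", as recommended later in the thread.
            MatchesThread = ($self -notcontains $primary) -and ($self -contains $secondary)
        }
    }
}

Get-DcDnsClientReport | Format-Table -AutoSize
```

Run it from any domain-joined admin workstation; a row with PrimaryIsSelf true and NoFallback true is the configuration the island discussion is about.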

[ActiveDir] AD/ Virus outbreak

2005-03-29 Thread Devan Pala
Hi,
I have 3 DC's in a protected root domain and 2 child domains. Unfortunately 
the 3 root DC's were not running a virus client, totally missedanyway. 
Looks like it is using known Windows exploitability to drop files and what 
not.

2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)
If I have to rebuild can I at least for the interim transfer the above roles 
on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Paresh Nhathalal
On DCs running DNS - point primary DNS to itself and secondary DNS to a
nearest site or hub DNS server.

Be aware of DNS Island issue in Windows 2000 though!

Paresh

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: 29 March 2005 18:47
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS should point to...?

http://www.ultratech-llc.com/KB/?File=ADNetwork.TXT

No, DNS servers should not only point to themselves.  See above.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Tue, 29 Mar 2005 09:31:59 -0800, Noah Eiger <[EMAIL PROTECTED]> wrote:
> 
> 
> Hi -
> 
>  
> 
> I have just been brought into a situation where a client has several
poorly
> connected (VPN and slow connections to the Internet) sites in a single
W2k
> domain. Each site has a single DC that runs AD-integrated DNS.
Previously,
> most of the DCs had tombstoned. Microsoft walked the in-house guy
through
> demoting and re-promoting everything. 
> 
>  
> 
> The question is this: where should each DC's DNS point? I have always
> thought they should point to themselves and only themselves. The DNS
server
> forwards to the Internet (as everything is poorly connected). The
in-house
> tech said Microsoft told him to point each DC's primary DNS to the
FSMO-role
> holder and then to itself as secondary.
> 
>  
> 
> Any thoughts?
> 
>  
> 
> -- nme


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread deji

In this scenario, I’d recommend
Primary to another and secondary to self.

 

Deji

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should
point to...?



 

Hi –

 

I have just been brought into a situation where a client has
several poorly connected (VPN and slow connections to the Internet) sites in a
single W2k domain. Each site has a single DC that runs AD-integrated DNS.
Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy
through demoting and re-promoting everything. 

 

The question is this: where should each DC’s DNS
point? I have always thought they should point to themselves and only
themselves. The DNS server forwards to the Internet (as everything is poorly
connected). The in-house tech said Microsoft told him to point each DC’s
primary DNS to the FSMO-role holder and then to itself as secondary.

 

Any thoughts?

 

-- nme

 


RE: [ActiveDir] AD/ Virus outbreak

2005-03-29 Thread deji

Yes.

 

This *may* be a useful primer for you: http://www.readymaids.com/Portals/1/FSMO-xfer.htm

 

Deji

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

 

Hi,

 

I have 3 DC's in a protected root domain and 2 child domains.
Unfortunately 

the 3 root DC's were not running a virus client, totally missedanyway.


Looks like it is using known Windows exploitability to drop files and
what 

not.

 

2 of the 3 seem to be infected. (ones with the Schema Master & DNM
and PDCE)

 

If I have to rebuild can I at least for the interim transfer the above
roles 

on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

 

Thanks,

 

 


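An added example, not part of the thread or of the linked primer, of the interim role move Devan asks about, written for the ActiveDirectory PowerShell module (the tool of the thread's era would be ntdsutil). The host name is an assumption. Two caveats a responder would want: a role that has been seized must never be followed by the old holder coming back online, and moving roles does not contain the incident, since an infected DC held a full copy of the domain database; the rebuild Devan mentions is the right end state.

```powershell
# Added example (not from the thread). The host name is an assumption; the cmdlets
# need the ActiveDirectory module (Server 2008 R2 or later).
Import-Module ActiveDirectory

$survivor = 'dc3.root.example.com'   # assumed: the uninfected DC (current RID + Infrastructure holder)

# 1. Record who holds what before touching anything.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Graceful transfer: the current holders must still be online and replicating.
#    Two of them are infected, so only do this if you accept one more replication
#    cycle with them; otherwise go straight to step 3.
Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Confirm:$false

# 3. Seize (-Force) when the infected DCs are already powered off. A DC that a role
#    was seized from must not return to the network; rebuild it and remove its
#    metadata from the directory first.
# Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
#     -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Force -Confirm:$false

# 4. GC lived only on the two infected DCs, so make the survivor a GC. In a
#    multi-domain forest the Infrastructure Master must not sit on a GC unless every
#    DC in the domain is a GC; keep that true when the other two are rebuilt.
#    (options bit 1 = GC; -Replace overwrites the other option bits, normally 0.)
$ntds = (Get-ADDomainController -Identity $survivor).NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }

# 5. Verify.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
(Get-ADDomainController -Identity $survivor).IsGlobalCatalog
```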
RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread Mulnick, Al
Phil, you know he's for hire right?  He has a "p*mp" and everything last I
heard. :)


That said, it is interesting to see a regional specific approach to name
resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
because I think it would depend on the company goals whether or not that
would make sense. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread brent.westmoreland
Our existing setup involves exactly as described by joe, BIND servers at
the root that feed down to further bind servers at each location with
the exception of the Americas. The americas have a majority of win2k DNS
servers but also some bind.

So you may have AD domains of americas.corp.com, europe.corp.com, and
asiapacific.corp.com.

You then have locations within americas like buenos aires, sao paolo,
new york city.

So you have site codes bue, spo, and nyc.

With dns domains for each location of bue.sub, spo.sub, and nyc.sub with
the sub domain being delegated from the central bind server to the
localized servers.   

Our situation is that our client services team prefers to use the AD
domain for resolution of client names, our colleagues in different areas
prefer to use the bind services for many applications, so what we end up
with is a mixed implementation and inconsistent client settings inside
the organization that lead to one machine having a need for a static
entry in the localized dns while the machine updates its hostname in the
AD domain automagically.  Now we have two host records for the same
machine, and an inconsistent PTR record as well.

We have unix based apps that implement a tcp wrapper to determine a
machines identity but because there are different settings or duplicates
in the localized dns, AD dns, and the PTR records, the application
breaks upon forward and reverse lookup (whoever thought it was a good
idea to use DNS as a security mechanism should be choked)

The lesson here is to determine which to do and implement without
exception.  The problem with doing it after the fact is that you WILL
break something.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some
more details of how you would set it up in that type of environment
given the chance ;) The issue of geographic DNS isn't something I'd
thought of unless it was also attached to a multi domain geographic type
forest (NA, Asia, Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>

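An added example, not part of Brent's message, that reproduces the tcp_wrappers-style forward-then-reverse check against both resolvers he describes (the AD-integrated zone and the localized BIND server), so a host that passes on one path and fails on the other shows up before the application breaks. Resolver addresses and the host name are assumptions; it needs Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the thread). Resolver addresses and host names are assumptions.
$resolvers = @{
    AD   = '10.1.0.10'   # assumed AD-integrated DNS server
    BIND = '10.1.0.20'   # assumed localized BIND server
}
$hosts = @('host1.nyc.sub.americas.corp.com')   # assumed host to check

function Test-ForwardReverse {
    param([string]$HostName, [string]$Server)
    $r = [ordered]@{ Host = $HostName; Server = $Server; Forward = $null
                     Reverse = $null; Consistent = $false; Error = $null }
    try {
        $a = @(Resolve-DnsName -Name $HostName -Type A -Server $Server -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' })
        $r.Forward = $a.IPAddress -join ','
        # Resolve-DnsName accepts a bare IP for PTR and builds the in-addr.arpa name itself.
        $ptr = @(foreach ($ip in $a.IPAddress) {
            (Resolve-DnsName -Name $ip -Type PTR -Server $Server -ErrorAction Stop |
                Where-Object { $_.Type -eq 'PTR' }).NameHost
        })
        $r.Reverse = $ptr -join ','
        # tcp_wrappers PARANOID rule: the PTR must map back to exactly the name asked for.
        # Duplicate A or PTR records (the "two host records" case) make the answer ambiguous.
        $bad = @($ptr | Where-Object { $_.TrimEnd('.') -ine $HostName })
        $r.Consistent = ($a.Count -eq 1) -and ($ptr.Count -eq 1) -and ($bad.Count -eq 0)
    } catch {
        $r.Error = $_.Exception.Message
    }
    [pscustomobject]$r
}

# Ask both resolvers about the same hosts; a host that is Consistent on one path
# and not on the other is exactly the mixed-client-settings problem described above.
$results = foreach ($h in $hosts) {
    foreach ($name in $resolvers.Keys) {
        Test-ForwardReverse -HostName $h -Server $resolvers[$name] |
            Add-Member -NotePropertyName Resolver -NotePropertyValue $name -PassThru
    }
}
$results | Format-Table Resolver, Host, Forward, Reverse, Consistent, Error -AutoSize
```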

RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread brent.westmoreland



Agreed


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?


In this scenario, I’d 
recommend Primary to another and secondary to self.
 
Deji
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?
 
Hi –
 
I have just been brought into a 
situation where a client has several poorly connected (VPN and slow connections 
to the Internet) sites in a single W2k domain. Each site has a single DC that 
runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft 
walked the in-house guy through demoting and re-promoting everything. 

 
The question is this: where should 
each DC’s DNS point? I have always thought they should point to themselves and 
only themselves. The DNS server forwards to the Internet (as everything is 
poorly connected). The in-house tech said Microsoft told him to point each DC’s 
primary DNS to the FSMO-role holder and then to itself as 
secondary.
 
Any 
thoughts?
 
-- nme
 


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread James_Day
Agreed - and admiring Deji's ability to say in 12 words what I took 2 pages
to type.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]


From: <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/29/2005 01:03 PM EST
Please respond to: ActiveDir
Subject: RE: [ActiveDir] DNS should point to...?




Agreed

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?

In this scenario, I'd recommend Primary to another and secondary to self.

Deji


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?

Hi –

I have just been brought into a situation where a client has several poorly
connected (VPN and slow connections to the Internet) sites in a single W2k
domain. Each site has a single DC that runs AD-integrated DNS. Previously,
most of the DCs had tombstoned. Microsoft walked the in-house guy through
demoting and re-promoting everything.

The question is this: where should each DC's DNS point? I have always
thought they should point to themselves and only themselves. The DNS server
forwards to the Internet (as everything is poorly connected). The in-house
tech said Microsoft told him to point each DC's primary DNS to the
FSMO-role holder and then to itself as secondary.

Any thoughts?

-- nme

RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Noah Eiger

Ok. Some conflicting
responses. Just so I can sort this out in my little brain:

 

I am aware of the island issue and my
practice has been to point to another site to promote, then
change it to point to itself. 

 

Why would you point to another site as
primary if there is poor connectivity?

 

The AD-integrated DNS zones should be
complete at each site, no? Should the SOA and the Name Servers be the same at
each site?

 

-- nme

 


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 29, 2005
10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Agreed

 


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005
12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?

In this scenario,
I’d recommend Primary to another and secondary to self.

 

Deji

 


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should
point to...?



 

Hi –

 

I have just been brought into a
situation where a client has several poorly connected (VPN and slow connections
to the Internet) sites in a single W2k domain. Each site has a single DC that
runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft
walked the in-house guy through demoting and re-promoting everything. 

 

The question is this: where should
each DC’s DNS point? I have always thought they should point to
themselves and only themselves. The DNS server forwards to the Internet (as
everything is poorly connected). The in-house tech said Microsoft told him to
point each DC’s primary DNS to the FSMO-role holder and then to itself as
secondary.

 

Any thoughts?

 

-- nme

Re: [ActiveDir] Compelling arguments?

2005-03-29 Thread Phil Renouf
hahaha, yeah I didn't know for sure, but I was getting the idea that
he was "for hire" ;)

I just wanted some more details on his thought process though...not a
full out design ;)

Phil

On Tue, 29 Mar 2005 13:01:51 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> Phil, you know he's for hire right?  He has a "p*mp" and everything last I
> heard. :)
> 
> That said, it is interesting to see a regional specific approach to name
> resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
> because I think it would depend on the company goals whether or not that
> would make sense.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread chuckgaff

You can point to the DC/GC/DNS server running the PDC Emulator role but better resolution on the primary DNS setting.

Chuck

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tue, 29 Mar 2005 13:03:20 -0500
Subject: RE: [ActiveDir] DNS should point to...?





Agreed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?

In this scenario, I'd recommend Primary to another and secondary to self.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?

Hi –

I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything.

The question is this: where should each DC's DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC's primary DNS to the FSMO-role holder and then to itself as secondary.

Any thoughts?

-- nme
 


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread deji

12 words??? I thought it was 11!!! I need to cut down on that next time
– there's no room for 2 Joes[1] on this list :)

Deji

[1] I still need to respond to that "inverse" thread – as soon as I can
wrap my head around that wacky equation :-p

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 10:26 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org;
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS should point to...?

 

Agreed - and admiring Dejis ability to say in 12 words what I took 2
pages

to type.

 

James R. Day

Active Directory Core Team

Office of the Chief Information Officer

National Park Service

(202) 354-1464 (direct)

(202) 371-1549 (fax)

[EMAIL PROTECTED]

 

 

From: <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Sent: 03/29/2005 01:03 PM EST
Please respond to: ActiveDir
Subject: RE: [ActiveDir] DNS should point to...?


Agreed

 

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of

[EMAIL PROTECTED]

Sent: Tuesday, March 29, 2005 12:57 PM

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] DNS should point to...?

 

In this scenario, I'd recommend Primary to another and secondary to self.

 

Deji

 

 

From: [EMAIL PROTECTED]

[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger

Sent: Tuesday, March 29, 2005 9:32 AM

To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] DNS should point to...?

 

Hi –

 

I have just been brought into a situation where a client has several
poorly

connected (VPN and slow connections to the Internet) sites in a single
W2k

domain. Each site has a single DC that runs AD-integrated DNS.
Previously,

most of the DCs had tombstoned. Microsoft walked the in-house guy
through

demoting and re-promoting everything.

 

The question is this: where should each DC's DNS point? I have always

thought they should point to themselves and only themselves. The DNS
server

forwards to the Internet (as everything is poorly connected). The
in-house

tech said Microsoft told him to point each DC's primary DNS to the

FSMO-role holder and then to itself as secondary.

 

Any thoughts?

 

-- nme


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread deji

>>>Ok. Some conflicting
responses.

You will always get that. I have yet to
see a consensus on this and many other issues. So, it ultimately ends up being
one of those “it depends” cases.

 

>>>I am aware of the island issue

Remember, the “Island
issue” occurs in a multi-domain environment, which, in your case, is not
applicable here. No _msdcs problem to factor in.

 

>>> Why would you point to
another site as primary if there is poor connectivity?

If poor connectivity is an issue for you,
then again (in this scenario), primary to another server is a good way to ameliorate
the impact of the poor connectivity. “Poor connectivity”, in this
case, means that there is “intermittent” connectivity, right? If
the DC points to itself or to another and there is an extended outage, then you
are SOL in that you can’t find anything on the other side anyway. Remember
that this “to self or to another” question is specific to the DNS
server ITSELF, not relevant to what it does for (or on behalf of) other
clients. The configuration is only applicable to the DNS server’s ability
to publish and locate records for itself. If it can NOT find the referenced DNS
Server configured as PRIMARY (because of the poor connectivity), it will flag
that server as being unresponsive and then go to the secondary, which is itself,
in the meantime.

 

>>> The AD-integrated DNS zones
should be complete at each site, no?

I say yes. But, there is nothing in the
book (AFAIK) that says you can’t mix and match.

 

>>>Should the SOA and the Name
Servers be the same at each site?

“The same”, meaning that the
SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be
DNS1.whatever and DNS2 will be DNS2.whatever because they are each
authoritative for the zone and, therefore, consider themselves the “Start
of Authority” for that zone.

 

HTH

Deji

 


From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005
10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Ok. Some conflicting responses. Just so I
can sort this out in my little brain:

 

I am aware of the island issue and my
practice has been to point to another site to promote, then change it to point
to itself. 

 

Why would you point to another site as
primary if there is poor connectivity?

 

The AD-integrated DNS zones should be
complete at each site, no? Should the SOA and the Name Servers be the same at each
site?

 

-- nme

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 29, 2005
10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Agreed

 











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005
12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?

In this scenario,
I’d recommend Primary to another and secondary to self.

 

Deji

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should
point to...?



 

Hi –

 

I have just been brought into a
situation where a client has several poorly connected (VPN and slow connections
to the Internet) sites in a single W2k domain. Each site has a single DC that runs
AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked
the in-house guy through demoting and re-promoting everything. 

 

The question is this: where should
each DC’s DNS point? I have always thought they should point to themselves
and only themselves. The DNS server forwards to the Internet (as everything is
poorly connected). The in-house tech said Microsoft told him to point each
DC’s primary DNS to the FSMO-role holder and then to itself as secondary.

 

Any thoughts?

 

-- nme
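An added example, not part of the thread, that checks the two things Deji's answer above rests on: that every DC's copy of the AD-integrated zone is complete and answers with itself as the SOA, and that no DC is holding stale A records for its peers, which is the island James described earlier in the thread. It assumes the ActiveDirectory module and Resolve-DnsName (Windows Server 2012 or later) and that port 53 on every DC is reachable from where it runs.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and
# Resolve-DnsName (Windows Server 2012 or later); the thread's W2K servers have neither.
Import-Module ActiveDirectory

function Test-DcDnsConsistency {
    $domain = (Get-ADDomain).DNSRoot
    $dcs    = @(Get-ADDomainController -Filter * | Sort-Object HostName)

    foreach ($dc in $dcs) {
        $server = $dc.IPv4Address

        # Every AD-integrated copy is authoritative, so the SOA it serves should name itself.
        $soa = Resolve-DnsName -Name $domain -Type SOA -Server $server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1

        # How this DC's copy of the zone sees every other DC's address. A peer whose
        # current IP is absent here is the island case: the stale record is the only
        # one this DC can use to reach its replication partner.
        $stale = @(foreach ($peer in ($dcs | Where-Object { $_.HostName -ne $dc.HostName })) {
            $a = Resolve-DnsName -Name $peer.HostName -Type A -Server $server -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' }
            if (-not $a -or (@($a.IPAddress) -notcontains $peer.IPv4Address)) { $peer.HostName }
        })

        # DC locator records: each DC registers itself here; a DC missing from this
        # server's answer cannot be found by clients that use this server.
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $server -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        $registered = @($srv | ForEach-Object { $_.NameTarget.TrimEnd('.') })
        $missing    = @($dcs.HostName | Where-Object { $registered -notcontains $_ })

        [pscustomobject]@{
            QueriedDC      = $dc.HostName
            Reachable      = [bool]$soa
            SoaPrimary     = $soa.PrimaryServer
            SoaIsSelf      = [bool]$soa -and ($soa.PrimaryServer.TrimEnd('.') -ieq $dc.HostName)
            StalePeerA     = $stale -join ','
            MissingFromSrv = $missing -join ','
        }
    }
}

Test-DcDnsConsistency | Format-Table -AutoSize
```

SoaPrimary differing from row to row is expected, as Deji says; a non-empty StalePeerA or MissingFromSrv on a reachable DC is the condition to act on.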

RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread deji

I meant to say, “no root/sub-root _msdcs
ISSUES to factor in”

 

Deji

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Tuesday, March 29, 2005
11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

>>>Ok. Some conflicting
responses.

You will always get that. I have yet to
see a consensus on this and many other issues. So, it ultimately ends up being
one of those “it depends” cases.

 

>>>I am aware of the island issue

Remember, the “Island
issue” occurs in a multi-domain environment, which, in your case, is not
applicable here. No _msdcs problem to factor in.

 

>>> Why would you point to
another site as primary if there is poor connectivity?

If poor connectivity is an issue for you,
then again (in this scenario), primary to another server is a good way to
ameliorate the impact of the poor connectivity. “Poor
connectivity”, in this case, means that there is “intermittent”
connectivity, right? If the DC points to itself or to another and there is an
extended outage, then you are SOL in that you can’t find anything on the
other side anyway. Remember that this “to self or to another”
question is specific to the DNS server ITSELF, not relevant to what it does for
(or on behalf of) other clients. The configuration is only applicable to the
DNS server’s ability to publish and locate records for itself. If it can
NOT find the referenced DNS Server configured as PRIMARY (because of the poor
connectivity), it will flag that server as being unresponsive and then go to
the secondary, which is itself, in the meantime.

 

>>> The AD-integrated DNS zones
should be complete at each site, no?

I say yes. But, there is nothing in the
book (AFAIK) that says you can’t mix and match.

 

>>>Should the SOA and the Name
Servers be the same at each site?

“The same”, meaning that the
SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be
DNS1.whatever and DNS2 will be DNS2.whatever because they are each authoritative
for the zone and, therefore, consider themselves the “Start of
Authority” for that zone.

 

HTH

Deji

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005
10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Ok. Some conflicting responses. Just so I
can sort this out in my little brain:

 

I am aware of the island issue and my practice
has been to point to another site to promote, then change it to point to
itself. 

 

Why would you point to another site as
primary if there is poor connectivity?

 

The AD-integrated DNS zones should be
complete at each site, no? Should the SOA and the Name Servers be the same at
each site?

 

-- nme

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 29, 2005
10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Agreed

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005
12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?

In this scenario,
I’d recommend Primary to another and secondary to self.

 

Deji

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should
point to...?



 

Hi –

 

I have just been brought into a
situation where a client has several poorly connected (VPN and slow connections
to the Internet) sites in a single W2k domain. Each site has a single DC that
runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft
walked the in-house guy through demoting and re-promoting everything. 

 

The question is this: where should
each DC’s DNS point? I have always thought they should point to
themselves and only themselves. The DNS server forwards to the Internet (as
everything is poorly connected). The in-house tech said Microsoft told him to
point each DC’s primary DNS to the FSMO-role holder and then to itself as
secondary.

 

Any thoughts?

 

-- nme

RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Kern, Tom

Can you explain to me how "island DNS" cannot occur in a single domain environment.
If I have 2 DCs for the same domain and they are each pointing to themselves as the only DNS and I change the IP of one DC, won't that break replication?
How will one DC find the other to pull the change I just made?
Sorry if this sounds stupid or basic.
Thanks

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 2:41 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?
  
  >>>Ok. Some conflicting responses.
  You will always get that. I have yet to see a consensus on this and many other issues. So, it ultimately ends up being one of those “it depends” cases.

  >>>I am aware of the island issue
  Remember, the “Island issue” occurs in a multi-domain environment, which, in your case, is not applicable here. No _msdcs problem to factor in.

  >>> Why would you point to another site as primary if there is poor connectivity?
  If poor connectivity is an issue for you, then again (in this scenario), primary to another server is a good way to ameliorate the impact of the poor connectivity. “Poor connectivity”, in this case, means that there is “intermittent” connectivity, right? If the DC points to itself or to another and there is an extended outage, then you are SOL in that you can’t find anything on the other side anyway. Remember that this “to self or to another” question is specific to the DNS server ITSELF, not relevant to what it does for (or on behalf of) other clients. The configuration is only applicable to the DNS server’s ability to publish and locate records for itself. If it can NOT find the referenced DNS Server configured as PRIMARY (because of the poor connectivity), it will flag that server as being unresponsive and then go to the secondary, which is itself, in the meantime.

  >>> The AD-integrated DNS zones should be complete at each site, no?
  I say yes. But, there is nothing in the book (AFAIK) that says you can’t mix and match.

  >>>Should the SOA and the Name Servers be the same at each site?
  “The same”, meaning that the SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be DNS1.whatever and DNS2 will be DNS2.whatever because they are each authoritative for the zone and, therefore, consider themselves the “Start of Authority” for that zone.

  HTH
  Deji
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Tuesday, March 29, 2005 10:41 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?
   
  Ok. Some conflicting responses. Just so I can sort this out in my little brain:

  I am aware of the island issue and my practice has been to point to another site to promote, then change it to point to itself.

  Why would you point to another site as primary if there is poor connectivity?

  The AD-integrated DNS zones should be complete at each site, no? Should the SOA and the Name Servers be the same at each site?

  -- nme
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 10:03 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?

  Agreed
   
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 12:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?

  In this scenario, I’d recommend Primary to another and secondary to self.

  Deji
   
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Tuesday, March 29, 2005 9:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DNS should point to...?

  Hi –

  I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything.

  The question is this: where should each DC’s DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC’s primary DNS to the FSMO-role holder and then to itself as secondary.

  Any thoughts?

  -- nme
   


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread deji








It’s actually a good question. An
intelligent description can be found on http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/plan02.asp

 

I am still looking for the “de-facto”
(to me) discussion I participated in on this topic a while ago. I will send
that when I locate it.

 

Deji

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kern, Tom
Sent: Tuesday, March 29, 2005
11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 



Can you explain to me how "island DNS" cannot occur in a single-domain environment?

If I have 2 DCs for the same domain and they are each pointing to themselves as the only DNS and I change the IP of one DC, won't that break replication?

How will one DC find the other to pull the change I just made?

Sorry if this sounds stupid or basic.

Thanks





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:41
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?

>>>Ok. Some conflicting
responses.

You will always get that. I have yet to
see a consensus on this and many other issues. So, it ultimately ends up being
one of those “it depends” cases.

 

>>>I am aware of the island issue

Remember, the “Island
issue” occurs in a multi-domain environment, which, in your case, is not
applicable here. No _msdcs problem to factor in.

 

>>> Why would you point to
another site as primary if there is poor connectivity?

If poor connectivity is an issue for you,
then again (in this scenario), primary to another server is a good way to
ameliorate the impact of the poor connectivity. “Poor
connectivity”, in this case, means that there is
“intermittent” connectivity, right? If the DC points to itself or
to another and there is an extended outage, then you are SOL in that you
can’t find anything on the other side anyway. Remember that this
“to self or to another” question is specific to the DNS server
ITSELF, not relevant to what it does for (or on behalf of) other clients. The
configuration is only applicable to the DNS server’s ability to publish
and locate records for itself. If it can NOT find the referenced DNS Server
configured as PRIMARY (because of the poor connectivity), it will flag that
server as being unresponsive and then go to the secondary, which is itself, in
the meantime.

 

>>> The AD-integrated DNS zones
should be complete at each site, no?

I say yes. But, there is nothing in the
book (AFAIK) that says you can’t mix and match.

 

>>>Should the SOA and the Name
Servers be the same at each site?

“The same”, meaning that the
SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be
DNS1.whatever and DNS2 will be DNS2.whatever because they are each
authoritative for the zone and, therefore, consider themselves the “Start
of Authority” for that zone.

 

HTH

Deji

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005
10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Ok. Some conflicting responses. Just so I
can sort this out in my little brain:

 

I am aware of the island issue and my
practice has been to point to another site to promote, then change it to point
to itself. 

 

Why would you point to another site as
primary if there is poor connectivity?

 

The AD-integrated DNS zones should be
complete at each site, no? Should the SOA and the Name Servers be the same at
each site?

 

-- nme

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 29, 2005
10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?



 

Agreed

 











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005
12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS
should point to...?

In this scenario,
I’d recommend Primary to another and secondary to self.

 

Deji

 













From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should
point to...?



 

Hi –

 

I have just been brought into a
situation where a client has several poorly connected (VPN and slow connections
to the Internet) sites in a single W2k domain. Each site has a single DC that
runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft
walked the in-house guy through demoting and re-promoting everything. 

 

The question is this: where should
each DC’s DNS point? I have always thought they should point to
themselves and only themselves. The DNS server forwards to the Internet (as
everything is poorly connected). The in-house tech said Microsoft told him to
point each DC’s primary DNS to the FSMO-role holder and then to i
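
The thread argues over three DNS client settings for a DC: itself only, another DC first with itself as secondary (Deji's recommendation), or another DC only. The script below is an added example, not code from the thread or from Microsoft: it labels each DC's configuration and then simulates which DCs can still resolve the domain while WAN links or the hub DC are down, so the trade-off Deji describes ("it depends") can be seen on an inventory instead of argued. The DC names, sites and addresses are constructed placeholders; every DC is assumed to host the AD-integrated zone, as the thread's "complete at each site" scenario has it.

```python
"""Audit the DNS client settings of each domain controller and work out which
DCs can still resolve the domain while a WAN link or another DC is down.

Added example; it is not code from the thread or from Microsoft. The DC
inventory, site names and addresses are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class DomainController:
    name: str
    site: str
    ip: str
    dns_servers: List[str]   # DNS client list, in order of preference
    up: bool = True          # DC (and its DNS service) running?


def classify(dc: DomainController, by_ip: Dict[str, DomainController]) -> str:
    """Label the DC's DNS client configuration using the options the thread
    debates: 'self-only', 'other-then-self' (primary elsewhere, itself as
    secondary), 'self-then-other', 'no-self' (never itself) or 'non-dc'
    (points at an address that hosts no AD-integrated zone)."""
    if any(ip not in by_ip for ip in dc.dns_servers):
        return "non-dc"
    if dc.ip not in dc.dns_servers:
        return "no-self"
    if dc.dns_servers == [dc.ip]:
        return "self-only"
    if dc.dns_servers[0] == dc.ip:
        return "self-then-other"
    return "other-then-self"


def reachable(src: DomainController, dst: DomainController,
              links_down: Set[FrozenSet[str]]) -> bool:
    """Can src reach DNS on dst? Same-site traffic never crosses a WAN link;
    cross-site traffic needs the (unordered) site pair to be up."""
    if not dst.up:
        return False
    if src.site == dst.site:
        return True
    return frozenset((src.site, dst.site)) not in links_down


def can_resolve(dc, by_ip, links_down=frozenset()) -> bool:
    """True if at least one configured server is a reachable DC. Every DC
    hosts the AD-integrated zone (the thread's 'complete at each site'),
    so any reachable DC answers authoritatively; the client walks its list
    in order, which is the primary/secondary fallback Deji describes."""
    return any(ip in by_ip and reachable(dc, by_ip[ip], links_down)
               for ip in dc.dns_servers)


def audit(dcs, links_down=frozenset()) -> Dict[str, Tuple[str, bool]]:
    by_ip = {dc.ip: dc for dc in dcs}
    return {dc.name: (classify(dc, by_ip), can_resolve(dc, by_ip, links_down))
            for dc in dcs}


# Constructed inventory: a hub plus two poorly connected branch sites.
DCS = [
    DomainController("dc-hq",  "HQ",      "10.0.0.10", ["10.0.0.10"]),
    DomainController("dc-br1", "Branch1", "10.0.1.10", ["10.0.0.10", "10.0.1.10"]),
    DomainController("dc-br2", "Branch2", "10.0.2.10", ["10.0.0.10"]),
]
WAN_OUTAGE = {frozenset(("HQ", "Branch1")), frozenset(("HQ", "Branch2"))}

if __name__ == "__main__":
    for name, (label, ok) in audit(DCS, WAN_OUTAGE).items():
        print(f"{name:8} {label:16} resolves during WAN outage: {ok}")
```

With all links up every DC resolves; during the WAN outage only the DCs that list themselves keep resolving, and a branch that points solely at the hub is cut off the moment the link or the hub DC goes. The labels are the thread's options, not a verdict on which is right.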

[ActiveDir] LDAP search filter

2005-03-29 Thread Shawn Hayes
Does anyone know how to create an LDAP search filter I can use within a Saved 
Query of ADUC that will list the users in an OU?  I can do this with VBScript, 
but I am looking for a way to do this within ADUC.

Thanks,
Shawn

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Isenhour, Joseph






Hello,


I was wondering if anyone knows why Microsoft removed kerb auth to a proxy from Internet Explorer.  I believe that they did support it with the early versions of IE5.

Here's the MS explanation (which really isn't an explanation)

http://support.microsoft.com/kb/321728/EN-US/


What possible reason could exist for them to remove this feature?  Does anyone know if there's a way to make it work?


Thanks





RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread Isenhour, Joseph



If you're also talking about servers don't forget that by 
default computers register their SPN using the AD domain name.  So if 
you have a server that registers HOST/someserver.myadname.net and the server 
actually resolves to someserver.mydnszone.net Kerberos will not work for the 
clients that try to connect using the DNS name.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix. Any thoughts welcome.
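
Joseph's point is that the client builds the SPN from the name it connected with, while the server registers HOST/ SPNs under the AD domain name. The following is an added example, not code from the thread or from Windows: it predicts whether the KDC can satisfy a client's SPN request against a server's registered SPNs and lists the HOST/ entries an administrator would have to add for every name clients actually use. The server and zone names are the thread's placeholders (myadname.net, mydnszone.net), and HOST_COVERED_SERVICES is a hand-picked subset of the service classes that Active Directory maps onto HOST by default.

```python
"""Check whether a Kerberos client will find an SPN for the host name it
actually used, and list the SPNs a server is missing for the names it is
reached by.

Added example, not from the thread. Names are constructed placeholders and
HOST_COVERED_SERVICES is a subset chosen for the example; the full default
mapping of service classes onto HOST lives in AD's sPNMappings attribute.
"""
from typing import Iterable, Optional, Set

HOST_COVERED_SERVICES = {"cifs", "http", "rpcss"}   # subset, constructed for the example


def client_spn(service: str, hostname: str, port: Optional[int] = None) -> str:
    """The SPN a client asks the KDC for is built from the name it connected
    with, not from the name the server believes it has."""
    spn = f"{service}/{hostname}"
    return f"{spn}:{port}" if port else spn


def default_spns(short_name: str, ad_domain: str) -> Set[str]:
    """SPNs a domain member registers on its own computer account by default:
    HOST/<short> and HOST/<short>.<AD domain>, whatever DNS zone the host's
    address actually lives in."""
    return {f"HOST/{short_name}", f"HOST/{short_name}.{ad_domain}"}


def spn_available(spn: str, registered: Iterable[str]) -> bool:
    """True if a ticket can be issued for spn: it is registered as-is, or its
    service class is covered by a registered HOST/ SPN for the same host.
    Comparison is case-insensitive, as AD treats SPNs."""
    reg = {s.lower() for s in registered}
    spn = spn.lower()
    if spn in reg:
        return True
    service, _, host = spn.partition("/")
    return service in HOST_COVERED_SERVICES and f"host/{host}" in reg


def missing_spns(registered: Iterable[str], names_used: Iterable[str],
                 services=("cifs", "http")) -> Set[str]:
    """HOST/ SPNs to add so that every name clients use is covered for the
    given HOST-mapped services."""
    registered = set(registered)
    missing = set()
    for host in names_used:
        for service in services:
            if not spn_available(client_spn(service, host), registered):
                missing.add(f"HOST/{host}")
    return missing


# Constructed scenario from the thread: the AD domain is myadname.net but
# clients resolve the server through the mydnszone.net zone.
SERVER_SPNS = default_spns("someserver", "myadname.net")
NAMES_CLIENTS_USE = ["someserver.myadname.net", "someserver.mydnszone.net"]

if __name__ == "__main__":
    for host in NAMES_CLIENTS_USE:
        spn = client_spn("cifs", host)
        print(f"{spn:40} kerberos ok: {spn_available(spn, SERVER_SPNS)}")
    print("SPNs to register:", sorted(missing_spns(SERVER_SPNS, NAMES_CLIENTS_USE)))
```

When the SPN lookup fails, a Windows client negotiating with SSPI falls back to NTLM rather than failing outright, so a server that is reached by a non-AD name usually shows up in the logs as unexplained NTLM logons rather than as Kerberos errors; that is the signal to look for when deciding whether the extra HOST/ entries are needed.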


RE: [ActiveDir] LDAP search filter

2005-03-29 Thread Mulnick, Al
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn



RE: [ActiveDir] LDAP search filter

2005-03-29 Thread Shawn Hayes
I end up with something like this but get no information 

(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))

This is not a filter from what I can tell

>>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>>
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn



RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph



We are going to be modifying the field programmatically, so from what Gil said it sounds like the large integer method is appropriate. As a follow-up question, do you think I should use nanoseconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (the date used by pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.
- Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).
- Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
- Store it as a unicode string and come up with a format like: MMDD[ss][ss]
Does anyone have an opinion on how this should be done?
Thanks


RE: [ActiveDir] LDAP search filter

2005-03-29 Thread Mulnick, Al
The filter I used was 

(&(objectClass=User)(objectCategory=Person)) and I set the filter to the OU
I wanted (it's on the first panel of the query editing).  The query was
entered into the custom search | advanced tab section.

That returns all the user objects at the level in the tree specified. In
your case from the OU level down. 

I get one that looks like this:



Better?  If not, create the Query and then export it and send it offline if
you're able.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP search filter

I end up with something like this but get no information 

(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))

This is not a filter from what I can tell

>>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>>
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn

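
To see why Shawn's saved-query filter returns nothing while Al's returns the users, it helps to evaluate both against a handful of entries. The block below is an added example, not code from the thread or from ADUC: a small RFC 4515 filter parser and matcher run over constructed entries standing in for one OU. The matcher simplifies AD semantics in ways the comments note (case-insensitive strings, objectCategory kept as a short class name rather than a schema DN, no decoding of RFC 4515 escape sequences), so it illustrates filter logic rather than reproducing what a domain controller does with the same text.

```python
"""Parse an LDAP search filter (RFC 4515 syntax, the form ADUC's custom
query takes) and evaluate it against in-memory directory entries.

Added example, not from the thread or from ADUC. The entries are
constructed, and the matcher simplifies AD semantics: strings compare
case-insensitively, objectCategory holds a short class name instead of a
schema DN, and RFC 4515 escape sequences (\\2a and friends) are not decoded.
"""
import re
from typing import Any, Dict, List


class Filter:
    """Recursive-descent parser producing a small tree, plus an evaluator."""

    def __init__(self, text: str):
        self.text = text.strip()
        self.pos = 0
        self.tree = self._parse()
        if self.pos != len(self.text):
            raise ValueError(f"trailing data: {self.text[self.pos:]!r}")

    def _expect(self, ch: str) -> None:
        if self.pos >= len(self.text) or self.text[self.pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _parse(self):
        self._expect("(")
        c = self.text[self.pos]
        if c in "&|":                       # (&(f1)(f2)...) or (|(f1)(f2)...)
            self.pos += 1
            kids = []
            while self.text[self.pos] == "(":
                kids.append(self._parse())
            self._expect(")")
            return (c, kids)
        if c == "!":                        # (!(f))
            self.pos += 1
            kid = self._parse()
            self._expect(")")
            return ("!", kid)
        end = self.text.index(")", self.pos)
        item, self.pos = self.text[self.pos:end], end + 1
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)", item, re.S)
        if not m:
            raise ValueError(f"malformed item {item!r}")
        attr, op, value = m.groups()
        return ("item", attr.lower(), op, value)

    def matches(self, entry: Dict[str, Any]) -> bool:
        return self._eval(self.tree, {k.lower(): v for k, v in entry.items()})

    def _eval(self, node, entry) -> bool:
        kind = node[0]
        if kind == "&":
            return all(self._eval(k, entry) for k in node[1])
        if kind == "|":
            return any(self._eval(k, entry) for k in node[1])
        if kind == "!":
            return not self._eval(node[1], entry)
        _, attr, op, value = node
        if attr not in entry:           # absent attribute: Undefined, never a match
            return False
        raw = entry[attr] if isinstance(entry[attr], list) else [entry[attr]]
        values = [str(v).lower() for v in raw]
        value = value.lower()
        if op == "=" and value == "*":                  # presence
            return True
        if op == "=" and "*" in value:                  # substring
            pattern = ".*".join(re.escape(p) for p in value.split("*"))
            return any(re.fullmatch(pattern, v, re.S) for v in values)
        if op in ("=", "~="):                           # equality (approx treated as exact)
            return value in values
        if op == ">=":
            return any(v >= value for v in values)
        return any(v <= value for v in values)          # op == "<="


def search(entries: List[Dict[str, Any]], filter_text: str) -> List[str]:
    """Return the 'name' of every entry the filter matches, in input order."""
    f = Filter(filter_text)
    return [e["name"] for e in entries if f.matches(e)]


# Constructed entries standing in for the contents of one OU.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"name": "Alice Comit", "objectClass": USER_CLASSES, "objectCategory": "Person",
     "sAMAccountName": "acomit", "userPrincipalName": "acomit@example.test"},
    {"name": "Bob Builder", "objectClass": USER_CLASSES, "objectCategory": "Person",
     "sAMAccountName": "bbuilder"},
    # Computer accounts are 'user' objects too; only objectCategory tells them apart.
    {"name": "WS01", "objectClass": USER_CLASSES + ["computer"], "objectCategory": "Computer",
     "sAMAccountName": "WS01$"},
    {"name": "Sales", "ou": "Sales", "objectClass": ["top", "organizationalUnit"],
     "objectCategory": "Organizational-Unit"},
]

SHAWN_FILTER = '(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))'
AL_FILTER = "(&(objectClass=User)(objectCategory=Person))"

if __name__ == "__main__":
    for text in (SHAWN_FILTER, AL_FILTER, "(objectClass=user)"):
        print(f"{text}\n    -> {search(ENTRIES, text)}")
```

In this evaluator Shawn's filter fails on user entries because they carry no ou attribute (an absent attribute is Undefined, never a match) and because name=Comit* only matches names that begin with "Comit"; whether ADUC's query builder produced the same effect is not something the thread establishes. The last run shows why Al pairs objectClass=user with objectCategory=Person: on its own, objectClass=user also returns computer accounts.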


Re: [ActiveDir] LDAP search filter

2005-03-29 Thread John Singler
shawn --
in the properties of your query point the Query root to the OU you want 
to query.

then this filter should be sufficient:
(&(objectCategory=user)(userPrincipalName=*))
hth,
john
Shawn Hayes wrote:
I end up with something like this but get no information 

(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))
This is not a filter from what I can tell

"Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>>
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.
Thanks,
Shawn


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Mulnick, Al



I think it still depends on how you intend to use the 
data.
 
For example, if you're going to pull other information of 
similar type (maybe pwdLastSet?) it would make sense to use the same 
format. 
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically, so from what Gil said it sounds like the large integer method is appropriate. As a follow-up question, do you think I should use nanoseconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (the date used by pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.
- Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).
- Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
- Store it as a unicode string and come up with a format like: MMDD[ss][ss]
Does anyone have an opinion on how this should be done?
Thanks


RE: [ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Mulnick, Al



Are you trying to auth to the proxy server itself with 
IE?
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos and proxy servers

Hello, 
I was wondering if anyone knows why Microsoft removed 
kerb auth to a proxy from Internet Explorer.  I believe that they did 
support it with the early versions of IE5.
Here's the MS explanation (which really isn't an 
explanation) http://support.microsoft.com/kb/321728/EN-US/ 
What possible reason could exist for them to remove 
this feature?  Does anyone know if there's a way to make it work? 

Thanks 


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Gil Kirkpatrick



The purist in me says use the pwdLastSet form... it avoids the 2038 "problem", such as it is. And in general it's better to limit the number of different representations for a particular data type. I don't think MS uses time_t in the directory anywhere.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically, so from what Gil said it sounds like the large integer method is appropriate. As a follow-up question, do you think I should use nanoseconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (the date used by pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.
- Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).
- Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
- Store it as a unicode string and come up with a format like: MMDD[ss][ss]
Does anyone have an opinion on how this should be done?
Thanks


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph



Actually I just googled this and found something interesting that I didn't know:

Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem.

I don't think we'll be on the same system in 2,184, but I don't want to be short-sighted :)  Does Microsoft still use a 64-bit integer?

That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent.
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I think it still depends on how you intend to use the 
data.
 
For example, if you're going to pull other information of 
similar type (maybe pwdLastSet?) it would make sense to use the same 
format. 
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically, so from what Gil said it sounds like the large integer method is appropriate. As a follow-up question, do you think I should use nanoseconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (the date used by pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)
 
-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.
- Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).
- Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).
- Store it as a unicode string and come up with a format like: MMDD[ss][ss]
Does anyone have an opinion on how this should be done?
Thanks
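
The thread weighs three encodings for a date attribute: the large-integer form pwdLastSet uses (100-nanosecond ticks since 1601-01-01 UTC), a Unix-style count from 1970, and the Generalized Time string behind AD's 2.5.5.11 syntax. The block below is an added example, not code from the thread: converters between the three, written so that only timezone-aware UTC values can be encoded (joe's "keep it in UTC"), plus a function that estimates the year in which a fixed-width signed counter runs out, which is the comparison behind Gil's remark about 2038. The Unix epoch is taken as 1970-01-01T00:00:00Z and the sample timestamp is constructed.

```python
"""Convert between the date representations the thread weighs: the Windows
FILETIME form used by pwdLastSet (100-nanosecond ticks since 1601-01-01 UTC),
Unix time_t (seconds since 1970-01-01 UTC) and LDAP Generalized Time (the
string form behind AD's 2.5.5.11 syntax), and estimate when each fixed-width
counter runs out.

Added example, not from the thread. Sample timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                       # one tick is 100 ns
# Ticks between the two epochs: 11,644,473,600 s * 10^7.
EPOCH_DIFF_TICKS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND
MEAN_GREGORIAN_YEAR = 31_556_952                    # seconds


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode a FILETIME / pwdLastSet-style value into an aware UTC datetime.
    Sub-microsecond precision is dropped (Python datetimes stop at 1 us).
    Note that AD uses pwdLastSet == 0 to mean 'must change at next logon';
    callers should special-case that before calling this."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks. Naive datetimes are refused
    so that nothing but UTC ever reaches the directory."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: supply a timezone-aware UTC value")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_unix(ticks: int) -> int:
    return (ticks - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND


def unix_to_filetime(seconds: int) -> int:
    return seconds * TICKS_PER_SECOND + EPOCH_DIFF_TICKS


def to_generalized_time(dt: datetime) -> str:
    """YYYYMMDDHHMMSS.0Z, the UTC form of LDAP Generalized Time."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def from_generalized_time(text: str) -> datetime:
    """Accepts the 'Z' (UTC) form with an optional fraction; offsets such as
    +0100 are rejected for the same reason naive datetimes are."""
    if not text.endswith("Z"):
        raise ValueError("only the UTC ('Z') form is accepted")
    base = text[:-1].split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def overflow_year(bits: int, ticks_per_second: int, epoch_year: int) -> int:
    """Approximate calendar year in which a signed counter of `bits` bits,
    counting `ticks_per_second` per second from 1 January of `epoch_year`,
    reaches its maximum (mean Gregorian year; the exact day is not computed)."""
    max_ticks = 2 ** (bits - 1) - 1
    return epoch_year + (max_ticks // ticks_per_second) // MEAN_GREGORIAN_YEAR


if __name__ == "__main__":
    sample = datetime(2005, 3, 29, 14, 41, tzinfo=timezone.utc)   # constructed
    ft = datetime_to_filetime(sample)
    print(f"{sample.isoformat()} -> FILETIME {ft} -> unix {filetime_to_unix(ft)}"
          f" -> {to_generalized_time(sample)}")
    print("32-bit time_t runs out in", overflow_year(32, 1, 1970))
    print("64-bit FILETIME runs out in", overflow_year(64, TICKS_PER_SECOND, 1601))
```

Run stand-alone it prints the same instant in all three forms and the two overflow estimates: a signed 32-bit time_t reaches its maximum in 2038, while a signed 64-bit count of 100-ns ticks from 1601 lasts until the 30,000s, which is why the pwdLastSet form does not share the 2038 limit.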


RE: [ActiveDir] Kerberos and proxy servers

2005-03-29 Thread Isenhour, Joseph



Yes, although I haven't tried yet. According to the article it is not possible. Our proxy vendor supports Kerberos auth mainly because IE used to support it. And not only that, using kerb solves a bunch of latency issues because the proxy doesn't need to keep talking to the DC the way that it does for NTLM.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos and proxy servers

Are you trying to auth to the proxy server itself with 
IE?
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos and proxy servers

Hello, 
I was wondering if anyone knows why Microsoft removed 
kerb auth to a proxy from Internet Explorer.  I believe that they did 
support it with the early versions of IE5.
Here's the MS explanation (which really isn't an 
explanation) http://support.microsoft.com/kb/321728/EN-US/ 
What possible reason could exist for them to remove 
this feature?  Does anyone know if there's a way to make it work? 

Thanks 


RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Rocky Habeeb


Deji,
 
You're hilarious 
!
 
RH
__
 

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 1:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?
  
  12 words??? I thought it was 11!!! I need to cut down on that next time - there's no room for 2 Joes[1] on this list :)

  Deji
  [1] I still need to respond to that "inverse" thread - as soon as I can wrap my head around that wacky equation :-p
   
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 10:26 AM
  To: ActiveDir@mail.activedir.org
  Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] DNS should point to...?
   
  Agreed - and admiring Deji's ability to say in 12 words what I took 2 pages to type.

  James R. Day
  Active Directory Core Team
  Office of the Chief Information Officer
  National Park Service
  (202) 354-1464 (direct)
  (202) 371-1549 (fax)
  [EMAIL PROTECTED]
   
   
  From: <[EMAIL PROTECTED]dca.com>
  Sent by: [EMAIL PROTECTED]tivedir.org
  Date: 03/29/2005 01:03 PM EST
  Please respond to: ActiveDir
  To:
  cc: (bcc: James Day/Contractor/NPS)
  Subject: RE: [ActiveDir] DNS should point to...?
   
   
   
   
  Agreed
   
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Tuesday, March 29, 2005 12:57 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] DNS should point to...?
   
  In this scenario, I’d recommend Primary to another and secondary to self.
   
  Deji
   
   
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
  Sent: Tuesday, March 29, 2005 9:32 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DNS should point to...?
   
  Hi –
   
  I have just been brought into a situation where a client has several poorly
  connected (VPN and slow connections to the Internet) sites in a single W2k
  domain. Each site has a single DC that runs AD-integrated DNS. Previously,
  most of the DCs had tombstoned. Microsoft walked the in-house guy through
  demoting and re-promoting everything.
   
  The question is this: where should each DC’s DNS point? I have always
  thought they should point to themselves and only themselves. The DNS server
  forwards to the Internet (as everything is poorly connected). The in-house
  tech said Microsoft told him to point each DC’s primary DNS to the
  FSMO-role holder and then to itself as secondary.
   
  Any thoughts?
   
  -- nme


Re: [ActiveDir] DNS should point to...?

2005-03-29 Thread Tomasz Onyszko
[EMAIL PROTECTED] wrote:
It’s actually a good question. An intelligent description can be found 
on 
http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/plan02.asp
This is the URL which I wanted to post in my first post, but I came to the 
conclusion that the KB article would be enough :)

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread joseph.e.kaplan

I still don’t think you should use
Integer8/FILETIME format to store your date unless you absolutely need
to.  I think 2.5.5.11 OM 23 or 24 is the
way to go.  Depending on your API I think you will likely find them to be
a better impedance match.

 

The big kicker is if you ever have to use
VBScript to do this.  VBScript sucks at dealing with long integers but
happily marshals LDAP 2.5.5.11 to variant datetime and back.

 

Plus, you’ll get some nicer fidelity
in other tools such as ldp and ADSI Edit.  Integer8 will just be an opaque
number that you need code to interpret.

 

2.5.5.11 values sort and index just fine
and allow >= and <= comparisons, so I can’t think of a real
compelling reason to use Integer8 unless your code happens to already rely on
that.  It sounds like it doesn’t.

 

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD



 

Actually I just googled this and found
something interesting that I didn't know:

Windows
NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its
increment and the beginning of time is January 1, 1601, so NT suffers from the
Year 2184 problem. 

I don't think we'll be on the same system in 2,184, but I
don't want to be short sighted :)  Does Microsoft still use a 64-bit
integer?

That's a good point Al, the date is not going to be compared
to the other date types in AD so I suppose it really doesn't matter.  I
may go with the NT date just to be consistent.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I think it still depends on how you
intend to use the data.

 

For example, if you're going to pull other
information of similar type (maybe pwdLastSet?) it would make sense to use the
same format. 

 

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field
programmatically so from what Gil said it sounds like the large integer method
is appropriate.  As a follow up question, do you think I should use nano
seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by
pwdLastSet)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I
definitely agree, don't come up with your own format unless you have some
amazing scheme that blows all of the other formats out of the water that makes
it the best thing to do. Not saying you aren't going to come up with something
amazing but I would guess the odds are against you. Anything you put into the
directory, keep it in UTC. Less confusion that way.

 

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values,
and how they are used. If the dates will be passed along to other X.500/LDAP
type directories, you probably should use the Generalized Time syntax
(2.5.5.11). If the dates are manipulated programmatically, use the long integer
representation. It's pretty trivial to manipulate it as a date in your code. I'd
avoid using a string representation unless your code requires a funny string
format or unless it requires unusual date values like "today",
"yesterday", or "when hell freezes over" (we use the latter
for setting development dates for certain silly feature requests in our
products :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date
type in AD.  I figure I have several options.

Store it as a long integer.  To determine the date the consumer will need to
count the nano seconds from a certain date (the way that pwdLastSet works)

Store it as a date type (which I've never used, and looking at the current schema it
appears that most people do not choose this option).

Store it as a unicode string and come up with a format like:  MMDD[ss][ss]

Does anyone have an opinion on how this should be done?

Thanks




This message is forthe designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the ori

RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Noah Eiger

>>> The AD-integrated DNS zones should be complete at each site, no?

I say yes. But, there is
nothing in the book (AFAIK) that says you can’t mix and match.

 

But the zones should be replicas, right? If
I add a record in one location, it gets replicated to the others. What about
differences in the Name Servers tab. Some Sites list certain servers; other
sites list different servers.

 

>>> Should the SOA and the Name Servers be the same at each site?

“The same”,
meaning that the SOA on DNS1 and DNS2 should reference the same server? No.
DNS1 will be DNS1.whatever and DNS2 will be DNS2.whatever because they are each
authoritative for the zone and, therefore, consider themselves the “Start
of Authority” for that zone.

 

Ack. Thanks.

 

BTW: On a similar note, I am seeing what
seems odd in the _msdcs records. Under
Server1\Forward Lookup Zones\company.com\_msdcs\dc\_sites\
all of the sites are listed. Under _tcp are Service Locator records for _kerberos
and _ldap. The servers listed for these records do
not correspond to the servers in those sites. For example, server1.company.com
appears for those records in Site1, Site3, and Site5. Site2 has records for
servers that physically sit in other locations. 

 

This behavior is duplicated in _msdcs\gc\_sites.

 

Again, I was just brought in on this. What
is going on here?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?



 

Ok. Some conflicting
responses. Just so I can sort this out in my little brain:

 

I am aware of the island
issue and my practice has been to point to another site to promote, then change
it to point to itself. 

 

Why would you point to
another site as primary if there is poor connectivity?

 

The AD-integrated DNS
zones should be complete at each site, no? Should the SOA and the Name Servers
be the same at each site?

 

-- nme

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?



 

Agreed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?

In this scenario, I’d recommend Primary to another and secondary to self.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?



 

Hi –

 

I have just been brought into a situation
where a client has several poorly connected (VPN and slow connections to the
Internet) sites in a single W2k domain. Each site has a single DC that runs
AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked
the in-house guy through demoting and re-promoting everything. 

 

The question is this: where should
each DC’s DNS point? I have always thought they should point to
themselves and only themselves. The DNS server forwards to the Internet (as
everything is poorly connected). The in-house tech said Microsoft told him to
point each DC’s primary DNS to the FSMO-role holder and then to itself as
secondary.

 

Any thoughts?

 

-- nme

RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Isenhour, Joseph

Joe,
 
You make a good point.  What would an LDAP >= 
filter look like using this data type?  I'm familiar with VB and 
VBScript.  So are you saying that I can simply create a date type in script 
and use ADSI for example and set my variable to the AD attribute and it will 
convert automatically?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD


I still don’t think you 
should use Integer8/FILETIME format to store your date unless you absolutely 
need to.  I think 2.5.5.11 OM 23 or 24 is 
the way to go.  Depending on your API I think you will likely find them to 
be a better impedance match.
 
The big kicker is if 
you ever have to use VBScript to do this.  VBScript sucks at dealing with 
long integers but happily marshals LDAP 2.5.5.11 to variant datetime and 
back.
 
Plus, you’ll get some 
nicer fidelity in other tools such as ldp and ADSI Edit.  Integer8 will 
just be an opaque number that you need code to 
interpret.
 
2.5.5.11 values sort 
and index just fine and allow >= and <= comparisons, so I can’t think of a 
real compelling reason to use Integer8 unless your code happens to already rely 
on that.  It sounds like it doesn’t.
 
Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
 
Actually I just googled 
this and found something interesting that I didn't 
know:
Windows NT uses a 64-bit integer to 
track time. However, it uses 100 nanoseconds as its increment and the beginning 
of time is January 1, 1601, so NT suffers from the Year 2184 problem. 

I don't think we'll be 
on the same system in 2,184, but I don't want to be short sighted :)  Does 
Microsoft still use a 64-bit integer?
That's a good point Al, 
the date is not going to be compared to the other date types in AD so I suppose 
it really doesn't matter.  I may go with the NT date just to be 
consistent.
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
I think it still 
depends on how you intend to use the data.
 
For example, if you're 
going to pull other information of similar type (maybe pwdLastSet?) it would 
make sense to use the same format. 
 
Al
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
We are going to be 
modifying the field programmatically so from what Gil said it sounds like the 
large integer method is appropriate.  As a follow up question, do you think 
I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 
(The date used by pwdLastSet)?
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
Bingo, how is the data 
going to be used? I definitely agree, don't come up with your own format unless 
you have some amazing scheme that blows all of the other formats out of the 
water that makes it the best thing to do. Not saying you aren't going to come up 
with something amazing but I would guess the odds are against you. Anything you 
put into the directory, keep it in UTC. Less confusion that 
way.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
Depends on the domain 
of the date values, and how they are used. If the dates will be passed along to 
other X.500/LDAP type directories, you probably should use the Generalized Time 
syntax (2.5.5.11). If the dates are manipulated programmatically, use the long 
integer representation. It's pretty trivial to manipulate it as a date in your 
code. I'd avoid using a string representation unless your code requires a funny 
string format or unless it requires unusual date values like "today", 
"yesterday", or "when hell freezes over" (we use the latter for setting 
development dates for certain silly feature requests in our products 
:)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD
I'm 
looking for some opinions on a schema extension.  I need to store a date 
type in AD.  I figure I have several options.
Store it as a long integer.  To 
determine the date the consumer will need to count the nano seconds from a 
certain date (the way that pwdLastSet works)
Store it as a date

Re: [ActiveDir] Compelling arguments?

2005-03-29 Thread Steve
Joe.

What additional permissions are required for disjointed namespaces? 
You mention more permissions are required on the computer object?

Care to expand?  OR point to where they are documented?  

Cheers


On Tue, 29 Mar 2005 12:43:10 -0800, Isenhour, Joseph
<[EMAIL PROTECTED]> wrote:
> If you're also talking about servers don't forget that by default computers
> register their SPN using the AD domain name.  So if you have a server that
> registers HOST/someserver.myadname.net and the server actually resolves to
> someserver.mydnszone.net Kerberos will not work for the clients that try to
> connect using the DNS name.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
> Sent: Tuesday, March 29, 2005 7:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Compelling arguments?
> 
> 
> Are there compelling arguments to use the DNS Domain name of your AD Domain
> as the primary DNS Suffix versus a different DNS extension from a client
> functionality perspective?
> 
> Clients are still able to resolve the AD DNS Domain but most do not use it
> as their primary suffix.
> 
> Any thoughts welcome.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread joseph.e.kaplan

In an LDAP filter, generalized time and
UTC time look like this:

 

(yourTimeAttribute= MMDDHHMMSS.0Z)

 

As such, they are pretty easy to spit out
with code and are also human readable.

 

LDP and ADSI Edit will also show these in
a friendly format.

 

With integer8, they look like this:

 

(yourTimeAttribute=125655822921406250)

 

Those are not human readable and require
code to interpret.  Additionally, the IADsLargeInteger thing is a huge PITA in
my book and is worth avoiding for that reason alone if you need to deal with
VBScript.

 

In script, generalized time and UTC time
are converted by ADSI to and from normal COM variant date times, so in VBS they’ll
show up as normal date values.  No special processing is required.

 

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD



 

Joe,

 

You make a good point.  What would an
LDAP >= filter look like using this data type?  I'm familiar with VB
and VBScript.  So are you saying that I can simply create a date type in
script and use ADSI for example and set my variable to the AD attribute and it
will convert automatically?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I still don’t think you should use
Integer8/FILETIME format to store your date unless you absolutely need
to.  I think 2.5.5.11 OM 23 or 24 is the
way to go.  Depending on your API I think you will likely find them to be
a better impedance match.

 

The big kicker is if you ever have to use
VBScript to do this.  VBScript sucks at dealing with long integers but
happily marshals LDAP 2.5.5.11 to variant datetime and back.

 

Plus, you’ll get some nicer fidelity
in other tools such as ldp and ADSI Edit.  Integer8 will just be an opaque
number that you need code to interpret.

 

2.5.5.11 values sort and index just fine
and allow >= and <= comparisons, so I can’t think of a real
compelling reason to use Integer8 unless your code happens to already rely on
that.  It sounds like it doesn’t.

 

Joe K.
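As an added illustration of the two filter forms Joe K. compares above (example code, not anything posted in the thread), the Python below encodes one aware datetime both as AD's GeneralizedTime (syntax 2.5.5.11, written as YYYYMMDDHHMMSS.0Z) and as an Integer8/FILETIME tick count, builds the ">=" filter Joseph asked about in each form, and decodes the opaque 125655822921406250 value quoted in the message back into a readable timestamp. The attribute name yourTimeAttribute is the thread's own placeholder; the 2005-03-29 cut-off used in the demo is constructed.

```python
from datetime import datetime, timedelta, timezone

# Integer8 (LargeInteger, syntax 2.5.5.16) timestamps in AD are FILETIME values:
# 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.  GeneralizedTime
# (syntax 2.5.5.11) is the textual form YYYYMMDDHHMMSS.0Z that AD writes for
# attributes such as whenCreated.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(ticks: int) -> datetime:
    """Decode an Integer8/FILETIME value into an aware UTC datetime."""
    if ticks < 0:
        raise ValueError("FILETIME values are non-negative")
    return FILETIME_EPOCH + timedelta(microseconds=ticks // TICKS_PER_MICROSECOND)


def datetime_to_filetime(when: datetime) -> int:
    """Encode an aware datetime as FILETIME ticks (UTC, like everything in AD)."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime so the UTC conversion is explicit")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * TICKS_PER_MICROSECOND)


def to_generalized_time(when: datetime) -> str:
    """Encode an aware datetime in the YYYYMMDDHHMMSS.0Z form AD uses."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime so the UTC conversion is explicit")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def from_generalized_time(value: str) -> datetime:
    """Decode YYYYMMDDHHMMSS[.fff]Z; AD always writes the trailing Z (UTC)."""
    if not value.endswith("Z"):
        raise ValueError("only UTC GeneralizedTime values are handled here")
    stamp, _, fraction = value[:-1].partition(".")
    when = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if fraction:
        # Fractional seconds are rare in AD (it writes ".0"); pad to microseconds.
        when += timedelta(microseconds=int((fraction + "000000")[:6]))
    return when


def newer_than_filter(attribute: str, since: datetime, syntax: str) -> str:
    """Build the LDAP '>=' filter for either attribute syntax.

    Both forms order correctly for >= / <= because GeneralizedTime is a
    fixed-width, most-significant-digit-first string and Integer8 is a number.
    """
    if syntax == "generalizedtime":          # 2.5.5.11
        return f"({attribute}>={to_generalized_time(since)})"
    if syntax == "integer8":                 # 2.5.5.16 / LargeInteger
        return f"({attribute}>={datetime_to_filetime(since)})"
    raise ValueError(f"unknown attribute syntax: {syntax!r}")


if __name__ == "__main__":
    # The opaque value from the message, decoded into something a human can read.
    print(filetime_to_datetime(125655822921406250).isoformat())
    since = datetime(2005, 3, 29, tzinfo=timezone.utc)   # constructed cut-off
    for syntax in ("generalizedtime", "integer8"):
        print(newer_than_filter("yourTimeAttribute", since, syntax))
```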







RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread Gil Kirkpatrick
This is a very good argument for using 2.5.5.11. I've changed my mind.
 
-gil



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 3/29/2005 2:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD



I still don't think you should use Integer8/FILETIME format to store your date 
unless you absolutely need to.  I think 2.5.5.11 OM 23 or 24 is the way to go.  
Depending on your API I think you will likely find them to be a better 
impedance match.

 

The big kicker is if you ever have to use VBScript to do this.  VBScript sucks 
at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant 
datetime and back.

 

Plus, you'll get some nicer fidelity in other tools such as ldp and ADSI Edit.  
Integer8 will just be an opaque number that you need code to interpret.

 

2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I 
can't think of a real compelling reason to use Integer8 unless your code 
happens to already rely on that.  It sounds like it doesn't.

 

Joe K.

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

 

Actually I just googled this and found something interesting that I didn't know:

Windows NT uses a 64-bit integer to track time. However, it uses 100 
nanoseconds as its increment and the beginning of time is January 1, 1601, so 
NT suffers from the Year 2184 problem. 

I don't think we'll be on the same system in 2,184, but I don't want to be 
short sighted :)  Does Microsoft still use a 64-bit integer?

That's a good point Al, the date is not going to be compared to the other date 
types in AD so I suppose it really doesn't matter.  I may go with the NT date 
just to be consistent.

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I think it still depends on how you intend to use the data.

 

For example, if you're going to pull other information of similar type (maybe 
pwdLastSet?) it would make sense to use the same format. 

 

Al

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so from what Gil said 
it sounds like the large integer method is appropriate.  As a follow up 
question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX 
style) or January 1, 1601 (The date used by pwdLastSet)?

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely agree, don't come up with 
your own format unless you have some amazing scheme that blows all of the other 
formats out of the water that makes it the best thing to do. Not saying you 
aren't going to come up with something amazing but I would guess the odds are 
against you. Anything you put into the directory, keep it in UTC. Less 
confusion that way.

 

  joe

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates 
will be passed along to other X.500/LDAP type directories, you probably should 
use the Generalized Time syntax (2.5.5.11). If the dates are manipulated 
programmatically, use the long integer representation. It's pretty trivial to 
manipulate it as a date in your code. I'd avoid using a string representation 
unless your code requires a funny string format or unless it requires unusual 
date values like "today", "yesterday", or "when hell freezes over" (we use the 
latter for setting development dates for certain silly feature requests in our 
products :)

 

-gil

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date 
type in AD.  I figure I have several options.

Store it as a long integer.  To determine the date the consumer will need to 
count the nano seconds from a certain date (the way that pwdLastSet works)

Store it as a date type (which I've never used, and looking at the current 
sche

RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread joe

These are good arguments but I still put my money on int8. 
However my main coding is in c++ and it is trivial to handle the value and is 
immediately in a usable format. Initially it was a pain in the butt because it 
was new, but I expect more and more tools will become available to decode it. 
 
One thing I really like about int8 over the other formats: I want to add 100 
days, 14 hours, 35 mins, 30 seconds, and 600ms to a current time. Convert that 
to 100 nanosecond intervals and simply add to an int8 and you have the new date 
and don't have to worry about leap days, hours, seconds, etc. You don't need any 
COM to do it, simple basic API calls. But that is me, I dislike COM with a 
passion, also ADSI, etc. 
 
Of course, like JoeK says, if using vbscript or anything else with 
binary/integer handling it will be more interesting. Doing stuff from UNIX/perl 
and filetime is fairly easy as well, you throw an int8 through some basic math 
and use the ctime function. I have published the algorithm for converting it in 
perl several times both on this list and in the pubs. 
 
I think the argument is similar to why use binary for SDs or SIDs or GUIDs, 
etc. GUIDs are especially special as you will find them as unicode strings and 
as binary packs. Whoever is responsible for that could use a good smack. Chase 
property sets / extended rights some time and you start hating AD a little.
 
  joe
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 8:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD


In an LDAP filter, 
generalized time and UTC time look like this:
 
(yourTimeAttribute= 
MMDDHHMMSS.0Z)
 
As such, they are 
pretty easy to spit out with code and are also human 
readable.
 
LDP and ADSI Edit will 
also show these in a friendly format.
 
With integer8, they 
look like this:
 
(yourTimeAttribute=125655822921406250)
 
Those are not human 
readable and require code to interpret.  Additionally, the IADsLargeInteger 
thing is a huge PITA in my book and is worth avoiding for that reason alone if 
you need to deal with VBScript.
 
In script, generalized 
time and UTC time are converted by ADSI to and from normal COM variant date 
times, so in VBS they’ll show up as normal date values.  No special 
processing is required.
 
Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
 
Joe,
 
You make a good 
point.  What would an LDAP >= filter look like using this data 
type?  I'm familiar with VB and VBScript.  So are you saying that I 
can simply create a date type in script and use ADSI for example and set my 
variable to the AD attribute and it will convert 
automatically?
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
I still don’t think you 
should use Integer8/FILETIME format to store your date unless you absolutely 
need to.  I think 2.5.5.11 OM 23 or 24 is 
the way to go.  Depending on your API I think you will likely find them to 
be a better impedance match.
 
The big kicker is if 
you ever have to use VBScript to do this.  VBScript sucks at dealing with 
long integers but happily marshals LDAP 2.5.5.11 to variant datetime and 
back.
 
Plus, you’ll get some 
nicer fidelity in other tools such as ldp and ADSI Edit.  Integer8 will 
just be an opaque number that you need code to 
interpret.
 
2.5.5.11 values sort 
and index just fine and allow >= and <= comparisons, so I can’t think of a 
real compelling reason to use Integer8 unless your code happens to already rely 
on that.  It sounds like it doesn’t.
 
Joe K.




RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread joe

I don't believe that is correct. I seem to recall running 
that clock out once before with a loop and the value didn't stop until well past 
the year 31,000. Assuming positive and negative numbers I think you can get some 
value like 9,000,000,000,000,000,000 (it should be something like 9 followed by 
18 zeros) into an int8. 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Actually I just googled this and found something 
interesting that I didn't know:

Windows NT uses a 64-bit integer to track time. 
However, it uses 100 nanoseconds as its increment and the beginning of time is 
January 1, 1601, so NT suffers from the Year 2184 problem. 
I don't think we'll be on the same system in 2,184, but I don't want to be short sighted 
:)  Does Microsoft still use a 64-bit integer?
That's a good point Al, the date is not going to be compared to the other date types in 
AD so I suppose it really doesn't matter.  I may go with the NT date just 
to be consistent.
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I think it still depends on how you intend to use the 
data.
 
For example, if you're going to pull other information of 
similar type (maybe pwdLastSet?) it would make sense to use the same 
format. 
 
Al


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so 
from what Gil said it sounds like the large integer method is appropriate.  
As a follow up question, do you think I should use nano seconds from the Jan 2, 
1970 (UNIX style) or January 1, 1601 (The date used by 
pwdLastSet)?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are 
used. If the dates will be passed along to other X.500/LDAP type directories, 
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are 
manipulated programmatically, use the long integer representation. Its pretty 
trivial to manipulate it as a date in your code. I'd avoid using a string 
representation unless your code requires a funny string format or unless it 
requires unusual date values like "today", "yesterday", or "when hell freezes 
over" (we use the latter for setting development dates for certain silly feature 
requests in our products :)
 
-gil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema 
extension.  I need to store a date type in AD.  I figure I have 
several options.
Store it as a long integer.  To determine the 
date the consumer will need to count the nanoseconds from a certain date (the 
way that pwdLastSet works)
Store it as a date type (which I've never used, and 
looking at the current schema it appears that most people do not choose this 
option).
Store it as a unicode string and come up with a 
format like:  MMDD[ss][ss] 
Does anyone have an opinion on how this should be 
done? 
Thanks 


RE: [ActiveDir] Storing dates in AD

2005-03-29 Thread joe

If you use large int use filetime - number of 100 
nanosecond intervals from Jan 1, 1601. There are some docs (in fact I 
think there are some typos in Gil's book) that mention the 1970 date but I am 
not aware of anything in AD that uses anything but 
filetime. 
 
http://msdn.microsoft.com/library/default.asp?url="">
 
If you use int8 and don't use filetime, you will have 
some developer hunt you down most likely later on because their generic 
function that works on all other int8's doesn't work on 
yours.
 
   joe 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so 
from what Gil said it sounds like the large integer method is appropriate.  
As a follow-up question, do you think I should use nanoseconds from the Jan 2, 
1970 (UNIX style) or January 1, 1601 (the date used by 
pwdLastSet)?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are 
used. If the dates will be passed along to other X.500/LDAP type directories, 
you probably should use the Generalized Time syntax (2.5.5.11). If the dates are 
manipulated programmatically, use the long integer representation. Its pretty 
trivial to manipulate it as a date in your code. I'd avoid using a string 
representation unless your code requires a funny string format or unless it 
requires unusual date values like "today", "yesterday", or "when hell freezes 
over" (we use the latter for setting development dates for certain silly feature 
requests in our products :)
 
-gil


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema 
extension.  I need to store a date type in AD.  I figure I have 
several options.
Store it as a long integer.  To determine the 
date the consumer will need to count the nanoseconds from a certain date (the 
way that pwdLastSet works)
Store it as a date type (which I've never used, and 
looking at the current schema it appears that most people do not choose this 
option).
Store it as a unicode string and come up with a 
format like:  MMDD[ss][ss] 
Does anyone have an opinion on how this should be 
done? 
Thanks 
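A worked example of the FILETIME convention joe describes, added here and not part of the thread or any poster's code: the large-integer count of 100-nanosecond intervals since January 1, 1601 converted to and from datetimes and POSIX seconds, next to the Generalized Time (2.5.5.11) form Gil mentions, which is what whenCreated and whenChanged look like in the adfind output later on this page. The offset between the 1601 and 1970 epochs is 116444736000000000 intervals; the values 0 and 0x7FFFFFFFFFFFFFFF are treated as "not a date" because AD uses them as sentinels in pwdLastSet and accountExpires. The last function computes the year a signed 64-bit FILETIME counter actually runs out, so you can check the wrap-around figure quoted earlier in the thread for yourself. All sample values are constructed.

```python
# Added example (not from the thread): FILETIME and Generalized Time helpers
# for AD date attributes. Standard library only; sample values are constructed.
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 100-nanosecond intervals between 1601-01-01 and the Unix epoch (1970-01-01).
EPOCH_DELTA_100NS = 116_444_736_000_000_000
# Sentinel AD stores in accountExpires (and similar) for "never".
NEVER = 0x7FFF_FFFF_FFFF_FFFF


def _as_utc(dt):
    """Naive datetimes are taken as UTC; keep the directory in UTC, as joe says."""
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def filetime_to_datetime(value):
    """AD large integer (FILETIME) -> aware UTC datetime.

    0 and 0x7FFFFFFFFFFFFFFF are not dates (pwdLastSet = 0 means "must
    change", accountExpires = 0 or max means "never"), so they map to None.
    """
    value = int(value)
    if value in (0, NEVER):
        return None
    if value < 0:
        raise ValueError("negative FILETIME")
    # FILETIME has 100 ns resolution; datetime only keeps microseconds.
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime."""
    delta = _as_utc(dt) - EPOCH_1601
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10


def filetime_to_unix(value):
    """FILETIME -> POSIX seconds (float); None for the sentinels."""
    value = int(value)
    if value in (0, NEVER):
        return None
    return (value - EPOCH_DELTA_100NS) / 10_000_000


def unix_to_filetime(seconds):
    """POSIX seconds -> FILETIME, rounded to the nearest 100 ns."""
    return int(round(seconds * 10_000_000)) + EPOCH_DELTA_100NS


def parse_generalized_time(text):
    """Parse the Generalized Time (syntax 2.5.5.11) form AD writes,
    e.g. whenCreated = 20050330052740.0Z. Only the UTC ('Z') form is handled."""
    if not text.endswith("Z"):
        raise ValueError("expected a 'Z' (UTC) Generalized Time value")
    body = text[:-1]
    micro = 0
    if "." in body:
        body, frac = body.split(".", 1)
        micro = int((frac + "000000")[:6])
    dt = datetime.strptime(body, "%Y%m%d%H%M%S")
    return dt.replace(microsecond=micro, tzinfo=timezone.utc)


def to_generalized_time(dt):
    """Format as AD does: YYYYMMDDHHMMSS.0Z (the fraction is always written as .0)."""
    return _as_utc(dt).strftime("%Y%m%d%H%M%S") + ".0Z"


def filetime_max_year():
    """Year in which a signed 64-bit count of 100 ns intervals from 1601 runs
    out (mean Gregorian year, so accurate to within a year)."""
    seconds = (2 ** 63 - 1) / 10_000_000
    return 1601 + int(seconds / (365.2425 * 86_400))
```

The conversions deliberately refuse to turn the sentinels into a date: a script that blindly converts accountExpires = 0x7FFFFFFFFFFFFFFF will either overflow or report an expiry in the far future, and one that treats pwdLastSet = 0 as "January 1, 1601" will misreport accounts whose password has never been set.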


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe
I am not sure I follow what you are saying.

I have absolutely run in this configuration in a very large widget
manufacturer. Hundreds of thousands of hosts. It works fine for the Base OS.
Issues tend to crop up from poorly written/tested applications like the ones
I mentioned. 

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sergio Fonseca
Sent: Tuesday, March 29, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Hi,

Interesting perspective Joe.
One thing that I notice every day is that not all code is prepared for the
new features, for example the Domain Controller location process is
followed by many processes but not all. For example when you set permissions
on a file to a user of another domain the info is first obtained from the DCs in
the root domain, not the ones where you are logged on.
If you do not use the same FQDN suffixes you will have some things working
but others will suffer from slowness.

On Tue, 29 Mar 2005 10:29:11 -0500, joe <[EMAIL PROTECTED]> wrote:
> Ah you mean DNS disjoint namespace. I know of a couple of large orgs 
> that do this either because Bind Based DNS is full deployed to a very 
> large base and they don't want to change it and/or they feel a machine 
> in California shouldn't have the same DNS Suffix as a machine in New 
> York (I tend to be in that category as well - I like geographic based 
> DNS names). It is supported from an OS standpoint however it requires 
> some additional perms on the computer objects so the computers can 
> properly update their SPNs and dNSHostNames (though these aren't 
> needed for DCs obviously). I don't think it would be very fun to have 
> some 100,000+ machines all in a DNS zone called ad.company.com. It 
> almost seemed an attempt to get away from WINS by making DNS act like WINS
on a domain by domain basis.
>  
> The biggest downside to doing this is Microsoft and other software 
> vendors keep forgetting it is a supported configuration with 
> applications. Check out MOM2005, the latest SMS whatever that is, some 
> of the EMC NAS solutions, etc. If you do this, every application that 
> goes through testing, integration, certification needs to be tested 
> for disjoint namespace capability. I have seen a couple of occasions 
> where someone was really bright and set up a disjoint production 
> namespace but their test environment wasn't disjoint so they would 
> spend all of this time in test to say something works great and deploy 
> to production and watch it blow up immediately.
>  
> The other major downside I can think of is around name resolution. If 
> you aren't using WINS, you better like specifying FQDNs for machines. 
> This also applies to multidomain forest environments as well as 
> environments using disjoint namespace though. Personally, I like WINS 
> (or should I say NBNS as the RFC calls them). I think it got a bum rap 
> from people who used it and didn't understand how to keep it running 
> well or those that didn't want, for some, reason, to have unique host 
> names like those folks who think you need a machine named www to host 
> a website called www.company.com. There have been times I have 
> actually considered implementing an NBNS in case MS decides to drop 
> WINS Server from support. Mine would be a little different though, 
> accepting dynamic updates would be configurable, I see great value in 
> an NBNS that does not accept client registrations but instead only gives
out info put in by an admin.
>  
>  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent 
> Westmoreland
> Sent: Tuesday, March 29, 2005 10:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Compelling arguments?
> 
> 
> Are there compelling arguments to use the DNS Domain name of your AD 
> Domain as the primary DNS Suffix versus a different DNS extension from 
> a client functionality perspective?
> 
> Clients are still able to resolve the AD DNS Domain but most do not 
> use it as their primary suffix.
> 
> Any thoughts welcome.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe
Remember, my experience is mostly Fortune 50 and better. Most of the last
ten years was Fortune 5 or greater. Today I spent 10.5 hours at a (I think)
Fortune 2 company - another widget maker. Not AD work though thank god, it
was to consult on some Windows OS level stuff and some issues encountered
getting some probe based monitoring working with an app running on it. Last
time I talked to someone about it, their AD environment was best classified
as a military term that you can't say in mixed company. 

These environments are to the size that say a single DNS domain for North
America is 100,000+ hosts, do you really want 100,000+ hosts in a DNS Zone?
If so great! How are you delegating that management? If you have a solution,
great! In those environments though it is almost certain DNS is being
managed in some decentralized fashion and very likely is Bind based or at
least running on UNIX and has been for a long long time. Heck a single
DataCenter itself may be divvied up into 3-4-5 DNS Zones for management by
different groups. 

The times I have seen Windows DNS in these environments is with small pocket
deployments, not big centralized configurations. Generally it is ShadowIT
running around and central IT is trying to stamp them out anyway. Oh, you
may have the underscore zones delegated off to Windows, that is done as
well.

I like being able to look at a hostname and knowing where in the world the
machine is. Would I do this in some small company of 5000-1 hosts in one
building? No, highly doubtful. But the more decentralized the environment in
terms of machine locations and host management, the more I would be looking
in that direction. 

Overall, I care about DNS resolving correctly but I don't have some innate
need for it to run on Windows. In fact, in these large environments I kind
of like letting someone else manage it. Integrated DNS has always bothered
me, the implicit circular logic there. 


  joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe
Ah not really for hire. Well unless someone wants to hire me away from my
current employer which I am sure they wouldn't be happy about. I am not
saying it can't be done, I will do all sorts of things for good money and a
fun position. My main requirements are being very well paid, very little
travel, work from home, you get a hold of me via email - not pager, not
cell. I am in a pretty comfy spot right now for all of that. 

I actually had a headhunter who claimed he represented Dell emailing me a
month or three ago. I asked to hear the ball park number and the headhunter
just kept saying call me I was being asked for by name. I don't like phones,
ask anyone who knows me. Phones are archaic sync'ed communications devices
that do not scale well globally (you think otherwise, try getting US East
Coast, US West Coast, England, Germany, Singapore, Australia, and New
Zealand easily onto a single con call). I spend enough time on con calls, I
try to avoid it all the rest of the times. My home phone has the ringer off,
my personal cell phone usually isn't anywhere near me, my work cell phone is
only near me during business hours and someone has to have the number given
to them or they need to open the full properties of my GAL entry. 

Anyway, Al, let me know if the reasons given for regional in the previous
email make sense or not. I agree, company goals would be paramount. 
 
  joe 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Phil, you know he's for hire right?  He has a "p*mp" and everything last I
heard. :)


That said, it is interesting to see a regional specific approach to name
resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
because I think it would depend on the company goals whether or not that
would make sense. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe
> The lesson here is to determine which to do and implement 
> without exception.  The problem with doing it after the 
> fact is that you WILL break something.

Ding ding ding, we have a winner...

Exactly. You will break something and no matter what you do, someone will be
pissy about it. The UNIX folks coming in tend to be happy with the broken up
zoning, the Windows guys coming in tend to hate it. However I haven't had
many good Windows people come in the door off the street so it is generally
easier to dismiss them. Actually any more I am getting more and more to the
point where I look at a UNIX person as someone that can be trained to do
well on Windows Servers and Windows people are someone that can work the
help desk.

Yeah, cynical I know. :op

Come on Server Foundation.

   joe 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Our existing setup involves exactly as described by joe, BIND servers at the
root that feed down to further bind servers at each location with the
exception of the Americas. The americas have a majority of win2k DNS servers
but also some bind.

So you may have AD domains of americas.corp.com, europe.corp.com, and
asiapacific.corp.com.

You then have locations within americas like buenos aires, sao paolo, new
york city.

So you have site codes bue, spo, and nyc.

With dns domains for each location of bue.sub, spo.sub, and nyc.sub with the
sub domain being delegated from the central bind server to the
localized servers.   

Our situation is that our client services team prefers to use the AD domain
for resolution of client names, our colleagues in different areas prefer to
use the bind services for many applications, so what we end up with is a
mixed implementation and inconsistent client settings inside the
organization that lead to one machine having a need for a static entry in
the localized dns while the machine updates its hostname in the AD domain
automagically.  Now we have two host records for the same machine, and an
inconsistent PTR record as well.

We have unix based apps that implement a tcp wrapper to determine a machine's
identity but because there are different settings or duplicates in the
localized dns, AD dns, and the PTR records, the application breaks upon
forward and reverse lookup (whoever thought it was a good idea to use DNS as
a security mechanism should be choked)

The lesson here is to determine which to do and implement without exception.
The problem with doing it after the fact is that you WILL break something.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe

The permission mod you need to make is to correct this. 

 
http://support.microsoft.com/default.aspx?scid=kb;en-us;258503
 
 
Again, disjoint namespace works fine in the core OS. The 
issues that crop up are around poorly written/tested 
applications.
 
   joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers don't forget that by 
default computers register their SPN using the AD domain name.  So if 
you have a server that registers HOST/someserver.myadname.net and the server 
actually resolves to someserver.mydnszone.net Kerberos will not work for the 
clients that try to connect using the DNS name.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain
as the primary DNS Suffix versus a different DNS extension from a client
functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as
their primary suffix.

Any thoughts welcome.
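An added example, not Joseph's or joe's code, that makes the SPN point concrete: it parses the servicePrincipalName values on a computer object, reports whether an SPN exists for the name clients actually resolve, and lists the default HOST SPNs (NetBIOS name and dNSHostName) the computer registers for itself. The two sample computer objects and every host and domain name in them are hypothetical; the second sample models a disjoint primary suffix where the HOST/<dNSHostName> SPN is absent, which is the situation the permission change joe links to is meant to fix.

```python
# Added example (not from the thread): checking a computer's SPNs against the
# name clients actually resolve. Attribute dicts are constructed to mirror the
# scenario in Joseph's post; all host and domain names are hypothetical.


def parse_spn(spn):
    """Split 'service/host[:port][/instance]'; service and host are lowercased."""
    service, sep, rest = spn.partition("/")
    if not sep or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    hostport, _, instance = rest.partition("/")
    host, _, port = hostport.partition(":")
    return {
        "service": service.lower(),
        "host": host.lower(),
        "port": int(port) if port else None,
        "instance": instance or None,
    }


def default_host_spns(computer):
    """HOST SPNs a member computer registers for itself: its NetBIOS name and
    its dNSHostName. dNSHostName follows the machine's primary DNS suffix, so
    in a disjoint namespace it is not under the AD domain name."""
    netbios = computer["sAMAccountName"].rstrip("$")
    return {f"host/{netbios}".lower(), f"host/{computer['dNSHostName']}".lower()}


def has_spn_for(computer, client_fqdn, service="HOST"):
    """True if the account holds service/client_fqdn, i.e. the KDC can issue a
    ticket for the exact name the client built its SPN from."""
    wanted = (service.lower(), client_fqdn.lower())
    for spn in computer.get("servicePrincipalName", []):
        p = parse_spn(spn)
        if (p["service"], p["host"]) == wanted:
            return True
    return False


def disjoint_report(computer, client_fqdn, ad_domain):
    """Summarise the name/SPN situation for one computer object."""
    registered = {s.lower() for s in computer.get("servicePrincipalName", [])}
    dns_host = computer["dNSHostName"].lower()
    return {
        "dNSHostName": dns_host,
        "suffix_disjoint": not dns_host.endswith("." + ad_domain.lower()),
        "client_name_has_spn": has_spn_for(computer, client_fqdn),
        "default_spns_missing": sorted(default_host_spns(computer) - registered),
    }


# Constructed sample objects (hypothetical names).
# 1: primary suffix equals the AD domain; clients reach it as someserver.mydnszone.net
#    through a record in the other zone, so no SPN matches that name.
SERVER_AD_SUFFIX = {
    "sAMAccountName": "SOMESERVER$",
    "dNSHostName": "someserver.myadname.net",
    "servicePrincipalName": ["HOST/SOMESERVER", "HOST/someserver.myadname.net"],
}
# 2: disjoint primary suffix; the HOST/<dNSHostName> SPN never got written
#    (the self-registration needs the extra permission joe refers to).
SERVER_DISJOINT = {
    "sAMAccountName": "SOMESERVER$",
    "dNSHostName": "someserver.mydnszone.net",
    "servicePrincipalName": ["HOST/SOMESERVER"],
}
```

In practice you would feed the function the attributes returned by an LDAP query for the computer object rather than the constructed dicts; the check is the same, and "default_spns_missing" non-empty on a host in the disjoint zone is the symptom to look for before users report Kerberos failing and NTLM quietly taking over.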


RE: [ActiveDir] Compelling arguments?

2005-03-29 Thread joe

http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Tuesday, March 29, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Joe.

What additional permissions are required for disjointed names spaces? 
You mention more permissions are required on the computer object?

Care to expand?  OR point to where they are documented?  

Cheers


On Tue, 29 Mar 2005 12:43:10 -0800, Isenhour, Joseph
<[EMAIL PROTECTED]> wrote:
> If you're also talking about servers don't forget that by default 
> computers register their SPN using the AD domain name.  So if you have 
> a server that registers HOST/someserver.myadname.net and the server 
> actually resolves to someserver.mydnszone.net Kerberos will not work 
> for the clients that try to connect using the DNS name.
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brent 
> Westmoreland
> Sent: Tuesday, March 29, 2005 7:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Compelling arguments?
> 
> 
> Are there compelling arguments to use the DNS Domain name of your AD 
> Domain as the primary DNS Suffix versus a different DNS extension from 
> a client functionality perspective?
> 
> Clients are still able to resolve the AD DNS Domain but most do not 
> use it as their primary suffix.
> 
> Any thoughts welcome.


RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread joe
Jorge keeps saying it in different ways and I think people are missing the
point...

The coverage of neighboring sites occurs when there is no DC in the site, it
doesn't occur when a site's DCs are down. This is all keyed off of the site
containers in the configuration. I have seen DCs being promoed into a Domain
in a site and the DCs from other sites unregistering their records in that
site before the DC is even promoed up, all because the server object in the
site already replicated around. 

So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the domain.
If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds. This is one of the reasons why Exchange doesn't really use the
standard mechanism for DC/GC service location. They walk the metrics of the
site connections trying to find the closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate)
they will first try to reach the DCs in their own site (site A). As all DCs
are down in site A the clients then will ask for all DCs in the domain that
have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but non available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Autositecoverage by DCs from some domain for some site will only occur if
some site has no DCs from that same domain. Although DCs are down and not
available, the DCs in other sites in the same domain see in their own
replica that that site has DCs and autositecoverage will occur. Sitecoverage
will occur by other DCs if you configured it manually through the registry
or a GPO

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise
themselves as available to site A. The DCs in the site with lowest cost to
site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or powering
off the DCs or demoting them or what?

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion


I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in.
Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist Eastern Washington University





==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic c
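A small model of the lookup order joe describes, added here as an example and not part of the thread: a client asks for the site-specific SRV set first, and only if none of those DCs answer does it fall back to the domain-wide list, which is how a client ends up on a distant DC when a nearer one in another site would have done. It also shows the point Jorge and joe make about autositecoverage: coverage is computed from the site containers in the configuration NC, so a site whose DCs are merely down is not covered, while a site with no DC objects at all gets records registered by the DCs of the cheapest neighbouring site. All site names, DC names, link costs and the domain name are constructed.

```python
# Added example (not from the thread): a model of the locator fallback joe
# describes and of what autositecoverage does and does not do. Site names,
# DC names, link costs and the domain name are all constructed.

DOMAIN = "example.com"

# Configuration-NC view: DC server objects per site. SiteD has none.
SITE_DCS = {
    "SiteA": ["dc1.example.com", "dc2.example.com"],
    "SiteB": ["dc3.example.com"],
    "SiteC": ["dc4.example.com"],
    "SiteD": [],
}

# Site link costs (symmetric), constructed.
LINK_COST = {
    frozenset({"SiteA", "SiteB"}): 100,
    frozenset({"SiteA", "SiteC"}): 200,
    frozenset({"SiteB", "SiteC"}): 300,
    frozenset({"SiteA", "SiteD"}): 50,
    frozenset({"SiteB", "SiteD"}): 100,
}


def site_srv_name(site, domain):
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def domain_srv_name(domain):
    return f"_ldap._tcp.dc._msdcs.{domain}"


def sites_needing_coverage(site_dcs):
    """Autositecoverage keys off the configuration NC, not liveness: a site is
    covered only if it has no DC object at all. A site whose DCs are merely
    down is not in this list."""
    return sorted(site for site, dcs in site_dcs.items() if not dcs)


def covering_site(dcless_site, site_dcs, link_cost):
    """Site whose DCs register records for a DC-less site: the cheapest site
    link to it among sites that actually have DCs."""
    best = None
    for site, dcs in site_dcs.items():
        if not dcs:
            continue
        cost = link_cost.get(frozenset({dcless_site, site}))
        if cost is not None and (best is None or cost < best[0]):
            best = (cost, site)
    return best[1] if best else None


def build_srv_table(domain, site_dcs, link_cost):
    """What netlogon registrations would produce: site records for each DC's
    own site, site records for DC-less sites written by the covering site's
    DCs, and the domain-wide list of every DC. Records are not withdrawn just
    because a DC stops answering."""
    table, all_dcs = {}, []
    for site, dcs in site_dcs.items():
        if dcs:
            table[site_srv_name(site, domain)] = list(dcs)
            all_dcs.extend(dcs)
    for site in sites_needing_coverage(site_dcs):
        cover = covering_site(site, site_dcs, link_cost)
        if cover:
            table[site_srv_name(site, domain)] = list(site_dcs[cover])
    table[domain_srv_name(domain)] = all_dcs
    return table


def locate_dc(client_site, domain, reachable, table):
    """Locator order: the client's site-specific SRV set first, then the
    domain-wide set. `reachable` is the set of DCs answering the LDAP ping.
    Returns (dc, "site" | "domain") or (None, None). Order within a set is
    kept deterministic here; a real resolver orders by priority and weight."""
    for label, name in (("site", site_srv_name(client_site, domain)),
                        ("domain", domain_srv_name(domain))):
        for dc in table.get(name, []):
            if dc in reachable:
                return dc, label
    return None, None
```

Run with dc1 and dc2 removed from the reachable set and a SiteA client lands on whichever domain-wide DC answers first, not the one in the next-cheapest site; with a site (SiteD here) that has no DC objects, the covering site's DCs are what the site-specific query returns. Neither case changes the coverage list, which is the behaviour Matt hit in the original question.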

RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread joe



Yeah adfind will look at deleted objects. Do a search 
like
 
adfind -showdel -b dc=domain,dc=com -f name=name* 

 
So for instance if I am looking for the account 
joedeletetest
 
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest*

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>distinguishedName: CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330052811.0Z
>uSNCreated: 1773671
>isDeleted: TRUE
>uSNChanged: 1773678
>name: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 512
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>sAMAccountName: joedeletetest
>lastKnownParent: CN=Users,DC=joe,DC=com
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned
 
 
Note I was 
logged onto the domain I wanted to look in so I could shortcut -b 
dc=domain,dc=com with -default
 
You will 
note that the name is the old name with \0ADEL:OBJECTGUID so you will need to 
say name*. You could also do samaccountname=userid if you want though. 

 
whenChanged 
will tell you when it was deleted. If you have 2K3 you can look at the 
msDS-ReplAttributeMetaData which will tell you where the object was deleted. 
 
F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* msDS-ReplAttributeMetaData

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>msDS-ReplAttributeMetaData:
    objectCategory
    2
    2005-03-30T05:28:11Z
    d69be175-f343-4937-95d5-aa9efb2fa32b
    1773678
    1773678
    CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com

>msDS-ReplAttributeMetaData:
    lastKnownParent
    1
    2005-03-30T05:28:11Z
    d69be175-f343-4937-95d5-aa9efb2fa32b
    1773678
    1773678
    CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com

 
Just look at 
the originating DSA for the lastKnownParent attribute. 
 
Also if you 
have 2K3, you can use admod to restore that ID back and maintain the current SID, 
however anything scrubbed in the delete process you will need to put back 
manually like group memberships, etc.
 
 
[Wed 03/30/2005 0:32:46.26]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* -dsq |admod -undel

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=joedeletetest\0adel:5ebbc64e-41ed-4e9d-9776-c13827a31197,cn=deleted objects,dc=joe,dc=com...

The command completed successfully

[Wed 03/30/2005 0:36:50.23]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest
>distinguishedName: CN=joedeletetest,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330053650.0Z
>uSNCreated: 1773671
>uSNChanged: 1773719
>name: joedeletetest
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 514
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: joedeletetest
>sAMAccountType: 805306368
>lastKnownParent: CN=Users,DC=joe,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned
 
 
 
  
joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD

How do you know when the accounts went missing?
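Added example, not joe's code or part of his tools: the same investigation on a 2008 R2 or later forest using the ActiveDirectory PowerShell module (2012 or later), which is the nearest modern equivalent of the adfind/admod steps above. It finds the tombstone, reads the replication metadata for isDeleted and lastKnownParent to learn which DC originated the delete and when, and then reanimates the object. The server name is a placeholder and the account name is the thread's own test account.

```powershell
# Added example (not joe's code): locate a deleted account's tombstone, read the
# replication metadata to learn which DC originated the delete and when, then
# reanimate it. Assumes the ActiveDirectory module (2012 or later) against a
# 2008 R2 or later forest; the thread's adfind/admod commands are the 2003-era
# equivalent. The server name below is a placeholder.
param(
    [string]$SamAccountName = 'joedeletetest',    # the thread's test account name
    [string]$Server         = 'dc01.example.com'  # assumed DC to query
)
Import-Module ActiveDirectory

# 1. Find the tombstone. A deleted object keeps sAMAccountName, objectSid and
#    lastKnownParent, which is why it can be put back where it was.
$tomb = Get-ADObject -Server $Server -IncludeDeletedObjects `
    -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
    -Properties isDeleted, lastKnownParent, objectSid, whenChanged
if (-not $tomb) { throw "No tombstone found for $SamAccountName on $Server" }
$tomb | Select-Object DistinguishedName, lastKnownParent, objectSid, whenChanged

# 2. The replication metadata for isDeleted / lastKnownParent names the DC on
#    which the delete originated and the time. That DC's Security log (event
#    630 on 2003, 4726 on 2008 and later) is where the deleting principal is.
$meta = Get-ADReplicationAttributeMetadata -Server $Server -Object $tomb.DistinguishedName |
    Where-Object { $_.AttributeName -in 'isDeleted', 'lastKnownParent' } |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
$meta | Format-Table -AutoSize

# 3. Reanimate the tombstone once the deletion is understood. The SID survives;
#    without the Recycle Bin the attributes stripped at delete time (group
#    memberships etc.) have to be re-added by hand, as joe notes above.
Restore-ADObject -Server $Server -Identity $tomb.ObjectGUID
Get-ADUser -Server $Server -Identity $SamAccountName -Properties memberOf |
    Select-Object DistinguishedName, SID, memberOf
```

The originating DSA from step 2 is the DC whose Security log to pull first; querying any other DC only shows the delete arriving by replication, which is why auditing on all DCs without looking at the metadata can come up empty.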

RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread joe



I have never seen an object disappear that wasn't deleted by some process, script, tool, or some admin...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts disappearing from AD

In the past 2 months I’ve had 4 accounts that have just disappeared without a trace from AD. I’ve turned up auditing on all my Domain controllers but I haven’t been able to find anything relevant.

I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but they have been fixed and none of the errors went past 60 days.
I also don’t have a lot of group policies running or scripts that run (I just recently inherited this environment); also I’ve made sure only a select few people have rights to the Directory.

Has anyone seen this or had accounts that just seem to vanish?

Thanks in advance.

Mike
 
 


RE: [ActiveDir] AD/ Virus outbreak

2005-03-29 Thread joe
1. Don't log into servers to do daily work, learn how to do things with
remote interfaces.
2. Do not run IE, OE, or pretty much any App interactively on servers.
3. Do not log into workstations with IDs that have admin rights on servers,
use RUNAS or scripts that require you to specify the creds, etc. Even avoid
fixed drive letters to DCs with admin creds, use UNCs if you want to use NET
USE /USER.
4. Do not allow normal users to write to the file systems of a DC.
5. Keep DCs fully patched and do not run unnecessary services.

Quite honestly, you really shouldn't need to run AV software on DCs, there
shouldn't be vectors for them to be infected. If they get infected, it
usually means an Admin was careless - actually in every case of an infected
DC I have investigated it has been an admin being careless.

Yes you can put all roles on one DC. In an empty root I would have done it
already anyway and would have made all DCs in the empty root GCs most likely
as well.

   joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately
the 3 root DC's were not running a virus client, totally missed... anyway.
Looks like it is using known Windows exploitability to drop files and what
not.

2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)

If I have to rebuild can I at least for the interim transfer the above roles
on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
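Added example, not from joe's message or any tool of his: a detection script for the practice his points 1 to 3 warn against, people logging on interactively (console or RDP) to domain controllers. It reads Security event 4624 from every DC (the 2008 and later ID; the 2003-era DCs in the thread log 528 instead) and summarises interactive sessions per account, which is the list to work through with RUNAS and remote tooling. It assumes the ActiveDirectory module and event log read rights on the DCs.

```powershell
# Added example (not from the thread): audit interactive and RDP logons on
# domain controllers, the practice joe's points 1-3 warn against. Reads
# Security event 4624 (2008 and later; 528 on the thread's 2003 DCs) from each
# DC and summarises who logged on at the console or via RDP. Assumes the
# ActiveDirectory module and event log read rights on the DCs.
param(
    [int]$Days = 7
)
Import-Module ActiveDirectory

# Logon types that mean a human session on the DC itself, not a network auth.
$interactiveTypes = @{ 2 = 'Interactive (console)'; 10 = 'RemoteInteractive (RDP)'; 11 = 'CachedInteractive' }

function Get-DcInteractiveLogons {
    param([string]$DcName, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    Get-WinEvent -ComputerName $DcName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the EventData by field name rather than by position.
            $data = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            $type = [int]$data['LogonType']
            if ($interactiveTypes.ContainsKey($type)) {
                [pscustomobject]@{
                    DC        = $DcName
                    Time      = $_.TimeCreated
                    Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    LogonType = $interactiveTypes[$type]
                    Source    = $data['IpAddress']
                }
            }
        }
}

$since  = (Get-Date).AddDays(-$Days)
$report = Get-ADDomainController -Filter * | ForEach-Object {
    Get-DcInteractiveLogons -DcName $_.HostName -Since $since
}

# Group by account: an admin account with many console/RDP sessions on DCs is
# the habit to drive out (RUNAS and remote interfaces instead, per the thread).
$report | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'DCs'; e = { ($_.Group.DC | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it from a management workstation rather than on a DC, which is itself point 1 of the list; the per-account counts are the thing to trend, since a DC that gets logged on to only during patching looks very different from one used as a daily admin desktop.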



RE: [ActiveDir] Accounts disappearing from AD

2005-03-29 Thread Mike Hogenauer








Neither have I, which is why I’m so concerned!!

I’m auditing everything and still nothing that points to a malicious account deletion.

The only thing that I can think of is that with the File replication errors the forest was having, some accounts reached their tombstone period and were disabled, then they were possibly deleted by a local admin.

Thanks

Mike


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD

I have never seen an object disappear that wasn't deleted by some process, script, tool, or some admin...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts disappearing from AD

In the past 2 months I’ve had 4 accounts that have just disappeared without a trace from AD. I’ve turned up auditing on all my Domain controllers but I haven’t been able to find anything relevant.

I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but they have been fixed and none of the errors went past 60 days.

I also don’t have a lot of group policies running or scripts that run (I just recently inherited this environment); also I’ve made sure only a select few people have rights to the Directory.

Has anyone seen this or had accounts that just seem to vanish?

Thanks in advance.

Mike
 








[ActiveDir] Proxys and users, and ieak

2005-03-29 Thread Sergio Sánchez Trujillo

Hello,

Can I configure different proxies for different users with Group Policy?

And the other question is if I can substitute our IEAK config file with Group Policy.

Thanks,

 

Sergio Sánchez

www.epes.es 

 


RE: [ActiveDir] AD Site Confusion

2005-03-29 Thread Jorge de Almeida Pinto
Thanks joe!

An additional comment to:  

If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds


The latter could be optimized when a client asks for the global list of all
DCs for the domain (= all DCs that have registered the domain specific
resource records) the list is ordered, compared to the clients site, from
the lowest site cost (on top of the list) to the highest site cost. This way
it will try the nearest DCs and if those are not available the DCs that are
further away, etc.
Maybe in the "longhorn timeframe" ;-)
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 07:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Jorge keeps saying it in different ways and I think people are missing the
point...

The coverage of neighboring sites occurs when there is no DC in the site, it
doesn't occur when a site's DCs are down. This is all keyed off of the site
containers in the configuration. I have seen DCs being promoed into a Domain
in a site and the DCs from other sites unregistering their records in that
site before the DC is even promoed up, all because the server object in the
site already replicated around. 

So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the domain.
If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds. This is one of the reasons why Exchange doesn't really use the
standard mechanism for DC/GC service location. They walk the metrics of the
site connections trying to find the closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate)
they will first try to reach the DCs in their own site (site A). As all DCs
are down in site A the clients then will ask for all DCs in the domain that
have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, 29 March 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Autositecoverage by DCs from some domain for some site will only occur if
some site has no DCs from that same domain. Although DCs are down and not
available, the DCs in other sites in the same domain see in their own
replica that that site has DCs and autositecoverage will occur. Sitecoverage
will occur by other DCs if you configured it manually through the registry
or a GPO

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise
themselves as available to site A. The DCs in the site with lowest cost to
site A will perform this role.

What do you mean by 'take down'? Are 
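Added example, not from any message in this thread: the locator sequence joe and Jorge describe, reproduced from the DNS side so that the difference between "no DCs in the site" and "DCs registered but down" is visible. It queries the site-specific SRV records first, then the domain-wide list, and probes each candidate on 389. It assumes the DnsClient and NetTCPIP modules (Windows 8 / 2012 or later); the domain and site names are placeholders, and the fallback deliberately has no site-cost ordering, matching what Jorge says the client does today.

```powershell
# Added example (not from the thread): walk the DC locator steps described above
# from the DNS side. Query the site-specific SRV records for the client's site,
# then the domain-wide list, and check each candidate on 389 so that "no DCs in
# the site" and "DCs registered but down" can be told apart. Assumes the
# DnsClient and NetTCPIP modules; domain and site names are placeholders.
param(
    [string]$Domain = 'example.com',   # assumed AD DNS domain
    [string]$Site   = 'SiteA'          # assumed client site name
)

function Get-DcCandidates {
    param([string]$SrvName)
    # Resolve-DnsName returns SRV records with NameTarget/Priority/Port; the
    # additional-section A records that come back with them are filtered out.
    Resolve-DnsName -Name $SrvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority |
        ForEach-Object {
            [pscustomobject]@{
                DC        = $_.NameTarget
                Port      = $_.Port
                Reachable = Test-NetConnection -ComputerName $_.NameTarget -Port $_.Port `
                                -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
}

# Step 1: site-specific records. An empty list means the site has no DC of its
# own and relies on autositecoverage (a DC from the cheapest neighbouring site
# registering here). A non-empty list with nothing reachable is the thread's
# case: the site has DCs in the configuration, so no other DC covers it.
$siteDcs = @(Get-DcCandidates "_ldap._tcp.$Site._sites.dc._msdcs.$Domain")
"Site-specific DCs for ${Site}:"; $siteDcs | Format-Table -AutoSize

if ($siteDcs | Where-Object Reachable) {
    "Client would use a DC from its own site."
}
else {
    if ($siteDcs.Count -gt 0) { "Site has registered DCs but none answer; no site coverage will kick in." }
    else                      { "Site has no DC records; expecting autositecoverage from a neighbouring site." }
    # Step 2: the domain-wide list, unordered by site cost, as joe describes.
    $allDcs = @(Get-DcCandidates "_ldap._tcp.dc._msdcs.$Domain")
    "Falling back to the domain-wide list (no cost ordering):"
    $allDcs | Format-Table -AutoSize
    $pick = $allDcs | Where-Object Reachable | Select-Object -First 1
    if ($pick) { "Client would use $($pick.DC), wherever it happens to be." } else { "No DC reachable at all." }
}
```

Running this from a client in the affected site while its DCs are down shows the SRV records for the site still present, which is the point Jorge keeps making: coverage is keyed off the server objects in the configuration, not off reachability.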

RE: [ActiveDir] AD/ Virus outbreak

2005-03-29 Thread Jorge de Almeida Pinto
Try to sync from the non-infected DC with the infected DCs (as being the
inbound replication partners for the non-infected DC), transfer the FSMO
roles from the infected DCs to the non-infected DC. From now you can do it
in two ways:
* Clean the infected DCs (offline) by installing antivirus software with the
latest virus definition files
OR
* Kill the DCs, clean-up metadata for those DCs and rebuild them and finally
transfer the FSMO roles back accordingly. Before killing the DCs you could
install an additional (safety) DC so that after you remove/kill the infected
DCs your forest root domain still has 2 DCs. Reason: If you only have one DC
for your root domain and that one also dies, then your forest is dead and
needs to be rebuilt unless you have good backups for your forest root DCs.

In my opinion each Windows machine connected to the network (and I don't
care what role or function it has!) should (MUST) have the latest virusscan
engine and definitions and each windows machine should be patched to the
latest possible security patches!
Two measures that will mitigate the risk of security problems and virus
attacks (locally or remotely) on Windows machines connected to the network

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 19:51
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately
the 3 root DC's were not running a virus client, totally missed... anyway.
Looks like it is using known Windows exploitability to drop files and what
not.

2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)

If I have to rebuild can I at least for the interim transfer the above roles
on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,
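Added example, not from Jorge's or Devan's messages: the interim step Jorge describes, moving the Schema Master, Domain Naming Master and PDC Emulator off the two suspect root DCs onto the clean third one, with a before/after view of all five role holders. It assumes the ActiveDirectory module (2008 R2 or later); on the thread's 2003 DCs the same transfer is done with ntdsutil. The DC name is a placeholder.

```powershell
# Added example (not from the thread): move the Schema Master, Domain Naming
# Master and PDC Emulator onto the clean root DC and verify all five holders.
# Assumes the ActiveDirectory module; the DC name is a placeholder.
param(
    [string]$CleanDc = 'rootdc03.example.com'   # assumed clean DC (RID and Infrastructure master already)
)
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles live on the forest object, domain roles on the root domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain -Identity $forest.RootDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

"Before:"; Get-FsmoHolders | Format-List

# A graceful transfer needs the current holders online, since they hand the
# role over through replication. Only if a holder is already unreachable does
# adding -Force seize the role; a seized-from DC must then never come back on
# the network and gets metadata cleanup instead, which is Jorge's second path.
Move-ADDirectoryServerOperationMasterRole -Identity $CleanDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Confirm:$false

"After:"; Get-FsmoHolders | Format-List

# Devan's GCs are on the two suspect DCs; confirm the clean DC's GC status
# before they go offline so the forest keeps a global catalog.
Get-ADDomainController -Identity $CleanDc |
    Select-Object HostName, IsGlobalCatalog, OperationMasterRoles
```

Moving the roles does not make the suspect DCs safe to keep; it only removes the single points of failure from them so that cleaning or rebuilding them, and adding the extra DC Jorge suggests, can happen without the root domain being one outage away from a forest rebuild.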




RE: [ActiveDir] DNS should point to...?

2005-03-29 Thread Jorge de Almeida Pinto
The DNS island issue occurs only in Windows 2000 domains being the forest
root domain

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paresh Nhathalal
Sent: Tuesday, March 29, 2005 19:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?

On DCs running DNS - point primary DNS to itself and secondary DNS to a
nearest site or hub DNS server.

Be aware of DNS Island issue in Windows 2000 though!

Paresh

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: 29 March 2005 18:47
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS should point to...?

http://www.ultratech-llc.com/KB/?File=ADNetwork.TXT

No, DNS servers should not only point to themselves.  See above.

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On Tue, 29 Mar 2005 09:31:59 -0800, Noah Eiger <[EMAIL PROTECTED]> wrote:
> Hi -
> 
> I have just been brought into a situation where a client has several poorly
> connected (VPN and slow connections to the Internet) sites in a single W2k
> domain. Each site has a single DC that runs AD-integrated DNS. Previously,
> most of the DCs had tombstoned. Microsoft walked the in-house guy through
> demoting and re-promoting everything.
> 
> The question is this: where should each DC's DNS point? I have always
> thought they should point to themselves and only themselves. The DNS server
> forwards to the Internet (as everything is poorly connected). The in-house
> tech said Microsoft told him to point each DC's primary DNS to the FSMO-role
> holder and then to itself as secondary.
> 
> Any thoughts?
> 
> -- nme
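Added example, not from any message in this thread: an audit of every DC's DNS client list against the rule Paresh gives (itself first, then a hub or nearby-site DNS server) that also flags the self-only configuration ASB warns against. It assumes the ActiveDirectory and DnsClient modules (2012 or later) and PowerShell remoting to the DCs; whether self-only additionally triggers the DNS island problem depends on the Windows 2000 forest-root condition Jorge states, so the verdict text sticks to the fallback concern.

```powershell
# Added example (not from the thread): check each DC's DNS client servers
# against "itself first, a remote DNS server second" and flag the self-only
# case. Assumes the ActiveDirectory and DnsClient modules and PowerShell
# remoting to the DCs.
Import-Module ActiveDirectory

function Test-DcDnsClient {
    param($Dc)   # an object from Get-ADDomainController
    # Collect the IPv4 DNS servers of every interface that has any configured.
    # @() guards against a single string coming back as a scalar.
    $servers = @(Invoke-Command -ComputerName $Dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses
    })
    $self   = @('127.0.0.1', $Dc.IPv4Address)
    $others = @($servers | Where-Object { $_ -notin $self })

    if     ($servers.Count -eq 0)       { $verdict = 'no DNS servers configured' }
    elseif ($servers[0] -notin $self)   { $verdict = 'primary is not itself' }
    elseif ($others.Count -eq 0)        { $verdict = 'self only: no fallback if the local DNS service is down' }
    else                                { $verdict = 'ok: itself first, remote fallback present' }

    [pscustomobject]@{
        DC         = $Dc.HostName
        Site       = $Dc.Site
        DnsServers = ($servers -join ', ')
        Verdict    = $verdict
    }
}

Get-ADDomainController -Filter * | ForEach-Object { Test-DcDnsClient $_ } | Format-Table -AutoSize
```

The "primary is not itself" verdict is the configuration Noah's in-house tech was given (FSMO holder first, itself second); over the slow VPN links he describes it makes every lookup on the branch DC depend on the hub being reachable, which is the trade-off the thread is arguing about.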