RE: [ActiveDir] AD Site Confusion
I think that's incorrect if you're talking about autositecoverage. Autositecoverage by DCs from some domain for some site will only occur if some site has no DCs from that same domain. Although DCs are down and not available, the DCs in other sites in the same domain see in their own replica that that site has DCs and autositecoverage will occur. Sitecoverage will occur by other DCs if you configured it manually through the registry or a GPO.

Cheers,
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise themselves as available to site A. The DCs in the site with lowest cost to site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or powering off the DCs or demoting them or what?

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion

I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the clients in Site A cannot log in. Shouldn't they be able to log in using site B or C?

Thanks,
--
Matt Brown
Information Technology System Specialist
Eastern Washington University

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] AD Site Confusion
Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'? This has huge ramifications in the branch office. Or did I simply explain how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2 scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but not available

Can you expand on your previous post please?

Thanks,
neil
Re: [ActiveDir] AD Site Confusion
Hi,

The site coverage is a good feature to speed up the login process but the discovery process that clients use will try any DC in the Domain. Maybe your client is using the wrong DNS (since there are DCs unavailable) or a GC is not available. What is the error message when you try to login?
RE: [ActiveDir] AD Site Confusion
Auto-Site coverage is enabled by default and DCs will cover the site where there are no DCs. You should ensure that the clients in that "DC-less" site are re-pointed to the correct DNS Servers.
RE: [ActiveDir] AD Site Confusion
Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate) they will first try to reach the DCs in their own site (site A). As all DCs are down in site A the clients then will ask for all DCs in the domain that have registered the domain specific DNS records. For more info on this see:

* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935 Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html Designing for DC Failover by Sean Deuby

Autositecoverage only works for DC-less sites. So yes, it behaves differently for situation 1 (autositecoverage will occur) and 2 (no autositecoverage will occur).

Cheers
Jorge
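The distinction Jorge draws (auto site coverage only for DC-less sites; clients fall back from site-specific to domain-wide DNS records) as an added, simplified model in Python, not code from the thread. It assumes a constructed domain name and Matt's three-site topology with made-up site-link costs, and omits the real algorithm's tie-break rules and site-link bridging.

```python
from __future__ import annotations

from dataclasses import dataclass, field

DOMAIN = "corp.example"   # assumed domain name, constructed for this example


@dataclass
class Site:
    name: str
    dcs: list[str] = field(default_factory=list)   # DCs of the domain defined in this site


@dataclass
class Topology:
    sites: dict[str, Site]
    link_costs: dict[frozenset[str], int]          # cost of the site link between two sites
    down: set[str] = field(default_factory=set)     # DCs that are powered off / unreachable

    def cost(self, a: str, b: str) -> int | None:
        """Site-link cost between two sites; None when no direct link exists (no bridging modelled)."""
        return 0 if a == b else self.link_costs.get(frozenset((a, b)))


def auto_covering_site(topo: Topology, target: str) -> str | None:
    """Site whose DCs auto-cover `target`, or None when the directory says `target` has DCs.

    Availability is deliberately ignored here: a site whose DCs are all down still
    has DC objects in the directory, so no other site steps in for it.
    """
    if topo.sites[target].dcs:
        return None
    candidates = [
        (topo.cost(s.name, target), s.name)
        for s in topo.sites.values()
        if s.dcs and topo.cost(s.name, target) is not None
    ]
    return min(candidates)[1] if candidates else None


def srv_records(topo: Topology) -> dict[str, list[str]]:
    """DNS SRV record name -> DC hostnames, as the DCs would register them (simplified)."""
    records: dict[str, list[str]] = {}
    for site in topo.sites.values():
        for dc in site.dcs:
            records.setdefault(f"_ldap._tcp.dc._msdcs.{DOMAIN}", []).append(dc)
            records.setdefault(f"_ldap._tcp.{site.name}._sites.dc._msdcs.{DOMAIN}", []).append(dc)
    for site in topo.sites.values():                # auto site coverage for DC-less sites only
        cover = auto_covering_site(topo, site.name)
        if cover is not None:
            name = f"_ldap._tcp.{site.name}._sites.dc._msdcs.{DOMAIN}"
            records.setdefault(name, []).extend(topo.sites[cover].dcs)
    return records


def locate_dc(topo: Topology, client_site: str) -> tuple[str, str] | None:
    """(dc, lookup) for the first reachable DC: site-specific records first, then domain-wide."""
    records = srv_records(topo)
    lookups = (
        ("site", f"_ldap._tcp.{client_site}._sites.dc._msdcs.{DOMAIN}"),
        ("domain", f"_ldap._tcp.dc._msdcs.{DOMAIN}"),
    )
    for label, name in lookups:
        for dc in records.get(name, []):
            if dc not in topo.down:
                return dc, label
    return None


def matts_topology() -> Topology:
    """Constructed: site A has two DCs, B and C one each; B is the cheaper link to A."""
    return Topology(
        sites={"A": Site("A", ["dc1", "dc2"]), "B": Site("B", ["dc3"]), "C": Site("C", ["dc4"])},
        link_costs={frozenset(("A", "B")): 100, frozenset(("A", "C")): 200, frozenset(("B", "C")): 100},
    )


if __name__ == "__main__":
    topo = matts_topology()
    topo.down = {"dc1", "dc2"}              # "take down site A (both DCs)"
    print(auto_covering_site(topo, "A"))    # None: A still has DC objects, so no auto coverage
    print(locate_dc(topo, "A"))             # ('dc3', 'domain'): reached via the domain-wide fallback
    topo.sites["A"].dcs = []                # scenario 1: no DCs installed in site A at all
    print(auto_covering_site(topo, "A"))    # 'B': lowest-cost site with DCs covers A
    print(locate_dc(topo, "A"))             # ('dc3', 'site')
```

The model shows why Matt's clients can still find a DC (the domain-wide fallback) even though nothing is covering site A, and why the "no DCs at all" case looks different in DNS.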
RE: [ActiveDir] Bridgehead in a single-server site
There are two reasons why you select preferred BHS.

1. You have some security / political requirement to direct traffic to a particular server. (Firewall, Core service DC vs child domain).
2. You don't want the other servers to be targets as BHS. (Underpowered box, etc.)

Todd Myrick

-----Original Message-----
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment. Let the KCC handle the BH selection. Otherwise you have to manually select the BH server(s). You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> Is there a good reason to NOT let the KCC pick the BH for you automatically? That way you get some failover if it craps out for some reason. Otherwise you'll have to watch the DC constantly to reset the BH to make sure replication continues to work. In Windows 2003, the KCC is pretty good about picking the best server as a BH.
>
> -gil
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
>
> Hi guys,
>
> Just curious...any opinions on denoting a server as a bridgehead in a site where it is currently the only defined server? We were thinking that it then wouldn't be necessary down the road when other DCs are added. Is there any harm in this? Is there any good in this? ;-)
>
> (Forest and domain functional levels are Win2003)
>
> -DaveC
> Reuters CIO Infrastructure
RE: [ActiveDir] AD user account keeps getting locked out
Hey – thanks to all who replied – the user was in a rush to catch an early flight back home and couldn't wait ... so I ended up changing her logon and the problem has gone away. I just downloaded the tools mentioned below – so thanks for the link!

Have a good one!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway
Livonia, MI 48152
Tel 734.591.7324
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 26, 2005 10:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD user account keeps getting locked out

Joe –

Run into this issue all of the time. Usually, it has to do with an application or some other application / process that either uses or caches the user's credentials. If the password is changed, the application or process needs to be changed as well.

My recommendation: the Account Lockout and Management tools. The most important part of this set is a .dll that needs to be loaded on the DCs and adds an additional tab onto the user properties in Active Directory Users and Computers. It doesn't need to be on all of the DCs, just a couple that you would reference most frequently. With the tool you can determine what DC locked out the user, and then go to the DC that has the actual record of the lockout. Having the firsthand events would be essential.

Also in the tool kit is a .dll that can be loaded on the client workstation that will gather added information into a log. The log will pinpoint what on the client system might be causing the problem.

Also included are EventCombMT (for parsing the event logs for specific info), ALoInfo (lists all user accounts and the age of the password), NLParse (used to get info from the NetLogon files), plus a few more.

Find the Account Lockout and Management tools here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Friday, March 25, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD user account keeps getting locked out

Hello!

I have a user account that continuously keeps getting locked out. We've reset the user's password (multiple times), took the computer off of the domain, renamed the computer, put it back on the domain, etc. This user works primarily out of her home office but is at our headquarters yesterday and today. She had a junior admin reset her password and install some software (Adobe) yesterday and has had the problem ever since.

Anyone been down this road before?

Joe Pelle
Senior Infrastructure Architect
Valassis / IT
RE: [ActiveDir] LDAPS part 2
I run into this almost daily at the moment. I can't comment on whether or not I have SSL for ldap binds on the corporate network, but I have to say that you should use it where required.

From what I keep seeing, the apps that tend to use this model are the ones that are converted from using SunONE to ADS. They tend to want to use one or the other and it's to the advantage of the development company to use something common. While I would prefer that they figure out what AD Integrated means and define a common set of descriptions for that. Might be my fault for not being more rigid I suppose, but we can't all own the system now can we :)

I've got three at the moment. One wants to extend the schema and then will use ADS as the identity, authentication and authorization mechanism. It's optional to use SunONE locally and have it pass through the authentication from the desktop. SSL and extend the schema on the DC's? Not likely. Another app doesn't extend the schema, but instead creates 200+ groups and a few accounts to manage the access. The app uses WebLogic and does ldap bind (simple bind - yuck) and was originally written for SunOne directories. A third one still has the requirements being defined apparently. There's several more in the wings waiting to see daylight.

If you don't like SSL, which is fairly standard, have you considered IPSec? When all is said and done, that's all you really are after: transport level protection to prevent network traces of credentials that are flying about the ether(net).

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

Use it if you have to use simple ldap binds or you don't mind clear text passwords from simple ldap binds flying about.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, March 28, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAPS part 2

So what is the consensus on this then? How many people on this list have implemented LDAP over SSL in their environment? Did you run into any problems? Would you do it again, or have you decided that there was no benefit in your particular scenario?

Thanks for the information Joe^2
RE: [ActiveDir] startup scripts not running
It adds a group to the RDP permissions so our off-hours operators have TS access into the servers. It's in the startup script because we wanted to make sure that if that ever got changed manually by someone, a reboot would cure it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

What exactly is the EXE doing? Not all system services are available when the startup script runs. For instance, try to shut down a server from a startup script. If you ever really need to do that, let me know, I have an exe that will do it. Dean told me about issues doing it and I got interested enough to look at it and it pissed me right off so I "fixed" it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 4:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It is a vbs. Actually, though, I found out a little more. I put a fresh server into the same OU, and rebooted. Turns out most of the script is successful. The only part that isn't is a line that calls an executable file (.exe), which is also located in the same folder as the vbscript. If I wait until the server is fully logged in, the script runs the executable with no problem. If I leave it to the startup script to run, it does not. I'm using the Exec method of the wscript object, such as:

Ws.exec("myexecutable.exe")

Does that make sense?

Thanks again,
Mark

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 28, 2005 3:34 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Is it a vbs? If yes, have you tried calling it from a bat file? Does it work if you do that? What you can do depends on the outcome of that test.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, March 28, 2005 11:54 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] startup scripts not running

I have a situation in which startup scripts assigned to various OUs where different servers are located are not running. If I log in as a domain admin, browse to the location of the script in the GPO assigned to the OU where that server is located, I can launch the script with no problem. I'm having trouble figuring out why the script won't launch on its own. The only thing I've found so far in troubleshooting a startup script is to look for an entry in the Application log with a source of Userinit. However, I see no such entries. Can anyone think of what I might need to look at? What permissions need to be enabled on the Policy itself, just in case that's the issue?

Thanks,
Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] startup scripts not running
Ok, do you know for a fact that the exe isn't running, or is it simply not outputting an error if it fails? The reboot issue I mentioned before appeared to be that shutdown wasn't being run; it was running, but it was hitting a "device not ready" error and wasn't outputting it. Once I wrote a tool that definitely output errors when it ran into them, it was crystal clear that something was preventing shutdown from working when running in a startup script.

It goes back to a type of error handling some programs use. Some will encounter an error and dump out with any errors it doesn't know how to handle. Some will dump out only with errors it knows how to handle.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, March 29, 2005 8:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

It adds a group to the RDP permissions so our off-hours operators have TS access into the servers. It's in the startup script because we wanted to make sure that if that ever got changed manually by someone, a reboot would cure it.
RE: [ActiveDir] startup scripts not running
Good point Joe, I don't know. I'm basing the "not working" assumption on the end result not being there, namely that the group has not been added to the RDP permissions. However when I run it manually after logging in, the group is added. Next I tried adding a Do Until loop in the script, looking for the executable to return a 0. That never happens. The startup script runs forever :) So based on that, and what you said, I guess I need to ask the programmer (this app is home-grown) what error is thrown if it doesn't work.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Ok, do you know for a fact that the exe isn't running, or is it simply not outputting an error if it fails? The reboot issue I mentioned before appeared to be that shutdown wasn't being run; it was running, but it was hitting a "device not ready" error and wasn't outputting it. Once I wrote a tool that definitely output errors when it ran into them, it was crystal clear that something was preventing shutdown from working when running in a startup script. It goes back to a type of error handling some programs use. Some will encounter an error and dump out with any errors it doesn't know how to handle. Some will dump out only with errors it knows how to handle.
RE: [ActiveDir] startup scripts not running
Yep, that was a method I tried with the restart, assuming that eventually whatever was slow would come up, but it seems that part of the system just waits until after the startup script completes and the system says it is ready for users.

If the app is local you can enable auditing on it and it will tell you if the file is being opened or not. If the file is being opened, you can pretty much guess it is being run and is bombing with some sort of undisclosed error.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, March 29, 2005 9:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Good point Joe, I don't know. I'm basing the "not working" assumption on the end result not being there, namely that the group has not been added to the RDP permissions. However when I run it manually after logging in, the group is added. Next I tried adding a Do Until loop in the script, looking for the executable to return a 0. That never happens. The startup script runs forever :) So based on that, and what you said, I guess I need to ask the programmer (this app is home-grown) what error is thrown if it doesn't work.
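Mark's Do Until loop waits for a 0 exit code that never arrives, and Joe's point is that the exe may be running and failing without saying so. The VBScript below is an added example, not Mark's script or any list member's code: it runs the executable with a bounded wait instead of an open-ended loop, captures the exit code and whatever the program wrote to stdout/stderr, and records the outcome in the Application event log so a silent failure under the startup script becomes visible. The path C:\Scripts\myexecutable.exe and the 120-second limit are assumptions.

```vbscript
Option Explicit
' Added example: run a helper exe from a startup script with a bounded wait,
' capture its exit code and output, and record the result in the Application
' event log. The path and timeout are assumed values, not from the thread.
Const EXE_PATH     = "C:\Scripts\myexecutable.exe"
Const TIMEOUT_SECS = 120
Const LOG_SUCCESS  = 0   ' WshShell.LogEvent event types
Const LOG_ERROR    = 1

Dim shell, proc, startedAt, timedOut, outText, errText
Set shell = CreateObject("WScript.Shell")

' Exec (unlike Run) returns a WshScriptExec object, which exposes the
' process status, its exit code and its stdout/stderr pipes.
Set proc = shell.Exec("""" & EXE_PATH & """")
startedAt = Now
timedOut  = False

' proc.Status is 0 while the process runs and 1 once it has finished.
' Poll against a deadline rather than looping until a 0 exit code appears,
' so a hung or blocked exe cannot stall the boot indefinitely.
Do While proc.Status = 0
    WScript.Sleep 500
    If DateDiff("s", startedAt, Now) > TIMEOUT_SECS Then
        timedOut = True
        proc.Terminate
        Exit Do
    End If
Loop

' Drain both pipes. A program that appears to fail silently at the console
' often still writes something here, and that text is what the programmer
' will want to see. (For a very chatty program read the pipes inside the
' loop instead, or the child can block on a full pipe and hit the timeout.)
outText = proc.StdOut.ReadAll
errText = proc.StdErr.ReadAll

If timedOut Then
    shell.LogEvent LOG_ERROR, "Startup script: " & EXE_PATH & " did not finish within " & _
        TIMEOUT_SECS & " seconds and was terminated. stderr: " & errText
ElseIf proc.ExitCode <> 0 Then
    shell.LogEvent LOG_ERROR, "Startup script: " & EXE_PATH & " exited with code " & _
        proc.ExitCode & ". stdout: " & outText & " stderr: " & errText
Else
    shell.LogEvent LOG_SUCCESS, "Startup script: " & EXE_PATH & _
        " completed with exit code 0. stdout: " & outText
End If
```

The entries land in the Application log with source WSH, so they can be checked after a reboot even though a startup script runs under the computer account with no interactive desktop.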
[ActiveDir] Compelling arguments?
Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix. Any thoughts welcome.
RE: [ActiveDir] startup scripts not running
Mark, try calling the vbs from a bat file and see what happens. So, instead of putting the name of the vbs directly as the startup script, put the name of a bat file. In the bat file, you just simply need to do something like:

Set ScriptPath=\\%logonserver%\NETLOGON
Call %ScriptPath%\myscript.vbs

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, March 29, 2005 6:29 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] startup scripts not running

Good point Joe, I don't know. I'm basing the "not working" assumption on the end result not being there, namely that the group has not been added to the RDP permissions. However when I run it manually after logging in, the group is added. Next I tried adding a Do Until loop in the script, looking for the executable to return a 0. That never happens. The startup script runs forever :) So based on that, and what you said, I guess I need to ask the programmer (this app is home-grown) what error is thrown if it doesn't work.
RE: [ActiveDir] Compelling arguments?
Ah you mean DNS disjoint namespace. I know of a couple of large orgs that do this either because BIND based DNS is fully deployed to a very large base and they don't want to change it and/or they feel a machine in California shouldn't have the same DNS Suffix as a machine in New York (I tend to be in that category as well - I like geographic based DNS names). It is supported from an OS standpoint, however it requires some additional perms on the computer objects so the computers can properly update their SPNs and dNSHostNames (though these aren't needed for DCs obviously). I don't think it would be very fun to have some 100,000+ machines all in a DNS zone called ad.company.com. It almost seemed an attempt to get away from WINS by making DNS act like WINS on a domain by domain basis.

The biggest downside to doing this is Microsoft and other software vendors keep forgetting it is a supported configuration with applications. Check out MOM2005, the latest SMS whatever that is, some of the EMC NAS solutions, etc. If you do this, every application that goes through testing, integration, certification needs to be tested for disjoint namespace capability. I have seen a couple of occasions where someone was really bright and set up a disjoint production namespace but their test environment wasn't disjoint so they would spend all of this time in test to say something works great and deploy to production and watch it blow up immediately.

The other major downside I can think of is around name resolution. If you aren't using WINS, you better like specifying FQDNs for machines. This also applies to multidomain forest environments as well as environments using disjoint namespace though. Personally, I like WINS (or should I say NBNS as the RFC calls them). I think it got a bum rap from people who used it and didn't understand how to keep it running well or those that didn't want, for some reason, to have unique host names like those folks who think you need a machine named www to host a website called www.company.com. There have been times I have actually considered implementing an NBNS in case MS decides to drop WINS Server from support. Mine would be a little different though, accepting dynamic updates would be configurable, I see great value in an NBNS that does not accept client registrations but instead only gives out info put in by an admin.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 10:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix. Any thoughts welcome.
RE: [ActiveDir] Bridgehead in a single-server site
Thanks everyone. All replies (opinions) were consistent and are summed up effectively by the latest from Todd below. For those interested --> Some brief detective work here has revealed that, historically, there were some valid reasons for manually selecting a BH in several sites. At the time of my post I had thought EVERY site here was configured that way, and so thought this was the norm ("assumption" once again a foolish path!). The MS documentation and your recent replies indicate we should consider a change, especially since none of those old reasons apply anymore.

Thanks again!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 29, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site

There are two reasons why you select preferred BHS.

1. You have some security / political requirement to direct traffic to a particular server. (Firewall, Core service DC vs child domain).
2. You don't want the other servers to be targets as BHS. (Underpowered box, etc.)

Todd Myrick

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment. Let the KCC handle the BH selection. Otherwise you have to manually select the BH server(s). You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> Is there a good reason to NOT let the KCC pick the BH for you automatically?
> That way you get some failover if it craps out for some reason.
> Otherwise you'll have to watch the DC constantly to reset the BH to
> make sure replication continues to work. In Windows 2003, the KCC is
> pretty good about picking the best server as a BH.
>
> -gil
>
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
>
> Hi guys,
>
> Just curious...any opinions on denoting a server as a bridgehead
> in a site where it is currently the only defined server? We were
> thinking that it then wouldn't be necessary down the road when other
> DCs are added. Is there any harm in this? Is there any good in this?
> ; - )
>
> (Forest and domain functional levels are Win2003)
>
> -DaveC
> Reuters CIO Infrastructure
>
> -
> Visit our Internet site at http://www.reuters.com
>
> To find out more about Reuters Products and Services visit
> http://www.reuters.com/productinfo
>
> Any views expressed in this message are those of the individual
> sender, except where the sender specifically states them to be the
> views of Reuters Ltd.
[ActiveDir] Accounts disappearing from AD
In the past 2 months I've had 4 accounts that have just disappeared without a trace from AD. I've turned up auditing on all my Domain controllers but I haven't been able to find anything relevant. I have 4 offices in WA, CA, NC, and NY. I did have some replication errors but they have been fixed and none of the errors went past 60 days. I also don't have a lot of group policies running or scripts that run (I just recently inherited this environment); also I've made sure only a select few people have rights to the Directory. Has anyone seen this or had accounts that just seem to vanish?

Thanks in advance.

Mike
Re: [ActiveDir] Compelling arguments?
Hi,

Interesting perspective Joe. One thing that I notice every day is that not all code is prepared for the new features; for example, the Domain Controller location process is followed by many processes but not all. For example, when you set permissions on a file for a user of another domain, the info is first fetched from the DCs in the root domain, not the ones where you are logged on. If you do not use the same FQDN suffixes you will have some things working but others will suffer from slowness.

On Tue, 29 Mar 2005 10:29:11 -0500, joe <[EMAIL PROTECTED]> wrote:
> Ah you mean DNS disjoint namespace. I know of a couple of large orgs that do this either because Bind Based DNS is fully deployed to a very large base and they don't want to change it and/or they feel a machine in California shouldn't have the same DNS Suffix as a machine in New York (I tend to be in that category as well - I like geographic based DNS names). It is supported from an OS standpoint however it requires some additional perms on the computer objects so the computers can properly update their SPNs and dNSHostNames (though these aren't needed for DCs obviously). I don't think it would be very fun to have some 100,000+ machines all in a DNS zone called ad.company.com. It almost seemed an attempt to get away from WINS by making DNS act like WINS on a domain by domain basis.
>
> The biggest downside to doing this is Microsoft and other software vendors keep forgetting it is a supported configuration with applications. Check out MOM2005, the latest SMS whatever that is, some of the EMC NAS solutions, etc. If you do this, every application that goes through testing, integration, certification needs to be tested for disjoint namespace capability. I have seen a couple of occasions where someone was really bright and set up a disjoint production namespace but their test environment wasn't disjoint so they would spend all of this time in test to say something works great and deploy to production and watch it blow up immediately.
>
> The other major downside I can think of is around name resolution. If you aren't using WINS, you better like specifying FQDNs for machines. This also applies to multidomain forest environments as well as environments using disjoint namespace though. Personally, I like WINS (or should I say NBNS as the RFC calls them). I think it got a bum rap from people who used it and didn't understand how to keep it running well or those that didn't want, for some reason, to have unique host names like those folks who think you need a machine named www to host a website called www.company.com. There have been times I have actually considered implementing an NBNS in case MS decides to drop WINS Server from support. Mine would be a little different though, accepting dynamic updates would be configurable, I see great value in an NBNS that does not accept client registrations but instead only gives out info put in by an admin.
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
> Sent: Tuesday, March 29, 2005 10:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Compelling arguments?
>
> Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?
>
> Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.
>
> Any thoughts welcome.
RE: [ActiveDir] Accounts disappearing from AD
How do you know when the accounts went missing?

Generally it would be a very bad thing for an account to go missing without a trace. I mean, at a minimum if it were deleted it would be stripped of attribute information and sent to the deleted objects graveyard. You would be able to look there and see the tombstoned items if that were the case using this method: http://support.microsoft.com/?kbid=840001#6

I was thinking that some of Joe's tools would let you look at this as well, but can't remember at the moment.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts disappearing from AD
Re: [ActiveDir] Accounts disappearing from AD
Hi,

I think that a delete is the best explanation; try adrestore: http://www.sysinternals.com/ntw2k/source/misc.shtml#adrestore

On Tue, 29 Mar 2005 10:56:20 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
RE: [ActiveDir] Accounts disappearing from AD
I only know because people come tell me that they lose connection to e-mail or they can’t log in. Example: yesterday a user logged in in the AM, then by mid-morning couldn’t access his Exchange account. Having seen a few accounts disappear, I did a search in AD and his account didn’t come up, but his Exchange account obviously still existed. Recreated the account and re-attached the mailbox and he’s off and running again.

If this were Exchange I’d look at the SA and the Mailbox Management tool and the times they run to see if they were related, but it's not related to Exchange.

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 7:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD
RE: [ActiveDir] AD Site Confusion
All 3 of my sites (A, B, C) have a GC in them and at least 1 DC in them. All DCs have DNS running on them. By taking Site A down I was meaning shutting the machines off.

Thanks,
--
Matt Brown
[ SELECT * FROM directories WHERE AD > OpenLDAP ]
Information Technology System Specialist
Eastern Washington University

> I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.
>
> When I take down site A (both DC's), the clients in Site A cannot log in. Shouldn't they be able to log in using site B or C?
RE: [ActiveDir] Accounts disappearing from AD
Is it possible that the accounts were deleted during the replication issues and are now being propagated? Have you checked the deleted objects container to see if it exists there on any of the DCs (since replication was indicated, it might not hurt to check multiple DCs)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 11:35 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD
RE: [ActiveDir] Bridgehead in a single-server site
One more point to add and I will consider the matter closed. The BHS should be a GC in a multi-domain forest.

Toddler

-Original Message-
From: David Cliffe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 10:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site

Thanks everyone. All replies (opinions) were consistent and are summed up effectively by the latest from Todd below.

For those interested --> Some brief detective work here has revealed that, historically, there were some valid reasons for manually selecting a BH in several sites. At the time of my post I had thought EVERY site here was configured that way, and so thought this was the norm ("assumption" once again a foolish path!). The MS documentation and your recent replies indicate we should consider a change, especially since none of those old reasons apply anymore.

Thanks again!

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CC/DNA)
Sent: Tuesday, March 29, 2005 6:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bridgehead in a single-server site

There are two reasons why you select preferred BHS.

1. You have some security / political requirement to direct traffic to a particular server. (Firewall, Core service DC vs child domain).
2. You don't want the other servers to be targets as BHS. (Underpowered box, etc.)

Todd Myrick

-Original Message-
From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
Sent: Monday, March 28, 2005 4:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bridgehead in a single-server site

I completely agree with Gil's comment. Let KCC handle the BH selection. Otherwise you have to manually select the BH server(s). You can manually select more than one BH server if you want.

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4), MCSA(W2K3/W2K/MSG), CCNA, Network+
Houston, TX

On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]> wrote:
> Is there a good reason to NOT let the KCC pick the BH for you automatically? That way you get some failover if it craps out for some reason. Otherwise you'll have to watch the DC constantly to reset the BH to make sure replication continues to work. In Windows 2003, the KCC is pretty good about picking the best server as a BH.
>
> -gil
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> Sent: Monday, March 28, 2005 1:44 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Bridgehead in a single-server site
RE: [ActiveDir] Accounts disappearing from AD
You might want to check for Event ID 630 on all your DCs using eventcmb. Here is a good article that lists all the Event IDs for specific account operations: http://www.rippletech.com/PDF/New/SOX/Auditing%20Best%20Practices.pdf

If you aren’t backing up your security event logs on your DCs each night (yes, every DC) you are doing yourself a disservice. I recommend getting a tool that can consolidate your security event logs into one location so that you can run reports against them. I have used Intrust from Quest/Aelita. Pretty good tool and easy to set up and use. There are a lot of others out there though, some free, some not so free.

Todd

From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD
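The kind of report Todd is describing, written out as an added example (not from the list, EventComb or Intrust): it walks a consolidated export of Security logs from every DC, pulls the target account, the deleting principal and the originating DC out of each 630 ("User Account Deleted") event, tallies deletions per caller, and lists reported-missing accounts for which no DC logged a 630 at all. The export format, DC names, accounts and SIDs are constructed for the example; the event description text follows the shape of the Windows 2000/2003 630 event.

```python
import csv
import io
import re
from collections import Counter

# Windows 2000/2003 Security log, Account Management category: "User Account Deleted".
USER_ACCOUNT_DELETED = 630

# Constructed sample of a consolidated security-log export: "|"-delimited, one event per
# line, logs from all DCs merged into one file. Names, times and SIDs are made up.
# Note that only the DC on which the delete was performed logs a 630; the DCs that
# receive the deletion by replication do not, which is why every DC's log is needed.
SAMPLE_EXPORT = """\
dc|time|event_id|message
DC-WA-01|2005-03-28 08:12:04|528|Successful Logon: User Name: mhogenauer Domain: CORP Logon Type: 2
DC-NY-01|2005-03-28 10:41:37|630|User Account Deleted: Target Account Name: jsmith Target Domain: CORP Target Account ID: %{S-1-5-21-1111-2222-3333-1105} Caller User Name: svc_provision Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) Privileges: -
DC-WA-01|2005-03-29 09:15:55|630|User Account Deleted: Target Account Name: bwong Target Domain: CORP Target Account ID: %{S-1-5-21-1111-2222-3333-1187} Caller User Name: svc_provision Caller Domain: CORP Caller Logon ID: (0x0,0x3E7) Privileges: -
DC-NC-01|2005-03-29 09:20:10|624|User Account Created: New Account Name: bwong2 New Domain: CORP
DC-CA-01|2005-03-29 11:02:41|630|User Account Deleted: Target Account Name: tmp_contractor Target Domain: CORP Target Account ID: %{S-1-5-21-1111-2222-3333-1302} Caller User Name: helpdesk2 Caller Domain: CORP Caller Logon ID: (0x0,0x5A2C1) Privileges: -
"""

# Fields of the 630 description we care about, in the order the event text lists them.
FIELDS_RE = re.compile(
    r"Target Account Name:\s*(?P<target>\S+)\s+"
    r"Target Domain:\s*(?P<target_domain>\S+)\s+"
    r"Target Account ID:\s*(?P<sid>\S+)\s+"
    r"Caller User Name:\s*(?P<caller>\S+)\s+"
    r"Caller Domain:\s*(?P<caller_domain>\S+)"
)


def parse_deletions(export_text):
    """One dict per 630 event: which DC logged it, when, which account, and who did it."""
    deletions = []
    for row in csv.DictReader(io.StringIO(export_text), delimiter="|"):
        if int(row["event_id"]) != USER_ACCOUNT_DELETED:
            continue
        m = FIELDS_RE.search(row["message"])
        if m is None:
            # A 630 whose description does not parse is still a deletion; keep it visible.
            deletions.append({"dc": row["dc"], "time": row["time"],
                              "target": "?", "sid": "?", "caller": "?"})
            continue
        deletions.append({
            "dc": row["dc"],
            "time": row["time"],
            "target": m["target"],
            "sid": m["sid"].strip("%{}"),                 # "%{S-1-5-...}" -> "S-1-5-..."
            "caller": f"{m['caller_domain']}\\{m['caller']}",
        })
    return deletions


def find_deletion(export_text, account):
    """All 630 events for one account name; AD account names are not case-sensitive."""
    return [d for d in parse_deletions(export_text)
            if d["target"].lower() == account.lower()]


def deletions_by_caller(export_text):
    """Who is deleting accounts and how often. A service account or script that keeps
    showing up here is the first thing to chase in an inherited environment."""
    return Counter(d["caller"] for d in parse_deletions(export_text))


def missing_audit_trail(export_text, missing_accounts):
    """Accounts reported as gone for which no DC logged a 630: the delete either predates
    the retained logs, happened on a DC whose log was not collected, or auditing was off
    at the time. For those, the tombstone in the Deleted Objects container (the KB 840001
    method mentioned earlier in the thread) is the remaining evidence."""
    logged = {d["target"].lower() for d in parse_deletions(export_text)}
    return [a for a in missing_accounts if a.lower() not in logged]


if __name__ == "__main__":
    for d in parse_deletions(SAMPLE_EXPORT):
        print(f"{d['time']}  {d['dc']:<9} deleted {d['target']:<15} by {d['caller']}")
    print("per caller:", dict(deletions_by_caller(SAMPLE_EXPORT)))
    print("no 630 found for:", missing_audit_trail(SAMPLE_EXPORT, ["jsmith", "rpatel"]))
```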
RE: [ActiveDir] AD Site Confusion
Interesting tagline. I prefer Netdom query trust.

Toddler

-Original Message-
From: Matt Brown [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 11:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion
Re: [ActiveDir] Compelling arguments?
As always, thanks for the thorough reply, mate...

From: joe <[EMAIL PROTECTED]>
Date: Tue, 29 Mar 2005 10:29:11 -0500
Subject: RE: [ActiveDir] Compelling arguments?
[ActiveDir] DNS should point to...?
Hi –

I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything.

The question is this: where should each DC’s DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC’s primary DNS to the FSMO-role holder and then to itself as secondary.

Any thoughts?

-- nme
Re: [ActiveDir] Compelling arguments?
Agreed. I'd love to get more info on your view on that though; get some more details of how you would set it up in that type of environment given the chance ;) The issue of geographic DNS isn't something I'd thought of unless it was also attached to a multi-domain geographic type forest (NA, Asia, Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland <[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
Re: [ActiveDir] DNS should point to...?
Noah Eiger wrote:
> (...)
> The question is this: where should each DC’s DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC’s primary DNS to the FSMO-role holder and then to itself as secondary.

This tech guy was probably talking about the "server islands" problem. It is necessary to point to some server other than the local one at the time of promotion, but then, with proper configuration, you can point the DC to itself as DNS server (read the method scenario in the KB whose URL is listed below).

http://support.microsoft.com/default.aspx?scid=kb;en-us;275278&id=kb;en-us;275278

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
Re: [ActiveDir] DNS should point to...?
http://www.ultratech-llc.com/KB/?File=ADNetwork.TXT

No, DNS servers should not only point to themselves. See above.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On Tue, 29 Mar 2005 09:31:59 -0800, Noah Eiger <[EMAIL PROTECTED]> wrote:
Re: [ActiveDir] DNS should point to...?
Hi Noah.

Having a DC point to itself as primary can create a replication problem. If I change my DC's IP address, it will register in the primary DNS (itself) with the updated IP address. Its replication partner - your DNS will then go query itself for the IP address and get the old IP. Since all replication is pull, and the default is that the zone is AD integrated and shared among all DCs, your DC cannot update its DNS until it replicates, and it cannot replicate until it updates its DNS.

Having all DCs point at one DC (I have heard the first DC in the hub site for the domain) means that at least one DC has the updated IP address of every DC out there. Pointing at itself for secondary gives it name resolution when the link is down.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

"Noah Eiger" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/29/2005 09:31 AM PST
To: ActiveDir
Subject: [ActiveDir] DNS should point to...?
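A small model of the pull-replication dependency James describes, added here as an illustration and not taken from the list or from any Microsoft tool: two DCs each hold a replica of the AD-integrated zone, a DC dynamically registers its address with whichever server is first in its resolver list, and a partner can only pull if the address it resolves is the one the DC actually has. DC names and addresses are constructed; the version counter is a stand-in for the replication metadata that decides which copy of a DNS record wins.

```python
from dataclasses import dataclass, field


@dataclass
class Record:
    ip: str
    version: int  # stand-in for the replication version of the DNS object in AD


@dataclass
class DomainController:
    name: str
    ip: str
    dns_servers: list                          # resolver list, primary first
    zone: dict = field(default_factory=dict)   # this DC's replica of the AD-integrated zone


class Domain:
    def __init__(self, dcs):
        self.dcs = {dc.name: dc for dc in dcs}
        # Start converged: every replica holds every DC's current address.
        for dc in dcs:
            for other in dcs:
                dc.zone[other.name] = Record(other.ip, 1)

    def change_ip(self, name, new_ip):
        """The DC re-addresses and dynamically registers with its *primary* DNS server."""
        dc = self.dcs[name]
        dc.ip = new_ip
        primary = self.dcs[dc.dns_servers[0]]
        primary.zone[name] = Record(new_ip, primary.zone[name].version + 1)

    def resolve(self, querier, target):
        """Ask the querier's DNS servers in order; the first answer wins, stale or not."""
        for server in self.dcs[querier].dns_servers:
            rec = self.dcs[server].zone.get(target)
            if rec is not None:
                return rec.ip
        return None

    def pull(self, puller, source):
        """One inbound replication attempt. It fails if the resolved address is not
        where the source actually is; otherwise newer records are copied in."""
        src = self.dcs[source]
        if self.resolve(puller, source) != src.ip:
            return False
        dst = self.dcs[puller]
        for host, rec in src.zone.items():
            mine = dst.zone.get(host)
            if mine is None or rec.version > mine.version:
                dst.zone[host] = Record(rec.ip, rec.version)
        return True


def simulate(branch_dns_servers):
    """The branch DC changes address; run one full replication cycle and report."""
    hub = DomainController("HUB-DC1", "10.0.0.10", ["HUB-DC1"])
    branch = DomainController("BRANCH-DC1", "10.1.0.10", branch_dns_servers)
    domain = Domain([hub, branch])
    domain.change_ip("BRANCH-DC1", "10.1.0.20")
    branch_ok = domain.pull("BRANCH-DC1", "HUB-DC1")   # branch can still find the hub
    hub_ok = domain.pull("HUB-DC1", "BRANCH-DC1")      # can the hub find the branch?
    return {
        "branch_pulls_from_hub": branch_ok,
        "hub_pulls_from_branch": hub_ok,
        "hub_knows_new_ip": domain.resolve("HUB-DC1", "BRANCH-DC1") == "10.1.0.20",
    }


if __name__ == "__main__":
    # Branch points only at itself: the hub keeps resolving the old address and never
    # pulls the record that would fix that, which is the island James describes.
    print("self only     :", simulate(["BRANCH-DC1"]))
    # Branch points at the hub first, itself second: the hub learns the new address
    # directly from the registration and replication continues.
    print("hub, then self:", simulate(["HUB-DC1", "BRANCH-DC1"]))
```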
[ActiveDir] AD/ Virus outbreak
Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately the 3 root DC's were not running a virus client, totally missed... anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected (the ones with the Schema Master & DNM and PDCE). If I have to rebuild, can I at least for the interim transfer the above roles to the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,
RE: [ActiveDir] DNS should point to...?
On DCs running DNS - point primary DNS to itself and secondary DNS to a nearest site or hub DNS server. Be aware of the DNS Island issue in Windows 2000 though!

Paresh

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: 29 March 2005 18:47
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
In this scenario, I'd recommend Primary to another and secondary to self.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 9:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS should point to...?
RE: [ActiveDir] AD/ Virus outbreak
Yes. This *may* be a useful primer for you: http://www.readymaids.com/Portals/1/FSMO-xfer.htm

Deji

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak
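What the interim transfer Devan asks about looks like in practice, as an added example that is neither from the list nor from the linked primer. It uses the ActiveDirectory PowerShell module, the modern equivalent of the ntdsutil "roles" menu of the Windows 2000/2003 era; the DC name ROOTDC3 is an assumption. Two details matter in this particular scenario: the domain naming master must sit on a global catalog on Windows 2000, and the only GCs are on the two suspect DCs, so the surviving DC is made a GC first; and a transfer needs the current holders still reachable, so if they are already off the network the same cmdlet is run with -Force (a seizure), after which the old holders must be rebuilt, never reconnected.

```powershell
# Added example: move the roles held by the two suspect root DCs to the clean one.
# ROOTDC3 is an assumed name for the surviving root DC (current RID and Infrastructure holder).
Import-Module ActiveDirectory

$target = 'ROOTDC3'

# Where do the roles live right now?
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Make the target a global catalog first: the domain naming master must be a GC on
# Windows 2000, and the existing GCs are both on suspect machines. Bit 1 of the NTDS
# Settings 'options' attribute is the GC flag; other bits are normally unset.
$ntds = (Get-ADDomainController -Identity $target).NTDSSettingsObjectDN
Set-ADObject -Identity $ntds -Replace @{ options = 1 }

# Graceful transfer while the current holders still answer. Add -Force to seize
# instead if they are already offline; a seized holder must be rebuilt, not reconnected.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator -Confirm:$false

# Verify the new placement
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
```

Role placement is only the availability half of the problem. A domain controller holds every password hash in its domain, so two infected root DCs mean the forest root's secrets, including the krbtgt key, have to be assumed exposed; that, rather than where the FSMO roles end up, is what should drive the rebuild and password-reset decisions.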
RE: [ActiveDir] Compelling arguments?
Phil, you know he's for hire right? He has a "p*mp" and everything last I heard. :)

That said, it is interesting to see a regional specific approach to name resolution. Some like it, some don't. I'd be interested to hear why, Joe, because I think it would depend on the company goals whether or not that would make sense.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more details of how you would set it up in that type of environment given the chance ;) The issue of geographic DNS isn't something I'd thought of unless it was also attached to a multi domain geographic type forest (NA, Asia, Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland <[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
RE: [ActiveDir] Compelling arguments?
Our existing setup involves exactly what joe described: BIND servers at the root that feed down to further BIND servers at each location, with the exception of the Americas. The Americas have a majority of Win2k DNS servers but also some BIND.

So you may have AD domains of americas.corp.com, europe.corp.com, and asiapacific.corp.com. You then have locations within americas like Buenos Aires, Sao Paulo, New York City. So you have site codes bue, spo, and nyc, with DNS domains for each location of bue.sub, spo.sub, and nyc.sub, the sub domain being delegated from the central BIND server to the localized servers.

Our situation is that our client services team prefers to use the AD domain for resolution of client names, while our colleagues in different areas prefer to use the BIND services for many applications, so what we end up with is a mixed implementation and inconsistent client settings inside the organization. That leads to one machine needing a static entry in the localized DNS while the machine updates its hostname in the AD domain automagically. Now we have two host records for the same machine, and an inconsistent PTR record as well. We have Unix-based apps that implement a TCP wrapper to determine a machine's identity, but because there are different settings or duplicates in the localized DNS, AD DNS, and the PTR records, the application breaks upon forward and reverse lookup (whoever thought it was a good idea to use DNS as a security mechanism should be choked).

The lesson here is to determine which to do and implement without exception. The problem with doing it after the fact is that you WILL break something.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?
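The forward/reverse mismatch that breaks the TCP-wrapper check above, turned into a check of its own. This is an added example, not something from the thread: for each host it compares the A record served by the AD-integrated DNS with the one served by the localized BIND server, then verifies that the PTR for that address resolves back to the same name, which is what a paranoid-mode wrapper requires before it admits a connection. The two server addresses and the host list are assumptions.

```powershell
# Added example: detect hosts whose AD DNS and BIND answers disagree, or whose PTR
# does not point back at the forward name. Addresses and names below are assumed.
$adDns   = '10.1.0.10'                    # assumed AD-integrated DNS server (nyc site DC)
$bindDns = '10.1.0.53'                    # assumed localized BIND server for nyc.sub
$hosts   = 'app01.nyc.sub.corp.com',      # assumed hosts the Unix apps talk to
           'app02.nyc.sub.corp.com'

function Get-ARecord([string]$Name, [string]$Server) {
    # First A record for $Name from a specific server, bypassing the local cache
    try {
        (Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1).IPAddress
    } catch { $null }
}

function Get-PtrName([string]$Address, [string]$Server) {
    # Reverse lookup; Resolve-DnsName builds the in-addr.arpa name from the address
    try {
        (Resolve-DnsName -Name $Address -Type PTR -Server $Server -DnsOnly -ErrorAction Stop |
            Select-Object -First 1).NameHost.TrimEnd('.')
    } catch { $null }
}

foreach ($h in $hosts) {
    $adIp   = Get-ARecord $h $adDns
    $bindIp = Get-ARecord $h $bindDns
    $ptr    = if ($adIp) { Get-PtrName $adIp $bindDns } else { $null }

    # A wrapper doing forward+reverse validation fails on either of the first two states
    $status = if ($adIp -ne $bindIp) { 'forward records disagree between AD DNS and BIND' }
              elseif ($ptr -ne $h)   { 'reverse lookup does not return the forward name' }
              else                   { 'consistent' }

    [pscustomobject]@{ Host = $h; ADDns = $adIp; BindDns = $bindIp; PTR = $ptr; Status = $status }
}
```

Run it from a host that can reach both DNS servers on UDP/TCP 53. Pointing the PTR query at the AD server as well (a second call with $adDns) shows whether the reverse zone is the one that drifted, which is the usual case when machines register forward records dynamically but nobody owns the reverse zone.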
RE: [ActiveDir] DNS should point to...?
Agreed

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 12:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
Agreed - and admiring Deji's ability to say in 12 words what I took 2 pages to type.

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
(202) 354-1464 (direct)
(202) 371-1549 (fax)
[EMAIL PROTECTED]

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 03/29/2005 01:03 PM EST
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
Ok. Some conflicting responses. Just so I can sort this out in my little brain:

I am aware of the island issue and my practice has been to point to another site to promote, then change it to point to itself. Why would you point to another site as primary if there is poor connectivity? The AD-integrated DNS zones should be complete at each site, no? Should the SOA and the Name Servers be the same at each site?

-- nme

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
Re: [ActiveDir] Compelling arguments?
hahaha, yeah I didn't know for sure, but I was getting the idea that he was "for hire" ;) I just wanted some more details on his thought process though...not a full out design ;)

Phil

On Tue, 29 Mar 2005 13:01:51 -0500, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> Phil, you know he's for hire right? He has a "p*mp" and everything last I heard. :)
Re: [ActiveDir] DNS should point to...?
You can point to the DC/GC/DNS server running the PDC Emulator role but better resolution on the primary DNS setting.

Chuck

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tue, 29 Mar 2005 13:03:20 -0500
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
12 words??? I thought it was 11!!! I need to cut down on that next time - there's no room for 2 Joes[1] on this list :)

Deji

[1] I still need to respond to that "inverse" thread - as soon as I can wrap my head around that wacky equation :-p

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 10:26 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
>>>Ok. Some conflicting responses.

You will always get that. I have yet to see a consensus on this and many other issues. So, it ultimately ends up being one of those "it depends" cases.

>>>I am aware of the island issue

Remember, the "Island issue" occurs in a multi-domain environment, which, in your case, is not applicable here. No _msdcs problem to factor in.

>>> Why would you point to another site as primary if there is poor connectivity?

If poor connectivity is an issue for you, then again (in this scenario), primary to another server is a good way to ameliorate the impact of the poor connectivity. "Poor connectivity", in this case, means that there is "intermittent" connectivity, right? If the DC points to itself or to another and there is an extended outage, then you are SOL in that you can't find anything on the other side anyway. Remember that this "to self or to another" question is specific to the DNS server ITSELF, not relevant to what it does for (or on behalf of) other clients. The configuration is only applicable to the DNS server's ability to publish and locate records for itself. If it can NOT find the referenced DNS Server configured as PRIMARY (because of the poor connectivity), it will flag that server as being unresponsive and then go to the secondary, which is itself, in the meantime.

>>> The AD-integrated DNS zones should be complete at each site, no?

I say yes. But, there is nothing in the book (AFAIK) that says you can't mix and match.

>>>Should the SOA and the Name Servers be the same at each site?

"The same", meaning that the SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be DNS1.whatever and DNS2 will be DNS2.whatever because they are each authoritative for the zone and, therefore, consider themselves the "Start of Authority" for that zone.

HTH

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, March 29, 2005 10:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
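The "primary to another DC, secondary to self" advice above, turned into an audit across every DC in the domain. This is an added example and not part of the thread; it uses the ActiveDirectory and DnsClient modules (Windows Server 2012 or later; on Windows 2000 the same settings are read with ipconfig /all), remotes to each DC over WinRM, and flags the orderings the thread argues about. The status wording is my own, and a DC that lists only itself is flagged because that is the configuration in which a changed DC address cannot be learned from anyone else, whatever the number of domains in the forest.

```powershell
# Added example: audit DC DNS client order against "primary = another DC, secondary = self".
# Assumes the ActiveDirectory and DnsClient modules and WinRM access to each DC.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Sort-Object Site, HostName

foreach ($dc in $dcs) {
    # DNS servers configured on the DC's own NICs, in the order the resolver tries them
    $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            Select-Object -ExpandProperty ServerAddresses
    })
    $selfAddrs = @($dc.IPv4Address, '127.0.0.1')   # either form counts as "self"
    $primary   = $servers | Select-Object -First 1
    $hasSelf   = @($servers | Where-Object { $selfAddrs -contains $_ }).Count -gt 0

    $status = if ($servers.Count -eq 0)              { 'no DNS servers configured' }
              elseif (-not $hasSelf)                 { 'self missing: add it as secondary' }
              elseif ($servers.Count -eq 1)          { 'points only to self: cannot learn a changed DC address from anyone' }
              elseif ($selfAddrs -contains $primary) { 'self is primary: put another DC first' }
              else                                   { 'ok' }

    [pscustomobject]@{
        DC      = $dc.HostName
        Site    = $dc.Site
        Self    = $dc.IPv4Address
        Servers = $servers -join ', '
        Status  = $status
    }
}
```

Run it from an administrative workstation, not from a DC, so a DC with broken resolution still gets reported rather than taking the audit down with it. The 'ok' row means the DC will register its own records through the other DC and only fall back to itself when that server is unreachable, which is exactly the intermittent-link behaviour Deji describes.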
RE: [ActiveDir] DNS should point to...?
I meant to say, "no root/sub-root _msdcs ISSUES to factor in"

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Tuesday, March 29, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
Can you explain to me how "island DNS" cannot occur in a single domain environment? If I have 2 DCs for the same domain and they are each pointing to themselves as the only DNS and I change the IP of one DC, won't that break replication? How will one DC find the other to pull the change I just made?

Sorry if this sounds stupid or basic.

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
RE: [ActiveDir] DNS should point to...?
It's actually a good question. An intelligent description can be found on http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/plan02.asp

I am still looking for the "de-facto" (to me) discussion I participated in on this topic a while ago. I will send that when I locate it.

Deji

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, March 29, 2005 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?
[ActiveDir] LDAP search filter
Does anyone know how to create an LDAP search filter I can use within a Saved Query of ADUC that will list the users in an OU? I can do this with VBScript, but I am looking for a way to do this within ADUC. Thanks, Shawn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Kerberos and proxy servers
Hello, I was wondering if anyone knows why Microsoft removed kerb auth to a proxy from Internet Explorer. I believe that they did support it with the early versions of IE5. Here's the MS explanation (which really isn't an explanation) http://support.microsoft.com/kb/321728/EN-US/ What possible reason could exist for them to remove this feature? Does anyone know if there's a way to make it work? Thanks
RE: [ActiveDir] Compelling arguments?
If you're also talking about servers don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net Kerberos will not work for the clients that try to connect using the DNS name. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland Sent: Tuesday, March 29, 2005 7:06 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Compelling arguments? Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix. Any thoughts welcome.
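A way to audit the SPN mismatch described above, as an added example that is not part of the thread: given the SPNs a computer account has registered and the DNS names clients actually type, list the names for which no SPN exists, because those are the connections where Kerberos cannot be used and Negotiate quietly falls back to NTLM. The SPN list and client names are constructed for the example; `HOST/` is treated as covering every service class because AD maps most classes (CIFS, HTTP, LDAP and others) onto HOST via the sPNMappings attribute.

```python
# Constructed sample data (assumption): what the computer account registered, and the
# names clients use. The AD domain is myadname.net, the public DNS zone is mydnszone.net.
REGISTERED_SPNS = [
    "HOST/SOMESERVER",
    "HOST/someserver.myadname.net",
    "MSSQLSvc/someserver.myadname.net:1433",
]
CLIENT_NAMES = ["someserver.myadname.net", "someserver.mydnszone.net", "SOMESERVER"]


def spn_target(spn):
    """Split 'class/host[:port][/instance]' into (class, host), both lower-cased."""
    service, sep, rest = spn.partition("/")
    if not sep or not rest:
        raise ValueError("not an SPN: %r" % spn)
    host = rest.split("/", 1)[0].rsplit(":", 1)[0]   # drop instance name and port
    return service.lower(), host.lower()


def uncovered_names(registered_spns, client_names, service="HOST"):
    """Client-facing names that no SPN of the requested class (or HOST) covers.

    A name in this list means a client connecting to it will not get a Kerberos
    ticket for the server; with Negotiate that silently becomes NTLM.
    """
    wanted = {service.lower(), "host"}
    covered = {host for svc, host in map(spn_target, registered_spns) if svc in wanted}
    return sorted({name.lower() for name in client_names} - covered)


if __name__ == "__main__":
    print("names without an SPN:", uncovered_names(REGISTERED_SPNS, CLIENT_NAMES))
```

The remedy for a name that shows up here is to register an SPN for the name clients really use, not to teach clients the AD name.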
RE: [ActiveDir] LDAP search filter
Yes. When you create the query, choose the OU you want. Then use a custom query and use an LDAP filter search filter on the advanced tab. Make sense? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Tuesday, March 29, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP search filter Does anyone know how to create an LDAP search filter I can use within a Saved Query of ADUC that will list the users in an OU? I can do this with VBScript, but I am looking for a way to do this within ADUC. Thanks, Shawn
RE: [ActiveDir] LDAP search filter
I end up with something like this but get no information (&(&(ou>="")(name=Comit*))(objectClass=user)(name=*)) This is not a filter from what I can tell >>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>> Yes. When you create the query, choose the OU you want. Then use a custom query and use an LDAP filter search filter on the advanced tab. Make sense? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Tuesday, March 29, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP search filter Does anyone know how to create an LDAP search filter I can use within a Saved Query of ADUC that will list the users in an OU? I can do this with VBScript, but I am looking for a way to do this within ADUC. Thanks, Shawn
RE: [ActiveDir] Storing dates in AD
We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension.
I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] LDAP search filter
The filter I used was (&(objectClass=User)(objectCategory=Person)) and I set the filter to the OU I wanted (it's on the first panel of the query editing). The query was entered into the custom search | advanced tab section. That returns all the user objects at the level in the tree specified. In your case from the OU level down. I get one that looks like this: Better? If not, create the Query and then export it and send it offline if you're able. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Tuesday, March 29, 2005 3:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDAP search filter I end up with something like this but get no information (&(&(ou>="")(name=Comit*))(objectClass=user)(name=*)) This is not a filter from what I can tell >>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>> Yes. When you create the query, choose the OU you want. Then use a custom query and use an LDAP filter search filter on the advanced tab. Make sense? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Tuesday, March 29, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP search filter Does anyone know how to create an LDAP search filter I can use within a Saved Query of ADUC that will list the users in an OU? I can do this with VBScript, but I am looking for a way to do this within ADUC. 
Thanks, Shawn
Re: [ActiveDir] LDAP search filter
shawn -- in the properties of your query point the Query root to the OU you want to query. then this filter should be sufficient: (&(objectCategory=user)(userPrincipalName=*)) hth, john Shawn Hayes wrote: I end up with something like this but get no information (&(&(ou>="")(name=Comit*))(objectClass=user)(name=*)) This is not a filter from what I can tell "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>> Yes. When you create the query, choose the OU you want. Then use a custom query and use an LDAP filter search filter on the advanced tab. Make sense? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes Sent: Tuesday, March 29, 2005 3:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] LDAP search filter Does anyone know how to create an LDAP search filter I can use within a Saved Query of ADUC that will list the users in an OU? I can do this with VBScript, but I am looking for a way to do this within ADUC. Thanks, Shawn
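A way to see why the filters in this thread behave as they do, as an added example that is not part of the thread: a small Python parser and evaluator for the RFC 4515 filter syntax, run against a constructed OU holding a user, a computer and a group. The sample entries, the `OU=Comit` naming and the bare-class-name form of `objectCategory` are assumptions of the example (AD stores a schema DN and resolves a class name such as `user` to that class's default category, which the small table below imitates). The point worth remembering: computer accounts are `objectClass=user` too, so `(objectClass=user)` alone pulls them in, and the `(objectCategory=person)` clause is what restricts the result to user accounts when the query feeds a report or an access decision.

```python
import re

# Constructed sample content of OU=Comit, as an LDAP search with its query root on that OU
# would return it (assumption: not real directory data).
SAMPLE_OU = [
    {"dn": "CN=Alice,OU=Comit,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": ["person"], "name": ["Alice"],
     "userPrincipalName": ["alice@example.com"]},
    # Computer accounts are objectClass=user as well; only objectCategory tells them apart.
    {"dn": "CN=WS01,OU=Comit,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": ["computer"], "name": ["WS01"]},
    {"dn": "CN=Printers,OU=Comit,DC=example,DC=com",
     "objectClass": ["top", "group"], "objectCategory": ["group"], "name": ["Printers"]},
]

# Simplification of AD behaviour: a bare class name used as an objectCategory value is
# replaced by that class's default category (user -> person), so (objectCategory=user)
# finds user accounts rather than computers.
DEFAULT_CATEGORY = {"user": "person", "computer": "computer", "group": "group", "person": "person"}

_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(>=|<=|=)(.*)$")


def parse_filter(text):
    """Parse an RFC 4515 filter (subset: & | ! = >= <= and '*' wildcards) into a tree."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|"):
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), _expect_close(s, i)
    if op == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), _expect_close(s, i)
    close = s.find(")", i)          # a literal ')' inside a value must be escaped as \29
    if close < 0:
        raise ValueError("unterminated item at offset %d" % i)
    m = _ITEM.match(s[i:close])
    if not m:
        raise ValueError("malformed item %r" % s[i:close])
    return ("item", m.group(1), m.group(2), m.group(3)), close + 1


def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1


def _values(entry, attr):
    """Attribute lookup; LDAP attribute names are case-insensitive."""
    for key, vals in entry.items():
        if key.lower() == attr.lower():
            return vals if isinstance(vals, list) else [vals]
    return []


def _glob(pattern, text):
    """Only '*' is a wildcard in LDAP filter values; everything else is literal."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, text, re.IGNORECASE) is not None


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, value = node
    if attr.lower() == "objectcategory":
        value = DEFAULT_CATEGORY.get(value.lower(), value)
    present = _values(entry, attr)
    if not present:
        return False                 # an absent attribute never matches, not even (ou>="")
    if op == "=":
        return value == "*" or any(_glob(value, v) for v in present)
    if op == ">=":
        return any(v.lower() >= value.lower() for v in present)
    return any(v.lower() <= value.lower() for v in present)


def search(filter_text, entries=SAMPLE_OU):
    """Return the DNs of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    for f in ['(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))',
              "(objectClass=user)",
              "(&(objectClass=User)(objectCategory=Person))",
              "(&(objectCategory=user)(userPrincipalName=*))"]:
        print(f, "->", search(f))
```

Run as a script it shows the query-builder filter from the thread returning nothing (no user has an `ou` attribute, and `name=Comit*` matches the OU itself rather than its members), `(objectClass=user)` returning the workstation alongside the user, and the two replies' filters returning only the user.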
RE: [ActiveDir] Storing dates in AD
I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code.
I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] Kerberos and proxy servers
Are you trying to auth to the proxy server itself with IE? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 3:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos and proxy servers Hello, I was wondering if anyone knows why Microsoft removed kerb auth to a proxy from Internet Explorer. I believe that they did support it with the early versions of IE5. Here's the MS explanation (which really isn't an explanation) http://support.microsoft.com/kb/321728/EN-US/ What possible reason could exist for them to remove this feature? Does anyone know if there's a way to make it work? Thanks
RE: [ActiveDir] Storing dates in AD
The purist in me says use the pwdLastSet form... it avoids the 2038 "problem", such as it is. And in general it's better to limit the number of different representations for a particular data type. I don't think MS uses time_t in the directory anywhere. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code.
I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] Storing dates in AD
Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem. I don't think we'll be on the same system in 2,184, but I don't want to be short sighted :) Does Microsoft still use a 64-bit integer? That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you.
Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] Kerberos and proxy servers
Yes, although I haven't tried yet. According to the article it is not possible. Our proxy vendor supports Kerberos auth mainly because IE used to support it. And not only that, using kerb solves a bunch of latency issues because the proxy doesn't need to keep talking to the DC the way that it does for NTLM. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:16 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos and proxy servers Are you trying to auth to the proxy server itself with IE? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 3:38 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos and proxy servers Hello, I was wondering if anyone knows why Microsoft removed kerb auth to a proxy from Internet Explorer. I believe that they did support it with the early versions of IE5. Here's the MS explanation (which really isn't an explanation) http://support.microsoft.com/kb/321728/EN-US/ What possible reason could exist for them to remove this feature? Does anyone know if there's a way to make it work? Thanks
RE: [ActiveDir] DNS should point to...?
Deji, You're hilarious ! RH -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 1:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS should point to...? 12 words??? I thought it was 11!!! I need to cut down on that next time – there's no room for 2 Joes[1] on this list :) Deji [1] I still need to respond to that "inverse" thread – as soon as I can wrap my head around that wacky equation :-p -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 10:26 AM To: ActiveDir@mail.activedir.org Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED] Subject: RE: [ActiveDir] DNS should point to...? Agreed - and admiring Deji's ability to say in 12 words what I took 2 pages to type. James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service (202) 354-1464 (direct) (202) 371-1549 (fax) [EMAIL PROTECTED] From: [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 03/29/2005 01:03 PM EST Please respond to ActiveDir To: ActiveDir cc: (bcc: James Day/Contractor/NPS) Subject: RE: [ActiveDir] DNS should point to...? Agreed From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS should point to...? In this scenario, I'd recommend Primary to another and secondary to self. Deji From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, March 29, 2005 9:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS should point to...? Hi – I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain.
Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything. The question is this: where should each DC's DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC's primary DNS to the FSMO-role holder and then to itself as secondary. Any thoughts? -- nme
Re: [ActiveDir] DNS should point to...?
[EMAIL PROTECTED] wrote: It's actually a good question. An intelligent description can be found on http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/branchoffice/plan02.asp This is the URL I wanted to post in my first post, but I came to the conclusion that the KB article would be enough :) -- Tomasz Onyszko [MVP] [EMAIL PROTECTED] http://www.w2k.pl
RE: [ActiveDir] Storing dates in AD
I still don't think you should use Integer8/FILETIME format to store your date unless you absolutely need to. I think 2.5.5.11 OM 23 or 24 is the way to go. Depending on your API I think you will likely find them to be a better impedance match. The big kicker is if you ever have to use VBScript to do this. VBScript sucks at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant datetime and back. Plus, you'll get some nicer fidelity in other tools such as ldp and ADSI Edit. Integer8 will just be an opaque number that you need code to interpret. 2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I can't think of a real compelling reason to use Integer8 unless your code happens to already rely on that. It sounds like it doesn't. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem. I don't think we'll be on the same system in 2,184, but I don't want to be short sighted :) Does Microsoft still use a 64-bit integer? That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format.
Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. Its pretty trivial to manipulate it as a date in your code. 
I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] DNS should point to...?
>>> The AD-integrated DNS zones should be complete at each site, no? I say yes. But, there is nothing in the book (AFAIK) that says you can't mix and match. But the zones should be replicas, right? If I add a record in one location, it gets replicated to the others. What about differences in the Name Servers tab. Some Sites list certain servers; other sites list different servers. >>>Should the SOA and the Name Servers be the same at each site? "The same", meaning that the SOA on DNS1 and DNS2 should reference the same server? No. DNS1 will be DNS1.whatever and DNS2 will be DNS2.whatever because they are each authoritative for the zone and, therefore, consider themselves the "Start of Authority" for that zone. Ack. Thanks. BTW: On a similar note, I am seeing what seems odd in the _msdcs records. Under Server1\Forward Lookup Zones\company.com\_msdcs\dc\_sites\ all of the sites are listed. Under _tcp are Service Locator records for _kerberos and _ldap. The servers listed for these records do not correspond to the servers in those sites. For example, server1.company.com appears for those records in Site1, Site3, and Site5. Site2 has records for servers that physically sit in other locations. This behavior is duplicated in _msdcs\gc\_sites. Again, I was just brought in on this. What is going on here? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, March 29, 2005 10:41 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS should point to...? Ok. Some conflicting responses. Just so I can sort this out in my little brain: I am aware of the island issue and my practice has been to point to another site to promote, then change it to point to itself. Why would you point to another site as primary if there is poor connectivity? The AD-integrated DNS zones should be complete at each site, no? Should the SOA and the Name Servers be the same at each site?
-- nme From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 10:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS should point to...? Agreed From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 12:57 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS should point to...? In this scenario, I’d recommend Primary to another and secondary to self. Deji From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Tuesday, March 29, 2005 9:32 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DNS should point to...? Hi – I have just been brought into a situation where a client has several poorly connected (VPN and slow connections to the Internet) sites in a single W2k domain. Each site has a single DC that runs AD-integrated DNS. Previously, most of the DCs had tombstoned. Microsoft walked the in-house guy through demoting and re-promoting everything. The question is this: where should each DC’s DNS point? I have always thought they should point to themselves and only themselves. The DNS server forwards to the Internet (as everything is poorly connected). The in-house tech said Microsoft told him to point each DC’s primary DNS to the FSMO-role holder and then to itself as secondary. Any thoughts? -- nme
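A way to make sense of the `_msdcs\dc\_sites` records described above, as an added example that is not part of the thread: a DC registers site-specific `_ldap` and `_kerberos` SRV records for every site it serves, and a DC will serve a site other than its own when that site has no DC (automatic site coverage) or when coverage has been configured by hand. The check below pairs the SRV registrations with where each DC's server object actually lives and flags the two cases a reviewer cares about: a site with no DC of its own that is served from elsewhere (expected), and a site that has its own DC yet still carries a foreign DC's records (stale registration or manual coverage, worth verifying, since clients in that site may authenticate across the slow link). The zone contents and the DC-to-site mapping are constructed for the example and are not the poster's data.

```python
import re
from collections import defaultdict

# Constructed sample (assumption): where each DC's server object sits in Sites and Services.
DC_SITES = {
    "server1.company.com": "Site1",
    "server2.company.com": "Site2",
    "server3.company.com": "Site3",
}

# Constructed sample (assumption): site-specific SRV records under _msdcs as
# (owner name, target host). Real records also carry priority, weight and port.
SRV_RECORDS = [
    ("_ldap._tcp.dc._msdcs.company.com", "server1.company.com"),          # domain-wide, no site
    ("_ldap._tcp.Site1._sites.dc._msdcs.company.com", "server1.company.com"),
    ("_kerberos._tcp.Site1._sites.dc._msdcs.company.com", "server1.company.com"),
    ("_ldap._tcp.Site2._sites.dc._msdcs.company.com", "server2.company.com"),
    ("_ldap._tcp.Site3._sites.dc._msdcs.company.com", "server3.company.com"),
    ("_ldap._tcp.Site3._sites.dc._msdcs.company.com", "server1.company.com"),  # foreign DC, site has its own
    ("_ldap._tcp.Site5._sites.dc._msdcs.company.com", "server1.company.com"),  # Site5 has no DC at all
    ("_ldap._tcp.Site5._sites.gc._msdcs.company.com", "server1.company.com"),
]

# _<service>._tcp.<site>._sites.<dc|gc>._msdcs.<domain>
_SITE_SRV = re.compile(r"^_(ldap|kerberos)\._tcp\.([^.]+)\._sites\.(dc|gc)\._msdcs\.(.+)$", re.I)

LOCAL = "served by its own DC(s)"
COVERED_NO_LOCAL_DC = "served by a remote DC; site has no DC of its own (automatic site coverage)"
REMOTE_WITH_LOCAL_DC = "remote DC registered although the site has its own DC (stale record or manual coverage?)"


def registrations(records):
    """{site: set of target hosts} built from the site-specific _msdcs SRV names only."""
    by_site = defaultdict(set)
    for owner, target in records:
        m = _SITE_SRV.match(owner)
        if m:
            by_site[m.group(2)].add(target.lower())
    return by_site


def site_coverage(records, dc_sites):
    """Classify every site that has SRV registrations, with its local and remote DCs."""
    out = {}
    for site, hosts in sorted(registrations(records).items()):
        local = sorted(h for h in hosts if dc_sites.get(h) == site)
        remote = sorted(h for h in hosts if dc_sites.get(h) != site)
        if not remote:
            kind = LOCAL
        elif local:
            kind = REMOTE_WITH_LOCAL_DC
        else:
            kind = COVERED_NO_LOCAL_DC
        out[site] = {"kind": kind, "local": local, "remote": remote}
    return out


def findings(records, dc_sites):
    """Only the sites where a DC from another site answers for the site."""
    return [(site, info["kind"], info["remote"])
            for site, info in site_coverage(records, dc_sites).items() if info["remote"]]


if __name__ == "__main__":
    for site, kind, remote in findings(SRV_RECORDS, DC_SITES):
        print("%-6s %s: %s" % (site, kind, ", ".join(remote)))
```

Feed it the output of a zone export and the server-object locations from Sites and Services; the domain-wide records without a site component are deliberately ignored, since every DC is expected there.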
RE: [ActiveDir] Storing dates in AD
Joe, You make a good point. What would an LDAP >= filter look like using this data type? I'm familiar with VB and VBScript. So are you saying that I can simply create a date type in script and use ADSI for example and set my variable to the AD attribute and it will convert automatically? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I still don’t think you should use Integer8/FILETIME format to store your date unless you absolutely need to. I think 2.5.5.11 OM 23 or 24 is the way to go. Depending on your API I think you will likely find them to be a better impedance match. The big kicker is if you ever have to use VBScript to do this. VBScript sucks at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant datetime and back. Plus, you’ll get some nicer fidelity in other tools such as ldp and ADSI Edit. Integer8 will just be an opaque number that you need code to interpret. 2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I can’t think of a real compelling reason to use Integer8 unless your code happens to already rely on that. It sounds like it doesn’t. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem. I don't think we'll be on the same system in 2,184, but I don't want to be short sighted :) Does Microsoft still use a 64-bit integer?
That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used.
If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date
Re: [ActiveDir] Compelling arguments?
Joe. What additional permissions are required for disjoint namespaces? You mention more permissions are required on the computer object? Care to expand? Or point to where they are documented? Cheers On Tue, 29 Mar 2005 12:43:10 -0800, Isenhour, Joseph <[EMAIL PROTECTED]> wrote: > If you're also talking about servers don't forget that by default computers > register their SPN using the AD domain name. So if you have a server that > registers HOST/someserver.myadname.net and the server actually resolves to > someserver.mydnszone.net Kerberos will not work for the clients that try to > connect using the DNS name. > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland > Sent: Tuesday, March 29, 2005 7:06 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Compelling arguments? > > > Are there compelling arguments to use the DNS Domain name of your AD Domain > as the primary DNS Suffix versus a different DNS extension from a client > functionality perspective? > > Clients are still able to resolve the AD DNS Domain but most do not use it > as their primary suffix. > > Any thoughts welcome.
RE: [ActiveDir] Storing dates in AD
In an LDAP filter, generalized time and UTC time look like this: (yourTimeAttribute=YYYYMMDDHHMMSS.0Z) As such, they are pretty easy to spit out with code and are also human readable. LDP and ADSI Edit will also show these in a friendly format. With integer8, they look like this: (yourTimeAttribute=125655822921406250) Those are not human readable and require code to interpret. Additionally, the IADsLargeInteger thing is a huge PITA in my book and is worth avoiding for that reason alone if you need to deal with VBScript. In script, generalized time and UTC time are converted by ADSI to and from normal COM variant date times, so in VBS they’ll show up as normal date values. No special processing is required. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 5:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Joe, You make a good point. What would an LDAP >= filter look like using this data type? I'm familiar with VB and VBScript. So are you saying that I can simply create a date type in script and use ADSI for example and set my variable to the AD attribute and it will convert automatically? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I still don’t think you should use Integer8/FILETIME format to store your date unless you absolutely need to. I think 2.5.5.11 OM 23 or 24 is the way to go. Depending on your API I think you will likely find them to be a better impedance match. The big kicker is if you ever have to use VBScript to do this. VBScript sucks at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant datetime and back. Plus, you’ll get some nicer fidelity in other tools such as ldp and ADSI Edit. Integer8 will just be an opaque number that you need code to interpret.
2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I can’t think of a real compelling reason to use Integer8 unless your code happens to already rely on that. It sounds like it doesn’t. Joe K.
RE: [ActiveDir] Storing dates in AD
This is a very good argument for using 2.5.5.11. I've changed my mind. -gil From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED] Sent: Tue 3/29/2005 2:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I still don't think you should use Integer8/FILETIME format to store your date unless you absolutely need to. I think 2.5.5.11 OM 23 or 24 is the way to go. Depending on your API I think you will likely find them to be a better impedance match. The big kicker is if you ever have to use VBScript to do this. VBScript sucks at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant datetime and back. Plus, you'll get some nicer fidelity in other tools such as ldp and ADSI Edit. Integer8 will just be an opaque number that you need code to interpret. 2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I can't think of a real compelling reason to use Integer8 unless your code happens to already rely on that. It sounds like it doesn't. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 3:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem. I don't think we'll be on the same system in 2,184, but I don't want to be short sighted :) Does Microsoft still use a 64-bit integer? That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent. 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code.
I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current sche
RE: [ActiveDir] Storing dates in AD
These are good arguments but I still put my money on int8. However my main coding is in C++ and it is trivial to handle the value and it is immediately in a usable format. Initially it was a pain in the butt because it was new, but I expect more and more tools will become available to decode it. One thing I really like about int8 over the other formats: I want to add 100 days, 14 hours, 35 mins, 30 seconds, and 600ms to a current time. Convert that to 100 nanosecond intervals and simply add to an int8 and you have the new date and don't have to worry about leap days, hours, seconds, etc. You don't need any COM to do it, simple basic API calls. But that is me, I dislike COM with a passion, also ADSI, etc. Of course, like JoeK says, if using vbscript or anything else with binary/integer handling it will be more interesting. Doing stuff from UNIX/perl and filetime is fairly easy as well, you throw an int8 through some basic math and use the ctime function. I have published the algorithm for converting it in perl several times both on this list and in the pubs. I think the argument is similar to why use binary for SDs or SIDs or GUIDs, etc. GUIDs are especially special as you will find them as unicode strings and as binary packs. Whoever is responsible for that could use a good smack. Chase property sets / extended rights some time and you start hating AD a little. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 8:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD In an LDAP filter, generalized time and UTC time look like this: (yourTimeAttribute=YYYYMMDDHHMMSS.0Z) As such, they are pretty easy to spit out with code and are also human readable. LDP and ADSI Edit will also show these in a friendly format. With integer8, they look like this: (yourTimeAttribute=125655822921406250) Those are not human readable and require code to interpret.
Additionally, the IADsLargeInteger thing is a huge PITA in my book and is worth avoiding for that reason alone if you need to deal with VBScript. In script, generalized time and UTC time are converted by ADSI to and from normal COM variant date times, so in VBS they’ll show up as normal date values. No special processing is required. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 5:24 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Joe, You make a good point. What would an LDAP >= filter look like using this data type? I'm familiar with VB and VBScript. So are you saying that I can simply create a date type in script and use ADSI for example and set my variable to the AD attribute and it will convert automatically? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, March 29, 2005 2:41 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I still don’t think you should use Integer8/FILETIME format to store your date unless you absolutely need to. I think 2.5.5.11 OM 23 or 24 is the way to go. Depending on your API I think you will likely find them to be a better impedance match. The big kicker is if you ever have to use VBScript to do this. VBScript sucks at dealing with long integers but happily marshals LDAP 2.5.5.11 to variant datetime and back. Plus, you’ll get some nicer fidelity in other tools such as ldp and ADSI Edit. Integer8 will just be an opaque number that you need code to interpret. 2.5.5.11 values sort and index just fine and allow >= and <= comparisons, so I can’t think of a real compelling reason to use Integer8 unless your code happens to already rely on that. It sounds like it doesn’t. Joe K.
RE: [ActiveDir] Storing dates in AD
I don't believe that is correct. I seem to recall running that clock out once before with a loop and the value didn't stop until well past the year 31,000. Assuming positive and negative numbers I think you can get some value like 9,000,000,000,000,000,000 (it should be something like 9 followed by 18 zeros) into an int8. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Actually I just googled this and found something interesting that I didn't know: Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem. I don't think we'll be on the same system in 2,184, but I don't want to be short sighted :) Does Microsoft still use a 64-bit integer? That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, March 29, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD I think it still depends on how you intend to use the data. For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format. Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer.
To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
RE: [ActiveDir] Storing dates in AD
If you use large int use filetime - the number of 100 nanosecond intervals from Jan 1, 1601. There are some docs (in fact I think there are some typos in Gil's book) that mention the 1970 date but I am not aware of anything in AD that uses anything but filetime. http://msdn.microsoft.com/library/default.asp?url= If you use int8 and don't use filetime, you will have some developer hunt you down most likely later on because their generic function that works on all other int8's doesn't work on yours. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Tuesday, March 29, 2005 4:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate. As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, March 28, 2005 5:33 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick Sent: Monday, March 28, 2005 3:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Storing dates in AD Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11).
If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :) -gil From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph Sent: Monday, March 28, 2005 1:15 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Storing dates in AD I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options. Store it as a long integer. To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works) Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option). Store it as a unicode string and come up with a format like: MMDD[ss][ss] Does anyone have an opinion on how this should be done? Thanks
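The formats argued over in this thread side by side, as an added worked example (Python; this is not code from any of the posters): Integer8/FILETIME conversion in both directions, the FILETIME-to-Unix offset that the perl/ctime approach relies on, the interval arithmetic joe describes, Generalized Time as AD writes it for 2.5.5.11, and the resulting >= filters in both syntaxes. The attribute name myDateAttr is hypothetical. Two facts the code leans on: a FILETIME counts 100 ns ticks from 1601-01-01 UTC, and a signed 64-bit count of those ticks runs out in the year 30828, not 2184.

```python
"""FILETIME (Integer8) versus Generalized Time (2.5.5.11) for a date stored in AD."""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns


def _timedelta_to_ticks(delta):
    """Convert a timedelta to 100 ns ticks with integer arithmetic only (no float rounding)."""
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def to_filetime(dt):
    """Aware datetime -> ticks since 1601-01-01 UTC, the form pwdLastSet and friends use."""
    if dt.tzinfo is None:
        raise ValueError("store UTC only; refusing a naive datetime")
    return _timedelta_to_ticks(dt.astimezone(timezone.utc) - FILETIME_EPOCH)


def from_filetime(ticks):
    """Inverse of to_filetime; sub-microsecond ticks are dropped (datetime has us resolution)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


# The constant that turns a FILETIME into a Unix time: ticks between the two epochs.
EPOCH_DIFF_TICKS = to_filetime(UNIX_EPOCH)  # 116444736000000000


def filetime_to_unix(ticks):
    """FILETIME -> whole seconds since 1970-01-01, ready for ctime()/gmtime()."""
    return (ticks - EPOCH_DIFF_TICKS) // TICKS_PER_SECOND


def add_interval(ticks, **parts):
    """The int8 arithmetic from the thread: turn a duration into ticks and add it.

    parts are timedelta keyword arguments, e.g. days=100, hours=14, milliseconds=600.
    """
    return ticks + _timedelta_to_ticks(timedelta(**parts))


def to_generalized_time(dt):
    """Aware datetime -> Generalized Time as AD emits it for 2.5.5.11, e.g. 20050329143000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def from_generalized_time(text):
    """Parse the '.0Z' form back to an aware UTC datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def ldap_filter_not_before(attr, dt, syntax):
    """Build the >= filter for either storage syntax.

    The Integer8 form is an opaque number; the Generalized Time form is readable as-is.
    """
    if syntax == "integer8":
        return "(%s>=%d)" % (attr, to_filetime(dt))
    if syntax == "generalizedtime":
        return "(%s>=%s)" % (attr, to_generalized_time(dt))
    raise ValueError("unknown syntax: %s" % syntax)


if __name__ == "__main__":
    when = datetime(2005, 3, 29, 14, 30, tzinfo=timezone.utc)
    print(ldap_filter_not_before("myDateAttr", when, "integer8"))
    print(ldap_filter_not_before("myDateAttr", when, "generalizedtime"))
    later = add_interval(to_filetime(when), days=100, hours=14, minutes=35, seconds=30, milliseconds=600)
    print(from_filetime(later).isoformat())
```

Whichever syntax is chosen, refuse to write anything that is not UTC (the `tzinfo is None` check is there for that reason); a local-time value that lands in an Integer8 attribute is indistinguishable from a correct one until someone compares it against pwdLastSet.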
RE: [ActiveDir] Compelling arguments?
I am not sure I follow what you are saying. I have absolutely run in this configuration in a very large widget manufacturer. Hundreds of thousands of hosts. It works fine for the Base OS. Issues tend to crop up from poorly written/tested applications like the ones I mentioned. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Fonseca Sent: Tuesday, March 29, 2005 10:56 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Compelling arguments? Hi, Interesting perspective Joe. One thing that I notice every day is that not all code is prepared for the new features, for example the Domain Controller location process is followed by many processes but not all. For example when you set permissions on a file to a user of another domain the info is first obtained from the DCs in the root domain, not the ones where you are logged on. If you do not use the same FQDN suffixes you will have some things working but others will suffer from slowness. On Tue, 29 Mar 2005 10:29:11 -0500, joe <[EMAIL PROTECTED]> wrote: > Ah you mean DNS disjoint namespace. I know of a couple of large orgs > that do this either because Bind Based DNS is fully deployed to a very > large base and they don't want to change it and/or they feel a machine > in California shouldn't have the same DNS Suffix as a machine in New > York (I tend to be in that category as well - I like geographic based > DNS names). It is supported from an OS standpoint however it requires > some additional perms on the computer objects so the computers can > properly update their SPNs and dNSHostNames (though these aren't > needed for DCs obviously). I don't think it would be very fun to have > some 100,000+ machines all in a DNS zone called ad.company.com. It > almost seemed an attempt to get away from WINS by making DNS act like WINS on a domain by domain basis.
> > The biggest downside to doing this is Microsoft and other software > vendors keep forgetting it is a supported configuration with > applications. Check out MOM2005, the latest SMS whatever that is, some > of the EMC NAS solutions, etc. If you do this, every application that > goes through testing, integration, certification needs to be tested > for disjoint namespace capability. I have seen a couple of occasions > where someone was really bright and set up a disjoint production > namespace but their test environment wasn't disjoint so they would > spend all of this time in test to say something works great and deploy > to production and watch it blow up immediately. > > The other major downside I can think of is around name resolution. If > you aren't using WINS, you better like specifying FQDNs for machines. > This also applies to multidomain forest environments as well as > environments using disjoint namespace though. Personally, I like WINS > (or should I say NBNS as the RFC calls them). I think it got a bum rap > from people who used it and didn't understand how to keep it running > well or those that didn't want, for some reason, to have unique host > names like those folks who think you need a machine named www to host > a website called www.company.com. There have been times I have > actually considered implementing an NBNS in case MS decides to drop > WINS Server from support. Mine would be a little different though, > accepting dynamic updates would be configurable, I see great value in > an NBNS that does not accept client registrations but instead only gives out info put in by an admin. > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brent > Westmoreland > Sent: Tuesday, March 29, 2005 10:06 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Compelling arguments?
> > > Are there compelling arguments to use the DNS Domain name of your AD > Domain as the primary DNS Suffix versus a different DNS extension from > a client functionality perspective? > > Clients are still able to resolve the AD DNS Domain but most do not > use it as their primary suffix. > > Any thoughts welcome.
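The SPN mismatch raised earlier in this thread is cheap to audit from a directory dump: a member computer registers HOST/<NetBIOS name> and HOST/<dNSHostName> for itself, and a client that asks the KDC for a service ticket under a DNS name that is registered on no account gets a principal-unknown error instead of a ticket. The following is an added example (Python), not code from anyone in the thread; the computer records are constructed to stand in for an LDAP search on (objectClass=computer) returning sAMAccountName, dNSHostName and servicePrincipalName, and myadname.net / mydnszone.net are the placeholder names from the quoted post.

```python
"""Flag computers whose HOST SPNs do not cover their registered DNS host name."""

AD_DOMAIN_DNS = "myadname.net"  # the AD domain's DNS name (placeholder from the thread)

# Constructed records; real ones would come from an LDAP search over the domain.
COMPUTERS = [
    {"sAMAccountName": "SRV01$", "dNSHostName": "srv01.myadname.net",
     "servicePrincipalName": ["HOST/SRV01", "HOST/srv01.myadname.net"]},
    # Disjoint name, but the FQDN SPN was registered under the AD domain name instead:
    # Kerberos to someserver.mydnszone.net fails for every client.
    {"sAMAccountName": "SRV02$", "dNSHostName": "someserver.mydnszone.net",
     "servicePrincipalName": ["HOST/SRV02", "HOST/someserver.myadname.net"]},
    # Disjoint name done right: the SPN matches the name clients actually resolve.
    {"sAMAccountName": "SRV03$", "dNSHostName": "fileserver.mydnszone.net",
     "servicePrincipalName": ["HOST/SRV03", "host/FILESERVER.mydnszone.net"]},
]


def is_disjoint(dns_host_name, ad_domain_dns):
    """True when the host's DNS name is not inside the AD domain's DNS namespace."""
    host = dns_host_name.lower()
    domain = ad_domain_dns.lower()
    return not (host == domain or host.endswith("." + domain))


def expected_host_spns(sam_account_name, dns_host_name):
    """The two HOST SPNs a member computer registers for itself: NetBIOS form and FQDN form."""
    netbios = sam_account_name.rstrip("$")
    return {"HOST/" + netbios, "HOST/" + dns_host_name}


def audit_spns(computers, ad_domain_dns):
    """Return one finding per computer that lacks an expected HOST SPN.

    SPN comparison is case-insensitive, as AD treats servicePrincipalName values.
    """
    findings = []
    for c in computers:
        have = {spn.lower() for spn in c["servicePrincipalName"]}
        missing = sorted(spn for spn in expected_host_spns(c["sAMAccountName"], c["dNSHostName"])
                         if spn.lower() not in have)
        if missing:
            findings.append({
                "computer": c["sAMAccountName"],
                "dNSHostName": c["dNSHostName"],
                "disjoint": is_disjoint(c["dNSHostName"], ad_domain_dns),
                "missing": missing,
            })
    return findings


if __name__ == "__main__":
    for f in audit_spns(COMPUTERS, AD_DOMAIN_DNS):
        print(f)
```

In a disjoint namespace the finding for SRV02 is the one to expect when the computer account lacks the rights to rewrite its own SPNs and dNSHostName, which is the permission point joe raises above; a computer inside the AD namespace with the same gap usually indicates a manual SPN edit or a renamed host rather than a namespace problem.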
RE: [ActiveDir] Compelling arguments?
Remember, my experience is mostly Fortune 50 and better. Most of the last ten years was Fortune 5 or greater. Today I spent 10.5 hours at a (I think) Fortune 2 company - another widget maker. Not AD work though thank god, it was to consult on some Windows OS level stuff and some issues encountered getting some probe based monitoring working with an app running on it. Last time I talked to someone about it, their AD environment was best classified as a military term that you can't say in mixed company. These environments are to the size that say a single DNS domain for North America is 100,000+ hosts, do you really want 100,000+ hosts in a DNS Zone? If so great! How are you delegating that management? If you have a solution, great! In those environments though it is almost certain DNS is being managed in some decentralized fashion and very likely is Bind based or at least running on UNIX and has been for a long long time. Heck a single DataCenter itself may be divvied up into 3-4-5 DNS Zones for management by different groups. The times I have seen Windows DNS in these environments is with small pocket deployments, not big centralized configurations. Generally it is Shadow IT running around and central IT is trying to stamp them out anyway. Oh, you may have the underscore zones delegated off to Windows, that is done as well. I like being able to look at a hostname and knowing where in the world the machine is. Would I do this in some small company of 5000-1 hosts in one building? No, highly doubtful. But the more decentralized the environment in terms of machine locations and host management, the more I would be looking in that direction. Overall, I care about DNS resolving correctly but I don't have some innate need for it to run on Windows. In fact, in these large environments I kind of like letting someone else manage it. Integrated DNS has always bothered me, the implicit circular logic there.
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Tuesday, March 29, 2005 12:29 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Compelling arguments? Agreed. I'd love to get more info on your view on that though; get some more details of how you would set it up in that type of environment given the chance ;) The issue of geographic DNS isn't something I'd thought of unless it was also attached to a multi domain geographic type forest (NA, Asia, Europe etc.) Phil On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland <[EMAIL PROTECTED]> wrote: > As always, thanks for the thorough reply, mate...
RE: [ActiveDir] Compelling arguments?
Ah, not really for hire. Well, unless someone wants to hire me away from my current employer, which I am sure they wouldn't be happy about. I am not saying it can't be done; I will do all sorts of things for good money and a fun position. My main requirements are being very well paid, very little travel, work from home, you get a hold of me via email - not pager, not cell. I am in a pretty comfy spot right now for all of that. I actually had a headhunter who claimed he represented Dell emailing me a month or three ago. I asked to hear the ball park number and the headhunter just kept saying call me, I was being asked for by name. I don't like phones, ask anyone who knows me. Phones are archaic sync'ed communications devices that do not scale well globally (you think otherwise, try getting US East Coast, US West Coast, England, Germany, Singapore, Australia, and New Zealand easily onto a single con call). I spend enough time on con calls, I try to avoid it all the rest of the times. My home phone has the ringer off, my personal cell phone usually isn't anywhere near me, my work cell phone is only near me during business hours and someone has to have the number given to them or they need to open the full properties of my GAL entry.

Anyway, Al, let me know if the reasons given for regional in the previous email make sense or not. I agree, company goals would be paramount.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Phil, you know he's for hire right? He has a "p*mp" and everything last I heard. :) That said, it is interesting to see a regional specific approach to name resolution. Some like it, some don't. I'd be interested to hear why, Joe, because I think it would depend on the company goals whether or not that would make sense.
RE: [ActiveDir] Compelling arguments?
> The lesson here is to determine which to do and implement
> without exception. The problem with doing it after the
> fact is that you WILL break something.

Ding ding ding, we have a winner... Exactly. You will break something and no matter what you do, someone will be pissy about it. The UNIX folks coming in tend to be happy with the broken up zoning, the Windows guys coming in tend to hate it. However I haven't had many good Windows people come in the door off the street so it is generally easier to dismiss them. Actually any more I am getting more and more to the point where I look at a UNIX person as someone that can be trained to do well on Windows Servers and Windows people are someone that can work the help desk. Yeah, cynical I know. :op Come on Server Foundation.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, March 29, 2005 1:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Our existing setup involves exactly as described by joe: BIND servers at the root that feed down to further BIND servers at each location, with the exception of the Americas. The Americas have a majority of Win2k DNS servers but also some BIND. So you may have AD domains of americas.corp.com, europe.corp.com, and asiapacific.corp.com. You then have locations within americas like Buenos Aires, São Paulo, New York City. So you have site codes bue, spo, and nyc, with DNS domains for each location of bue.sub, spo.sub, and nyc.sub, with the sub domain being delegated from the central BIND server to the localized servers.

Our situation is that our client services team prefers to use the AD domain for resolution of client names, our colleagues in different areas prefer to use the BIND services for many applications, so what we end up with is a mixed implementation and inconsistent client settings inside the organization that lead to one machine having a need for a static entry in the localized DNS while the machine updates its hostname in the AD domain automagically. Now we have two host records for the same machine, and an inconsistent PTR record as well. We have UNIX based apps that implement a TCP wrapper to determine a machine's identity, but because there are different settings or duplicates in the localized DNS, AD DNS, and the PTR records, the application breaks upon forward and reverse lookup (whoever thought it was a good idea to use DNS as a security mechanism should be choked).

The lesson here is to determine which to do and implement without exception. The problem with doing it after the fact is that you WILL break something.
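The forward/reverse breakage described in the message above (one machine with a static A record in the localized zone, a dynamic A record in the AD zone, and a PTR that agrees with at most one of them) is the kind of thing worth auditing before any application relies on reverse lookups for identity. The script below is an added example, not code from the thread or from any of the posters; it models the zones as in-memory tables (constructed data, hypothetical names and addresses; a real run would query the zones) and performs the same forward-confirmed reverse check a tcp_wrappers-style PARANOID setting does, flagging the duplicate-record and missing-PTR cases.

```python
"""Forward/reverse DNS consistency audit.

Added example, not code from the ActiveDir thread. Models the failure mode
from the message above: one host with an A record in a locally managed BIND
zone and another in the AD-integrated zone, with a PTR that matches only one
of them. A TCP-wrapper style forward-confirmed reverse lookup then fails.
All zone data is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed zone data: two forward zones managed by different teams and
# one reverse zone. Real code would query them with a resolver library.
FORWARD_ZONES: Dict[str, Dict[str, Set[str]]] = {
    "nyc.corp.com": {                # localized BIND zone, static entries
        "app01.nyc.corp.com": {"10.1.1.20"},
        "db01.nyc.corp.com": {"10.1.1.30"},
    },
    "americas.corp.com": {           # AD-integrated zone, dynamic updates
        "app01.americas.corp.com": {"10.1.1.20"},
        "db01.americas.corp.com": {"10.1.1.31"},   # stale dynamic record
    },
}
REVERSE_ZONE: Dict[str, Set[str]] = {
    "10.1.1.20": {"app01.nyc.corp.com"},
    "10.1.1.30": {"db01.nyc.corp.com"},
    "10.1.1.31": set(),                           # no PTR at all
}


@dataclass
class HostReport:
    ip: str
    ptr_names: Set[str]
    forward_names: Set[str]           # every FQDN whose A record points at ip
    problems: List[str] = field(default_factory=list)


def forward_names_for(ip: str) -> Set[str]:
    """All FQDNs in any forward zone that resolve to ip."""
    return {name for zone in FORWARD_ZONES.values()
            for name, addrs in zone.items() if ip in addrs}


def fcrdns_ok(ip: str) -> bool:
    """Forward-confirmed reverse DNS: some PTR name must resolve back to ip.

    This is the check a tcp_wrappers PARANOID setting performs before it
    trusts the client's name."""
    for name in REVERSE_ZONE.get(ip, set()):
        for zone in FORWARD_ZONES.values():
            if ip in zone.get(name, set()):
                return True
    return False


def audit_ip(ip: str) -> HostReport:
    rep = HostReport(ip, set(REVERSE_ZONE.get(ip, set())), forward_names_for(ip))
    if not rep.ptr_names:
        rep.problems.append("no PTR record")
    elif not fcrdns_ok(ip):
        rep.problems.append("PTR does not forward-confirm")
    # The same short host name registered under more than one zone for this IP
    # is the "two host records for the same machine" case.
    shorts = {n.split(".")[0] for n in rep.forward_names}
    if len(rep.forward_names) > len(shorts):
        rep.problems.append("duplicate host records across zones")
    unmatched = rep.forward_names - rep.ptr_names
    if unmatched:
        rep.problems.append("A records with no matching PTR: "
                            + ", ".join(sorted(unmatched)))
    return rep


def audit_all() -> Dict[str, List[str]]:
    """Problem list per address, across every address seen in any zone."""
    ips = set(REVERSE_ZONE) | {ip for z in FORWARD_ZONES.values()
                               for addrs in z.values() for ip in addrs}
    return {ip: audit_ip(ip).problems for ip in sorted(ips)}


if __name__ == "__main__":
    for ip, problems in audit_all().items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

On the constructed data, 10.1.1.30 passes, 10.1.1.20 is flagged for the duplicate app01 records (the PTR only confirms the BIND name), and 10.1.1.31 is flagged for the stale dynamic record with no PTR behind it.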
RE: [ActiveDir] Compelling arguments?
The permission mod you need to make is to correct this: http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers, don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net, Kerberos will not work for the clients that try to connect using the DNS name.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS domain name of your AD domain as the primary DNS suffix versus a different DNS extension from a client functionality perspective? Clients are still able to resolve the AD DNS domain but most do not use it as their primary suffix. Any thoughts welcome.
RE: [ActiveDir] Compelling arguments?
http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: Tuesday, March 29, 2005 7:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Joe, what additional permissions are required for disjointed namespaces? You mention more permissions are required on the computer object? Care to expand? Or point to where they are documented?

Cheers
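The SPN problem Joseph describes in the earlier message (a host registers HOST/someserver.myadname.net but clients connect to someserver.mydnszone.net, so the KDC has no account holding the requested SPN) is easy to audit from an export of computer objects. The routine below is an added example, not code from the thread or from Microsoft: it takes a constructed list of computer objects with the attributes AD actually carries (sAMAccountName, dNSHostName, servicePrincipalName) plus the names clients really use, and reports which accounts are disjoint and which HOST SPNs are missing. Domain names, hosts and SPNs are hypothetical.

```python
"""Disjoint-namespace SPN audit.

Added example, not part of the thread. A domain member registers HOST/<name>
SPNs built from the AD domain's DNS name, so a client connecting by a name in
a different DNS zone requests a ticket for an SPN no account holds and
Kerberos fails. Given an export of computer objects (constructed here; a real
run would come from adfind/ldifde/LDAP) and the names clients use, report
which hosts need additional SPNs. All names are hypothetical.
"""
from typing import Dict, List, Set

AD_DOMAIN = "myadname.net"

# Constructed export: attributes as they would appear on the computer object.
COMPUTERS: List[Dict[str, object]] = [
    {"sAMAccountName": "SOMESERVER$",
     "dNSHostName": "someserver.myadname.net",
     "servicePrincipalName": {"HOST/SOMESERVER", "HOST/someserver.myadname.net"}},
    {"sAMAccountName": "FIXED$",
     "dNSHostName": "fixed.mydnszone.net",        # primary suffix already changed
     "servicePrincipalName": {"HOST/FIXED", "HOST/fixed.mydnszone.net",
                              "HOST/fixed.myadname.net"}},
]

# Names clients actually use (e.g. from the BIND zone), keyed by short host name.
CLIENT_NAMES: Dict[str, Set[str]] = {
    "someserver": {"someserver.mydnszone.net"},
    "fixed": {"fixed.mydnszone.net"},
}


def short_name(computer: Dict[str, object]) -> str:
    """SOMESERVER$ -> someserver."""
    return str(computer["sAMAccountName"]).rstrip("$").lower()


def spn_matches(spns, fqdn: str) -> bool:
    """The KDC matches the SPN string case-insensitively."""
    return any(str(s).lower() == f"host/{fqdn.lower()}" for s in spns)


def missing_spns(computer: Dict[str, object]) -> List[str]:
    """HOST SPNs the account lacks for the FQDNs clients use to reach it."""
    spns = computer["servicePrincipalName"]
    return [f"HOST/{fqdn}"
            for fqdn in sorted(CLIENT_NAMES.get(short_name(computer), set()))
            if not spn_matches(spns, fqdn)]


def is_disjoint(computer: Dict[str, object]) -> bool:
    """dNSHostName does not sit under the AD domain's DNS name."""
    return not str(computer["dNSHostName"]).lower().endswith("." + AD_DOMAIN)


def audit() -> Dict[str, Dict[str, object]]:
    """Per host: whether it is disjoint, and the SPNs that must be added."""
    return {short_name(c): {"disjoint": is_disjoint(c), "add": missing_spns(c)}
            for c in COMPUTERS}


if __name__ == "__main__":
    for host, r in audit().items():
        print(host, "disjoint" if r["disjoint"] else "matching",
              "needs:", r["add"] or "nothing")
```

For every entry in the "add" list the fix on the real account is setspn -A HOST/someserver.mydnszone.net SOMESERVER (or letting the machine re-register once dNSHostName can be set to the other suffix, which is what the KB article's permission change allows).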
RE: [ActiveDir] AD Site Confusion
Jorge keeps saying it in different ways and I think people are missing the point... The coverage of neighboring sites occurs when there is no DC in the site; it doesn't occur when a site's DCs are down. This is all keyed off of the site containers in the configuration. I have seen DCs being promoed into a domain in a site and the DCs from other sites unregistering their records in that site before the DC is even promoed up, all because the server object in the site already replicated around.

So as Jorge has said: look up local site DCs by DNS queries to site based entries for the domain. If none of those DCs are cool, ask for the global list of all DCs for the domain and use one of those. It isn't the most efficient and you will find odd things like clients in Florida hitting DCs in Seattle when there is another DC in another city in Florida that would be better to use. The idea seems to be if you can't use a DC in your site, screw it, use any DC that responds. This is one of the reasons why Exchange doesn't really use the standard mechanism for DC/GC service location. They walk the metrics of the site connections trying to find the closest.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate) they will first try to reach the DCs in their own site (site A). As all DCs are down in site A the clients then will ask for all DCs in the domain that have registered the domain specific DNS records. For more info on this see:

* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935 Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html Designing for DC Failover by Sean Deuby

Autositecoverage only works for DC-less sites.
So yes, it behaves differently for situation 1 (autositecoverage will occur) and 2 (no autositecoverage will occur).

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, 29 March 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge. Are you implying that the answer to the original question is therefore 'no'? This has huge ramifications in the branch office. Or did I simply explain how the answer is 'yes', but for the wrong reasons?? Are you also saying that DCs (and sitecoverage) handle the following 2 scenarios in different ways:

1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil
RE: [ActiveDir] Accounts disappearing from AD
Yeah, adfind will look at deleted objects. Do a search like

adfind -showdel -b dc=domain,dc=com -f name=name*

So for instance if I am looking for the account joedeletetest:

F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest*

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>distinguishedName: CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330052811.0Z
>uSNCreated: 1773671
>isDeleted: TRUE
>uSNChanged: 1773678
>name: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 512
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>sAMAccountName: joedeletetest
>lastKnownParent: CN=Users,DC=joe,DC=com
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned

Note I was logged onto the domain I wanted to look in so I could shortcut -b dc=domain,dc=com with -default. You will note that the name is the old name with \0ADEL:OBJECTGUID so you will need to say name*. You could also do samaccountname=userid if you want though. whenChanged will tell you when it was deleted. If you have 2K3 you can look at the msDS-ReplAttributeMetaData which will tell you where the object was deleted at.

F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* msDS-ReplAttributeMetaData

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>msDS-ReplAttributeMetaData: objectCategory 2 2005-03-30T05:28:11Z d69be175-f343-4937-95d5-aa9efb2fa32b 1773678 1773678 CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>msDS-ReplAttributeMetaData: lastKnownParent 1 2005-03-30T05:28:11Z d69be175-f343-4937-95d5-aa9efb2fa32b 1773678 1773678 CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com

Just look at the originating DSA for the lastKnownParent attribute. Also if you have 2K3, you can use admod to restore that ID back and maintain the current SID; however anything scrubbed in the delete process you will need to put back manually, like group memberships, etc.

[Wed 03/30/2005 0:32:46.26]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* -dsq |admod -undel

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=joedeletetest\0adel:5ebbc64e-41ed-4e9d-9776-c13827a31197,cn=deleted objects,dc=joe,dc=com...

The command completed successfully

[Wed 03/30/2005 0:36:50.23]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest
>distinguishedName: CN=joedeletetest,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330053650.0Z
>uSNCreated: 1773671
>uSNChanged: 1773719
>name: joedeletetest
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 514
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 0
>pwdLastSet: 0
>primaryGroupID: 513
>operatorCount: 0
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>adminCount: 0
>accountExpires: 0
>logonCount: 0
>sAMAccountName: joedeletetest
>sAMAccountType: 805306368
>lastKnownParent: CN=Users,DC=joe,DC=com
>objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330053650.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD

How do you know when the accounts went missing?
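When you are chasing a disappearing account across several DCs, the piece of joe's output that matters is the originating DSA and timestamp on the attributes a delete stamps. The script below is an added example, not code from the thread or from AdFind: it parses the decoded msDS-ReplAttributeMetaData lines in the form AdFind prints above (attribute, version, timestamp, originating DSA invocation ID, originating USN, local USN, originating DSA DN) and answers "which DC, and when" for the delete. The two sample lines are copied from the output above; the isDeleted line is constructed to match, and the DC and site names belong to joe's lab, not to any real forest.

```python
"""Deletion provenance from AdFind's decoded msDS-ReplAttributeMetaData.

Added example; not part of the thread or of AdFind. Parses the attribute
metadata lines as AdFind prints them and reports on which DC, and when, the
delete originated. The sample lines are copied from the thread; the isDeleted
line is constructed to match them.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class AttrMeta:
    attribute: str
    version: int
    changed: datetime          # UTC time of the last originating write
    invocation_id: str         # invocation ID of the originating DSA
    originating_usn: int
    local_usn: int
    originating_dsa: str       # DN of the originating NTDS Settings object


def parse_meta_line(line: str) -> AttrMeta:
    """Parse one '>msDS-ReplAttributeMetaData: ...' line from AdFind output."""
    prefix = ">msDS-ReplAttributeMetaData:"
    if not line.startswith(prefix):
        raise ValueError(f"not a metadata line: {line[:40]!r}")
    # The DSA DN contains spaces ("CN=NTDS Settings"), so split only the
    # first six whitespace-separated fields and keep the rest as the DN.
    parts = line[len(prefix):].split(None, 6)
    if len(parts) != 7:
        raise ValueError(f"unexpected field count {len(parts)}: {line[:60]!r}")
    attr, ver, ts, inv, ousn, lusn, dsa = parts
    changed = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AttrMeta(attr, int(ver), changed, inv, int(ousn), int(lusn), dsa.strip())


def dsa_server_name(dsa_dn: str) -> str:
    """CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,... -> '2K3DC01 (MainSite)'."""
    rdns = [p.split("=", 1)[1] for p in dsa_dn.split(",")]
    return f"{rdns[1]} ({rdns[3]})"


def deletion_origin(lines: Iterable[str]) -> Optional[Dict[str, object]]:
    """Where and when the delete originated, or None if no delete-stamped attribute is present.

    A delete stamps isDeleted and lastKnownParent in the same originating
    write, so either carries the answer; isDeleted is preferred and
    lastKnownParent (the attribute joe points at) is the fallback.
    """
    metas = {m.attribute: m for m in map(parse_meta_line, lines)}
    m = metas.get("isDeleted") or metas.get("lastKnownParent")
    if m is None:
        return None
    return {"dc": dsa_server_name(m.originating_dsa), "when": m.changed,
            "usn": m.originating_usn, "invocation_id": m.invocation_id}


# Two lines copied from the AdFind output above plus a constructed isDeleted line.
SAMPLE_OUTPUT: List[str] = [
    ">msDS-ReplAttributeMetaData: objectCategory 2 2005-03-30T05:28:11Z d69be175-f343-4937-95d5-aa9efb2fa32b 1773678 1773678 CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com",
    ">msDS-ReplAttributeMetaData: lastKnownParent 1 2005-03-30T05:28:11Z d69be175-f343-4937-95d5-aa9efb2fa32b 1773678 1773678 CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com",
    ">msDS-ReplAttributeMetaData: isDeleted 1 2005-03-30T05:28:11Z d69be175-f343-4937-95d5-aa9efb2fa32b 1773678 1773678 CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com",
]

if __name__ == "__main__":
    print(deletion_origin(SAMPLE_OUTPUT))
```

Once you have the originating DC and time, the Security log on that DC (object deletion auditing, around that timestamp) is where the account that issued the delete will show up; the metadata only tells you which DC's log to read.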
RE: [ActiveDir] Accounts disappearing from AD
I have never seen an object disappear that wasn't deleted by some process, script, tool, or some admin...

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, March 29, 2005 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Accounts disappearing from AD

In the past 2 months I've had 4 accounts that have just disappeared without a trace from AD. I've turned up auditing on all my domain controllers but I haven't been able to find anything relevant. I have 4 offices in WA, CA, NC, and NY; I did have some replication errors but they have been fixed and none of the errors went past 60 days. I also don't have a lot of group policies running or scripts that run (I just recently inherited this environment); also I've made sure only a select few people have rights to the directory. Has anyone seen this or had accounts that just seem to vanish?

Thanks in advance.

Mike
RE: [ActiveDir] AD/ Virus outbreak
1. Don't log into servers to do daily work; learn how to do things with remote interfaces.
2. Do not run IE, OE, or pretty much any app interactively on servers.
3. Do not log into workstations with IDs that have admin rights on servers; use RUNAS or scripts that require you to specify the creds, etc. Even avoid fixed drive letters to DCs with admin creds; use UNCs if you want to use NET USE /USER.
4. Do not allow normal users to write to the file systems of a DC.
5. Keep DCs fully patched and do not run unnecessary services.

Quite honestly, you really shouldn't need to run AV software on DCs; there shouldn't be vectors for them to be infected. If they get infected, it usually means an admin was careless - actually in every case of an infected DC I have investigated it has been an admin being careless.

Yes, you can put all roles on one DC. In an empty root I would have done it already anyway and would have made all DCs in the empty root GCs most likely as well.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately the 3 root DC's were not running a virus client, totally missed anyway. Looks like it is using known Windows exploitability to drop files and what not. 2 of the 3 seem to be infected (the ones with the Schema Master & DNM and PDCE). If I have to rebuild, can I at least for the interim transfer the above roles on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,
RE: [ActiveDir] Accounts disappearing from AD
Neither have I, which is why I'm so concerned!! I'm auditing everything and still nothing that points to a malicious account deletion. The only thing that I can think of is that with the file replication errors the forest was having, some accounts reached their tombstone period and were disabled, then they were possibly deleted by a local admin.

Thanks
Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Accounts disappearing from AD
[ActiveDir] Proxys and users, and ieak
Hello,

Can I configure different proxies for different users with Group Policy? And the other question is whether I can substitute our IEAK config file with Group Policy.

Thanks,
Sergio Sánchez
www.epes.es
RE: [ActiveDir] AD Site Confusion
Thanks joe!

An additional comment to:

> If none of those DCs are cool, ask for the global list of all DCs for the domain and use one of those. It isn't the most efficient and you will find odd things like clients in Florida hitting DCs in Seattle when there is another DC in another city in Florida that would be better to use. The idea seems to be if you can't use a DC in your site, screw it, use any DC that responds

The latter could be optimized: when a client asks for the global list of all DCs for the domain (= all DCs that have registered the domain specific resource records), the list is ordered, relative to the client's site, from the lowest site cost (on top of the list) to the highest site cost. This way it will try the nearest DCs and, if those are not available, the DCs that are further away, etc. Maybe in the "longhorn timeframe" ;-)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 07:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion
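The behaviour joe describes in the earlier AD Site Confusion reply (site-specific SRV lookup, then the domain-wide list and whichever DC answers), the coverage rule Jorge keeps restating (a site gets covered only when it has no DC objects in the configuration, regardless of whether its DCs are up), and Jorge's cost-ordered fallback above are small enough to model in one place. The script below is an added example, not code from the thread or from Windows; it is a simplified model of the locator, not the real DsGetDcName logic. Sites, link costs, DC names, and which DCs are "alive" are constructed to reproduce the original question: site A has two registered DCs that are both down, site D has none.

```python
"""DC locator behaviour vs. automatic site coverage (simplified model).

Added example, not code from the thread or from Windows. Models the locator
as joe describes it (site SRV records first, then the domain-wide list) and
automatic site coverage as Jorge describes it (computed from site objects in
the configuration, not from DC availability). cost_ordered_fallback is the
refinement Jorge proposes. Topology and DC names are constructed.
"""
import heapq
from typing import Dict, List, Optional, Set, Tuple

DOMAIN = "example.corp"

# Constructed topology: DC objects per site (what the config partition says),
# site links with costs, and which DCs currently answer an LDAP ping.
SITE_DCS: Dict[str, List[str]] = {
    "SiteA": ["dc-a1", "dc-a2"],   # registered, but both powered off below
    "SiteB": ["dc-b1"],
    "SiteC": ["dc-c1"],
    "SiteD": [],                   # DC-less: eligible for automatic coverage
}
SITE_LINKS: List[Tuple[str, str, int]] = [
    ("SiteA", "SiteB", 300),
    ("SiteA", "SiteC", 100),
    ("SiteB", "SiteC", 100),
    ("SiteD", "SiteC", 50),
]
ALIVE: Set[str] = {"dc-b1", "dc-c1"}


def site_costs(origin: str) -> Dict[str, int]:
    """Dijkstra over site links: cheapest cost from origin to each site."""
    adj: Dict[str, List[Tuple[str, int]]] = {s: [] for s in SITE_DCS}
    for a, b, cost in SITE_LINKS:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    dist = {origin: 0}
    heap = [(0, origin)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist.get(s, float("inf")):
            continue
        for nxt, c in adj[s]:
            if d + c < dist.get(nxt, float("inf")):
                dist[nxt] = d + c
                heapq.heappush(heap, (d + c, nxt))
    return dist


def auto_site_coverage(site: str) -> List[str]:
    """DCs that register site-specific SRV records for `site`.

    A site with DC objects is served by its own DCs whether they are up or
    not; only a DC-less site is covered, by the DCs of the cheapest site that
    has any. Availability is never consulted, which is the whole point.
    """
    if SITE_DCS[site]:
        return list(SITE_DCS[site])
    costs = site_costs(site)
    candidates = [(c, s) for s, c in costs.items() if s != site and SITE_DCS[s]]
    if not candidates:
        return []
    _, best = min(candidates)
    return list(SITE_DCS[best])


def srv_records(domain: str) -> Dict[str, List[str]]:
    """The LDAP SRV names a DC-registered zone would hold (simplified)."""
    records = {f"_ldap._tcp.dc._msdcs.{domain}":
               [dc for dcs in SITE_DCS.values() for dc in dcs]}
    for site in SITE_DCS:
        records[f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] = auto_site_coverage(site)
    return records


def locate_dc(client_site: str) -> Optional[str]:
    """Standard locator: site-specific SRV first, then the domain-wide list."""
    dns = srv_records(DOMAIN)
    for name in (f"_ldap._tcp.{client_site}._sites.dc._msdcs.{DOMAIN}",
                 f"_ldap._tcp.dc._msdcs.{DOMAIN}"):
        for dc in dns.get(name, []):
            if dc in ALIVE:           # stands in for the LDAP ping
                return dc
    return None


def cost_ordered_fallback(client_site: str) -> List[str]:
    """Jorge's proposal: the domain-wide list sorted by site cost from the client."""
    costs = site_costs(client_site)
    return [dc for _, site in sorted((costs.get(s, 1 << 30), s) for s in SITE_DCS)
            for dc in SITE_DCS[site]]


def locate_dc_cost_ordered(client_site: str) -> Optional[str]:
    """First reachable DC when the fallback list is cost ordered."""
    return next((dc for dc in cost_ordered_fallback(client_site) if dc in ALIVE), None)


if __name__ == "__main__":
    print("SiteA coverage:", auto_site_coverage("SiteA"))   # its own dead DCs
    print("SiteD coverage:", auto_site_coverage("SiteD"))   # covered from SiteC
    print("client in SiteA gets:", locate_dc("SiteA"))
    print("cost ordered it would get:", locate_dc_cost_ordered("SiteA"))
```

With the constructed costs, a client in SiteA still logs on (it falls through to the domain-wide list and lands on dc-b1, the "Seattle" DC), while the cost-ordered list would have handed it dc-c1, the nearer one; SiteD, which has no DC objects, is the only site that gets covered.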
RE: [ActiveDir] AD/ Virus outbreak
Try to sync the non-infected DC from the infected DCs (as they are the inbound replication partners for the non-infected DC), then transfer the FSMO roles from the infected DCs to the non-infected DC. From there you can do it in two ways:

* Clean the infected DCs (offline) by installing antivirus software with the latest virus definition files, OR
* Kill the DCs, clean up the metadata for those DCs, rebuild them and finally transfer the FSMO roles back accordingly.

Before killing the DCs you could install an additional (safety) DC so that after you remove/kill the infected DCs your forest root domain still has 2 DCs. Reason: if you only have one DC for your root domain and that one also dies, then your forest is dead and needs to be rebuilt unless you have good backups for your forest root DCs.

In my opinion each Windows machine connected to the network (and I don't care what role or function it has!) should (MUST) have the latest virus scan engine and definitions, and each Windows machine should be patched to the latest possible security patches! Two measures that will mitigate the risk of security problems and virus attacks (locally or remotely) on Windows machines connected to the network.

Cheers
Jorge
RE: [ActiveDir] DNS should point to...?
The DNS island issue occurs only in Windows 2000 domains being the forest root domain.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paresh Nhathalal
Sent: Tuesday, March 29, 2005 19:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS should point to...?

On DCs running DNS - point primary DNS to itself and secondary DNS to a nearest site or hub DNS server. Be aware of the DNS Island issue in Windows 2000 though!

Paresh

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: 29 March 2005 18:47
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS should point to...?

http://www.ultratech-llc.com/KB/?File=ADNetwork.TXT

No, DNS servers should not only point to themselves. See above.

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On Tue, 29 Mar 2005 09:31:59 -0800, Noah Eiger <[EMAIL PROTECTED]> wrote:
> Hi -
>
> I have just been brought into a situation where a client has several poorly
> connected (VPN and slow connections to the Internet) sites in a single W2k
> domain. Each site has a single DC that runs AD-integrated DNS. Previously,
> most of the DCs had tombstoned. Microsoft walked the in-house guy through
> demoting and re-promoting everything.
>
> The question is this: where should each DC's DNS point? I have always
> thought they should point to themselves and only themselves. The DNS server
> forwards to the Internet (as everything is poorly connected). The in-house
> tech said Microsoft told him to point each DC's primary DNS to the FSMO-role
> holder and then to itself as secondary.
>
> Any thoughts?
>
> -- nme
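A way to audit what the thread argues about, as an added example rather than anything a poster wrote: it lists the DNS client servers configured on every DC and flags any DC that points only to itself (the "island" pattern) or has no second server. It assumes a current domain with the ActiveDirectory and DnsClient modules and WinRM access to each DC.

```powershell
# Added example (not from the thread). Report each DC's DNS client settings and
# flag the configurations the thread warns about.
Import-Module ActiveDirectory

function Get-DcDnsClientReport {
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Gather the IPv4 DNS servers of every interface on the DC, in configured order
        $servers = @(Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses.Count -gt 0 } |
                ForEach-Object { $_.ServerAddresses }
        } | Select-Object -Unique)

        # Addresses that mean "myself" for this DC
        $self   = @('127.0.0.1', $dc.IPv4Address)
        $others = @($servers | Where-Object { $self -notcontains $_ })

        if ($servers.Count -eq 0) {
            $status = 'NO DNS SERVERS CONFIGURED'
        } elseif ($others.Count -eq 0) {
            $status = 'ONLY ITSELF: no fallback if its own DNS service is down'
        } elseif ($self -contains $servers[0]) {
            $status = 'ok: itself first, other server(s) as fallback'
        } else {
            $status = 'itself is not primary: ' + $servers[0] + ' is queried first'
        }

        [pscustomobject]@{
            DC     = $dc.HostName
            Site   = $dc.Site
            DNS    = ($servers -join ', ')
            Status = $status
        }
    }
}

Get-DcDnsClientReport | Format-Table -AutoSize
```

Whether "itself first" is the right answer for a given forest is exactly what the posters above disagree on; the report only shows which DCs would be left without any working resolver if their own DNS service stopped.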
