RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread Lee, Wook
Title: Storing dates in AD

What that Google doesn't tell you is that NT got it because Dave Cutler used it in his other operating system, VMS. It probably has its origins even before VMS, though I'd have to check to be sure. We ex-Digits (a.k.a. DECcies, oddly enough) have been using 64-bit integers for time for years. The 100 nanosecond interval is referred to as a "clunk" in VMS internals documentation.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Actually I just googled this and found something interesting that I didn't know:

Windows NT uses a 64-bit integer to track time. However, it uses 100 nanoseconds as its increment and the beginning of time is January 1, 1601, so NT suffers from the Year 2184 problem.

I don't think we'll be on the same system in 2184, but I don't want to be short-sighted :) Does Microsoft still use a 64-bit integer?

That's a good point Al, the date is not going to be compared to the other date types in AD so I suppose it really doesn't matter. I may go with the NT date just to be consistent.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I think it still depends on how you intend to use the data.

For example, if you're going to pull other information of similar type (maybe pwdLastSet?) it would make sense to use the same format.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically, so from what Gil said it sounds like the large integer method is appropriate. As a follow-up question, do you think I should use nanoseconds from Jan 2, 1970 (UNIX style) or January 1, 1601 (the date used by pwdLastSet)?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)

-gil

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension. I need to store a date type in AD. I figure I have several options.

1. Store it as a long integer. To determine the date the consumer will need to count the nanoseconds from a certain date (the way that pwdLastSet works).

2. Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).

3. Store it as a unicode string and come up with a format like: MMDD[ss][ss]

Does anyone have an opinion on how this should be done?

Thanks
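
The conversions this thread keeps circling, as an added Python example that is not code from the list or from any of the posters: FILETIME (the 64-bit count of 100 ns ticks since January 1, 1601 UTC that pwdLastSet uses), Unix epoch seconds, and the Generalized Time string syntax (2.5.5.11) Gil mentions. The function names are the example's own, not a Windows or AD API; the 2005 sample date is constructed. The one piece of AD behaviour it relies on beyond the thread is that accountExpires stores 0 or the largest positive int64 to mean "never", which is why that value is caught before conversion (it is year 30828, beyond what Python's datetime can hold).

```python
"""Timestamp conversions for an AD schema extension: FILETIME ticks, Unix
seconds and LDAP Generalized Time. Added example; names are the author's own."""
from datetime import datetime, timedelta, timezone

TICKS_PER_SECOND = 10_000_000                      # one tick = 100 ns
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# 11644473600 seconds separate the two epochs; in ticks that is 116444736000000000.
EPOCH_DELTA_TICKS = int((UNIX_EPOCH - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND
# accountExpires uses 0 or the largest positive int64 for "never expires".
# (pwdLastSet gives 0 a different meaning: "must change password at next logon".)
NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF


def datetime_to_filetime(dt: datetime) -> int:
    """Timezone-aware datetime -> FILETIME ticks. Naive values are refused:
    the directory should only ever hold UTC, as joe says."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: convert to UTC before storing in AD")
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    # timedelta resolves microseconds, so there are 10 ticks per microsecond.
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime; anything finer than 1 us is truncated."""
    if ticks < 0:
        raise ValueError("negative FILETIME is not a calendar date")
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)


def filetime_to_unix(ticks: int) -> float:
    """FILETIME ticks -> Unix seconds (float keeps sub-second precision)."""
    return (ticks - EPOCH_DELTA_TICKS) / TICKS_PER_SECOND


def unix_to_filetime(seconds: float) -> int:
    """Unix seconds -> FILETIME ticks, rounded to the nearest tick."""
    return int(round(seconds * TICKS_PER_SECOND)) + EPOCH_DELTA_TICKS


def describe_account_expires(ticks: int) -> str:
    """Render an accountExpires value. The sentinels must be handled first:
    0x7FFFFFFFFFFFFFFF is year 30828 and would overflow datetime."""
    if ticks in (0, NEVER_EXPIRES):
        return "never"
    return filetime_to_datetime(ticks).isoformat()


def datetime_to_generalized_time(dt: datetime) -> str:
    """Generalized Time (syntax 2.5.5.11) in the form AD writes: YYYYMMDDHHMMSS.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S") + ".0Z"


def generalized_time_to_datetime(value: str) -> datetime:
    """Parse Generalized Time; only the explicit-UTC ('Z') form is accepted so a
    value carrying a local offset cannot be silently misread."""
    if not value.endswith("Z"):
        raise ValueError("Generalized Time without 'Z' suffix: time zone ambiguous")
    core = value[:-1].split(".", 1)[0]          # drop the optional fraction
    if len(core) != 14 or not core.isdigit():
        raise ValueError(f"malformed Generalized Time: {value!r}")
    return datetime.strptime(core, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    when = datetime(2005, 3, 28, 13, 15, tzinfo=timezone.utc)   # constructed sample
    ft = datetime_to_filetime(when)
    print(ft, filetime_to_unix(ft), datetime_to_generalized_time(when))
```

The round trip through ticks loses the sub-microsecond digit because Python's timedelta stops at microseconds; if the consuming code compares raw int8 values rather than dates, keep the original integer instead of re-deriving it.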
RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread joseph.e.kaplan
Title: Storing dates in AD

That's just the thing. There are way too many string choices. You have general string, teletex, printable, IA5 and Unicode. I basically don't have any idea when it would be more appropriate to use the ones besides Unicode. Unicode is by far the most prevalent in my directory although teletex gets used a fair amount. Printable and IA5 are pretty rare. General is never used at all, so I assume it is only in the schema for standards compliance.

I take your point about case sensitive as that is sure to cause chaos with search filters. It seems like mostly Exchange attributes that use the case sensitive versions.

Does someone have a clear use case on when to use the non-unicode syntaxes?

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I am not sure it is limited to SAM, I think it may be when it is likely they will be doing comparisons and modifying by a delta or finding a delta. I could be wrong though.

What kind of conversation on strings are you looking for? Generally use case insensitive unicode strings. If you use case sensitive get ready to hear Windows Admins/Devs screaming because they don't know what is happening.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 30, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

My observation is that MS uses integer8 when they are representing OS data that is manipulated as FILETIME in normal Windows routines. I'm guessing that the SAM functions use FILETIME internally, so it was natural to store them natively in AD this way for compatibility.

They use the LDAP time formats when they are creating attributes that try to match existing LDAP standards.

Then there is the rest of the time in between where I have no idea what made them decide to go one way or the other. :) I would love to hear how their schema designers actually make these decisions. Maybe we can get someone from the product team to comment (hint hint).

I'd also love to hear a good discussion on which string syntax to use in which situation. Good schema design takes some real knowledge that isn't that easy to come by. It is a lot harder to dive into than SQL for example.

Joe K.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I really appreciate all of the opinions on this. I've been playing around with these different types in my sandbox. I've used VBS, C#, VB.NET, and pretty much all of the languages that we hack programmers use :)

The generalized date type worked really well. From looking at the base AD schema it appears that there is a difference of opinion among the MS programmers because the use of these different types is roughly the same.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

If you use large int use filetime: the number of 100 nanosecond intervals from Jan 1, 1601. There are some docs (in fact I think there are some typos in Gil's book) that mention the 1970 date but I am not aware of anything in AD that uses anything but filetime.

http://msdn.microsoft.com/library/default.asp?url="">

If you use int8 and don't use filetime, you will most likely have some developer hunt you down later on because their generic function that works on all other int8's doesn't work on yours.

   joe


RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments?

Just the service records. I don't care about the A records, our process for getting those statically created is pretty painless. It's the ACLs for dynamic updates that cause us pain.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, March 30, 2005 8:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

What are you trying to delegate - PTR creation or the A record creation?

Roger Seielstad
E-mail Geek & MS-MVP

 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain. I'd love to use TSIG or something along those lines but as far as I can tell this is not supported in Windows.

Any suggestions?
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 7:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
True,

I've had the same experience with SQL and Kerberos. On the bright side the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly.
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 6:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
SQL Server has all sorts of dorked up issues with SPNs, you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server, I have had my share of arguments with PSS over that. Instead of trying to do things through the computer account they do things through the admin installing the service who often doesn't have the appropriate rights in AD.

  joe
   
   
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
Not only is being able to register it important, but also that DNS resolves to the correct SPN. Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net. If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net. So when a user attempts to get a service ticket, they will pass sql.sea.widget.net and it will fail and the user will use NTLM auth instead. So if you're going to use a different DNS domain model (like we do at my company, we use QIP with regionalized domains) then make sure your SPNs match up.
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
The permission mod you need to make is to correct this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

   joe
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?
  
If you're also talking about servers don't forget that by default computers register their SPN using the AD domain name. So if you have a server that registers HOST/someserver.myadname.net and the server actually resolves to someserver.mydnszone.net, Kerberos will not work for the clients that try to connect using the DNS name.
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?
Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.

Any thoughts welcome.
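
A check for the mismatch Joseph describes above (the machine account registers HOST/<short>.<AD domain> by default, while clients build their SPN from the DNS name they connect to, so the KDC finds nothing and the client drops to NTLM), written here as an added Python example rather than anything posted in the thread. The inventory and SPN lists are constructed around the thread's us.widget.net / sea.widget.net scenario; the function names are the example's own. The only detail taken from outside the thread is that SQL Server clients request MSSQLSvc/<fqdn>:<port>, which is the real SPN class for SQL Server.

```python
"""Audit whether the SPNs registered for a server cover the DNS name clients
actually use, so Kerberos does not silently fall back to NTLM in a disjoint
namespace. Added example; inventory is constructed, names are the author's own."""
from typing import Dict, List, Tuple


def parse_spn(spn: str) -> Tuple[str, str, str]:
    """Split 'class/host[:port][/name]' into (CLASS, host, port). The host is
    lower-cased because DNS names compare case-insensitively."""
    service_class, _, rest = spn.partition("/")
    host_port = rest.split("/", 1)[0]
    host, _, port = host_port.partition(":")
    return service_class.upper(), host.lower(), port


def default_machine_spn(short_name: str, ad_domain: str) -> str:
    """What the computer account registers on its own: HOST/<short>.<AD domain>."""
    return f"HOST/{short_name}.{ad_domain}".lower()


def client_target_spn(service_class: str, dns_fqdn: str, port: str = "") -> str:
    """The SPN a client builds from the name it connects to; SQL Server clients
    use MSSQLSvc/<fqdn>:<port>, plain Windows services use HOST/<fqdn>."""
    suffix = f":{port}" if port else ""
    return f"{service_class}/{dns_fqdn}{suffix}"


def spn_is_registered(registered: List[str], wanted: str) -> bool:
    """Compare class, host and port only, ignoring case and any instance suffix."""
    return parse_spn(wanted) in {parse_spn(s) for s in registered}


def missing_spns(server: Dict) -> List[str]:
    """SPNs that must be added so every (class, port) the server offers is
    reachable under its DNS name; an empty list means Kerberos will work."""
    gaps = []
    for service_class, port in server["services"]:
        wanted = client_target_spn(service_class, server["dns_fqdn"], port)
        if not spn_is_registered(server["registered_spns"], wanted):
            gaps.append(wanted)
    return gaps


def audit(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each server's DNS name to its missing SPNs; servers without gaps are omitted."""
    report = {}
    for server in inventory:
        gaps = missing_spns(server)
        if gaps:
            report[server["dns_fqdn"]] = gaps
    return report


# Constructed inventory: AD domain us.widget.net, DNS zone sea.widget.net.
# sql1 only has the default registrations; sql2 was fixed up by hand.
INVENTORY = [
    {
        "short_name": "sql1",
        "ad_domain": "us.widget.net",
        "dns_fqdn": "sql1.sea.widget.net",
        "services": [("HOST", ""), ("MSSQLSvc", "1433")],
        "registered_spns": [
            default_machine_spn("sql1", "us.widget.net"),
            "HOST/SQL1",
            "MSSQLSvc/sql1.us.widget.net:1433",
        ],
    },
    {
        "short_name": "sql2",
        "ad_domain": "us.widget.net",
        "dns_fqdn": "sql2.sea.widget.net",
        "services": [("HOST", ""), ("MSSQLSvc", "1433")],
        "registered_spns": [
            default_machine_spn("sql2", "us.widget.net"),
            "HOST/sql2.sea.widget.net",
            "MSSQLSvc/SQL2.sea.widget.net:1433",   # case differs from DNS; still a match
        ],
    },
]

if __name__ == "__main__":
    for fqdn, gaps in audit(INVENTORY).items():
        print(fqdn, "needs:", ", ".join(gaps))
```

Feed the real registered list from the account's servicePrincipalName attribute and the DNS name from your zone data; the report is the list of SPNs to add (in addition to, not instead of, the AD-domain ones), which is the fix the KB article joe links describes the permissions for.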


RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Roger Seielstad
Title: Compelling arguments?

What are you trying to delegate - PTR creation or the A record creation?

Roger Seielstad
E-mail Geek & MS-MVP



RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments?

This is a bit off the topic of the thread, but since we are talking about using BIND DNS with AD I'll go ahead and ask. Has anyone figured out a good way of delegating the update DNS right to your DCs? At my company the DNS admins are on a completely different team and getting them to manage the ACLs is a real pain. I'd love to use TSIG or something along those lines but as far as I can tell this is not supported in Windows.

Any suggestions?




RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments?

True,

I've had the same experience with SQL and Kerberos. On the bright side the issues forced all of our server admins to understand Kerberos and engage my team to make sure that it's working properly.




RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread joe
> The latter could be optimized when a client asks 
> for the global list of all DCs for the domain (= 
> all DCs that have registered the domain specific 
> resource records) the list is ordered, compared 
> to the clients site, from the lowest 

I am not sure I like that idea, it mucks with how DNS is working. Round
robin should be just that, round robin; it shouldn't be the DNS server trying
to figure out how best to round-robin. Plus you would be required to use
Windows DNS for that functionality.

Prior to this, just limit what gets registered in the DNS global domain
record.

   joe

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Wednesday, March 30, 2005 2:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Thanks joe!

An additional comment to:  

If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds 

The latter could be optimized when a client asks for the global list of all
DCs for the domain (= all DCs that have registered the domain specific
resource records): the list is ordered, compared to the client's site, from
the lowest site cost (on top of the list) to the highest site cost. This way
it will try the nearest DCs and if those are not available the DCs that are
further away, etc.
Maybe in the "longhorn timeframe" ;-)
Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 07:26
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Jorge keeps saying it in different ways and I think people are missing the
point...

The coverage of neighboring sites occurs when there is no DC in the site, it
doesn't occur when a site's DCs are down. This is all keyed off of the site
containers in the configuration. I have seen DCs being promoed into a Domain
in a site and the DCs from other sites unregistering their records in that
site before the DC is even promoed up, all because the server object in the
site already replicated around. 

So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the domain.
If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds. This is one of the reasons why Exchange doesn't really use the
standard mechanism for DC/GC service location. They walk the metrics of the
site connections trying to find the closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or alternate)
they will first try to reach the DCs in their own site (site A). As all DCs
are down in site A the clients then will ask for all DCs in the domain that
have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: dinsdag 29 maart 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Au
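
The lookup order joe and Jorge describe above, as an added Python simulation that is not code from the list: the client queries the SRV records for its own site first, and only if none of those DCs answer does it fall back to the domain-wide record set and take any DC that responds, with no site-cost ordering. The _ldap._tcp...._msdcs record names are the standard Windows DC locator names; the DC inventory, site names and the is_up callback are constructed. The registers_global flag models joe's advice to limit which DCs register in the domain-wide record, and the second sample call reproduces the "Florida client hits Seattle" outcome.

```python
"""Simulate the DC locator's DNS lookup order: site-specific SRV records first,
then the domain-wide records. Added example; inventory and sites are constructed,
the SRV record names are the standard _msdcs ones."""
import random
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]   # (priority, weight, port, target)


def site_srv_name(domain: str, site: str) -> str:
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}".lower()


def domain_srv_name(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain}".lower()


def build_zone(domain: str, dcs: List[Tuple[str, str, bool]]) -> Dict[str, List[SrvRecord]]:
    """Every DC registers in its own site record; only DCs flagged registers_global
    also register in the domain-wide record ("limit what gets registered")."""
    zone: Dict[str, List[SrvRecord]] = defaultdict(list)
    for host, site, registers_global in dcs:
        zone[site_srv_name(domain, site)].append((0, 100, 389, host))
        if registers_global:
            zone[domain_srv_name(domain)].append((0, 100, 389, host))
    return dict(zone)


def ordered_targets(records: List[SrvRecord], rng: random.Random) -> List[str]:
    """RFC 2782 client ordering: lowest priority first, weighted random inside a priority."""
    out: List[str] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pick = rng.choices(pool, weights=[max(r[1], 1) for r in pool])[0]
            pool.remove(pick)
            out.append(pick[3])
    return out


def locate_dc(zone: Dict[str, List[SrvRecord]], domain: str, client_site: str,
              is_up: Callable[[str], bool],
              rng: Optional[random.Random] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (dc, record_name_used). The fallback step takes any responding DC;
    there is no site-cost ordering, which is the gap Jorge would like closed."""
    rng = rng or random.Random()
    for name in (site_srv_name(domain, client_site), domain_srv_name(domain)):
        for target in ordered_targets(zone.get(name, []), rng):
            if is_up(target):
                return target, name
    return None, None


# Constructed inventory: branch DCs stay out of the domain-wide record, hub DCs register.
DOMAIN = "corp.example"
DCS = [
    ("dc1.miami.corp.example", "Miami", False),
    ("dc1.orlando.corp.example", "Orlando", False),
    ("dc1.seattle.corp.example", "Seattle", True),
    ("dc2.seattle.corp.example", "Seattle", True),
]
ZONE = build_zone(DOMAIN, DCS)


def miami_client(is_up: Callable[[str], bool], seed: int = 1):
    """A client in the Miami site locating a DC; seeded so runs are repeatable."""
    return locate_dc(ZONE, DOMAIN, "Miami", is_up, random.Random(seed))


if __name__ == "__main__":
    print(miami_client(lambda h: True))                 # local site DC
    print(miami_client(lambda h: "miami" not in h))     # Orlando is closer but never tried
```

With the Miami DC down the client never sees Orlando, because Orlando registered only in its site record; whether that is the desired outcome depends on whether you would rather a branch fell back to the hub or to a neighbouring branch, and that is exactly the decision the registration flags encode.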

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread joe
Title: Compelling arguments?

SQL Server has all sorts of dorked up issues with SPNs, you have to always check them anyway. Someone was on crack that worked out that functionality for SQL Server, I have had my share of arguments with PSS over that. Instead of trying to do things through the computer account they do things through the admin installing the service who often doesn't have the appropriate rights in AD.

  joe
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, 
JosephSent: Wednesday, March 30, 2005 12:01 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Compelling 
arguments?

Not only is being able to register it important, but also that DNS resolves to the correct SPN.  Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net.  If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net.  So when a user attempts to get a service ticket, they will pass sql.sea.widget.net and it will fail and the user will use NTLM auth instead.  So if you're going to use a different DNS domain model (like we do at my company, we use QIP with regionalized domains) then make sure your SPNs match up.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

The permission mod you need to make is to correct this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers don't forget that by 
default computers register their SPN using the AD domain name.  So if 
you have a server that registers HOST/someserver.myadname.net and the server 
actually resolves to someserver.mydnszone.net Kerberos will not work for the 
clients that try to connect using the DNS name.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.

Any thoughts welcome. 


RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread joe
Title: Storing dates in AD



I am not sure it is limited to SAM, I think it may be when 
it is likely they will be doing comparisons and modifying by a delta or finding 
a delta. I could be wrong though. 
 
What kind of conversation on strings are you looking for? 
Generally use case insensitive unicode strings. If you use case sensitive get 
ready to hear Windows Admins/Devs screaming because they don't know what is 
happening.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, March 30, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD


My observation is that MS uses integer8 when they are representing OS data that is manipulated as FILETIME in normal Windows routines.  I’m guessing that the SAM functions use FILETIME internally, so it was natural to store them natively in AD this way for compatibility.

They use the LDAP time formats when they are creating attributes that try to match existing LDAP standards.

Then there is the rest of the time in between where I have no idea what made them decide to go one way or the other.  :)  I would love to hear how their schema designers actually make these decisions.  Maybe we can get someone from the product team to comment (hint hint).

I’d also love to hear a good discussion on which string syntax to use in which situation.  Good schema design takes some real knowledge that isn’t that easy to come by.  It is a lot harder to dive into than SQL for example.

Joe K.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
 
I really appreciate all 
of the opinions on this.  I've been playing around with these different 
types in my sandbox.  I've used VBS, C#, VB.NET, and pretty much all of the 
languages that we hack programmers use :)
The generalized date 
type worked really well.  From looking at the base AD schema it appears 
that there is a difference of opinion among the MS programmers because the use 
of these different types is roughly the same.
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

If you use large int use filetime - Number of 100 nanosecond intervals from jan 1, 1601. There are some docs (in fact I think there are some typos in Gil's book) that mention the 1970 date but I am not aware of anything in AD that uses anything but filetime. 

http://msdn.microsoft.com/library/default.asp?url=""

If you use int8 and don't use filetime, you will have some developer hunt you down most likely later on because their generic function that works on all other int8's doesn't work on yours.

   joe 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
We are going to be 
modifying the field programmatically so from what Gil said it sounds like the 
large integer method is appropriate.  As a follow up question, do you think 
I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 
(The date used by pwdLastSet)?
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD
Bingo, how is the data 
going to be used? I definitely agree, don't come up with your own format unless 
you have some amazing scheme that blows all of the other formats out of the 
water that makes it the best thing to do. Not saying you aren't going to come up 
with something amazing but I would guess the odds are against you. Anything you 
put into the directory, keep it in UTC. Less confusion that 
way.
 
  
joe
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)

-gil
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To:

RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread Mulnick, Al
Always good advice.  You can read some details and the registry keys about
it here (for 2000 in this case):
http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/adpch02.mspx

I would have to say to the original poster's question that the likely
failure results more from lack of DNS resolution than lack of a DC/GC since
one exists in site B or C most likely (that should be checked of course).  

Which leads to an interesting design issue that often gets missed.  If you
configured your clients to only use the local AD integrated DNS thinking you
were saving bandwidth, then you would fail if the DC were down.  That would
be self-defeating although you would "technically" be saving bandwidth.

I think as David points out, it's best to configure some controls in there
and cause it to use a known path vs. using something in a different site
that may be across a slow link, if possible.   

My $0.04 worth anyway.

-ajm



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Wednesday, March 30, 2005 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

A common thing to do in a 'hub and spoke' network is to configure the DCs in
'spoke' sites to NOT register domain-wide SRV records.  That way, if the DC
in a spoke site goes down, the client will discover domain-wide SRV records
for only DCs in the hub site.  This prevents the client from authenticating
to a DC in some other spoke site.  If the hub-to-spoke links are relatively
slow, this can make a big difference, as it has to traverse only one slow
link instead of two.
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


Jorge keeps saying it in different ways and I think people are missing the
point...

The coverage of neighboring sites occurs when there is no DC in the site, it
doesn't occur when a site's DCs are down. This is all keyed off of the site
containers in the configuration. I have seen DCs being promoed into a Domain
in a site and the DCs from other sites unregistering their records in that
site before the DC is even promoed up, all because the server object in the
site already replicated around.


So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the domain.
If none of those DCs are cool, ask for the global list of all DCs for the
domain and use one of those. It isn't the most efficient and you will find
odd things like clients in Florida hitting DCs in Seattle when there is
another DC in another city in Florida that would be better to use. The idea
seems to be if you can't use a DC in your site, screw it, use any DC that
responds. This is one of the reasons why Exchange doesn't really use the
standard mechanism for DC/GC service location.
They walk the metrics of the site connections trying to find the closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or
alternate) they will first try to reach the DCs in their own site (site A).
As all DCs are down in site A the clients then will ask for all DCs in the
domain that have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: dinsdag 29 maart 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore 'no'?
This has huge ramifications in the branch office. Or did I simply explain
how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Autositecover

RE: [ActiveDir] AD Site Confusion

2005-03-30 Thread Fugleberg, David A
A common thing to do in a 'hub and spoke' network is to configure the
DCs in 'spoke' sites to NOT register domain-wide SRV records.  That way,
if the DC in a spoke site goes down, the client will discover
domain-wide SRV records for only DCs in the hub site.  This prevents the
client from authenticating to a DC in some other spoke site.  If the
hub-to-spoke links are relatively slow, this can make a big difference,
as it has to traverse only one slow link instead of two.
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 11:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


Jorge keeps saying it in different ways and I think people are missing
the point...

The coverage of neighboring sites occurs when there is no DC in the
site, it doesn't occur when a site's DCs are down. This is all keyed off
of the site containers in the configuration. I have seen DCs being
promoed into a Domain in a site and the DCs from other sites
unregistering their records in that site before the DC is even promoed
up, all because the server object in the site already replicated around.


So as Jorge has said

Look up local site DCs by DNS queries to Site based entries for the
domain. If none of those DCs are cool, ask for the global list of all
DCs for the domain and use one of those. It isn't the most efficient and
you will find odd things like clients in Florida hitting DCs in Seattle
when there is another DC in another city in Florida that would be better
to use. The idea seems to be if you can't use a DC in your site, screw
it, use any DC that responds. This is one of the reasons why Exchange
doesn't really use the standard mechanism for DC/GC service location.
They walk the metrics of the site connections trying to find the
closest.

  joe


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Tuesday, March 29, 2005 6:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion

Hi Neil,

Presuming the clients somehow have access to DNS (preferred or
alternate) they will first try to reach the DCs in their own site (site
A). As all DCs are down in site A the clients then will ask for all DCs
in the domain that have registered the domain specific DNS records.

For more info on this see:
* http://www.windowsitpro.com/Articles/Print.cfm?ArticleID=37935
Authentication Topology by Gil Kirkpatrick
* http://www.windowsitpro.com/Windows/Article/ArticleID/40718/40718.html
Designing for DC Failover by Sean Deuby 

Autositecoverage only works for DC-less sites. So yes, it behaves
differently for situation 1 (autositecoverage will occur) and 2 (no
autositecoverage will occur)

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: dinsdag 29 maart 2005 11:56
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Thanks Jorge.

Are you implying that the answer to the original question is therefore
'no'? This has huge ramifications in the branch office. Or did I simply
explain how the answer is 'yes', but for the wrong reasons??

Are you also saying that DCs (and sitecoverage) handle the following 2
scenarios in different ways:
1. No DCs installed in some site
2. DCs installed in some site but none available

Can you expand on your previous post please?

Thanks,
neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: 29 March 2005 10:21
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Site Confusion


I think that's incorrect if you're talking about autositecoverage.
Autositecoverage by DCs from some domain for some site will only occur
if some site has no DCs from that same domain. Although DCs are down and
not available, the DCs in other sites in the same domain see in their
own replica that that site has DCs and autositecoverage will occur.
Sitecoverage will occur by other DCs if you configured it manually
through the registry or a GPO

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Tuesday, March 29, 2005 09:25
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] AD Site Confusion

Depending upon your site links, DCs in either site B or C will advertise
themselves as available to site A. The DCs in the site with lowest cost
to site A will perform this role.

What do you mean by 'take down'? Are you taking a WAN link down or
powering off the DCs or demoting them or what?

neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: 28 March 2005 21:55
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Site Confusion


I have 3 sites, site A has 2 DC's and site B & C each have 1 DC.

When I take down site A (both DC's), the 

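Added example, not code from the list or from Microsoft: a small model of the DC locator behaviour the thread describes (site-specific SRV record first, domain-wide record as fallback, coverage only for sites that have no DC objects). The SRV names are the real _msdcs record names; the forest (corp.example, SiteA as hub, SiteB/SiteC as spokes, SiteD with no DC, dc-* hosts) is constructed.

```python
"""Model of DC location via DNS SRV records and of site coverage, as discussed in the
thread. Added example: the SRV names are the real _msdcs names; the forest
(corp.example, SiteA hub, SiteB/SiteC spokes, SiteD without DCs) is constructed."""
from typing import Dict, List, Optional, Set

DOMAIN = "corp.example"

# Constructed topology: which site each DC's server object sits in.
SITE_OF_DC = {"dc-a1": "SiteA", "dc-a2": "SiteA", "dc-b1": "SiteB", "dc-c1": "SiteC"}
HUB_DCS = {"dc-a1", "dc-a2"}


def site_record(site: str) -> str:
    """Site-specific LDAP SRV record, the first thing the locator asks for."""
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}"


def domain_record() -> str:
    """Domain-wide LDAP SRV record, the fallback when no site DC answers."""
    return f"_ldap._tcp.dc._msdcs.{DOMAIN}"


def build_dns(site_of_dc: Dict[str, str],
              domain_wide_registrants: Optional[Set[str]] = None,
              coverage: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {srv_name: [dc, ...]} as the DCs register it.

    Every DC registers the record for its own site. By default it also registers
    the domain-wide record; domain_wide_registrants restricts that to the hub DCs
    (Dave's hub-and-spoke tweak). coverage maps a DC-less site to the DC covering
    it (autositecoverage, or manual coverage via registry/GPO). Coverage is keyed
    off the site objects in the configuration, so a site that has DC objects is
    never covered, whether or not those DCs are actually up.
    """
    dns: Dict[str, List[str]] = {}
    for dc, site in site_of_dc.items():
        dns.setdefault(site_record(site), []).append(dc)
        if domain_wide_registrants is None or dc in domain_wide_registrants:
            dns.setdefault(domain_record(), []).append(dc)
    for site, dc in (coverage or {}).items():
        if site in site_of_dc.values():
            raise ValueError(f"{site} has DC objects; only DC-less sites get covered")
        dns.setdefault(site_record(site), []).append(dc)
    return dns


def locator_candidates(dns: Dict[str, List[str]], client_site: str,
                       reachable: Set[str]) -> List[str]:
    """DCs a client in client_site may end up on. The site record is tried first;
    only when none of those DCs answers does the domain-wide record get used. The
    result is the pool the client picks from (real DNS order is not meaningful)."""
    for record in (site_record(client_site), domain_record()):
        answering = sorted(dc for dc in dns.get(record, []) if dc in reachable)
        if answering:
            return answering
    return []


def scenarios() -> Dict[str, List[str]]:
    """The cases discussed in the thread, run against the constructed topology."""
    default_dns = build_dns(SITE_OF_DC, coverage={"SiteD": "dc-b1"})
    hub_only_dns = build_dns(SITE_OF_DC, domain_wide_registrants=HUB_DCS)
    all_up = set(SITE_OF_DC)
    site_a_down = all_up - HUB_DCS
    site_b_down = all_up - {"dc-b1"}
    return {
        # Matt's question: both SiteA DCs down, client in SiteA. The site record
        # still lists dc-a1/dc-a2 (no coverage kicks in), so the client falls
        # through to the domain-wide list and authenticates somewhere else.
        "siteA_down_client_in_A": locator_candidates(default_dns, "SiteA", site_a_down),
        # joe's Florida/Seattle point: a spoke client can land on another spoke.
        "siteB_down_default": locator_candidates(default_dns, "SiteB", site_b_down),
        # Dave's tweak keeps the fallback pool to the hub.
        "siteB_down_hub_only": locator_candidates(hub_only_dns, "SiteB", site_b_down),
        # Caveat of the tweak in this model: with the hub itself down, the
        # domain-wide list holds only unreachable DCs and the client finds none.
        "siteA_down_hub_only": locator_candidates(hub_only_dns, "SiteA", site_a_down),
        # A site with no DC objects is covered, so its clients get a site answer.
        "siteD_covered": locator_candidates(default_dns, "SiteD", all_up),
        "all_up_client_in_A": locator_candidates(default_dns, "SiteA", all_up),
    }
```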
RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread joseph.e.kaplan
Title: Storing dates in AD

My observation is that MS uses integer8 when they are representing OS data that is manipulated as FILETIME in normal Windows routines.  I’m guessing that the SAM functions use FILETIME internally, so it was natural to store them natively in AD this way for compatibility.

They use the LDAP time formats when they are creating attributes that try to match existing LDAP standards.

Then there is the rest of the time in between where I have no idea what made them decide to go one way or the other.  :)  I would love to hear how their schema designers actually make these decisions.  Maybe we can get someone from the product team to comment (hint hint).

I’d also love to hear a good discussion on which string syntax to use in which situation.  Good schema design takes some real knowledge that isn’t that easy to come by.  It is a lot harder to dive into than SQL for example.

Joe K.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Wednesday, March 30, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

I really appreciate all of the opinions on this.  I've been playing around with these different types in my sandbox.  I've used VBS, C#, VB.NET, and pretty much all of the languages that we hack programmers use :)

The generalized date type worked really well.  From looking at the base AD schema it appears that there is a difference of opinion among the MS programmers because the use of these different types is roughly the same.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

If you use large int use filetime - Number of 100 nanosecond intervals from jan 1, 1601. There are some docs (in fact I think there are some typos in Gil's book) that mention the 1970 date but I am not aware of anything in AD that uses anything but filetime. 

http://msdn.microsoft.com/library/default.asp?url=""

If you use int8 and don't use filetime, you will have some developer hunt you down most likely later on because their generic function that works on all other int8's doesn't work on yours.

   joe 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so from what Gil said it sounds like the large integer method is appropriate.  As a follow up question, do you think I should use nano seconds from the Jan 2, 1970 (UNIX style) or January 1, 1601 (The date used by pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely agree, don't come up with your own format unless you have some amazing scheme that blows all of the other formats out of the water that makes it the best thing to do. Not saying you aren't going to come up with something amazing but I would guess the odds are against you. Anything you put into the directory, keep it in UTC. Less confusion that way.

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date type in AD.  I figure I have several options.

1. Store it as a long integer.  To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works)

2. Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).

3. Store it as a unicode string and come up with a format like:  MMDD[ss][ss]

Does anyone have an opinion on how this should be 

RE: [ActiveDir] Storing dates in AD

2005-03-30 Thread Isenhour, Joseph
Title: Storing dates in AD



I really appreciate all of the opinions on this.  I've 
been playing around with these different types in my sandbox.  I've used 
VBS, C#, VB.NET, and pretty much all of the languages that we hack programmers 
use :)
The generalized date type worked really well.  From 
looking at the base AD schema it appears that there is a difference of opinion 
among the MS programmers because the use of these different types is 
roughly the same.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 8:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

If you use large int use filetime - Number of 100 nanosecond intervals from jan 1, 1601. There are some docs (in fact I think there are some typos in Gil's book) that mention the 1970 date but I am not aware of anything in AD that uses anything but filetime. 

http://msdn.microsoft.com/library/default.asp?url=""

If you use int8 and don't use filetime, you will have some developer hunt you down most likely later on because their generic function that works on all other int8's doesn't work on yours.

   joe 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

We are going to be modifying the field programmatically so 
from what Gil said it sounds like the large integer method is appropriate.  
As a follow up question, do you think I should use nano seconds from the Jan 2, 
1970 (UNIX style) or January 1, 1601 (The date used by 
pwdLastSet)?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 28, 2005 5:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Bingo, how is the data going to be used? I definitely 
agree, don't come up with your own format unless you have some amazing scheme 
that blows all of the other formats out of the water that makes it the best 
thing to do. Not saying you aren't going to come up with something amazing but I 
would guess the odds are against you. Anything you put into the directory, keep 
it in UTC. Less confusion that way.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Monday, March 28, 2005 3:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Storing dates in AD

Depends on the domain of the date values, and how they are used. If the dates will be passed along to other X.500/LDAP type directories, you probably should use the Generalized Time syntax (2.5.5.11). If the dates are manipulated programmatically, use the long integer representation. It's pretty trivial to manipulate it as a date in your code. I'd avoid using a string representation unless your code requires a funny string format or unless it requires unusual date values like "today", "yesterday", or "when hell freezes over" (we use the latter for setting development dates for certain silly feature requests in our products :)

-gil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, March 28, 2005 1:15 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Storing dates in AD

I'm looking for some opinions on a schema extension.  I need to store a date type in AD.  I figure I have several options.

1. Store it as a long integer.  To determine the date the consumer will need to count the nano seconds from a certain date (the way that pwdLastSet works)

2. Store it as a date type (which I've never used, and looking at the current schema it appears that most people do not choose this option).

3. Store it as a unicode string and come up with a format like:  MMDD[ss][ss] 

Does anyone have an opinion on how this should be done? 

Thanks 

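Added example, not code from the thread or from Microsoft: conversions among the three representations the thread weighs against each other, the FILETIME/Integer8 value (100 nanosecond ticks since 1601-01-01 UTC, the form pwdLastSet and accountExpires use), Unix seconds (the 1970 base), and LDAP Generalized Time (syntax 2.5.5.11), plus reassembly of the HighPart/LowPart pair that VBScript/ADSI callers get back. The sentinel handling (0, and 0x7FFFFFFFFFFFFFFF meaning "never expires" for accountExpires) follows Microsoft's documented semantics; the sample timestamp values are constructed.

```python
"""Date formats for AD attributes: FILETIME large integers (Integer8) vs. LDAP
Generalized Time. Added example, not from the thread; the sentinel semantics are
Microsoft's documented ones for pwdLastSet/accountExpires, sample values are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one FILETIME tick is 100 ns
# 1970-01-01T00:00:00Z expressed as FILETIME: 11644473600 s * 10^7 ticks/s
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000
# accountExpires uses this (or 0) for "never expires"; pwdLastSet 0 means
# "must change password at next logon". Neither is a real instant.
NEVER = 0x7FFF_FFFF_FFFF_FFFF


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """FILETIME -> aware UTC datetime. None for the sentinels and for values past
    what datetime can hold (year > 9999), which otherwise raise OverflowError."""
    if ticks <= 0 or ticks == NEVER:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None


def datetime_to_filetime(when: datetime) -> int:
    """Aware datetime -> FILETIME. Naive values are rejected on purpose: the thread's
    advice is to store UTC only, so the caller has to say which zone it means."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; AD timestamps are UTC")
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return ((delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND
            + delta.microseconds * 10)


def filetime_to_unix(ticks: int) -> int:
    """FILETIME -> whole seconds since the Unix epoch (the 1970 base from the thread)."""
    return (ticks - UNIX_EPOCH_FILETIME) // TICKS_PER_SECOND


def unix_to_filetime(seconds: int) -> int:
    return seconds * TICKS_PER_SECOND + UNIX_EPOCH_FILETIME


def from_high_low(high_part: int, low_part: int) -> int:
    """Rebuild the 64-bit value from IADsLargeInteger.HighPart/LowPart as VBScript and
    ADSI expose them. Both halves are signed 32-bit, so a negative LowPart wraps."""
    if low_part < 0:
        low_part += 1 << 32
    return (high_part << 32) + low_part


def to_generalized_time(when: datetime) -> str:
    """Generalized Time as AD writes it (syntax 2.5.5.11): YYYYMMDDHHMMSS.0Z in UTC."""
    if when.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def from_generalized_time(text: str) -> datetime:
    """Parse the UTC forms AD emits: '20050330120000.0Z' or '20050330120000Z'."""
    if not text.endswith("Z"):
        raise ValueError("only UTC ('Z') Generalized Time values are accepted")
    body = text[:-1].split(".", 1)[0]
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
```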

RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Isenhour, Joseph
Title: Compelling arguments?



Not only is being able to register it important, but also that DNS resolves to the correct SPN.  Let's say you have a SQL server that is a member of the us.widget.net domain; however, in DNS it is registered as sql1.sea.widget.net.  If you look in AD it's likely that the SPN registered will be: MSSql/sql1.us.widget.net.  So when a user attempts to get a service ticket, they will pass sql.sea.widget.net and it will fail and the user will use NTLM auth instead.  So if you're going to use a different DNS domain model (like we do at my company, we use QIP with regionalized domains) then make sure your SPNs match up.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, March 29, 2005 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

The permission mod you need to make is to correct this.

http://support.microsoft.com/default.aspx?scid=kb;en-us;258503

Again, disjoint namespace works fine in the core OS. The issues that crop up are around poorly written/tested applications.

   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, March 29, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

If you're also talking about servers don't forget that by 
default computers register their SPN using the AD domain name.  So if 
you have a server that registers HOST/someserver.myadname.net and the server 
actually resolves to someserver.mydnszone.net Kerberos will not work for the 
clients that try to connect using the DNS name.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brent Westmoreland
Sent: Tuesday, March 29, 2005 7:06 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Compelling arguments?

Are there compelling arguments to use the DNS Domain name of your AD Domain as the primary DNS Suffix versus a different DNS extension from a client functionality perspective?

Clients are still able to resolve the AD DNS Domain but most do not use it as their primary suffix.

Any thoughts welcome. 

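Added example, not code from the thread: an audit that takes the SPNs registered on an account and the DNS names clients actually connect with, and reports the SPNs that are missing plus the same-host SPNs registered under another suffix (the disjoint-namespace case Joseph and joe describe, where the ticket request fails and the client falls back to NTLM). The account, SPNs and names are constructed from the thread's sample (sql1 in us.widget.net vs. sea.widget.net); real SQL Server SPNs use the MSSQLSvc class with a port, the check itself is class-agnostic.

```python
"""Audit whether the DNS names clients use have matching SPNs. Added example, not
from the thread; the account, SPNs and DNS names below are constructed from the
thread's sample (us.widget.net vs. sea.widget.net)."""
from typing import Dict, Iterable, List, Optional, Tuple

ParsedSpn = Tuple[str, str, Optional[int]]


def parse_spn(spn: str) -> ParsedSpn:
    """'class/host[:port][/servicename]' -> (class, host, port), normalized so two
    spellings of one SPN compare equal (AD compares SPNs case-insensitively)."""
    service_class, _, rest = spn.partition("/")
    host, _, port = rest.split("/", 1)[0].partition(":")
    return (service_class.lower(), host.lower().rstrip("."),
            int(port) if port.isdigit() else None)


def expected_spn(service_class: str, connect_name: str,
                 port: Optional[int] = None) -> str:
    """The SPN a Kerberos client asks the KDC for. It is built from the name the
    client was given, not from what that name resolves to, which is why a DNS
    suffix (or CNAME) that differs from the AD name breaks the match."""
    suffix = f":{port}" if port else ""
    return f"{service_class}/{connect_name}{suffix}"


def audit_spns(registered: Iterable[str], service_class: str,
               connect_names: Iterable[str],
               port: Optional[int] = None) -> Dict[str, List[str]]:
    """For each name clients use, check that its SPN is registered.

    'missing' lists the SPNs to add (setspn / servicePrincipalName) so Kerberos
    can succeed for that name. 'suffix_mismatch' lists registered SPNs for the
    same host label under another DNS suffix: the symptom from the thread, where
    the service ticket request fails and the client silently uses NTLM instead.
    """
    registered = list(registered)
    have = {parse_spn(s) for s in registered}
    missing: List[str] = []
    mismatched: List[str] = []
    for name in connect_names:
        want = expected_spn(service_class, name, port)
        if parse_spn(want) in have:
            continue
        missing.append(want)
        label = name.lower().split(".")[0]
        for spn in registered:
            cls, host, _ = parse_spn(spn)
            if cls == service_class.lower() and host.split(".")[0] == label:
                mismatched.append(spn)
    return {"missing": missing, "suffix_mismatch": sorted(set(mismatched))}


# Constructed sample modelled on the thread: the computer is joined to
# us.widget.net, but clients resolve and connect to sql1.sea.widget.net.
SAMPLE_REGISTERED = ["MSSql/sql1.us.widget.net", "HOST/sql1.us.widget.net", "HOST/SQL1"]
SAMPLE_CONNECT_NAMES = ["sql1.sea.widget.net", "sql1.us.widget.net"]


def sample_report() -> Dict[str, List[str]]:
    """Run the audit over the constructed sample."""
    return audit_spns(SAMPLE_REGISTERED, "MSSql", SAMPLE_CONNECT_NAMES)
```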

RE: [ActiveDir] Delegating ability to read/write account expiration

2005-03-30 Thread Olegario, Alan

Actually, found it.  There’s an
actual accountExpires perm that I must’ve blown by.

 

Thanks anyways.


From: Olegario, Alan 
Sent: Wednesday, March 30, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: Delegating ability to read/write account expiration



 

Is it possible?  I tried giving the Read/Write
expirationTime perms, but that doesn’t appear to be working.

 

Thanks.

RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I would argue that WINS is required when setting up some applications.  SMS
and Exchange come to mind.  

Using the child WINS servers is more than enough for what you're talking
about. I wouldn't take them away completely, but rather just use the
existing. I do that now and don't usually recommend deploying WINS into an
empty root domain.  Too much unneeded overhead in my opinion.  At 1:1
objects for a WINS server, it doesn't make a lot of sense unless I sell
hardware :)

I wouldn't get rid of it in your environment Joe.  

-ajm 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Wednesday, March 30, 2005 10:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] WINS topic

Your assumptions are correct... thanks to all who posted.  I am going to try
and stop the WINS service and see if that breaks anything.  Otherwise I can
just point it back to the child WINS server. 

 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/



[ActiveDir] Delegating ability to read/write account expiration

2005-03-30 Thread Olegario, Alan

Is it possible?  I tried giving the Read/Write
expirationTime perms, but that doesn’t appear to be working.

 

Thanks.







Re: [ActiveDir] Accounts disappearing from AD

2005-03-30 Thread Steve Patrick



Just a note - you can find where the object was deleted from in 2k or 2k3 by
looking at the metadata via repadmin /showmeta on the deleted object. You can
pass it the objectGuid obtained by looking at the deleted object. If you had
auditing cranked up for AD then you should be able to hit that DC returned in
the metadata and scrub the event logs to see whodunnit.
 
steve
 
http://blogs.msdn.com/spatdsg
 
 

- Original Message -
From: joe
To: ActiveDir@mail.activedir.org
Sent: Tuesday, March 29, 2005 9:38 PM
Subject: RE: [ActiveDir] Accounts disappearing from AD

Yeah adfind will look at deleted objects. Do a search like

adfind -showdel -b dc=domain,dc=com -f name=name*

So for instance if I am looking for the account joedeletetest

F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest*

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>distinguishedName: CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330052811.0Z
>uSNCreated: 1773671
>isDeleted: TRUE
>uSNChanged: 1773678
>name: joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 512
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-18526
>sAMAccountName: joedeletetest
>lastKnownParent: CN=Users,DC=joe,DC=com
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 20050330052811.0Z
>dSCorePropagationData: 16010108151056.0Z

1 Objects returned

Note I was logged onto the domain I wanted to look in so I could shortcut
-b dc=domain,dc=com with -default

You will note that the name is the old name with \0ADEL:OBJECTGUID so you
will need to say name*. You could also do samaccountname=userid if you want
though.

whenChanged will tell you when it was deleted. If you have 2K3 you can look
at the msDS-ReplAttributeMetaData which will tell you where the object was
deleted at.

F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* msDS-ReplAttributeMetaData

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197,CN=Deleted Objects,DC=joe,DC=com
>msDS-ReplAttributeMetaData:  objectCategory  2  2005-03-30T05:28:11Z  d69be175-f343-4937-95d5-aa9efb2fa32b  1773678  1773678  CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>msDS-ReplAttributeMetaData:  lastKnownParent  1  2005-03-30T05:28:11Z  d69be175-f343-4937-95d5-aa9efb2fa32b  1773678  1773678  CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,CN=Sites,CN=Configuration,DC=joe,DC=com

Just look at the originating DSA for the lastKnownParent attribute.

Also if you have 2K3, you can use admod to restore that ID back and maintain
the current SID, however anything scrubbed in the delete process you will
need to put back manually like group memberships, etc.

[Wed 03/30/2005  0:32:46.26]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest* -dsq |admod -undel

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Undeleting specified objects...
   DN: cn=joedeletetest\0adel:5ebbc64e-41ed-4e9d-9776-c13827a31197,cn=deleted objects,dc=joe,dc=com...

The command completed successfully

[Wed 03/30/2005  0:36:50.23]F:\DEV\cpp\AccExp>adfind -showdel -default -f name=joedeletetest

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joedeletetest,CN=Users,DC=joe,DC=com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>cn: joedeletetest
>distinguishedName: CN=joedeletetest,CN=Users,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20050330052740.0Z
>whenChanged: 20050330053650.0Z
>uSNCreated: 1773671
>uSNChanged: 1773719
>name: joedeletetest
>objectGUID: {5EBBC64E-41ED-4E9D-9776-C13827A31197}
>userAccountControl: 514
>badPwdCount: 0
>codePage: 0
>country
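
Steve's repadmin /showmeta pointer and joe's msDS-ReplAttributeMetaData walkthrough above both come down to reading the tombstone's replication metadata, and that reading can be scripted. The script below is an added example, not AdFind/AdMod code or anything the posters wrote: given the deleted object's cn value and its msDS-ReplAttributeMetaData values as strings (the directory returns each value as a DS_REPL_ATTR_META_DATA XML blob; the sample here is constructed from the values in joe's output), it recovers the original name and objectGUID and names the DC and UTC time the delete originated on, which is where the Security log should then be checked.

```python
"""Triage a tombstoned AD object: recover its original name and objectGUID and
name the DC (and UTC time) the delete originated on, from the same data the
thread reads with adfind / repadmin /showmeta. Added example, not AdFind/AdMod
or the posters' code; the XML element names follow the DS_REPL_ATTR_META_DATA
layout that msDS-ReplAttributeMetaData returns, and the sample is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

# Tombstone RDN: "<old RDN>" + line feed + "DEL:<objectGUID>". LDAP tools print
# the line feed as the escape "\0A", so accept either form.
_GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_TOMBSTONE_RE = re.compile(r"^(?P<name>.+?)(?:\\0A|\n)DEL:(?P<guid>" + _GUID + r")$")

def parse_tombstone_rdn(rdn_value):
    """Return (original_name, objectGUID) for a deleted object's cn/name, else None."""
    m = _TOMBSTONE_RE.match(rdn_value)
    return None if m is None else (m.group("name"), m.group("guid").lower())

@dataclass(frozen=True)
class AttrMeta:
    attribute: str
    version: int
    changed: datetime       # ftimeLastOriginatingChange, UTC
    originating_dsa: str    # NTDS Settings DN of the DC that made the write
    originating_usn: int

def parse_attr_metadata(values):
    """Parse msDS-ReplAttributeMetaData values (one DS_REPL_ATTR_META_DATA XML each)."""
    out = []
    for blob in values:
        root = ET.fromstring(blob.strip())
        if root.tag != "DS_REPL_ATTR_META_DATA":
            raise ValueError("unexpected metadata element %r" % root.tag)
        out.append(AttrMeta(
            attribute=root.findtext("pszAttributeName"),
            version=int(root.findtext("dwVersion")),
            changed=datetime.strptime(root.findtext("ftimeLastOriginatingChange"),
                                      "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            originating_dsa=root.findtext("pszLastOriginatingDsaDN"),
            originating_usn=int(root.findtext("usnOriginatingChange")),
        ))
    return out

def dsa_to_dc_name(dsa_dn):
    """'CN=NTDS Settings,CN=2K3DC01,CN=Servers,...' -> '2K3DC01'."""
    parts = dsa_dn.split(",")
    if len(parts) < 2 or not parts[1].upper().startswith("CN="):
        raise ValueError("not an NTDS Settings DN: %r" % dsa_dn)
    return parts[1][3:]

def deletion_origin(metadata):
    """Pick the stamp the delete wrote: lastKnownParent (joe's pointer), else isDeleted."""
    by_attr = {m.attribute: m for m in metadata}
    for attr in ("lastKnownParent", "isDeleted"):
        if attr in by_attr:
            return by_attr[attr]
    return None

def triage(cn_value, metadata_values):
    """Where to look next: original name, GUID, the originating DC and the UTC time."""
    parsed = parse_tombstone_rdn(cn_value)
    if parsed is None:
        raise ValueError("not a tombstone RDN: %r" % cn_value)
    name, guid = parsed
    origin = deletion_origin(parse_attr_metadata(metadata_values))
    if origin is None:
        raise ValueError("no lastKnownParent/isDeleted metadata present")
    return {
        "original_name": name,
        "objectGUID": guid,
        "deleted_on_dc": dsa_to_dc_name(origin.originating_dsa),
        "deleted_at_utc": origin.changed,
        "originating_usn": origin.originating_usn,
    }

def _meta_xml(attr, version):
    # Constructed sample built from the values in joe's adfind output above.
    return ("<DS_REPL_ATTR_META_DATA><pszAttributeName>%s</pszAttributeName>"
            "<dwVersion>%d</dwVersion>"
            "<ftimeLastOriginatingChange>2005-03-30T05:28:11Z</ftimeLastOriginatingChange>"
            "<uuidLastOriginatingDsaInvocationID>d69be175-f343-4937-95d5-aa9efb2fa32b</uuidLastOriginatingDsaInvocationID>"
            "<usnOriginatingChange>1773678</usnOriginatingChange><usnLocalChange>1773678</usnLocalChange>"
            "<pszLastOriginatingDsaDN>CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MainSite,"
            "CN=Sites,CN=Configuration,DC=joe,DC=com</pszLastOriginatingDsaDN></DS_REPL_ATTR_META_DATA>"
            ) % (attr, version)

SAMPLE_CN = "joedeletetest\\0ADEL:5ebbc64e-41ed-4e9d-9776-c13827a31197"
SAMPLE_METADATA = [_meta_xml("objectCategory", 2), _meta_xml("lastKnownParent", 1)]

if __name__ == "__main__":
    r = triage(SAMPLE_CN, SAMPLE_METADATA)
    print("%s (objectGUID %s) deleted on %s at %s, USN %d: check that DC's Security log"
          % (r["original_name"], r["objectGUID"], r["deleted_on_dc"],
             r["deleted_at_utc"].isoformat(), r["originating_usn"]))
```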

RE: [ActiveDir] WINS topic

2005-03-30 Thread Pelle, Joe

Your assumptions are correct… thanks
to all who posted.  I am going to try and stop the WINS service and see if
that breaks anything.  Otherwise I can just point it back to the child
WINS server. 

 



Joe Pelle

RE: [ActiveDir] WINS topic

2005-03-30 Thread Beelders, Ivor

Joe,

 

Your initial posting stated that your root
domain is empty. I assume that there are no applications or users in the domain
beside the admin users, i.e. service administrators. I also assume that you’re
using W2K or later to administer this domain. If this is the case, use DNS for
name resolution only. WINS is not required.

 



Ivor


RE: [ActiveDir] WINS topic

2005-03-30 Thread Ruston, Neil

WINS, like DNS, is domain agnostic.

You may host a DNS zone abc.com (corresponding to AD domain abc.com) on a
UNIX server, which exists in some Kerberos realm, perhaps. Similarly, WINS may
be hosted on a Windows NT server which is not part of any Windows domain.

In answer to your question therefore, simply use your existing WINS servers.

neil

  


Re: [ActiveDir] WINS topic

2005-03-30 Thread Dennis Depp
I see no reason why WINS would be needed in an empty root domain.  If
you did decide to use WINS in this domain, I see no problem with using
the WINS from a child domain.

In our environment, we have three separate AD forests and only one set
of WINS servers.

Dennis


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] WINS topic

2005-03-30 Thread Sergio Fonseca
Hi,

Our production environment has no WINS and works fine.




RE: [ActiveDir] Compelling arguments?

2005-03-30 Thread Mulnick, Al
They make perfect sense, Joe. 

Cheers,
-ajm


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 30, 2005 12:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Ah not really for hire. Well unless someone wants to hire me away from my
current employer which I am sure they wouldn't be happy about. I am not
saying it can't be done, I will do all sorts of things for good money and a
fun position. My main requirements are being very well paid, very little
travel, work from home, you get a hold of me via email - not pager, not
cell. I am in a pretty comfy spot right now for all of that. 

I actually had a headhunter who claimed he represented Dell emailing me a
month or three ago. I asked to hear the ball park number and the headhunter
just kept saying call me I was being asked for by name. I don't like phones,
ask anyone who knows me. Phones are archaic sync'ed communications devices
that do not scale well globally (you think otherwise, try getting US East
Coast, US West Coast, England, Germany, Singapore, Australia, and New
Zealand easily onto a single con call). I spend enough time on con calls, I
try to avoid it all the rest of the times. My home phone has the ringer off,
my personal cell phone usually isn't anywhere near me, my work cell phone is
only near me during business hours and someone has to have the number given
to them or they need to open the full properties of my GAL entry. 

Anyway, Al, let me know if the reasons given for regional in the previous
email make sense or not. I agree, company goals would be paramount. 
 
  joe 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, March 29, 2005 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Compelling arguments?

Phil, you know he's for hire right?  He has a "p*mp" and everything last I
heard. :)


That said, it is interesting to see a regional specific approach to name
resolution.  Some like it, some don't.  I'd be interested to hear why, Joe
because I think it would depend on the company goals whether or not that
would make sense. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, March 29, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compelling arguments?

Agreed. I'd love to get more info on your view on that though; get some more
details of how you would set it up in that type of environment given the
chance ;) The issue of geographic DNS isn't something I'd thought of unless
it was also attached to a multi domain geographic type forest (NA, Asia,
Europe etc.)

Phil

On Tue, 29 Mar 2005 12:20:06 -0500, Brent Westmoreland
<[EMAIL PROTECTED]> wrote:
> As always, thanks for the thorough reply, mate...
>


Re: [ActiveDir] WINS topic

2005-03-30 Thread Mark Parris
But why? Say there are no applications in the root domain. It's just DC's
-Original Message-
From: [EMAIL PROTECTED]
Date: Wed, 30 Mar 2005 08:27:35 
To:ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] WINS topic

You should consider having at least one WINS server in the empty root domain.  
You will need WINS for NetBIOS name resolution that is still required by many 
applications. 
 
Chuck Gafford 
Architect 2 
 
Unisys 
Imagine It.  Done. 
 
 
 
--
Sent from my blackberry.


RE: [ActiveDir] WINS topic

2005-03-30 Thread Mulnick, Al
I see no particular reason that WINS should care what domain it's in.  WINS
job is to do name resolution similar to the function of DNS.  Neither really
cares where it lives as long as it lives. 



Al 



Re: [ActiveDir] WINS topic

2005-03-30 Thread ChuckGaff



You should consider having at least one WINS server in the empty root 
domain.  You will need WINS for NetBIOS name resolution that is still 
required by many applications.
 
Chuck Gafford
Architect 2
 
Unisys
Imagine It.  Done.
 
 
 


Re: [ActiveDir] Bridgehead in a single-server site

2005-03-30 Thread James Cate
Is an empty root with one domain under it still considered a
multi-domain forest?  What is the reasoning for the BHS being a GC?


On Tue, 29 Mar 2005 11:48:37 -0500, Myrick, Todd (NIH/CC/DNA)
<[EMAIL PROTECTED]> wrote:
> One more point to add and I will consider the matter closed.  The BHS should
> be a GC in a multi-domain forest.
> 
> Toddler
> 
> -Original Message-
> From: David Cliffe [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 29, 2005 10:33 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Bridgehead in a single-server site
> 
> Thanks everyone.  All replies (opinions) were consistent and are summed
> up effectively by the latest from Todd below.
> 
> For those interested --> Some brief detective work here has revealed
> that, historically, there were some valid reasons for manually selecting
> a BH in several sites.  At the time of my post I had thought EVERY site
> here was configured that way, and so thought this was the norm
> ("assumption" once again a foolish path!).  The MS documentation and
> your recent replies indicate we should consider a change, especially
> since none of those old reasons apply anymore.  Thanks again!
> 
> -DaveC
> Reuters CIO Infrastructure
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
> (NIH/CC/DNA)
> Sent: Tuesday, March 29, 2005 6:54 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Bridgehead in a single-server site
> 
> There are two reasons why you select preferred BHS.
> 
> 1.  You have some security / political requirement to direct traffic to
> a particular server.  (Firewall, Core service DC vs child domain).
> 
> 2.  You don't want the other servers to be targets as BHS.
> (Underpowered box, etc.)
> 
> Todd Myrick
> 
> -Original Message-
> From: Santhosh Sivarajan [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 28, 2005 4:18 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Bridgehead in a single-server site
> 
> I completely agree with Gil's comment.  Let KCC to handle the BH
> selection.  Otherwise you have to manually select the BH server(s).
> You can manually select more than one BH servers if you want.
> 
> Santhosh Sivarajan
> MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
> Houston, TX
> 
> On Mon, 28 Mar 2005 13:52:41 -0700, Gil Kirkpatrick <[EMAIL PROTECTED]>
> wrote:
> > Is there a good reason to NOT let the KCC pick the BH for you
> automatically?
> > That way you get some failover if it craps out for some reason.
> > Otherwise you'll have to watch the DC constantly to reset the BH to
> > make sure replication continues to work. In Windows 2003, the KCC is
> > pretty good
> about
> > picking the best server as a BH.
> >
> > -gil
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
> > Sent: Monday, March 28, 2005 1:44 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Bridgehead in a single-server site
> >
> >
> > Hi guys,
> >
> > Just curious...any opinions on denoting a server as a bridgehead
> > in a site where it is currently the only defined server?  We were
> > thinking that it then wouldn't be necessary down the road when other
> > DCs are added.  Is there any harm in this?  Is there any good in this?
> 
> > ; - )
> >
> > (Forest and domain functional levels are Win2003)
> >
> > -DaveC
> > Reuters CIO Infrastructure
> >
> >
> > -
> > Visit our Internet site at http://www.reuters.com
> >
> > To find out more about Reuters Products and Services visit
> > http://www.reuters.com/productinfo
> >
> > Any views expressed in this message are those of the individual
> > sender, except where the sender specifically states them to be the
> > views of Reuters Ltd.
> >
> 

[ActiveDir] WINS topic

2005-03-30 Thread Pelle, Joe

I know there has been some debate in this group recently
about WINS in AD but I wanted to get your feedback regarding an empty root
domain:

Do you need a WINS server in an empty root domain? If
so, would pointing WINS back to the child domain WINS server be a bad
idea? Other than AD traffic nothing should be happening at the root level
(other than DNS forwarding) so I’m not sure I understand why WINS would
be needed… We have Exchange 2003 running (which I realize has
somewhat of a dependency on WINS) but the Exchange server(s) are in the child
domain where we have WINS already running.

Any insight would be greatly appreciated!

Thanks!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/


RE: [ActiveDir] LDAP search filter

2005-03-30 Thread Shawn Hayes
thanks, I was missing  (it's on the first panel of the query editing).

Shawn

>>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 04:12PM >>>
The filter I used was 

(&(objectClass=User)(objectCategory=Person)) and I set the filter to the OU
I wanted (it's on the first panel of the query editing).  The query was
entered into the custom search | advanced tab section.

That returns all the user objects at the level in the tree specified. In
your case from the OU level down. 

I get one that looks like this:



Better?  If not, create the Query and then export it and send it offline if
you're able.

Al 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:54 PM
To: ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] LDAP search filter

I end up with something like this but get no information 

(&(&(ou>="")(name=Comit*))(objectClass=user)(name=*))

This is not a filter from what I can tell

>>> "Mulnick, Al" <[EMAIL PROTECTED]> 03/29/05 03:46PM >>>
Yes.  When you create the query, choose the OU you want.  Then use a custom
query and use an LDAP filter search filter on the advanced tab. 

Make sense? 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Shawn Hayes
Sent: Tuesday, March 29, 2005 3:32 PM
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] LDAP search filter

Does anyone know how to create an LDAP search filter I can use within a
Saved Query of ADUC that will list the users in an OU?  I can do this with
VBScript, but I am looking for a way to do this within ADUC.

Thanks,
Shawn


RE: [ActiveDir] Active directory inheritance checkbox on user obj ect!

2005-03-30 Thread Jorge de Almeida Pinto
This happens when those user accounts are members of some protected groups.
Permissions on, and inheritance of permissions of, protected groups are
controlled by the AdminSDHolder object under the SYSTEM container. Every
hour a process on the PDC Emulator checks the permission settings of all
protected groups against the permission settings of the AdminSDHolder
object. If there are differences, the permissions/inheritance of the
protected groups are reset to match the permissions/inheritance of the
AdminSDHolder object. This ALSO applies to all users and groups that are
members of those protected groups. When some security principal is/has been a
member of a protected group, the ADMINCOUNT attribute is set to 1. This is
the way the PDC Emulator sees which objects to check and eventually reset
if they have inconsistent permissions/inheritance settings compared to the
AdminSDHolder object.

This one makes you crazy if you don't know about the AdminSDHolder object
and the process on the PDC Emulator FSMO.

For more info see the following articles:
http://support.microsoft.com/?id=817433
http://support.microsoft.com/kb/318180
http://support.microsoft.com/?kbid=232199

Cheers
Jorge


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wilhelmsen Jan
Sent: Wednesday, March 30, 2005 12:17
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Active directory inheritance checkbox on user object!


Hi!
I have a problem regarding security on user objects. I have an OU called users
and under this I have several other OUs which contain user objects.

In 2 (out of 15) of these child OUs I have some problems with the user
objects: for some reason the user objects don't inherit
the permissions from the parent OU. When I go to the user object, security,
advanced and then check the checkbox that it should inherit the permissions
from the parent OU, everything is working as planned, but after a while the
permissions are gone and the inherit checkbox is unchecked.

It seems that this is happening when Active Directory is replicating. I
compared the security settings on other OUs and they all seem the same.

Can anyone give me some clues on how to troubleshoot, monitor or even better
solve this problem?


Med vennlig hilsen / Best regards
 
Jan Wilhelmsen
IT-Technician
 
Bilia Personbil as
Økernveien 115
0510, Oslo
Norway
Tel:  +47 22882546
Mob:+47 95928392
Fax: +47 22970387
Mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
Gmail: [EMAIL PROTECTED]
 
Citrix User Group
http://www.cug.no
[EMAIL PROTECTED]
Visit http://www.cug.no
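A defender's audit for the condition Jorge describes, added here and not code from the thread: it lists every object stamped adminCount=1, whether it is still a member of a protected group, and whether ACL inheritance on it is blocked (the unchecked checkbox Jan sees). It assumes the RSAT ActiveDirectory PowerShell module (which did not exist in 2005) and a read-only domain account; the protected-group list is an assumption to verify against the KB articles above for your OS level.

```powershell
# Added example, not from the thread. Audits the AdminSDHolder side effect described
# above: accounts stamped adminCount=1 keep inheritance disabled even after they
# leave a protected group. Assumes the RSAT ActiveDirectory module and read access.
Import-Module ActiveDirectory

# Protected groups (assumed set; verify against the cited KBs for your OS level).
$protectedGroups = @('Administrators', 'Account Operators', 'Server Operators',
    'Print Operators', 'Backup Operators', 'Domain Admins', 'Schema Admins',
    'Enterprise Admins', 'Cert Publishers', 'Domain Controllers', 'Replicator')
# These two accounts are protected directly, not through group membership.
$protectedAccounts = @('Administrator', 'krbtgt')

# Build the set of DNs that SDProp legitimately keeps in sync with AdminSDHolder:
# the protected groups themselves plus their (nested) members.
$protected = @{}
foreach ($g in $protectedGroups) {
    $grp = Get-ADGroup -Identity $g -ErrorAction SilentlyContinue
    if (-not $grp) { continue }
    $protected[$grp.DistinguishedName] = $true
    Get-ADGroupMember -Identity $grp -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $protected[$_.DistinguishedName] = $true }
}
foreach ($a in $protectedAccounts) {
    $u = Get-ADUser -Identity $a -ErrorAction SilentlyContinue
    if ($u) { $protected[$u.DistinguishedName] = $true }
}

# Every object SDProp has already stamped (Jorge's ADMINCOUNT = 1).
$stamped = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor

$report = foreach ($obj in $stamped) {
    [pscustomobject]@{
        DistinguishedName    = $obj.DistinguishedName
        StillProtectedMember = $protected.ContainsKey($obj.DistinguishedName)
        # True when the "inherit permissions from parent" checkbox is unchecked.
        InheritanceBlocked   = $obj.nTSecurityDescriptor.AreAccessRulesProtected
    }
}

# Orphans: adminCount=1 but no longer protected. These are the candidates for
# clearing adminCount and re-enabling inheritance, once you have confirmed
# they genuinely no longer need the AdminSDHolder protection.
$report | Where-Object { -not $_.StillProtectedMember } | Format-Table -AutoSize
```

Run it against the PDC Emulator's domain; objects that show StillProtectedMember = True are the ones whose checkbox will keep getting cleared, which is expected behaviour rather than a replication problem.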


[ActiveDir] Active directory inheritance checkbox on user object!

2005-03-30 Thread Wilhelmsen Jan

Hi!
I have a problem regarding security on user objects. I have an OU called users
and under this I have several other OUs which contain user objects.

In 2 (out of 15) of these child OUs I have some problems with the user
objects: for some reason the user objects don't inherit
the permissions from the parent OU. When I go to the user object, security,
advanced and then check the checkbox that it should inherit the permissions
from the parent OU, everything is working as planned, but after a while the
permissions are gone and the inherit checkbox is unchecked.

It seems that this is happening when Active Directory is replicating. I
compared the security settings on other OUs and they all seem the same.

Can anyone give me some clues on how to troubleshoot, monitor or even better
solve this problem?


Med vennlig hilsen / Best regards
 
Jan Wilhelmsen
IT-Technician
 
Bilia Personbil as
Økernveien 115
0510, Oslo
Norway
Tel:  +47 22882546
Mob:+47 95928392
Fax: +47 22970387
Mail: [EMAIL PROTECTED]
MSN: [EMAIL PROTECTED]
Gmail: [EMAIL PROTECTED]
 
Citrix User Group
http://www.cug.no
[EMAIL PROTECTED]
Visit http://www.cug.no


RE: [ActiveDir] AD/ Virus outbreak

2005-03-30 Thread Ruston, Neil
"Quite honestly, you really shouldn't need to run AV software on DCs, there
shouldn't be vectors for them to be infected. If they get infected, it usually
means an Admin was careless - actually in every case of an infected DC I have
investigated it has been an admin being careless."

I disagree. All machines have an attack vector. In this case perhaps the admin
is the weakest link, but then that's no reason to exclude DCs from AV
protection.

From a TCO perspective, an environment where all machines are configured in a
similar fashion must be the optimum. Why manage AV protected and non-AV
protected machines?

I agree wrt the op guidelines - these best practices can be used to minimise
the attack surface but can never reduce it to zero, however.


neil


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 30 March 2005 06:44
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD/ Virus outbreak


1. Don't log into servers to do daily work, learn how to do things with remote
   interfaces.
2. Do not run IE, OE, or pretty much any App interactively on servers.
3. Do not log into workstations with IDs that have admin rights on servers, use
   RUNAS or scripts that require you to specify the creds, etc. Even avoid fixed
   drive letters to DCs with admin creds, use UNCs if you want to use
   NET USE /USER.
4. Do not allow normal users to write to the file systems of a DC.
5. Keep DCs fully patched and do not run unnecessary services.

Quite honestly, you really shouldn't need to run AV software on DCs, there
shouldn't be vectors for them to be infected. If they get infected, it usually
means an Admin was careless - actually in every case of an infected DC I have
investigated it has been an admin being careless.

Yes you can put all roles on one DC. In an empty root I would have done it
already anyway and would have made all DCs in the empty root GCs most likely
as well.

   joe



 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, March 29, 2005 12:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD/ Virus outbreak

Hi,

I have 3 DC's in a protected root domain and 2 child domains. Unfortunately
the 3 root DC's were not running a virus client, totally missed... anyway.
Looks like it is using known Windows exploitability to drop files and what
not.

2 of the 3 seem to be infected. (ones with the Schema Master & DNM and PDCE)

If I have to rebuild can I at least for the interim transfer the above roles
on the 3rd DC (with the RIDM and IM)? GC is on 1 & 2 as well.

Thanks,




RE: [ActiveDir] Proxys and users, and ieak

2005-03-30 Thread Jorge de Almeida Pinto

Yes you can configure different proxy servers for different users through GPOs.

Two ways:
(1) Put users that need the same proxy into the same OU. Create for each
different proxy a new OU. Create for each different proxy config a new GPO with
the proxy config and link that GPO accordingly to the corresponding OU with the
users that need that proxy config.
(2) Put all users into the SAME OU. Create for each different proxy config a new
GPO with the proxy config and link those GPOs accordingly to the OU where all
users are. For each GPO create a Security Group and apply group filtering for a
certain group to one of the GPOs with the proxy config. Make users member of one
of the groups so that using group filtering they will receive their proxy config.

jorge


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Wednesday, March 30, 2005 09:22
To: Lista ActiveDirectory (ActiveDir@mail.activedir.org)
Subject: [ActiveDir] Proxys and users, and ieak


Hello,

Can I configure different proxies for different users with group policy?

And the other question is if I can substitute our ieak config file with group
policy.

Thanks,

Sergio Sánchez
www.epes.es