RE: [ActiveDir] Very OT: Server room fire suppression

2005-04-01 Thread Roger Seielstad



Apparently it's been found that the non-water based systems are just as bad as the water based ones for the electronics, and generally much worse for the living occupants of the room.

Preaction systems are a must - basically the water lines IN the data center are dry - they are only pressurized when they "go off".

Roger Seielstad
E-mail Geek


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Friday, April 01, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Very OT: Server room fire suppression

Hello:

Sorry for the very OT, but knowing what I know about this list, there will be plenty of opinions about this one.

I am outfitting a ground-up server room install for a medium-size business (fewer than 200 employees). The entire building is being built from the ground up. The architects claim that they have done many server rooms and none have used anything but water-based systems. I also realize that "clean agent" systems are very expensive. I have done some reading about "pre-action water systems" that seem to allow a little delay before going off.

Any thoughts on this topic are welcome. Again, sorry for the OT.

Thanks.

-- nme


Re: [ActiveDir] Very OT: Server room fire suppression

2005-04-01 Thread Kat Collins
Interesting discussion here about just that subject:

http://itmanager.blogs.com/notes/2004/05/fire_suppressio.html

These guys either have a very powerful PR department, or they have
received a lot of good writeups...

http://www.periphman.com/fire/computer-room-fire-suppression1.shtml

On Apr 1, 2005 6:00 PM, Noah Eiger <[EMAIL PROTECTED]> wrote:
> Hello:
>
> Sorry for the very OT, but knowing what I know about this list, there will
> be plenty of opinions about this one.
>
> I am outfitting a ground-up server room install for a medium-size business
> (fewer than 200 employees). The entire building is being built from the
> ground up. The architects claim that they have done many server rooms and
> none have used anything but water-based systems. I also realize that "clean
> agent" systems are very expensive. I have done some reading about
> "pre-action water systems" that seem to allow a little delay before going
> off.
>
> Any thoughts on this topic are welcome.  Again, sorry for the OT.
>
> Thanks.
>
> -- nme


-- 
Kat Collins - "The Email of the species is more powerful than the Mail!"

"The human voice is the organ of the soul." Henry Wadsworth Longfellow
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


[ActiveDir] Very OT: Server room fire suppression

2005-04-01 Thread Noah Eiger

Hello:

Sorry for the very OT, but knowing what I know about this list, there will be plenty of opinions about this one.

I am outfitting a ground-up server room install for a medium-size business (fewer than 200 employees). The entire building is being built from the ground up. The architects claim that they have done many server rooms and none have used anything but water-based systems. I also realize that "clean agent" systems are very expensive. I have done some reading about "pre-action water systems" that seem to allow a little delay before going off.

Any thoughts on this topic are welcome. Again, sorry for the OT.

Thanks.

-- nme


RE: [ActiveDir] Server 2003 SP1 for Datacenter

2005-04-01 Thread David Adner
Regardless of whether there's a technical way for you to do this, I would think
there are supportability concerns if you did so.  Do you really want to
install a non-certified SP onto your datacenter server/cluster? There could
be updated drivers, configuration settings, etc. that need to accompany the
SP that your hardware vendor has to provide.

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> David J. Kinsella
> Sent: Friday, April 01, 2005 13:06
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Server 2003 SP1 for Datacenter 
> 
> In my rush to install SP1 on Datacenter I wanted to know if 
> there was a way to disable the necessary need for my hardware 
> vendor to have signed SP1. With the normal edition from 
> Microsoft's Web site I'm obviously prompted with an error 
> that it cannot be installed due to my hardware vendor not 
> allowing me to install it.
> 
> I've searched around for any switches but I can't find any. I 
> suppose I could wait but I'm willing to give it a go if 
> anyone can tell me how to do it. 
> 
> Kind regards,
> 
> David J. Kinsella
> 



RE: [ActiveDir] Log changes to AD

2005-04-01 Thread Alain Lissoir
You can also refer to some WMI features to do this. But that implies
scripting.
http://www.windowsitpro.com/WindowsScripting/Articles/ArticleID/41835/pg/4/4.html

/Alain 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Thursday, March 31, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Log changes to AD

You can use the auditing facilities in AD that, when enabled and configured,
add log messages to the system audit log on the DC where the changes are
made. See the section "Establishing Domain Controller Audit Policy Settings"
in the document Best Practice Guide for Securing Active Directory
Installations and Day-to-Day Operations: Part I at
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/maintain/bpguide/part1/adsecp1.mspx.

Basically, you have to enable auditing of AD object access using group
policy, then set the SACLs on the objects that you want to audit. Then you
have to grab the data from the audit logs on the domain controllers.

MSFT has been sitting on a product called Audit Collection Service (ACS) for
about a year that will aggregate the audit information for you in a SQL
database. They've recently changed the distribution scheme for ACS (this is
about the 4th time I think), and I just don't know when or how it will be
made available to the general public. I'm sure it's Real Soon Now.

There are 3rd-party apps that can do the auditing job as well, such as
Change Auditor from NetPro. Quest Software has something along these lines
as well. There are numerous 3rd party products that can aggregate log
information in a database.

HTH,

-gil

Gil Kirkpatrick
CTO, NetPro
"To fly, flip away backhanded. Flat flip flies straight. Tilted flip curves.
Experiment!"


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Thursday, March 31, 2005 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Log changes to AD

Is there some logging I can enable to track changes to user attributes
(phone number, location, etc) We are running a windows 2000 AD in mixed
mode.

Thank you
jb
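The three steps Gil describes (enable directory service auditing through Group Policy, put a SACL on the objects to watch, then pull the events off the DCs) as an added PowerShell example. This is my illustration, not code from Gil, Alain, NetPro or Microsoft. The OU path, DC name and attribute list are placeholders; the "Audit directory service access" policy must already be enabled on the Domain Controllers OU, and the collector reads event 5136 (Directory Service Changes, Windows Server 2008 and later, which carries the attribute name and value); on the Windows 2000/2003 DCs of this thread the comparable Directory Service Access event is 566, which does not.

```powershell
# Added example (not from the thread, not NetPro's or Microsoft's code).
# Step 1: SACL on an OU that audits successful attribute writes.
# Step 2: collect the resulting events from a DC and keep the attributes of
# interest. OU path, DC name and attribute names are placeholders.
# Needs PowerShell 5+ (::new) and "Audit directory service access" already
# enabled for the DCs through Group Policy.

function Add-UserAttributeAuditRule {
    param(
        [Parameter(Mandatory)][string]$OuPath,   # e.g. 'LDAP://OU=Staff,DC=example,DC=com'
        [string]$Identity = 'Everyone'           # whose writes to audit
    )
    $ou = [ADSI]$OuPath
    # The default security masks fetch owner/group/DACL only; ask for the SACL too.
    $ou.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner -bor
                                [System.DirectoryServices.SecurityMasks]::Group -bor
                                [System.DirectoryServices.SecurityMasks]::Dacl  -bor
                                [System.DirectoryServices.SecurityMasks]::Sacl
    # Audit successful WriteProperty on every object below the OU.
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        [System.Security.Principal.NTAccount]::new($Identity),
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)
    $ou.ObjectSecurity.AddAuditRule($rule)
    $ou.CommitChanges()   # writing a SACL needs "Manage auditing and security log"
}

function Get-AdAttributeChangeEvents {
    param(
        [Parameter(Mandatory)][string]$DomainController,   # placeholder DC name
        [string[]]$Attribute = @('telephoneNumber', 'physicalDeliveryOfficeName'),
        [int]$MaxEvents = 1000
    )
    # 5136 = "A directory service object was modified" (2008+ DCs).
    # The Windows 2000/2003 Directory Service Access equivalent is 566.
    $events = Get-WinEvent -ComputerName $DomainController -MaxEvents $MaxEvents `
        -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($Attribute -notcontains $data['AttributeLDAPDisplayName']) { continue }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Who       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object    = $data['ObjectDN']
            Attribute = $data['AttributeLDAPDisplayName']
            Value     = $data['AttributeValue']
            Operation = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
        }
    }
}

# Usage (placeholders):
# Add-UserAttributeAuditRule -OuPath 'LDAP://OU=Staff,DC=example,DC=com'
# Get-AdAttributeChangeEvents -DomainController 'DC01' | Format-Table -AutoSize
```

The collector has to be run against every DC (or the events forwarded to one place, which is what the ACS product Gil mentions is for), because each DC logs only the changes written to it.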


[ActiveDir] OT: Error Running Exmerge 2003 Against An RSG

2005-04-01 Thread Robert Mezzone
I realize this is off topic but thought someone here might have a suggestion. I'm not making any progress on the Exchange newsgroups.

I'm trying to run Exmerge 2003 against an RSG on an Exchange 2003 SP1 Enterprise server. Windows Server 2003 in native mode. I'm able to run Exmerge against the primary mailbox store without any problems; I had to run adsiedit and change some permissions first to get this to work. However, when I run it against the RSG I get the following in the log file (see below). I checked permissions for the RSG using adsi and everything is fine. The Send and Receive permissions in Exchange System Manager for the RSG are set correctly for the account I'm using to run Exmerge. It's the same account that I used to install Exchange. All groups the account is a member of also have permissions set correctly. I've read every TechNet article I could find, but all they talk about are permissions problems. Nothing in Event Viewer either.

Does anyone know how to troubleshoot this error? I'm starting to wonder if I should recreate the RSG now that the permissions are set correctly for the primary storage group. I don't see why this would help but I'm at a loss right now.

Thanks.


Microsoft Exchange Mailbox Merge Program, v6.5.7408.1
Start Logging:April 01, 2005   15:37:53

[15:37:53] Logging Level: Maximum
[15:37:53] Reading settings from file 'C:\Program Files\Exchsrvr\bin\EXMERGE.INI'.
[15:37:53] Data directory name read from .INI file: 'D:\EXMERGE'.
[15:37:53] Merge action read from .INI file: 0
[15:37:53] DomainControllerForSourceServer read from INI file: 'pjscfs'
[15:37:53] SrcServerLDAP-Port read from INI file: '389'
[15:37:53] Source server name read from .INI file: 'PJSCMS'.
[15:37:53] Entered Routine:  (CADRoutines::IdentifyFamilyOfExchangeRunningOnServer)
[15:37:53] Entered Routine:  (CADRoutines::GetNamingContextData)
[15:37:53] BaseDN: 'LDAP://PJSCMS:389/rootDSE'
[15:37:54] Error 8007203a opening an LDAP connection. ('LDAP://PJSCMS:389/rootDSE')  (CADRoutines::GetNamingContextData)
[15:37:54] Ending Routine:  (CADRoutines::GetNamingContextData)
[15:37:54] Entered Routine:  (CADRoutines::GetNamingContextData)
[15:37:54] BaseDN: 'LDAP://pjscfs:389/rootDSE'
[15:37:54] Ending Routine:  (CADRoutines::GetNamingContextData)
[15:37:54] Default Naming Context: 'DC=pjsc,DC=internal'
[15:37:54] Accessing Domain Controller 'PJSCFS'
[15:37:54] Entered Routine:  (CADRoutines::GetExchangeServerNameInfo)
[15:37:54] BaseDN: 'LDAP://PJSCFS:389/CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=pjsc,DC=internal'
[15:37:54] Got IDirectorySearch interface
[15:37:54] Set search preferences
[15:37:54] Filter used: '(&(objectCategory=msexchExchangeServer)(cn=PJSCMS))'
[15:37:54] Successfully executed directory search
[15:37:54] Ending Routine:  (CADRoutines::GetExchangeServerNameInfo)
[15:37:54] 'PJSCMS' is running Exchange Server 2000 or later
[15:37:54] Ending Routine:  (CADRoutines::IdentifyFamilyOfExchangeRunningOnServer)
[15:37:54] Source server read from settings file is 'PJSCMS'.
[15:37:54] DomainControllerForDestServer read from INI file: ''
[15:37:54] SrcServerLDAP-Port read from INI file: ''
[15:37:54] Invalid LDAP Port number entered in INI file (''). Ignoring this setting.
[15:37:54] Destination server name read from .INI file: ''.
[15:37:54] Message selection start date read from .INI file: ''.
[15:37:54] Reading list of subjects for messages to be selected from file ''
[15:37:54] Subject string match criteria read from INI file: 0
[15:37:54] Reading list of attachment names for messages to be selected from file ''
[15:37:54] Attachment name string match criteria read from INI file: 0
[15:37:54] Folder process setting read from .INI file: 2
[15:37:54] Apply to sub folders setting, read from .INI file: 0
[15:37:54] List of folders to be ignored has been read. 0 folders in the list.
[15:37:54] DelimiterUsedInMailboxFile setting read from .INI file: 0
[15:37:54] File containing list of mailboxes, read from .INI file: 'C:\Program Files\Exchsrvr\bin\MAILBOXES.TXT'.
[15:37:54] Remove intermediate PST files setting read from .INI file: 1
[15:37:54] Date attribute read from .INI file: 0
[15:37:54] Data import method read from .INI file: 1
[15:37:54] ReplaceDataOnlyIfSourceItemIsMoreRecent setting read from .INI file: 1
[15:37:54] Copy user data setting read from .INI file: 1
[15:37:54] Copy associated folder data setting read from .INI file: 0
[15:37:54] Copy folder permissions setting read from .INI file: 0
[15:37:54] Copy dumpster items setting read from .INI file: 0
[15:37:54] UseThisPSTFileForAllMailboxes setting read from .INI file: ''
[15:37:54] MapFolderNameToLocalisedName setting read from .INI file: 0
[15:37:54] RenameFoldersBasedOnFolderMappings set
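One thing worth reading off the log above before chasing the RSG problem: the first bind, to LDAP://PJSCMS:389/rootDSE (the Exchange server itself), fails with 8007203a, and ExMerge immediately retries against the DC named in the INI (pjscfs), which succeeds and yields DC=pjsc,DC=internal. 0x8007203a is ERROR_DS_SERVER_DOWN ("The server is not operational"), the code you get when nothing answers LDAP on that host and port, so that error is recovered from inside the log itself. The following added PowerShell (mine, not Robert's and not part of ExMerge) reproduces that two-step rootDSE bind so the same check can be run by hand against any pair of servers; the names from the log are used only as placeholders.

```powershell
# Added example, not from the post or from ExMerge. Binds to rootDSE on a
# host/port, reports the naming context on success or the HRESULT on
# failure, then walks the servers in the order ExMerge tries them.
function Test-RootDse {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 389)
    $path  = 'LDAP://{0}:{1}/rootDSE' -f $Server, $Port
    $entry = [ADSI]$path
    try {
        $entry.RefreshCache()          # forces the actual LDAP bind
        [pscustomobject]@{
            Path = $path; Bound = $true; HResult = $null
            DefaultNamingContext = [string]$entry.defaultNamingContext
            Note = 'bind succeeded'
        }
    } catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap to the COMException
        $code = if ($ex -is [System.Runtime.InteropServices.COMException]) { $ex.ErrorCode } else { $ex.HResult }
        $hr = '{0:x8}' -f $code
        $note = switch ($hr) {
            '8007203a' { 'ERROR_DS_SERVER_DOWN: nothing answering LDAP on that host/port (e.g. not a DC)' }
            default    { $ex.Message }
        }
        [pscustomobject]@{ Path = $path; Bound = $false; HResult = $hr; DefaultNamingContext = $null; Note = $note }
    }
}

function Resolve-ExmergeNamingContext {
    # Same order as the log: the source (Exchange) server first, then the DC
    # configured as DomainControllerForSourceServer.
    param([Parameter(Mandatory)][string]$SourceServer, [string]$DomainController)
    foreach ($h in @($SourceServer, $DomainController) | Where-Object { $_ }) {
        $r = Test-RootDse -Server $h
        $r
        if ($r.Bound) { break }
    }
}

# Usage with the log's INI values as placeholders:
# Resolve-ExmergeNamingContext -SourceServer 'PJSCMS' -DomainController 'pjscfs'
```

If the second bind also fails, the problem is directory reachability rather than RSG permissions; if it succeeds, as in the log, look further down for the first line that does not say "Successfully".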

RE: [ActiveDir] Null Sessions on a 2003 DC

2005-04-01 Thread Mark Parris
Try this as a starter 

823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

This article has many pointers and links to other articles.

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rogers, James
Sent: 01 April 2005 21:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Null Sessions on a 2003 DC

We're currently operating a small domain with two 2003 domain controllers
and a dying NT4 domain controller that I just can't seem to get rid of.

During a recent security audit, I was informed that NetBIOS null session
connects were being permitted on both 2003 domain controllers (and
possibly on other systems).  I've done some research and found that I can
set a registry key called RestrictAnonymous to 0/1/2 for...

0 - No restriction, rely on default permissions.
1 - Do not allow enumeration of SAM accounts.
2 - No access without explicit anonymous permissions.

My question is simply this - can I set this registry key to 2 without
negative side effects, or will my domain controllers get struck down by a
flaming sword of divine justice?  Will my remaining (but soon to be gone)
NT4 BDC and NT4 member servers stop working?

I'm sure there must be a relevant KB on this subject, but I can't find it.

Thanks!
-James
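Before changing the value James asks about, it helps to know what the DCs actually have set today, so here is an added PowerShell example (mine, not James's or Mark's, and not from KB 823659) that reads the relevant values and lists the membership of the Pre-Windows 2000 Compatible Access group. Two caveats it encodes: on Windows Server 2003 the Windows 2000 value 2 is no longer honoured; the 2003 policies "Do not allow anonymous enumeration of SAM accounts" and "... SAM accounts and shares" set RestrictAnonymousSAM=1 and RestrictAnonymous=1 respectively, and "Let Everyone permissions apply to anonymous users" controls EveryoneIncludesAnonymous, which is why all three are read along with the Server service's RestrictNullSessAccess. And on a DC, anonymous read access to user and group objects is granted by membership of Pre-Windows 2000 Compatible Access, the setting that matters for the NT4-era systems James still has, so it is listed too. Computer names are placeholders.

```powershell
# Added example, not from the thread or from KB 823659. Reports the
# anonymous-access values on one or more machines and the membership of
# Pre-Windows 2000 Compatible Access on the domain. Computer names are
# placeholders; remote targets need the Remote Registry service reachable.

function Get-AnonymousAccessSettings {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        try {
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $srv = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters')
            # GetValue returns $null when a value is absent, i.e. the OS default applies.
            $v = [ordered]@{
                Computer                  = $c
                RestrictAnonymous         = $lsa.GetValue('RestrictAnonymous')          # James's 0/1/2; 2 is honoured by Windows 2000 only
                RestrictAnonymousSAM      = $lsa.GetValue('RestrictAnonymousSAM')       # XP/2003+: 1 blocks anonymous SAM account enumeration
                EveryoneIncludesAnonymous = $lsa.GetValue('EveryoneIncludesAnonymous')  # XP/2003+: 1 puts Everyone back into the anonymous token
                RestrictNullSessAccess    = $srv.GetValue('RestrictNullSessAccess')     # Server service: 1 limits null-session share/pipe access
            }
        } finally {
            $hklm.Close()
        }
        $v['Finding'] = if ($v.EveryoneIncludesAnonymous -eq 1) {
            'Everyone applies to anonymous callers: widest null-session exposure'
        } elseif (-not $v.RestrictAnonymous -and -not $v.RestrictAnonymousSAM) {
            'no explicit anonymous restriction set; OS defaults in effect'
        } else {
            'anonymous restrictions explicitly set'
        }
        [pscustomobject]$v
    }
}

function Get-PreWin2000CompatibleAccessMembers {
    # On DCs this built-in group, not the LSA value, grants read access to user
    # and group objects; if Anonymous Logon (or Everyone, on Windows 2000) is a
    # member, anonymous LDAP reads of that data are still allowed.
    $base     = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://CN=Builtin,$base")
    $searcher.Filter = '(&(objectClass=group)(sAMAccountName=Pre-Windows 2000 Compatible Access))'
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if ($group) { @($group.Properties['member']) } else { @() }
}

# Usage (placeholders):
# Get-AnonymousAccessSettings -ComputerName 'DC01', 'DC02' | Format-List
# Get-PreWin2000CompatibleAccessMembers
```

Run it against every DC and the NT4-dependent member servers before and after applying the policy, and keep the output with the change record; the KB Mark points to is the place to check each reported value against the list of things it can break.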




[ActiveDir] Null Sessions on a 2003 DC

2005-04-01 Thread Rogers, James
We're currently operating a small domain with two 2003 domain controllers
and a dying NT4 domain controller that I just can't seem to get rid of.

During a recent security audit, I was informed that NetBIOS null session
connects were being permitted on both 2003 domain controllers (and
possibly on other systems).  I've done some research and found that I can
set a registry key called RestrictAnonymous to 0/1/2 for...

0 - No restriction, rely on default permissions.
1 - Do not allow enumeration of SAM accounts.
2 - No access without explicit anonymous permissions.

My question is simply this - can I set this registry key to 2 without
negative side effects, or will my domain controllers get struck down by a
flaming sword of divine justice?  Will my remaining (but soon to be gone)
NT4 BDC and NT4 member servers stop working?

I'm sure there must be a relevant KB on this subject, but I can't find it.

Thanks!
-James




Re: [ActiveDir] Users to update DLs in AD

2005-04-01 Thread M Fahmy

Sorry, I knew the answer to this question. Users could use Outlook to manage DLs. I got a request to have the user run a script to update DLs and I think this should be done by system admins only.
Thanks,
Marie

  - Original Message -
  From: M Fahmy
  To: ActiveDir@mail.activedir.org
  Sent: Friday, April 01, 2005 2:45 PM
  Subject: [ActiveDir] Users to update DLs in AD

  Is this possible to give non-technical users access to DLs to manage?

  If yes, please help me.
  Thanks,
  Mary


[ActiveDir] Users to update DLs in AD

2005-04-01 Thread M Fahmy

Is this possible to give non-technical users access to DLs to manage?

If yes, please help me.
Thanks,
Mary


Re: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Santhosh Sivarajan
Is "Secure cache against pollution" option enabled in DNS Advanced tab?

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX.  


On Apr 1, 2005 1:09 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Given what he described, I don't think it's EDNS0. EDNS0 is a problem, but I
> don't think that's what he is seeing here.
>
> Russ, are your DCs multi-homed, by any chance? Is your ISP's DNS server
> appearing anywhere in your DNS list, being served up by DHCP, perhaps? Have
> you also looked at the KB offered by Mark Parris?
>
> Deji
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Brahim Bouchaiba
> Sent: Friday, April 01, 2005 10:20 AM
> To: ActiveDir@mail.activedir.org
> Cc: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Win 2003 DNS issues
>
> what type of firewall do you have? if you have pix firewall disable edns
> on windows 2003
>
> ActiveDir@mail.activedir.org on Friday, April 01, 2005 at 12:47 PM +
> wrote:
>
> >We're experiencing intermittent DNS outages ever since we upgraded our
> >domain controllers (which are all running DNS) to Windows 2003.  We know
> >we're having a problem because users see "Applying security settings"
> >for an extended length of time when booting up.  Then if we do nslookups
> >on the DNS server having issue, it times out.  If we restart DNS, it
> >works fine.
> >
> >We applied hotfix KB830381 and thought it fixed it because it didn't
> >happen for awhile, but it happened again finally.  Has anyone else been
> >experiencing this?
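The thread names two Windows DNS server settings without showing how to check them: EnableEDnsProbes, the value behind the "disable EDNS on Windows 2003" advice (dnscmd /Config /EnableEDnsProbes 0 sets it, and a PIX that drops EDNS0 replies is the usual reason to), and SecureResponses, the "Secure cache against pollution" box Santhosh asks about. The following added PowerShell (mine, not from Santhosh, Deji, Brahim or Russ) reads both from the DNS service's registry parameters on a server and times one query through that server, so the hang Russ describes shows up as a timeout with a number attached rather than an nslookup that just sits there. The server name and test name are placeholders; Resolve-DnsName requires the DnsClient module (Windows 8 / Server 2012 or later) on the machine running the check.

```powershell
# Added example, not from the thread. Reads the two DNS server settings the
# thread discusses from the server's registry and times a lookup through it.
# Server name and test name are placeholders; Resolve-DnsName needs the
# DnsClient module on the machine running this.
function Get-DnsServerHardeningState {
    param(
        [Parameter(Mandatory)][string]$Server,
        [string]$TestName = 'www.example.com'    # constructed test name
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $p = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\DNS\Parameters')
        $edns   = $p.GetValue('EnableEDnsProbes')   # 0 = EDNS0 probes off (dnscmd /Config /EnableEDnsProbes 0)
        $secure = $p.GetValue('SecureResponses')    # 1 = "Secure cache against pollution" ticked in the Advanced tab
    } finally {
        $hklm.Close()
    }

    # Time a single recursive query through this server only (-DnsOnly skips
    # hosts file/LLMNR/NetBIOS so a hang is the server's, not the client's).
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $answer = Resolve-DnsName -Name $TestName -Server $Server -DnsOnly -ErrorAction Stop
        $status = 'answered'
        $ips    = ($answer | Where-Object { $_.IPAddress } | ForEach-Object IPAddress) -join ','
    } catch {
        $status = 'failed: ' + $_.Exception.Message
        $ips    = $null
    }
    $sw.Stop()

    [pscustomobject]@{
        Server                      = $Server
        EnableEDnsProbes            = if ($null -eq $edns)   { 'not set (default: enabled)' } else { $edns }
        SecureCacheAgainstPollution = if ($null -eq $secure) { 'not set (default: enabled)' } else { $secure }
        LookupStatus                = $status
        LookupMilliseconds          = $sw.ElapsedMilliseconds
        Answer                      = $ips
    }
}

# Usage (placeholder DC names): run it against every DC that hosts DNS, and
# again a few minutes apart, since the outage in the thread is intermittent.
# 'DC01', 'DC02' | ForEach-Object { Get-DnsServerHardeningState -Server $_ } | Format-Table -AutoSize
```

A server that answers quickly with EDNS probes still enabled, while an external name behind the firewall times out, is the pattern that points at the EDNS0/PIX problem; a server that times out on everything, including names it is authoritative for, is the restart-fixes-it symptom Russ reports and is not explained by either setting.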


RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Mulnick, Al

I understand that very well.  I'm looking to find the meaning and perspective behind the request.

Even a transient error could be problematic if you *could* match it to the tombstoned object because the same issue could still exist.

To prevent the transient errors from occurring, one approach would be to build the userid to sid mapping table in a separate store outside of the AD and local to the application.  Another would be to run the app on the DC.

With the off-line version you would be able to input logic that ensures you either have all relevant information or you don't have anything.

But again, what is the value of matching a SID to a tombstoned object?

Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

Agreed. It would be great to be able to confirm which user the SID belonged to before deleting the SID.

Ivor


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 01, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

Al, you know that a resolution problem will sometimes prevent SID translations. So, the mere fact that you see SIDs (rather than names) listed in your ACL does not necessarily indicate that those accounts are dead. So, verification is in order here, IMO.

Deji


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 01, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

I'm trying to figure out why you wouldn't want to assume that the account is either gone or tombstoned?  Why the verification step of looking for tombstoned items?

In any event, it takes different rights and settings to see those tombstoned objects.  I wouldn't guess that Zeffy would care about those since they're tombstoned.

Also, if the object is listed incorrectly or referenced by something other than the proper dir object, then what would be the point of keeping it in the ACLs?  There's obviously something wrong at that point right?

Help me understand the logic/business drivers for this...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Orphaned SIDs

I’ve seen quite a bit of info on this subject but would like to get a firm grip on the situation. I recently deleted a bunch of disabled users from my directory. However, I’m left with quite a few orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean these up with VERIFICATION, i.e. I would like to know which user SID I’m deleting before ripping the SID out of the ACL.

I encountered a few tools on the web but they don’t really help in this situation.

http://www.petri.co.il/obj_sid.htm - This is a cool applet that allows you to do a SID lookup or a reverse SID lookup. If the object doesn’t exist in the directory, it doesn’t access the tombstone information for a match.

Then there’s tombstone-user.exe. This util will dump all the tombstone objects from a particular DC. I dumped the tombstones from a DC (it displays SIDs only) and did a find on a couple of the SIDs I see tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s still within 60 days of the objects being deleted.

Any help on this issue will be appreciated.

Ivor

[ActiveDir] Server 2003 SP1 for Datacenter

2005-04-01 Thread David J. Kinsella

In my rush to install SP1 on Datacenter I wanted to know if there was a way to disable the necessary need for my hardware vendor to have signed SP1. With the normal edition from Microsoft’s Web site I’m obviously prompted with an error that it cannot be installed due to my hardware vendor not allowing me to install it.

I’ve searched around for any switches but I can’t find any. I suppose I could wait but I’m willing to give it a go if anyone can tell me how to do it.

Kind regards,

David J. Kinsella



RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread deji

Given what he described, I don’t think it’s EDNS0. EDNS0 is a problem, but I don’t think that’s what he is seeing here.

Russ, are your DCs multi-homed, by any chance? Is your ISP’s DNS server appearing anywhere in your DNS list, being served up by DHCP, perhaps? Have you also looked at the KB offered by Mark Parris?

Deji

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brahim Bouchaiba
Sent: Friday, April 01, 2005 10:20 AM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Win 2003 DNS issues

what type of firewall do you have? if you have pix firewall disable edns on windows 2003

ActiveDir@mail.activedir.org on Friday, April 01, 2005 at 12:47 PM + wrote:

>We're experiencing intermittent DNS outages ever since we upgraded our
>domain controllers (which are all running DNS) to Windows 2003.  We know
>we're having a problem because users see "Applying security settings"
>for an extended length of time when booting up.  Then if we do nslookups
>on the DNS server having issue, it times out.  If we restart DNS, it
>works fine.
>
>We applied hotfix KB830381 and thought it fixed it because it didn't
>happen for awhile, but it happened again finally.  Has anyone else been
>experiencing this?



RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Beelders, Ivor

Agreed. It would be great to be able to confirm which user the SID belonged to before deleting the SID.

Ivor


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 01, 2005 1:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

Al, you know that a resolution problem will sometimes prevent SID translations. So, the mere fact that you see SIDs (rather than names) listed in your ACL does not necessarily indicate that those accounts are dead. So, verification is in order here, IMO.

Deji


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 01, 2005 10:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned SIDs

I'm trying to figure out why you wouldn't want to assume that the account is either gone or tombstoned?  Why the verification step of looking for tombstoned items?

In any event, it takes different rights and settings to see those tombstoned objects.  I wouldn't guess that Zeffy would care about those since they're tombstoned.

Also, if the object is listed incorrectly or referenced by something other than the proper dir object, then what would be the point of keeping it in the ACLs?  There's obviously something wrong at that point right?

Help me understand the logic/business drivers for this...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Orphaned SIDs

I’ve seen quite a bit of info on this subject but would like to get a firm grip on the situation. I recently deleted a bunch of disabled users from my directory. However, I’m left with quite a few orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean these up with VERIFICATION, i.e. I would like to know which user SID I’m deleting before ripping the SID out of the ACL.

I encountered a few tools on the web but they don’t really help in this situation.

http://www.petri.co.il/obj_sid.htm - This is a cool applet that allows you to do a SID lookup or a reverse SID lookup. If the object doesn’t exist in the directory, it doesn’t access the tombstone information for a match.

Then there’s tombstone-user.exe. This util will dump all the tombstone objects from a particular DC. I dumped the tombstones from a DC (it displays SIDs only) and did a find on a couple of the SIDs I see tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s still within 60 days of the objects being deleted.

Any help on this issue will be appreciated.

Ivor
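The verification Ivor wants, with Deji's caveat built in, as an added PowerShell example (mine, not Ivor's, Deji's or Al's, and not the petri.co.il applet or tombstone-user.exe). For each ACE on a file-system path whose identity is still a raw SID it first retries the ordinary SID-to-name translation, because a translation that failed once may simply have hit a DC or DNS hiccup and the account may be perfectly alive; only when the SID is definitely not mapped does it search the domain's tombstones for a deleted object with that objectSid, which is the lookup the petri applet does not do. The path and domain are placeholders; searching tombstones needs list rights on the Deleted Objects container (by default only administrators have them) and finds nothing once the tombstone lifetime Ivor mentions has passed. User Rights assignments, the other place Ivor sees orphans, are not covered.

```powershell
# Added example, not code from the thread or from the tools it names.
# Path and search base are placeholders; see the lead-in for rights needed.
Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapSidFilterValue {
    # objectSid is stored as binary; an LDAP filter wants each byte as \xx.
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid)
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    return (($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join '')
}

function Find-TombstoneBySid {
    param([Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
          [Parameter(Mandatory)][string]$SearchBase)   # e.g. 'LDAP://DC=example,DC=com'
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]$SearchBase
    $s.Tombstone  = $true          # sends the show-deleted control (1.2.840.113556.1.4.417)
    $s.Filter     = "(&(isDeleted=TRUE)(objectSid=$(ConvertTo-LdapSidFilterValue $Sid)))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'whenChanged'))
    $s.FindOne()
}

function Resolve-OrphanedAce {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$SearchBase)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference
        # Get-Acl already translated the ones that resolve; only raw SIDs remain.
        if ($id -isnot [System.Security.Principal.SecurityIdentifier]) { continue }
        $sid = [System.Security.Principal.SecurityIdentifier]$id
        $name = $null; $deletedOn = $null
        try {
            # 1. Retry the translation: a failed lookup can be a transient DC/DNS problem.
            $name   = $sid.Translate([System.Security.Principal.NTAccount]).Value
            $status = 'Resolves now (live account; the earlier failure was transient)'
        } catch [System.Security.Principal.IdentityNotMappedException] {
            # 2. Definitely not a live account: is it a tombstone?
            $t = Find-TombstoneBySid -Sid $sid -SearchBase $SearchBase
            if ($t) {
                if ($t.Properties['samaccountname'].Count) { $name = [string]$t.Properties['samaccountname'][0] }
                $deletedOn = $t.Properties['whenchanged'][0]
                $status    = 'Tombstoned: ' + [string]$t.Properties['distinguishedname'][0]
            } else {
                $status = 'No live or tombstoned object (past tombstone lifetime, foreign domain, or well-known SID)'
            }
        } catch {
            $status = 'Translation error, not proof of deletion: ' + $_.Exception.Message
        }
        [pscustomobject]@{
            Path = $Path; Sid = $sid.Value; Rights = $ace.FileSystemRights
            Name = $name; Status = $status; DeletedOn = $deletedOn
        }
    }
}

# Usage (placeholders):
# Resolve-OrphanedAce -Path 'D:\Shares\Finance' -SearchBase 'LDAP://DC=example,DC=com' | Format-Table -AutoSize
```

Only ACEs reported as Tombstoned, with the sAMAccountName matching a user you meant to delete, are candidates for removal; the "Translation error" rows are exactly the case Deji warns about and should be re-run against another DC before anything is touched.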


RE: [ActiveDir] Virus issue on Domain Controller

2005-04-01 Thread deji

You have the Virus contained. But have you nailed down exactly what the Virus had done before it was contained? Have you “completely” undone what the Virus had done before the containment? That’s a tricky question because it is nearly impossible to do that, especially if it’s a crafty Virus.

So, given what you are seeing, I am thinking that you are seeing the effects of the Virus. If I were you (of course I’m not you, silly :)), my approach would be to flatten the infected DCs and rebuild them, especially since you indicated that not all your DCs were infected. Depending on what the Virus actually did, that, too, may not be a good cure since it’s possible that the infection had replicated to the “clean” DCs. But, rather than trying to chase your tails, a reinstall is my best recommendation.

Deji

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Friday, April 01, 2005 10:42 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virus issue on Domain Controller

Hi,

I had recently posted about a virus outbreak in our environment, now that we have the virus contained I notice some of the normal Windows functionality hasn't been working properly.

It's a Windows 2000 Domain Controller.

Here are some of the issues: the control panel doesn't display the way it should, the window pops up as a split 2-panel window (like in explorer) instead of a single panel and all of the icons are located in the smaller left-hand panel in two columns; clicking on the add/remove programs icon brings up the Add/Remove Programs window but it's completely blank with the exception of the text from the icons usually on the left-hand side of the window, it displays at the top of the window all ran together; in Windows Explorer the C:\WINNT, the C:\Program Files, and C:\WINNT\system32 folders are unviewable - it's completely blank in the right-hand panel of Windows Explorer when I click on these folders; and it doesn't run vbscripts anymore.

Cannot open logs in Event Viewer, you can view the logs but when double-clicking one.

So far, I have tried;

1. Scan File Checker
2. Windows Repair
3. Safe Mode Scan with Symantec
4. Re-install could be an option but I'm avoiding that for now.

Any help would be appreciated.

Thanks,

"Firefox - Rediscover the web "


List info   : http://www.activedir.org/List.aspx

List FAQ    : http://www.activedir.org/ListFAQ.aspx

List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
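Deji's advice rests on the gap between "contained" and "knowing what it did". One way to narrow that gap before deciding to flatten, and to test his other point (whether the DCs you believe are clean really match the suspect one), is to compare the system binaries of the suspect DC against a DC you trust. The PowerShell below is an added example, not code from the list or from Microsoft: it hashes the system directory of both machines over their C$ admin shares and reports files that differ, exist only on the suspect, or are missing from it. The host names DC1 and DC2, the WINNT\system32 path of Devan's Windows 2000 layout and the file patterns are placeholders; it assumes it runs from an admin workstation that has PowerShell and rights to both shares (the Windows 2000 DCs themselves need nothing installed).

```powershell
# Added example, not code from the list or from Microsoft: hash the system
# directory of a suspect DC and of a DC believed clean over their C$ shares
# and report what differs. DC1/DC2, the WINNT\system32 path and the patterns
# are placeholders; run from an admin workstation with rights to both shares.
param(
    [string]$Suspect     = 'DC2',
    [string]$Reference   = 'DC1',
    [string]$RelativeDir = 'WINNT\system32',
    [string[]]$Include   = @('*.exe', '*.dll', '*.sys', '*.ocx', '*.drv', '*.cpl')
)

function Get-Sha256Hex([string]$File) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($File)
    try     { return [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close(); $sha.Clear() }
}

function Get-DirHashes([string]$Root, [string[]]$Include) {
    # relative path -> SHA-256; PowerShell hashtable keys compare case-insensitively
    $table = @{}
    Get-ChildItem -Path $Root -Include $Include -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            try   { $table[$rel] = Get-Sha256Hex $_.FullName }
            catch { $table[$rel] = 'UNREADABLE: ' + $_.Exception.Message }   # locked or access denied
        }
    return $table
}

function Compare-SystemDirs([string]$SuspectRoot, [string]$ReferenceRoot, [string[]]$Include) {
    $ref = Get-DirHashes $ReferenceRoot $Include
    $sus = Get-DirHashes $SuspectRoot   $Include
    $out = @()
    foreach ($rel in $sus.Keys) {
        if     (-not $ref.ContainsKey($rel)) { $status = 'ONLY-ON-SUSPECT' }
        elseif ($ref[$rel] -ne $sus[$rel])   { $status = 'DIFFERS' }
        else                                 { continue }
        $out += New-Object PSObject -Property @{ File = $rel; Status = $status; Suspect = $sus[$rel]; Reference = $ref[$rel] }
    }
    foreach ($rel in $ref.Keys) {
        if (-not $sus.ContainsKey($rel)) {
            $out += New-Object PSObject -Property @{ File = $rel; Status = 'MISSING-ON-SUSPECT'; Suspect = $null; Reference = $ref[$rel] }
        }
    }
    return ,$out
}

$findings = Compare-SystemDirs "\\$Suspect\C`$\$RelativeDir" "\\$Reference\C`$\$RelativeDir" $Include
$findings | Sort-Object Status, File | Format-Table Status, File, Suspect, Reference -AutoSize
'{0} difference(s) between {1} and {2} under {3}' -f $findings.Count, $Suspect, $Reference, $RelativeDir
```

Two caveats. Everything read from the suspect passes through its own kernel and SMB server, so a rootkit can hide or substitute files and a clean diff is not proof of a clean machine, which is why the rebuild advice stands. And a patch-level mismatch between two DCs shows up as DIFFERS too, so check version, date and signature before treating an entry as malware. Directory data that replicated to the other DCs, the part Deji is most worried about, is not covered by a file comparison at all.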








RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread deji








Al, you know that a resolution problem
will sometimes prevent SID translations. So, the mere fact that you see SIDs
(rather than names) listed in your ACL does not necessarily indicate that those
accounts are dead. So, verification is in order here, IMO.

 

Deji

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 01, 2005 10:51
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Orphaned
SIDs



 

I'm trying to figure out why you wouldn't
want to assume that the account is either gone or tombstoned?  Why the
verification step of looking for tombstoned items?

 

In any event, it takes different rights
and settings to see those tombstoned objects.  I wouldn't guess that Zeffy
would care about those since they're tombstoned.  

 

Also, if the object is listed incorrectly
or referenced by something other than the proper dir object, then what would be
the point of keeping it in the ACLs?  There's obviously something wrong at
that point right? 

 

 

Help me understand the logic/business
drivers for this...

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Beelders, Ivor
Sent: Friday, April 01, 2005 11:41
AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Orphaned SIDs

I’ve seen quite a bit of info on this subject but
would like to get a firm grip on the situation. I recently deleted a bunch of
disabled users from my directory. However, I’m left with quite a few
orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean
these up with VERIFICATION, i.e. I would like to know which user SID I’m
deleting before ripping the SID out of the ACL.

 

I encountered a few tools on the web but they don’t
really help in this situation.

 

http://www.petri.co.il/obj_sid.htm 
- This is a cool applet that allows you to do a SID lookup or a reverse SID
lookup. If the object doesn’t exist in the directory, it doesn’t
access the tombstone information for a match.

 

Then there’s tombstone-user.exe. This util will dump
all the tombstone objects from a particular DC. I dumped the tombstones from a
DC (it displays SIDs only) and did a find on a couple of the SIDs I see
tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s
still within 60 days of the objects being deleted. 

 

Any help on this issue will be appreciated.

 

 

Ivor 

 


 
  
  This communication (including any
  attachments) contains information which is confidential and may also be
  privileged. 
  It is for the exclusive use of the intended recipient(s). 
  If you are not the intended recipient(s), please do not distribute, copy or
  use this communication or the information. 
  Instead, if you have received this communication in error, please notify the
  sender immediately and then destroy any copies of it.
  
  Due to the nature of the Internet, the sender is unable to ensure the
  integrity of this message and does not accept any liability or responsibility
  for any errors or omissions (whether as the result of this message having
  been intercepted or otherwise) in the contents of this message.
  
  Any views expressed in this communication are those of the individual sender,
  except where the sender specifically states them to be the views of the
  company.
  
 


 








[ActiveDir] OT: Corrupt bkf repair

2005-04-01 Thread Creamer, Mark








Anyone know if Microsoft or anyone else makes available a free
tool to repair a corrupt bkf (ntbackup) file? I see a couple of commercial
tools, but I hate to spend several hundred dollars to find that it won’t
work anyway. Thanks

 

Mark
Creamer

Systems
Engineer

Cintas
Corporation

 

 





This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.





RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Mulnick, Al



I'm trying to figure out why you wouldn't want to 
assume that the account is either gone or tombstoned?  Why the verification 
step of looking for tombstoned items?
 
In any event, it takes different rights and settings to 
see those tombstoned objects.  I wouldn't guess that Zeffy would care about 
those since they're tombstoned.  
 
Also, if the object is listed incorrectly or referenced 
by something other than the proper dir object, then what would be the point of 
keeping it in the ACLs?  There's obviously something wrong at that point 
right? 
 
 
Help me understand the logic/business drivers for 
this...


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Beelders, 
IvorSent: Friday, April 01, 2005 11:41 AMTo: 
ActiveDir@mail.activedir.orgSubject: [ActiveDir] Orphaned 
SIDs


I’ve seen quite a bit of info on 
this subject but would like to get a firm grip on the situation. I recently 
deleted a bunch of disabled users from my directory. However, I’m left with 
quite a few orphaned SIDs in the ACLs and User Rights policies, etc. I would 
like to clean these up with VERIFICATION, i.e. I would like to know which user 
SID I’m deleting before ripping the SID out of the 
ACL.
 
I encountered a few tools on the web 
but they don’t really help in this situation.
 
http://www.petri.co.il/obj_sid.htm  
- This is a cool applet that allows you to do a SID lookup or a reverse SID 
lookup. If the object doesn’t exist in the directory, it doesn’t access the 
tombstone information for a match.
 
Then there’s tombstone-user.exe. 
This util will dump all the tombstone objects from a particular DC. I dumped the 
tombstones from a DC (it displays SIDs only) and did a find on a couple of the 
SIDs I see tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s 
still within 60 days of the objects being deleted. 
 
Any help on this issue will be 
appreciated.
 
 
Ivor 
 

  
  


[ActiveDir] Virus issue on Domain Controller

2005-04-01 Thread Devan Pala
Hi,
I had recently posted about a virus outbreak in our environment, now that we 
have the virus contained I notice some of the normal Windows functionality 
hasn't been working properly.

It's a Windows 2000 Domain Controller.
Here are some of the issues: the control panel doesn't display the way it 
should, the window pops up as a split 2-panel window (like in explorer) 
instead of a single panel and all of the icons are located in the smaller 
left-hand panel in two columns; clicking on the add/remove programs icon 
brings up the Add/Remove Programs window but it's completely blank with the 
exception of the text from the icons usually on the left-hand side of the 
window, it displays at the top of the window all ran together; in Windows 
Explorer the C:\WINNT, the C:\Program Files, and C:\WINNT\system32 folders 
are unviewable - it's completely blank in the right-hand panel of Windows 
Explorer when I click on these folders; and it doesn't run vbscripts anymore.

Cannot open logs in Event Viewer, you can view the logs but when 
double-clicking one.

So far, I have tried:
1. Scan File Checker
2. Windows Repair
3. Safe Mode Scan with Symantec
4. Re-install could be an option but I'm avoiding that for now.
Any help would be appreciated.
Thanks,
"Firefox - Rediscover the web "


RE: [ActiveDir] Orphaned SIDs

2005-04-01 Thread Jorge de Almeida Pinto
SUBINACL is a tool from MS that can help you remove orphaned SIDs. It can do
a lot except for user rights.

The following option might help you:
/cleandeletedsidsfrom=DomainName [=dacl | =sacl | =owner | =primarygroup |
=sdsize] 
Deletes all ACEs containing deleted (not valid) SIDs from DomainName. The
optional parameters allow you to specify certain parts of the security
descriptor in which to search for invalid SIDs.

It supports the following objects:
/object_type :
   /service          /keyreg           /subkeyreg
   /file             /subdirectories[=directoriesonly|filesonly]
   /clustershare     /kernelobject     /metabase
   /printer          /onlyfile         /process
   /share            /samobject

To download the latest version of SUBINACL:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&displaylang=en

For info on SUBINACL:
http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/subinacl.asp

Hope this can help you!
Cheers
Jorge




-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/1/2005 6:40 PM
Subject: [ActiveDir] Orphaned SIDs

I've seen quite a bit of info on this subject but would like to get a
firm grip on the situation. I recently deleted a bunch of disabled users
from my directory. However, I'm left with quite a few orphaned SIDs in
the ACLs and User Rights policies, etc. I would like to clean these up
with VERIFICATION, i.e. I would like to know which user SID I'm deleting
before ripping the SID out of the ACL.

 

I encountered a few tools on the web but they don't really help in this
situation.

 

http://www.petri.co.il/obj_sid.htm 
- This is a cool applet that allows you to do a SID lookup or a reverse
SID lookup. If the object doesn't exist in the directory, it doesn't
access the tombstone information for a match.

 

Then there's tombstone-user.exe. This util will dump all the tombstone
objects from a particular DC. I dumped the tombstones from a DC (it
displays SIDs only) and did a find on a couple of the SIDs I see
tombstoned in the directory but it doesn't find the SIDs? Yes, it's
still within 60 days of the objects being deleted. 

 

Any help on this issue will be appreciated.

 

 

Ivor 

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
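Taking Deji's caveat (a SID that will not translate is not automatically a dead account) together with Jorge's SUBINACL option, the verification Ivor asked for is a per-SID question: does the directory still hold a tombstone for this SID, or is it one the machine simply cannot resolve right now? The PowerShell script below is an added example, not code from the list, from SUBINACL or from Microsoft. It walks the DACL of one path and, for every identity that does not resolve, searches the domain's tombstones by objectSid. Assumed, not from the thread: the path D:\Shares\Finance; that the script runs on a domain-joined machine as a user of the domain that owned the deleted accounts; that this user can read CN=Deleted Objects (by default only members of Administrators can, which is Al's point about rights); and that the deletions are still inside the tombstone lifetime (60 days in Ivor's forest). It only reports; removal stays a separate, reviewed step.

```powershell
# Added example, not code from the list, SUBINACL or Microsoft: report every
# unresolvable SID on a path's DACL and say whether the directory still holds a
# tombstone for it. Assumptions: D:\Shares\Finance is a placeholder; the script
# runs on a domain-joined host as a user of the domain that owned the deleted
# accounts, with rights to read CN=Deleted Objects (by default only members of
# Administrators); the deletions are still inside the tombstone lifetime.
param([string]$Path = 'D:\Shares\Finance')

$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

# SID of the caller's own domain: separates "our" SIDs from foreign ones, since a
# trusted-domain SID that will not resolve is usually a lookup problem, not a
# deleted account.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
$domainDn  = ([ADSI]'LDAP://RootDSE').defaultNamingContext

function Test-SidResolves([System.Security.Principal.SecurityIdentifier]$Sid) {
    try   { [void]$Sid.Translate($NtType); return $true }
    catch { return $false }   # IdentityNotMappedException, or a trust/DC lookup failure
}

function Find-TombstoneBySid([System.Security.Principal.SecurityIdentifier]$Sid) {
    $raw = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($raw, 0)
    # a binary value goes into an LDAP filter as backslash-escaped hex pairs (RFC 4515)
    $escaped  = ($raw | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$domainDn"
    $searcher.Tombstone  = $true     # ask the DC to include deleted objects in the result
    $searcher.Filter     = "(&(isDeleted=TRUE)(objectSid=$escaped))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'lastKnownParent', 'whenChanged'))
    return $searcher.FindOne()
}

$report = foreach ($ace in (Get-Acl -Path $Path).Access) {
    $sid = $ace.IdentityReference.Translate($SidType)
    if (Test-SidResolves $sid) { continue }      # resolves: nothing to verify

    if (-not $sid.IsEqualDomainSid($domainSid)) {
        $verdict = 'FOREIGN-UNRESOLVED'
        $detail  = 'SID belongs to another domain; confirm there before removing'
    } else {
        $ts = Find-TombstoneBySid $sid
        if ($ts) {
            $p = $ts.Properties
            $verdict = 'TOMBSTONED'
            $detail  = 'was {0}, parent {1}, changed {2}' -f $p['samaccountname'][0], $p['lastknownparent'][0], $p['whenchanged'][0]
        } else {
            $verdict = 'NO-TOMBSTONE'
            $detail  = 'own-domain SID with no tombstone: past the tombstone lifetime, no read access to Deleted Objects, or a lookup fault; verify by hand'
        }
    }
    New-Object PSObject -Property @{
        Sid = $sid.Value; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited
        Verdict = $verdict; Detail = $detail
    }
}

if ($report) { $report | Format-Table Sid, Verdict, Rights, Inherited, Detail -AutoSize }
else         { "Every ACE on $Path resolves; nothing to verify." }
```

A TOMBSTONED entry is what `subinacl /cleandeletedsidsfrom=` would strip, and `$acl.RemoveAccessRule($ace)` followed by `Set-Acl` does the same for one path. FOREIGN-UNRESOLVED is the case Deji warns about, typically a trusted domain whose DCs cannot be reached from this host, and should be confirmed in that domain before anything is removed. The script covers file and share DACLs only; entries in User Rights Assignment, which SUBINACL also does not handle, still have to be reviewed by hand.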


Re: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Brahim Bouchaiba
What type of firewall do you have? If you have a PIX firewall, disable EDNS
on Windows 2003.



ActiveDir@mail.activedir.org on Friday, April 01, 2005 at 12:47 PM +
wrote:
>
>We're experiencing intermittent DNS outages ever since we upgraded our
>domain controllers (which are all running DNS) to Windows 2003.  We know
>we're having a problem because users see "Applying security settings"
>for an extended length of time when booting up.  Then if we do nslookups
>on the DNS server having issue, it times out.  If we restart DNS, it
>works fine.
>
>We applied hotfix KB830381 and thought it fixed it because it didn't
>happen for awhile, but it happened again finally.  Has anyone else been
>experiencing this?



RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Rimmerman, Russ

When the problem is not occurring, yes.  When the problem is occurring,
we get 3-4 timeouts before we finally get a response.  The problem
happens on both our 2003 DNS servers, but not simultaneously.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ed Buford
Sent: Friday, April 01, 2005 11:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win 2003 DNS issues

When you do an NSLOOKUP do you get the IP for the DC's you expect?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?


~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~


RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Chris Gauch
What's showing up in your DNS event logs?  We upgraded all 4 of our Windows
2003 DCs to SP1 last night and none of them exhibit the aforementioned DNS
issues.  

- Chris

--
Chris Gauch
Systems Administrator
Digicon Communications, Inc.
[EMAIL PROTECTED]


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Ed Buford
> Sent: Friday, April 01, 2005 12:24 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Win 2003 DNS issues
> 
> When you do an NSLOOKUP do you get the IP for the DC's you expect?
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Friday, April 01, 2005 9:37 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Win 2003 DNS issues
> 
> 
> We're experiencing intermittent DNS outages ever since we upgraded our
> domain controllers (which are all running DNS) to Windows 2003.  We know
> we're having a problem because users see "Applying security settings"
> for an extended length of time when booting up.  Then if we do nslookups
> on the DNS server having issue, it times out.  If we restart DNS, it
> works fine.
> 
> We applied hotfix KB830381 and thought it fixed it because it didn't
> happen for awhile, but it happened again finally.  Has anyone else been
> experiencing this?
> 
> 


RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Ed Buford
When you do an NSLOOKUP do you get the IP for the DC's you expect?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?




RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Rimmerman, Russ

May I ask which hotfix it was that you installed that fixed it?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
(NIH/CC/DNA)
Sent: Friday, April 01, 2005 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Win 2003 DNS issues

We saw this problem too on our DC's and we addressed it by installing a
hotfix that fixed a NTFS issue.

Is it possible you have a GPO that might be trying to configure DNS
settings on your DDNS box?

Todd

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?




[ActiveDir] Orphaned SIDs

2005-04-01 Thread Beelders, Ivor








I’ve seen quite a bit of info on this subject but
would like to get a firm grip on the situation. I recently deleted a bunch of
disabled users from my directory. However, I’m left with quite a few
orphaned SIDs in the ACLs and User Rights policies, etc. I would like to clean
these up with VERIFICATION, i.e. I would like to know which user SID I’m
deleting before ripping the SID out of the ACL.

 

I encountered a few tools on the web but they don’t
really help in this situation.

 

http://www.petri.co.il/obj_sid.htm 
- This is a cool applet that allows you to do a SID lookup or a reverse SID
lookup. If the object doesn’t exist in the directory, it doesn’t
access the tombstone information for a match.

 

Then there’s tombstone-user.exe. This util will dump
all the tombstone objects from a particular DC. I dumped the tombstones from a
DC (it displays SIDs only) and did a find on a couple of the SIDs I see
tombstoned in the directory but it doesn’t find the SIDs? Yes, it’s
still within 60 days of the objects being deleted. 

 

Any help on this issue will be appreciated.

 

 

Ivor 

 









RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread David Cliffe
I've been wondering if anyone else out there would ever describe this
issue.  Yes, we have seen similar here, Russ.  Disabling EDNS0 did not
make a difference, and tracking this down has been difficult, because it
has been very intermittent and random.  MS provided us with debug
modules, and we have given them traces, logs, etc...with no true
satisfactory results.  The latest pre-SP1 module we have from them is
v.5.2.3790.196  (the SP1 version is  5.2.3790.1830).  This 196 version
has been tested here on a few DNS (both with debugging on and off) and
has not yet exhibited the cache problem we were seeing (described as
best I can below), so we may roll it out until we can fully test SP1.
However, we are still not 100% sure this is the fix, or what the problem
is.

The only workaround I was able to find (besides a restart of the
service), is to clear the cache.  I had noticed that the cache for a
given zone on a DNS [during the problem] would contain an NS record for
that zone, perhaps an SOA, but no associated A (or glue) record.  If I
cleared the cache, the full set of records would reappear, and the
server would begin resolving again for that zone.  We do not use
forwarders on most of our internal DNS, choosing instead to go with root
hints.  I noticed this problem occurring on random DNS, within random
zones, almost immediately upon upgrading to Windows 2003, and have been
frustrated by it since.  The TTLs for the NS and A records on the root
servers were examined and found to be set to 1 day (86400), which I
believe is "typical".  It's almost as if the A records in the cache on
the 2003 DNS were timing out, but the server continued to "believe" it
still had them cached.  Does that make sense?  I am no DNS cache expert,
so I don't know what normal behavior is, other than to examine the cache
on a zone that is working normally.  To me, if a zone has an NS, but no
associated A, how can it resolve anything for that zone without going
back to the root?

Anyway, I would be curious to know if yours exhibit similar symptoms?

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?




-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit 
http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.



RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Myrick, Todd (NIH/CC/DNA)
We saw this problem too on our DC's and we addressed it by installing a
hotfix that fixed a NTFS issue.

Is it possible you have a GPO that might be trying to configure DNS settings
on your DDNS box?

Todd

-Original Message-
From: Rimmerman, Russ [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 01, 2005 9:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?




RE: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Jorge de Almeida Pinto
Could it be EDNS0, because you are doing DNS queries through some
firewall?
Does the following apply:
SYMPTOMS
After you upgrade your Microsoft Windows 2000-based DNS server to Microsoft
Windows Server 2003, DNS queries to some domains may not be resolved
successfully. 

CAUSE
This issue occurs because of the Extension Mechanisms for DNS (EDNS0)
functionality that is supported in Windows Server 2003 DNS. 

EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes.
However, some firewall programs may not permit UDP packets that are larger
than 512 bytes. As a result, these DNS packets may be blocked by the
firewall.

See http://support.microsoft.com/kb/832223 (Some DNS Name Queries Are
Unsuccessful After You Upgrade Your DNS Server to Windows Server 2003)

To modify EDNS0 configuration:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/4d90d400-dc49-4772-a679-917c80096a29.mspx 



If not, enable "Debug logging" on the DNS server. The following articles can
help you with that.
* Select and enable debug logging options on the DNS server
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/9b82dd18-e7b2-4c36-b981-471b7b762c46.mspx)
* Using server debug logging options
(http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2a2723c5-3462-411d-94e2-fe5fc08db07b.mspx)
* Debug Logging for DNS in Windows 2003
(http://computerperformance.co.uk/w2k3/services/DNS_debug_logging.htm)

Are there Event Viewer entries on the DNS server that can tell you more?

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: vrijdag 1 april 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups on
the DNS server having issue, it times out.  If we restart DNS, it works
fine.

We applied hotfix KB830381 and thought it fixed it because it didn't happen
for awhile, but it happened again finally.  Has anyone else been
experiencing this?


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
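As an added example (not from the thread or the KB article), a small Python probe that builds the same A query with and without an EDNS0 OPT record and reads the UDP payload size a DNS message advertises, handling compressed names in real responses; the server address, query name and the 4096-byte size are assumed. A plain reply but an EDNS0 timeout from the same server is the firewall symptom described above.

```python
import socket
import struct

OPT_TYPE = 41  # RFC 2671 OPT pseudo-RR; its CLASS field carries the UDP payload size

def build_query(name, edns_udp_size=None, txid=0x1234):
    """Recursive A query; with edns_udp_size set, append an OPT RR advertising
    that UDP payload size (the EDNS0 addition a 512-byte filter may reject)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0) + qname + struct.pack("!HH", 1, 1)
    if edns_udp_size:  # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_udp_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(msg):
    """UDP payload size from the OPT RR, or None when the message carries no EDNS0."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE/QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return None

def probe(server, name, timeout=3.0):
    """Plain then EDNS0 query; plain reply but EDNS0 timeout = the KB 832223 symptom."""
    out = {}
    for label, q in (("plain", build_query(name)), ("edns0", build_query(name, 4096))):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # assumed server, port 53
            s.settimeout(timeout)
            try:
                s.sendto(q, (server, 53))
                out[label] = advertised_udp_size(s.recvfrom(65535)[0]) or 512
            except socket.timeout:
                out[label] = None
    return out
```

Run `probe("<dns server ip>", "example.com")` from a host on the far side of the firewall; `{"plain": 512, "edns0": None}` means only the EDNS0 query was dropped.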


Re: [ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Mark Parris
Have you seen article 832161?

Mark
-Original Message-
From: "Rimmerman, Russ" <[EMAIL PROTECTED]>
Date: Fri, 1 Apr 2005 08:36:46 
To:
Subject: [ActiveDir] Win 2003 DNS issues


We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?



--
Sent from my blackberry.


[ActiveDir] Win 2003 DNS issues

2005-04-01 Thread Rimmerman, Russ

We're experiencing intermittent DNS outages ever since we upgraded our
domain controllers (which are all running DNS) to Windows 2003.  We know
we're having a problem because users see "Applying security settings"
for an extended length of time when booting up.  Then if we do nslookups
on the DNS server having issue, it times out.  If we restart DNS, it
works fine.

We applied hotfix KB830381 and thought it fixed it because it didn't
happen for awhile, but it happened again finally.  Has anyone else been
experiencing this?



RE: [ActiveDir] 2003 SP1 RTM

2005-04-01 Thread joe
I haven't gone through all of this thread, but I think this type of thing
perfectly illustrates some folks "concern" over just throwing it out there.
The concern being, what all IS in there?

Of course there is just the simple, "I want to hear what issues others hit
with it before I throw it out there...". Of course if everyone did this, it
would never get installed. 

If I were still running a production environment, my general policy would be
to run the release at home on some test machines for at least a week or two
(I would have already been running the beta (and RCs) and am right now as
well as R2 but that is pretty much SP1) and when I was fairly comfortable
with no real obvious weird things I would throw it into an official work lab
and probably on a couple of production less than critical servers and
start some basic acceptance type tests. Based on that and what I wanted in
the SP I would push the certification process handled by another group to
get done faster or just let them take their time. The certification process
is an official set of test matrixes for the OS and apps that has to be
properly completed for every update and they have a team of people running
through the matrices for various configs. Again, depending on how bad I
needed something in the pack and how slow the certification process was
going (say it got hung up on CAD type machines and I am not running CAD), I
would or wouldn't wait for the final certification to push the SP. As a
general rule, I wouldn't push an SP until it fully went through
certification which could be months after RTM. QFEs on the other hand for
specific things I have been known to have fully deployed worldwide before
the integration team has looked at the package wrap I built on the fly to
make the "official" wrapped package to test for the company. 

I apologize if I missed the gist of what is being discussed here. I am still
spending all day (12+ hours) at that one other widget factory I mentioned
previously and when I got home last night, I set up my MCE system to start
recording TV instead of doing email. :)

Got to cruise, I am hoping one 18 hour day will push us through our final
blocks and I can be done and get back to my regular work life again of nice
relaxing fun work. 

   joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, March 31, 2005 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 SP1 RTM

What I find interesting is some of the things that I know are in SP1 that
*aren't* listed on that page. Specifically a huge performance improvement in
the TCP stack for servers with more than a few thousand concurrent
connections.


Roger Seielstad
E-mail Geek 

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. 
> Marquis
> Sent: Thursday, March 31, 2005 11:23 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] 2003 SP1 RTM
> 
> Hello Eric,
> 
> I went to the M$ Windows 2003 server page and found this Doc that lays 
> out all of the changes:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx
> 
> > You referred to SP1 having "too many changes." How did you make this
> determination?
> 
> I just read the above doc and it seems that this is more of a complete 
> overhaul of the OS vs. some fixes rolled up like Win XP SP1. Also, 
> just my opinion here, but I am in the healthcare field and everything 
> is mission critical as far as the directory is concerned. I personally 
> will let others make the jump and find all the pitfalls as MS isn't 
> always as forthcoming in issues and fixes for those issues.
> 
> > What is the threshold where we cross in to too many?
> 
> When you are altering the core OS and the way it works vs. a security 
> fix.
> 
> >2) What steps will you be going through between now and when you do 
> >install it?
> 
> I will cruise the newsgroups to read other accounts as the KB site 
> often has confusing documentation on resolving issues. I find it is 
> better to find the direction one needs to go by other experiences.
> 
> >What will you do between now and deployment to give you the
> confidence
> >level you need to fire it up on a box and see how it goes?
> 
> I will just give it a go as soon as it seems safe in a couple of 
> months.
> 
> It is just like SP2 for win xp. If you install it, the sp2 will break 
> the ability to view other people's sessions on their systems. This was 
> a show stopper for me until I spent about a month searching for a 
> little-known regedit that needs to be made on the users system to 
> restore this functionality.
> 
> Just my 2 cents. If you have a good firewall and anti-virus 
> protection, things can slide for a little while as others test it out 
> first.
> 
> David A. Marquis
> Computer Systems Administrator
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL

[ActiveDir] First KB article for W2K3 SP1 ;-)

2005-04-01 Thread Jorge de Almeida Pinto
Hi,


The first KB article for W2K3 SP1: After you run the Security Configuration Wizard in Windows Server 2003 SP1, Outlook users may not be able to connect to their accounts -> http://support.microsoft.com/default.aspx?scid=kb;en-us;896742

Cheers
Jorge




[ActiveDir] Access Based Enumeration in W2K3 SP1

2005-04-01 Thread Jorge de Almeida Pinto
Hi,


I installed it today on a VM guest (DC) and it installed OK.
However, configuring the ABE feature is not possible through the GUI. I wonder why they don't provide some checkbox to configure this as I think this is one of the features people have been waiting for!

However, you can use the SHAREFLGS tool from JOEWARE to configure ABE.


Joe: like the other tools, the SHAREFLGS tool will be famous for its possibilities! ;-))


Cheers
Jorge





Re: [ActiveDir] 2003 SP1 RTM

2005-04-01 Thread Tomasz Onyszko
Grillenmeier, Guido wrote:
> I'd add these as important ones to the list:
> 15) ability to set certain attributes to be "confidential" - i.e. they can't be read with 
> normal "Read" permissions on an object
> 16) ability to configure Drag & Drop in ADUC
> 17) ability to configure visibility of foreign Universal Group memberships in ADUC

Guido, can you point me to some description of 15 and 16?
--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl