RE: [ActiveDir] How much of the DIT is cached in RAM ?
Checking the working set size of LSASS is not reliable. There's process overhead for things like LSA session handles and other stuff related to the security subsystem. The most accurate method is to enable the ESE Database performance counters and look at "Cache Size". To enable the DB counters, install Server Performance Advisor, or check out
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbm_mon_pzgc.asp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 14, 2005 8:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

By checking the working set size of LSASS?

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Fugleberg, David A
> Sent: Thursday, April 14, 2005 2:22 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] How much of the DIT is cached in RAM ?
>
> How can I determine how much of the DIT is being cached in
> RAM on a given DC ?
>
> Dave
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] NTDS.dit size
Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how "much" connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that changes a _ton_. So really, it's all about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right...large DBs _tend_ to require more bandwidth than smaller ones. I can't picture a 100gb DB on the other side of a 64k link being good in the average case. :)

~Eric

-----Original Message-----
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how "much" connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that doesn't change very much. So really, it's all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's nothing wrong with the occasional promotion that is over the wire. It'll finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:

1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case cache is ~2.6gb in size. With 64bit, the sky is the limit...throw ram at a DC, and it will use it to cache more of the db. DB caching cuts down on the I/O required for reads (which for most people are the bulk of their load) and helps your perf a lot.

2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else on them, and /3gb set. It lets you really use your cache well, and still have some headroom for the OS and tools you might use here and there.

3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries for AD, and possibly optimizing AD for the queries (both are on the table). Tools like SPA, field engineering logging (mentioned in a thread on this dl earlier today) and any 3rd party tools you might like all can help here. Though this advice isn't specific to large DBs..I like making things faster at any scale. :)

4) Standard disk logic about optimizing I/O throughput applies.

5) Some people "warm" the cache on DC boot. This is particularly interesting on 64bit DCs where you have tons of memory headroom. That is, after the box boots they run some really expensive queries that walk very expensive indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and get them off of the disk and in to memory. It hits the DC hard from an I/O standpoint on boot, but it does get a lot of the db in to memory for actual load that starts to hit the box after. It's done in more environments than one. I like the idea quite a bit, and have thought about if there is anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
>
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you for
> this and didn't want to speak out of turn for you.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: Act
RE: [ActiveDir] NTDS.dit size
It's hard to characterize how "much" connectivity you need vs. how big your db is. A huge db of mostly static info doesn't need nearly as much connectivity as a smaller db that doesn't change very much. So really, it's all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's nothing wrong with the occasional promotion that is over the wire. It'll finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:

1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case cache is ~2.6gb in size. With 64bit, the sky is the limit...throw ram at a DC, and it will use it to cache more of the db. DB caching cuts down on the I/O required for reads (which for most people are the bulk of their load) and helps your perf a lot.

2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else on them, and /3gb set. It lets you really use your cache well, and still have some headroom for the OS and tools you might use here and there.

3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries for AD, and possibly optimizing AD for the queries (both are on the table). Tools like SPA, field engineering logging (mentioned in a thread on this dl earlier today) and any 3rd party tools you might like all can help here. Though this advice isn't specific to large DBs..I like making things faster at any scale. :)

4) Standard disk logic about optimizing I/O throughput applies.

5) Some people "warm" the cache on DC boot. This is particularly interesting on 64bit DCs where you have tons of memory headroom. That is, after the box boots they run some really expensive queries that walk very expensive indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and get them off of the disk and in to memory. It hits the DC hard from an I/O standpoint on boot, but it does get a lot of the db in to memory for actual load that starts to hit the box after. It's done in more environments than one. I like the idea quite a bit, and have thought about if there is anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
>
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you for
> this and didn't want to speak out of turn for you.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> The largest production DIT I have personally seen was on the order of 8GB
> for the GC DIT for a Fortune 5 company running about 250k users of which
> about 180k were Exchange enabled. Also had some 250k contacts, 200k or so
> computer objects, 100k or so group objects and consisted of 9 domains.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Tuesday, April 12, 2005 2:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NTDS.dit size
>
> I know that AD can have millions of objects, just trying to see what the
> real world size of some of your AD databases are. Do
RE: [ActiveDir] How much of the DIT is cached in RAM ?
By checking the working set size of LSASS?

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Fugleberg, David A
> Sent: Thursday, April 14, 2005 2:22 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] How much of the DIT is cached in RAM ?
>
> How can I determine how much of the DIT is being cached in
> RAM on a given DC ?
>
> Dave
Re: [ActiveDir] NTDS.dit size
Eric/Joe,

Thanks for the great input! My test lab is VM ware running on 20 GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity? You can install AD from media in 2003 but I would think there would be problems in a 2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice tools.

Thanks again
Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
>
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you for
> this and didn't want to speak out of turn for you.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
>
> The largest production DIT I have personally seen was on the order of 8GB
> for the GC DIT for a Fortune 5 company running about 250k users of which
> about 180k were Exchange enabled. Also had some 250k contacts, 200k or so
> computer objects, 100k or so group objects and consisted of 9 domains.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Tuesday, April 12, 2005 2:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NTDS.dit size
>
> I know that AD can have millions of objects, just trying to see what the
> real world size of some of your AD databases are. Do any of you have
> databases greater than 20GB+... or more?
>
> Thanks
> Mike
RE: [ActiveDir] Sniffer
Ethereal (and most other sniffers for that matter) use the host machine's NIC drivers. Of course, if you're doing a promiscuous sniff on a full GigE network - a single Gig interface isn't going to cut it.

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Medeiros, Jose
> Sent: Wednesday, April 13, 2005 8:54 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Sniffer
>
> I am sure that Wildpackets has the latest driver support for
> most Gigabit adapters.
>
> Jose
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> Sent: Wednesday, April 13, 2005 12:07 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Sniffer
>
>
> Thanks guys
> I will try them all, they do support gigabit right? because
> when we upgraded to giga the sniffer I used to use couldn't
> do me any good.
>
> r.c.
>
> On 4/12/05, Medeiros, Jose <[EMAIL PROTECTED]> wrote:
> > Greetings,
> >
> > Try the demo from http://www.wildpackets.com/ Etherpeek is
> > for Ethernet Networks and Airopeek is for Wireless Network
> > Cards. In my opinion Wildpackets has the easiest to use and
> > understand sniffer, Laura Chappell
> > http://www.packet-level.com/ swears by it.
> >
> > http://www.amazon.com/exec/obidos/search-handle-form/104-0192535-4735132
> >
> > Hope this helps,
> >
> > Jose :-)
> >
> > ---
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of rubix cube
> > Sent: Tuesday, April 12, 2005 1:09 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Sniffer
> >
> > Any one recommends a specific good sniffer that he uses?
> > Thanks
RE: [ActiveDir] NTDS.dit size
Well I've seen very very large in test on many occasions. The numbers I cited below (with those very descriptive adjectives) are just what I've seen in production. I didn't think test counted.

If you want to count test, I could fire up a test db that is a TB or so on a san I have nearby. :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

See I almost cc'ed you on the response to get your input on this too as I knew you had played with some 16GB+ DITS but didn't want to bother you for this and didn't want to speak out of turn for you.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger.
I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more?

Thanks
Mike
RE: [ActiveDir] DNS queries and actual trace
I tend to use dig from *nix hosts for real DNS work. IIRC there are Windows ports available.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Murray Wall
Sent: Tuesday, April 12, 2005 2:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS queries and actual trace

I was wondering what tools/options are required to get an actual DNS lookup trace, including internal machine cached/hosts file lookups and external requests to the DNS server. Does such a beast exist?

Murray Wall, MCSE, B.Ed
CCNA/DA Master ASE Messaging
[EMAIL PROTECTED]
RE: [ActiveDir] Sniffer
That's a cute marketing slogan - so it's a User Interface for a user interface? Ethereal is the User Interface for the WinPCAP library that actually does the captures.

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jorge de Almeida Pinto
> Sent: Tuesday, April 12, 2005 1:44 AM
> To: 'Tomasz Onyszko '; '[EMAIL PROTECTED] ';
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Sniffer
>
> same comment as below for
> http://www.networkchemistry.com/products/packetyzer/
>
> Packetyzer(tm) is a Windows user interface for the Ethereal
> packet capture and dissection library. Packetyzer can decode
> more than 483 protocols.
>
> jorge
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 4/12/2005 10:24 AM
> Subject: Re: [ActiveDir] Sniffer
>
> rubix cube wrote:
> > Any one recommends a specific good sniffer that he uses?
>
> ethereal - http://www.ethereal.com/
>
> It's good and it's Open Source
>
> --
> Tomasz Onyszko [MVP]
> [EMAIL PROTECTED]
> http://www.w2k.pl
RE: [ActiveDir] alias not working
Try changing it from a CNAME to an A record. Chances are it gets fixed.

Roger Seielstad
E-mail Geek

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Cothern Jeff D. Team EITC
> Sent: Monday, April 11, 2005 1:32 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] alias not working
>
> It's a cname
>
> Fs1 for Fileserver1.domain.com
>
> This server is a Netapps machine so not running windows on
> it. Our 2000 machine can use the short name just fine and
> get to the shares.
>
> Only the machines that have had security applied seem to have
> an issue using the short name.
>
> I even checked wins and we have a static wins name setup for
> the short one also.
>
> I think its something with wins though. On a 2000 machine I
> bring up a command prompt and do this
>
> Net view fileserver1 >I get the proper response back
>
> When I do
>
> Net View fs1 >I get the proper response back
>
> If I do the same thing on a 2003 or xp machine when I do the alias.
>
> I get system error 50 has occurred.
>
> The request is not supported.
>
> Thanks for any help you can give.
>
> Jeff
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Roger Seielstad
> Sent: Saturday, April 09, 2005 2:14 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] alias not working
>
> Actually, we do it with a number of our servers.
>
> Is the DNS record a CNAME or an A record?
>
> If it's a CNAME, is the target the FQDN of the box??
> fs1 in cname fileserver1.domain.com
> Or is it
> fs1 in cname fileserver1
> Unless it is the former, it won't work.
>
> Alternately (but less elegant IMO) you could just cut an A record:
> fs1 in a 192.168.0.1
>
>
> Roger Seielstad
> E-mail Geek
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Friday, April 08, 2005 2:10 PM
> > To: ActiveDir@mail.activedir.org
> > Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
> > Subject: Re: [ActiveDir] alias not working
> >
> > Hi Jeff
> >
> > This is because when I access a server it verifies that the server
> > that I am requesting matches the netbios name on the server itself.
> > Aliases, A records and WINS / LMHosts will not fix this in any
> > configuration we have tried. The access denied is server name does
> > not match.
> >
> > Regards;
> >
> > James R. Day
> > Active Directory Core Team
> > Office of the Chief Information Officer National Park Service
> > (202) 354-1464 (direct)
> > (202) 371-1549 (fax)
> > [EMAIL PROTECTED]
> >
> > From: "Cothern Jeff D. Team EITC" <[EMAIL PROTECTED]>
> > Sent by: [EMAIL PROTECTED]
> > 04/08/2005 04:33 PM AST
> > Please respond to ActiveDir
> > To:
> > cc: (bcc: James Day/Contractor/NPS)
> > Subject: [ActiveDir] alias not working
> >
> > Ok for some reason 2003 and xp machines that are locked down with
> > policies are not working with an alias that was created within DNS for
> > a server.
> >
> > To shorten the length of a server name for share purposes we created
> > an alias.
> >
> > IE. Fileserver1 alias FS1.
> >
> > If you go onto the machine and type in \\fs1 you get an access denied
> > message. If you type \\Fileserver1 it takes you right into the
> > server.
> > Anyone have a clue on which policies may be affecting this.
> >
> > Jeff
RE: [ActiveDir] systemFlags
See, I knew I would get clobbered. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the suggestion of such 'back-doors' alone ... bad Joe ;-)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
        0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

The directory itself is purposely throwing the error. The DSID tells you exactly where in the source the error is being thrown from and looking at the source it is because this attribute is reserved for update. It is however, possible to update, I will not share that mechanism as I may get clobbered for it. You can find the mechanism in public archives though if you look carefully...

F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
        0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can get interactive access on your DC can take over your forest" argument. Just because one person doesn't know how to do it doesn't mean no one else does... If you don't trust the people who are on your DCs, you are in a very very very bad way.

Oh yeah, but does that disallow of the delete actually work??

[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February
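An added example, not part of the thread or of joe's adfind/admod tools: it decodes systemFlags values like the ">systemFlags: -2147483648" adfind prints above, showing why admod wrote 2147483648 but the directory reads it back as a negative number (the same 32-bit pattern, 0x80000000, rendered as a signed integer), and which protection bits an object carries. Flag names and values follow the systemFlags definition in MS-ADTS; the adfind output fed to the parser is constructed to mirror the thread.

```python
"""Decode Active Directory systemFlags values (MS-ADTS section 2.2.10),
including the signed 32-bit form that LDAP tools such as adfind print."""
import re

# Bit -> name, as defined for the systemFlags attribute in MS-ADTS.
SYSTEM_FLAGS = {
    0x00000001: "FLAG_ATTR_NOT_REPLICATED",
    0x00000002: "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER",
    0x00000004: "FLAG_ATTR_IS_CONSTRUCTED",
    0x00000008: "FLAG_ATTR_IS_OPERATIONAL",
    0x00000010: "FLAG_SCHEMA_BASE_OBJECT",
    0x00000020: "FLAG_ATTR_IS_RDN",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x80000000: "FLAG_DISALLOW_DELETE",
}
KNOWN_MASK = sum(SYSTEM_FLAGS)


def to_unsigned32(value: int) -> int:
    """Normalize a signed or unsigned integer to its 32-bit pattern.
    2147483648 (what admod was given) and -2147483648 (what adfind shows)
    are the same bits, 0x80000000; AD stores a 32-bit integer and LDAP
    renders it as a signed value."""
    if not -(2 ** 31) <= value <= 2 ** 32 - 1:
        raise ValueError(f"not a 32-bit value: {value}")
    return value & 0xFFFFFFFF


def to_signed32(value: int) -> int:
    """Render a 32-bit pattern the way adfind prints it (two's complement)."""
    u = to_unsigned32(value)
    return u - 2 ** 32 if u & 0x80000000 else u


def decode_system_flags(value) -> list:
    """Names of the bits set in a systemFlags value (int or LDAP string),
    lowest bit first; bits without a known name are reported as UNKNOWN."""
    u = to_unsigned32(int(value))
    names = [name for bit, name in sorted(SYSTEM_FLAGS.items()) if u & bit]
    unknown = u & ~KNOWN_MASK
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08X}")
    return names


def is_delete_protected(value) -> bool:
    """True when FLAG_DISALLOW_DELETE is set; in the thread, deleting such
    an OU fails with Error 0x35 (53) - Unwilling To Perform."""
    return "FLAG_DISALLOW_DELETE" in decode_system_flags(value)


# adfind prints attribute lines as ">name: value" under a "dn:" line.
_SYSFLAGS_LINE = re.compile(r"^>?\s*systemFlags:\s*(-?\d+)\s*$", re.IGNORECASE)


def parse_adfind_output(text: str) -> dict:
    """Map each dn in adfind output to its decoded systemFlags names.
    Objects with no systemFlags line (attribute unset) map to []."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
            result[current] = []
        elif current is not None:
            m = _SYSFLAGS_LINE.match(line)
            if m:
                result[current] = decode_system_flags(m.group(1))
    return result


# Constructed sample modelled on the adfind output in the thread.
SAMPLE_ADFIND = """\
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

dn:OU=UnprotectedOU,OU=TestOU,DC=joe,DC=com
"""

if __name__ == "__main__":
    for dn, flags in parse_adfind_output(SAMPLE_ADFIND).items():
        print(dn, "->", flags or "(systemFlags not set)")
```

Pointing parse_adfind_output at real "adfind -f objectclass=organizationalUnit systemflags" output gives a quick inventory of which containers are protected from deletion and which are not.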
RE: [ActiveDir] SLOWWWWWW Logons
Which packets? Kerberos?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, April 14, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

A network trace was done using ethereal and I found that packets were just failing over and over.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

I would tend to agree though I wonder how much this "and updating the drivers for the NIC cards" played into it. I could visualize a scenario where the driver update changed how it was packaging UDP packets and in fact the whole time it was Kerberos biting him in the ass with fragmented packet sizes. I have seen cases where updating drivers cleared up the Kerberos packet frag issue. Unfortunately it seems a network trace was never done to verify what the actual issue might have been.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, April 13, 2005 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons

Also interesting that this would be happening when the computer was logged off and not shut down. Once the machine is up and on the network there shouldn't be any more issues with the media sensing of the NIC. If it fixed the issue then it's all good, but I'm perplexed as to why this would fix your particular problem as well. Thanks for the followup!

Phil

On 4/12/05, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> That's very interesting. Like I said, it's most interesting that the
> symptoms didn't occur for all users on that machine.
>
> Either way, glad you're making progress and thanks for posting the findings.
>
> -ajm
RE: [ActiveDir] SLOWWWWWW Logons
A network trace was done using ethereal and I found that packets were just failing over and over.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

I would tend to agree though I wonder how much this "and updating the drivers for the NIC cards" played into it. I could visualize a scenario where the driver update changed how it was packaging UDP packets and in fact the whole time it was Kerberos biting him in the ass with fragmented packet sizes. I have seen cases where updating drivers cleared up the Kerberos packet frag issue. Unfortunately it seems a network trace was never done to verify what the actual issue might have been.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, April 13, 2005 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons

Also interesting that this would be happening when the computer was logged off and not shut down. Once the machine is up and on the network there shouldn't be any more issues with the media sensing of the NIC. If it fixed the issue then it's all good, but I'm perplexed as to why this would fix your particular problem as well. Thanks for the followup!

Phil

On 4/12/05, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> That's very interesting. Like I said, it's most interesting that the
> symptoms didn't occur for all users on that machine.
>
> Either way, glad you're making progress and thanks for posting the findings.
>
> -ajm
RE: [ActiveDir] systemFlags
You surprise me ... I thought we'd agreed that we were leaving even the suggestion of such 'back-doors' alone ... bad Joe ;-)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
   0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

The directory itself is purposely throwing the error. The DSID tells you exactly where in the source the error is being thrown from, and looking at the source it is because this attribute is reserved for update. It is, however, possible to update; I will not share that mechanism as I may get clobbered for it. You can find the mechanism in public archives though if you look carefully...

F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
   0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can get interactive access on your DC can take over your forest" argument. Just because one person doesn't know how to do it doesn't mean no one else does... If you don't trust the people who are on your DCs, you are in a very very very bad way.

Oh yeah, but does that disallow of the delete actually work??

[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

The answer is yes. Possibly that would be a g
RE: [ActiveDir] systemFlags
[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
   0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

The directory itself is purposely throwing the error. The DSID tells you exactly where in the source the error is being thrown from, and looking at the source it is because this attribute is reserved for update. It is, however, possible to update; I will not share that mechanism as I may get clobbered for it. You can find the mechanism in public archives though if you look carefully...

F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
   0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can get interactive access on your DC can take over your forest" argument. Just because one person doesn't know how to do it doesn't mean no one else does... If you don't trust the people who are on your DCs, you are in a very very very bad way.

Oh yeah, but does that disallow of the delete actually work??

[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

The answer is yes. Possibly that would be a good joeware for sale item. ;oP

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

Suspend all sanity for a moment. I'm not wandering down the route of trusted and untrusted administrators, that's just how I arrived at this point. Simply I'm j
RE: [ActiveDir] OT Exchange question.
> (Gotta love how many Exchange questions get fielded to
> this list, isn't it?)

A lot of us poor schmoes were handling AD so well someone started throwing Exchange at us to handle as well.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, April 08, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Exchange question.

(Gotta love how many Exchange questions get fielded to this list, isn't it?)

Rebuilding an Exchange 2000 server, and received the following error trying to install the post-SP3 roll-up:

"Setup has detected that the version of the service pack installed on your system is lower that what is necessary to apply this hotfix. At minimum you must have Service Pack 3 installed."

(And yes, I have SP 3 installed. :-) Even reinstalled it once or twice for good measure.) Google is being uninformative. Has anyone run into this?

- Laura
RE: [ActiveDir] ldap_bind_s failed with = <82
Odd error. I don't believe 82 is a valid LDAP error so I will assume it is 0x52 which means Local Error Occurred which isn't very helpful either...

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, April 11, 2005 11:57 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldap_bind_s failed with = <82

Anyone know why I would get this error

ldap_bind_s failed with = <82

in the userenv.log file?
RE: [ActiveDir] Retrieving computer accounts
Excellent. One change though... Use objectcategory=computer versus objectclass=computer unless you are one of those smart folks who already indexed objectclass.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Saturday, April 09, 2005 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Retrieving computer accounts

Hi,

For each domain in the forest:

AdFind.exe -b DC=W2K3DOMAIN,DC=LAN -f "&(objectClass=computer)(operatingSystem=Windows XP Professional)"

You can't throw this query against a GC as the attribute "operatingSystem" is not in the PAS.

You could also use OLDCMP (which generates a very nice HTML page!):

OLDCMP -report -age 0 -b DC=W2K3DOMAIN,DC=LAN -f "&(objectClass=computer)(operatingSystem=Windows XP Professional)"

With both you could also additionally use the "operatingSystemServicePack" attribute to search for XP computers with a certain SP:

For SP0: operatingSystemServicePack=
For SP1: operatingSystemServicePack=Service Pack 1
For SP2: operatingSystemServicePack=Service Pack 2

Cheers
Jorge

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave A. Marquis
Sent: Friday, April 08, 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Retrieving computer accounts

Hello All,

Does anyone know a script that will gather all computer accounts in a forest? I want to build a list of computer names so I can make a script to send the Win SP2 package to the file system, but not install it.

Dave
RE: [ActiveDir] [List owner] Update Your PayPal Account Information
Wow, Tony lives

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, April 11, 2005 6:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [List owner] Update Your PayPal Account Information

Interesting! The list software blocks any posts from unsubscribed sender addresses, so this should not have got through. I've just tested this and the block is working normally. I need to look into how the list software checks the sender address, i.e. whether it looks at the envelope or the message header. I'm thinking it maybe came from a subscribed sender with a modified message header. If anyone has any ideas, please feel free to mail me off-list.

Tony

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: 11 April 2005 01:24
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Update Your PayPal Account Information

JS/Stealus.gen trojan as well

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Sunday, April 10, 2005 3:40 PM
To: [EMAIL PROTECTED]
Cc: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Update Your PayPal Account Information

Hi all,

Anyone with Paypal accounts please do not send any information to this post. This is being forwarded to the Paypal security team.

Thanks,

Original Message Follows
From: "io"
Reply-To: ActiveDir@mail.activedir.org
To: "activedir"
Subject: [ActiveDir] Update Your PayPal Account Information
Date: Mon, 11 Apr 2005 00:29:59 +0300
RE: [ActiveDir] NTDS.dit size
See I almost cc'ed you on the response to get your input on this too as I knew you had played with some 16GB+ DITs but didn't want to bother you for this and didn't want to speak out of turn for you.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger. I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more?

Thanks
Mike
RE: [ActiveDir] 1000 groups
Ah, Domain Local Group (DLG) SIDs... Sorry, I misread your post and thought you meant Distribution List when you said DL Groups. Looking at too much Exchange stuff lately.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 7:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's not the way I understand the token construct in later-than-NT4 Windows builds. As I understand it, the effective token is the result of the combined TGT and Session ticket PAC (portions directly derived from the TGT) as it relates to a particular target resource (PAC = privileged attribute cert., the kerb. attr. designated to carry OS proprietary auth. data) ... the change you reference simply forces a 2K3 DC to include Domain Local group SIDs within the TGT (regardless of domain mode) with a view to making the overall authorization process more consistent.

As for your 2nd question, that's a good one ... let me give that some thought.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDs thing. I take it this is a case of the SIDs being in the actual kerb ticket and not in the actual token and restricted, correct? Is there a mechanism for listing the groups in a given TGT?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.

Regarding token bloat, the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected.

In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included). In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable.

A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure).

This article alludes to the problem - http://support.microsoft.com/kb/313661/

Real-time token size can be calculated using the following tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true?

Thanks,
--Brian

Brian Fischer
Microsoft Systems Consultant
Quest Software
4320 Winfield Rd, Suite 500
Warrenville, IL 60555
[EMAIL PROTECTED]
tel: 630-836-3160  fax: 949-754-8999  mobile: 630-567-2825
RE: [ActiveDir] Export Security & Mailbox Rights members
Well actually ADFIND can do this. It just may not be as clean as you may like. It will dump out the SDDL of the mailbox security descriptor. The SDDL will have either a code for a well-known security principal, like DA=Domain Admins and WD=Everyone (World), or, for any non-well-knowns, the SID. For instance here is a dump of a user object from my test domain (note that each attribute - the lines starting with > - would be one line in the output; you will probably see it wrap...).

[Thu 04/14/2005 19:40:59.62]
F:\DEV\cpp\SecTok>adfind -default -f [EMAIL PROTECTED] -sddl msexchmailboxsecuritydescriptor

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:CN=joe,OU=MailUsers,OU=joeware2,OU=Exchange,DC=joe,DC=com
>msExchMailboxSecurityDescriptor: [SDDL] O:S-1-5-21-1862701446-4008382571-2198042679-G:S-1-5-21-1862701446-4008382571-2198042679-D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)
>msExchMailboxSecurityDescriptor: [OWNER] O:S-1-5-21-1862701446-4008382571-2198042679-
>msExchMailboxSecurityDescriptor: [GROUP] G:S-1-5-21-1862701446-4008382571-2198042679-
>msExchMailboxSecurityDescriptor: [DACL] D:AI(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)
>msExchMailboxSecurityDescriptor: [SACL] Not specified in SD or insufficient rights

1 Objects returned

[Thu 04/14/2005 19:41:05.93]

Now it has always been in the reading that I have done that only explicit ACEs are listed in that attribute, however I am not finding that to be true now that I can enumerate it directly. The above cleans up to be

(A;CI;CCDCRC;;;PS)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)(D;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1672)(A;CIID;SDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)(A;CIID;CC;;;S-1-5-21-1862701446-4008382571-2198042679-1673)(A;CIID;CCSDRCWDWO;;;S-1-5-21-1862701446-4008382571-2198042679-)(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)

for the DACL (just grab the one line that says "msExchMailboxSecurityDescriptor: [DACL]"). You can clearly see that inherited ACEs are definitely in the data being returned.

For more info on SDDL see
http://msdn.microsoft.com/library/default.asp?url=""
http://msdn.microsoft.com/library/default.asp?url=""
http://msdn.microsoft.com/library/default.asp?url=""

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Export Security & Mailbox Rights members

Is there an option for this in adfind?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Thursday, April 07, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Export Security & Mailbox Rights members

I have an account that has a few unknown SIDs under the Security Tab & Mailbox Rights. I can use psgetsid to get the names of these unknown SIDs, but I want to output these so I can copy and paste the SIDs. Is there any way to do this?

-Devon
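To turn a dump like the one above into the copy-pasteable SID list Devon asked for, here is an added Python example (not AdFind or joeware code) that parses an SDDL string of that shape, separates explicit from inherited ACEs, and resolves the two-letter trustee aliases. The descriptor it runs on is constructed with a made-up domain SID, and the rights names are the generic SDDL meanings, not Exchange's mailbox-rights interpretation of them.

```python
"""Parse an SDDL string of the shape AdFind -sddl prints for
msExchMailboxSecurityDescriptor. Added example, not AdFind/joeware code.
The sample descriptor below is constructed with a made-up domain SID."""
import re
from dataclasses import dataclass

# Standard two-letter SDDL trustee aliases that appear in the dump.
WELL_KNOWN = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "WD": "Everyone",
    "AN": "Anonymous Logon", "PS": "Principal Self",
}
# Generic SDDL right tokens. Exchange maps them onto mailbox rights; that
# mapping is not modelled here, so only the generic meaning is shown.
RIGHTS = {"CC": "create child", "DC": "delete child", "RC": "read control",
          "SD": "delete", "WD": "write DAC", "WO": "write owner"}
ACE_TYPES = {"A": "allow", "D": "deny"}


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple
    rights: tuple
    trustee: str

    @property
    def inherited(self) -> bool:
        return "ID" in self.flags          # ID flag marks an inherited ACE

    @property
    def is_raw_sid(self) -> bool:
        return self.trustee.startswith("S-1-")

    def describe(self) -> str:
        who = WELL_KNOWN.get(self.trustee, self.trustee)
        rights = ", ".join(RIGHTS.get(r, r) for r in self.rights)
        origin = "inherited" if self.inherited else "explicit"
        return f"{ACE_TYPES.get(self.ace_type, self.ace_type)} {who}: {rights} ({origin})"


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: tuple
    aces: tuple


def _pairs(token: str) -> tuple:
    """'CIID' -> ('CI', 'ID'); a hex rights mask such as 0x1200a9 stays whole."""
    if token.startswith("0x"):
        return (token,)
    return tuple(token[i:i + 2] for i in range(0, len(token), 2))


# Components start with O: G: D: S:; no other colons occur in SDDL text.
_COMPONENT = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    parts = dict(_COMPONENT.findall(sddl.replace(" ", "")))
    dacl = parts.get("D", "")
    # Whatever precedes the first ACE is the DACL control flags (P, AR, AI).
    dacl_flags = tuple(re.findall(r"P|AR|AI", dacl.split("(", 1)[0]))
    aces = []
    for body in _ACE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh_obj, trustee = fields[:6]
        aces.append(Ace(ace_type, _pairs(flags), _pairs(rights), trustee))
    return SecurityDescriptor(parts.get("O", ""), parts.get("G", ""),
                              dacl_flags, tuple(aces))


def raw_sids(sd: SecurityDescriptor) -> list:
    """Every trustee that is a literal SID rather than an alias: the list
    you would feed to psgetsid, deduplicated and sorted."""
    return sorted({a.trustee for a in sd.aces if a.is_raw_sid})


def split_by_origin(sd: SecurityDescriptor) -> tuple:
    explicit = tuple(a for a in sd.aces if not a.inherited)
    inherited = tuple(a for a in sd.aces if a.inherited)
    return explicit, inherited


# Constructed sample shaped like the [SDDL] line in the post (made-up domain SID).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    f"O:{DOMAIN}-1672G:{DOMAIN}-513"
    "D:AI(A;CI;CCDCRC;;;PS)"
    f"(D;CIID;CC;;;{DOMAIN}-1673)(D;CIID;CC;;;DA)(D;CIID;CC;;;EA)"
    f"(A;CIID;CCSDRCWDWO;;;{DOMAIN}-1672)(A;CIID;SDRCWDWO;;;{DOMAIN}-1673)"
    "(A;CIID;RC;;;WD)(A;CIID;RC;;;AN)"
    "(A;CIID;CCSDRCWDWO;;;EA)(A;CIID;CCSDRCWDWO;;;DA)"
)

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    explicit, inherited = split_by_origin(sd)
    print(f"{len(explicit)} explicit, {len(inherited)} inherited ACEs")
    for ace in sd.aces:
        print(" ", ace.describe())
    print("raw SIDs:", *raw_sids(sd), sep="\n  ")
```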
RE: [ActiveDir] 1000 groups
That's not the way I understand the token construct in later-than-NT4 Windows builds. As I understand it, the effective token is the result of the combined TGT and Session ticket PAC (portions directly derived from the TGT) as it relates to a particular target resource (PAC = privileged attribute cert., the kerb. attr. designated to carry OS proprietary auth. data) ... the change you reference simply forces a 2K3 DC to include Domain Local group SIDs within the TGT (regardless of domain mode) with a view to making the overall authorization process more consistent. As for your 2nd question, that's a good one ... let me give that some thought. --Dean WellsMSEtechnology* Email: dwells@msetechnology.comhttp://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joeSent: Thursday, April 14, 2005 7:20 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 1000 groups Interesting post Dean, I wasn't aware of the DL SIDS thing. Itake it this is a case of the SIDS being in the actual kerb ticket and not in the actual token and restricted correct? Is there a mechanism for listing the groups in a given tgt? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean WellsSent: Tuesday, April 12, 2005 1:39 PMTo: Send - AD mailing listSubject: RE: [ActiveDir] 1000 groups Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated. Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what we can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included). 
In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem - http://support.microsoft.com/kb/313661/ Real-time token size can be calculated using the following tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en --Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer Sent: Tuesday, April 12, 2005 12:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1000 groups Hi All: Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true? Thanks, --Brian Brian Fischer, Microsoft Systems Consultant, Quest Software, 4320 Winfield Rd Suite 500, Warrenville, IL 60555
RE: [ActiveDir] LDP guid lookup
Also note that you aren't searching by GUID. You are searching for objectclass=* and your base is the GUID you specify. Here is the difference:
[Thu 04/14/2005 19:37:28.56] F:\DEV\cpp\SecTok>adfind -config -binenc -f "objectguid={{GUID:22857DB8-9281-4660-A16B-D97F40A07AC6}}" objectguid
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Transformed Filter: objectguid=\B8\7D\85\22\81\92\60F\A1k\D9\7F\40\A0z\C6
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: CN=Configuration,DC=joe,DC=com
dn:CN=2K3DC01,CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>objectGUID: {22857DB8-9281-4660-A16B-D97F40A07AC6}
1 Objects returned
[Thu 04/14/2005 19:37:35.49] F:\DEV\cpp\SecTok>adfind -b "" objectguid
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
dn:CN=2K3DC01,CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>objectGUID: {22857DB8-9281-4660-A16B-D97F40A07AC6}
dn:CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>objectGUID: {D44A5269-FCB0-473F-9D19-0A7CE1BCBB81}
dn:CN=917c66cf-dc6e-4ea4-a265-f4bb8563ac2b,CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>objectGUID: {8697EB29-A582-4E09-913A-1385397F94CF}
dn:CN=ff357f4a-5bd9-44d7-b157-467f6f9483c9,CN=NTDS Settings,CN=2K3DC01,CN=Servers,CN=MyMainSite,CN=Sites,CN=Configuration,DC=joe,DC=com
>objectGUID: {12812DFA-AFA9-4FE2-95D1-5822E3CE9172}
4 Objects returned
[Thu 04/14/2005 19:37:40.74] F:\DEV\cpp\SecTok>
joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, April 12, 2005 11:50 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] LDP guid lookup Note the parameter after your GUID syntax below is a 2. This tells me you're doing a subtree search.
So you're doing a subtree search, with the baseDN being the object specified by the GUID, and finding all matches below it (that is the objectclass=* term). So it is subtree "dumping" everything below that guid. If you want to just dump the matching object, switch it to a base search. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom Sent: Tuesday, April 12, 2005 7:15 AM To: ActiveDir (E-mail) Subject: [ActiveDir] LDP guid lookup Quick question. When I do a search by guid of a DC using ldp.exe, why do I get more than one server as a result? example-
dap_search_ext_s(ld, "", 2, "(objectclass=*)", attrList, 0, svrCtrls, ClntCtrls, 999, 999 ,&msg)
Result <0>: (null)
Matched DNs:
Getting 4 entries:
>> Dn: CN=NTDS Settings,CN=MYRTLEBEACH,CN=Servers,CN=BA-MYRTLEBEACH,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET
>> Dn: CN=BA-FILE-SERVER,CN=NTDS Settings,CN=MYRTLEBEACH,CN=Servers,CN=BA-MYRTLEBEACH,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET
>> Dn: CN=CSG-DS1,CN=NTDS Settings,CN=MYRTLEBEACH,CN=Servers,CN=BA-MYRTLEBEACH,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET
>> Dn: CN=664b0575-574b-42fb-bc93-d76051ceb384,CN=NTDS Settings,CN=MYRTLEBEACH,CN=Servers,CN=BA-MYRTLEBEACH,CN=Sites,CN=Configuration,DC=CSG-IT,DC=NET
I get 3 DC's- myrtlebeach, ba-fileserver, and csg-ds1. Thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
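The "Transformed Filter" line in joe's AdFind output shows what a GUID looks like once it is turned into an objectGUID filter value: the 16 raw bytes in Microsoft's mixed-endian order, escaped for an LDAP filter. The following is an added Python example, not code from the thread or from AdFind, that performs that transformation with the standard library only, builds the `<GUID=...>` base-DN form AD accepts (a base-scope search against it returns just that object; a subtree search from it returns the object and everything beneath it, which is what Eric described), and decodes the raw attribute bytes back to text. The GUID is the one from joe's output; the `escape_all=False` mode reproduces AdFind's habit of leaving ASCII letters and digits unescaped, which is an assumption drawn from that single output line.

```python
import uuid


def guid_to_ldap_filter_value(guid: str, escape_all: bool = True) -> str:
    """Encode a GUID string as the assertion value for an (objectGUID=...) filter.

    AD stores objectGUID as 16 raw bytes in mixed-endian (Microsoft) order:
    the first three GUID fields little-endian, the last two big-endian.
    uuid.UUID.bytes_le yields exactly that layout.  RFC 4515 escapes raw
    bytes in a filter as \\XX; escape_all=True does that for every byte
    (always safe), escape_all=False passes ASCII letters and digits through,
    matching the "Transformed Filter" line AdFind prints.
    """
    raw = uuid.UUID(guid).bytes_le          # braces in the input are tolerated
    parts = []
    for b in raw:
        if not escape_all and b < 128 and chr(b).isalnum():
            parts.append(chr(b))
        else:
            parts.append(f"\\{b:02X}")
    return "".join(parts)


def guid_search_filter(guid: str) -> str:
    """Complete filter for a scope-wide search that matches one object by GUID."""
    return f"(objectGUID={guid_to_ldap_filter_value(guid)})"


def guid_base_dn(guid: str) -> str:
    """The <GUID=...> form AD accepts as a search base (and as a DN in binds).

    Use scope BASE with it to get only that object; scope SUBTREE returns the
    object plus every object below it, e.g. a server object and its NTDS
    Settings and connection objects.
    """
    return f"<GUID={str(uuid.UUID(guid)).upper()}>"


def objectguid_bytes_to_string(raw: bytes) -> str:
    """Reverse direction: the 16 bytes read from objectGUID back to text form."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()


if __name__ == "__main__":
    g = "22857DB8-9281-4660-A16B-D97F40A07AC6"
    print(guid_search_filter(g))
    print("adfind style:", guid_to_ldap_filter_value(g, escape_all=False))
    print(guid_base_dn(g))
```

Note that `bytes_le` is the whole trick: encoding the GUID in the order the text form shows it (big-endian throughout) produces a filter that silently matches nothing, which is the usual cause of "search by GUID returns no objects".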
RE: [ActiveDir] NTDS.dit size
I've seen larger. I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and 100GB+ on a few occasions. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, April 14, 2005 4:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] NTDS.dit size The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Tuesday, April 12, 2005 2:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NTDS.dit size I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more? Thanks Mike List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DC location queries
Title: DC location queries 1. Yes. 2. Yes 3. No. Basically clients go through this process A. Determine site of client B. Retrieve list of DCs registered for site, this could be DCs in the site or other sites covering that site. C. If none available, retrieve list of DCs for domain Your case 3 involves a client in an undefined subnet or a subnet not linked to a site. In that case, the site will be null for that client and it will jump straight to C. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Thursday, April 07, 2005 10:07 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DC location queries I would like to ask for confirmation relating to the below scenarios and DC location: 1. Client in site with no DCs installed Client receives list of DCs which have registered SRV records on behalf of that site 2. Client in site with a DC but that DC is unavailable Client requests list of DCs registered at the domain level 3. Client in unknown site Client receives list of DCs associated with the defaultFirstNameSite We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed the role of the default site? Thanks, neil
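Joe's A/B/C sequence, written out as an added Python model (not code from the thread, and a simplification of the real DC Locator, which also sends LDAP pings to the candidate DCs and lets the answering DC tell the client which site it is in). The subnet objects, site coverage and DC names are constructed sample data; what the model shows is the longest-prefix subnet match, the site-level candidate list (DCs in the site or DCs from other sites covering it), and the two ways a client ends up on the domain-wide list: no subnet matches at all (Neil's case 3), or every DC registered for the site is unreachable (case 2).

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data; none of these subnets, sites or hostnames come
# from the thread.  subnet object -> siteObject it is linked to
SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Hub-East",
    "10.1.50.0/24": "Branch-50",     # more specific than 10.1.0.0/16, so it wins
    "10.2.0.0/16": "Branch-NoDC",    # a site with no DC installed in it
}
# site -> DCs that registered the site-specific SRV record
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>: DCs located in the site,
# plus DCs from other sites that auto-cover it because it has none
SITE_DCS: Dict[str, List[str]] = {
    "Hub-East": ["dc01.corp.example", "dc02.corp.example"],
    "Branch-50": ["dc50.corp.example"],
    "Branch-NoDC": ["dc01.corp.example"],
}
# every DC also registers the domain-wide record _ldap._tcp.dc._msdcs.<domain>
DOMAIN_DCS: List[str] = ["dc01.corp.example", "dc02.corp.example", "dc50.corp.example"]


def site_for_ip(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Step A: map the client address to a site by longest-prefix match over
    the subnet objects.  None means no subnet covers the address, so the
    client has no site (an undefined subnet, or one not linked to a site)."""
    addr = ipaddress.ip_address(ip)
    best_net = None
    best_site = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def locate_dc(
    ip: str,
    reachable: Set[str],
    subnets: Dict[str, str] = SUBNETS,
    site_dcs: Dict[str, List[str]] = SITE_DCS,
    domain_dcs: List[str] = DOMAIN_DCS,
) -> Tuple[Optional[str], str, List[str]]:
    """Return (client_site, level, candidate_dcs).

    level is "site" when at least one DC registered for the client's site is
    reachable (Step B), otherwise "domain" for the fallback to the domain-wide
    list (Step C).  `reachable` stands in for the LDAP ping the real locator
    sends to each candidate before picking one.
    """
    site = site_for_ip(ip, subnets)
    if site is not None:
        candidates = [dc for dc in site_dcs.get(site, []) if dc in reachable]
        if candidates:
            return site, "site", candidates
    candidates = [dc for dc in domain_dcs if dc in reachable]
    return site, "domain", candidates


if __name__ == "__main__":
    everything_up = set(DOMAIN_DCS)
    for client in ("10.1.50.7", "10.2.3.4", "192.168.9.9"):
        print(client, "->", locate_dc(client, everything_up))
    print("10.1.50.7 with dc50 down ->", locate_dc("10.1.50.7", everything_up - {"dc50.corp.example"}))
```

The domain-wide fallback is why a client on an unregistered subnet can end up authenticating against a DC on the far side of a WAN link: it is not routed to the renamed default site, it simply gets the whole domain list.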
RE: [ActiveDir] NTDS.dit size
The largest production DIT I have personally seen was on the order of 8GB for the GC DIT for a Fortune 5 company running about 250k users of which about 180k were Exchange enabled. Also had some 250k contacts, 200k or so computer objects, 100k or so group objects and consisted of 9 domains. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mike kline Sent: Tuesday, April 12, 2005 2:53 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] NTDS.dit size I know that AD can have millions of objects, just trying to see what the real world size of some of your AD databases are. Do any of you have databases greater than 20GB+... or more? Thanks Mike List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 1000 groups
Interesting post Dean, I wasn't aware of the DL SIDS thing. I take it this is a case of the SIDS being in the actual kerb ticket and not in the actual token and restricted, correct? Is there a mechanism for listing the groups in a given TGT? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Tuesday, April 12, 2005 1:39 PM To: Send - AD mailing list Subject: RE: [ActiveDir] 1000 groups Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated. Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included). In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure).
This article alludes to the problem - http://support.microsoft.com/kb/313661/ Real-time token size can be calculated using the following tool - http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en --Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer Sent: Tuesday, April 12, 2005 12:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1000 groups Hi All: Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true? Thanks, --Brian Brian Fischer, Microsoft Systems Consultant, Quest Software, 4320 Winfield Rd Suite 500, Warrenville, IL 60555
RE: [ActiveDir] 1000 groups
Not so much a myth as a general guideline. :o) There are people who do and have broken in the 5000 group membership, and actually people who have broken sooner if you can believe newsgroup postings, and people who have exceeded the guideline and lived to tell about it. The issue is around version store and how it is being used on a particular DC at a particular time and the fact that it has to be used in replication but is also used when people are doing queries and updates. In 2K you replicate the entire member attribute (I think someone previously said this was object level replication, it is actually attribute level replication and with K3 for LV attributes it is value level replication) but in K3 linked value attributes are replicated at the value level instead of the attribute level. Some people think that all multivalue groups are now cleared up in terms of they can have limitless size. This is incorrect, the "LVR fix" is only, again, for linked value attributes which are DN style attributes with forward/back links associated with them. Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is approximately ~1300 members. Note that hitting that limit backs you into the object size limit as well so you can no longer add any attributes to any object that has hit the limit on a single multivalue (non-LV) attributes. You will see an admin limit exceeded error for every attribute add you try to do after that. You can update already existing attributes, you simply can't add more. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]Sent: Tuesday, April 12, 2005 4:01 PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] 1000 groups Note that the hard limit in W2K of 5000 members is actually kind of a myth. At my current employer, we had a group with 80K users on a W2K native domain and it actually did work, replication and all. 
The major issue we ran into was trying to promo new DCs and do our 2K3 migration. That was a near complete meltdown as a result of this one particular group. Thus it is still a bad idea to break the recommendation, even if it can be made to work. You'll definitely regret it later. Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw Sent: Tuesday, April 12, 2005 11:59 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups Group memberships are replicated in W2K3 per object as opposed to the whole group. In w2k there is a hard limit of 5000 members per group but a group can be nested in another group giving you virtually unlimited group memberships. The problem in w2k is that a change to any one member of a group requires full replication of the group. In w2k3 the limitation was removed and now just the change is replicated as opposed to the complete group. So, long and short is that group replication in w2k3 is not as serious an issue as it was in w2k. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 12, 2005 9:49 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] 1000 groups 5000 is the 'recommended' limitation for groups on both Win2k and Win2k3 - but that limitation is only due to replication issues with AD. -Jon From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer Sent: Tuesday, April 12, 2005 12:45 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] 1000 groups Hi All: Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true? Thanks, --Brian Brian Fischer, Microsoft Systems Consultant, Quest Software, 4320 Winfield Rd Suite 500, Warrenville, IL 60555 [EMAIL PROTECTED]
RE: [ActiveDir] Sniffer
I would second this one. I don't really care that it is open source, especially GNU, but it is open source if that spins your propeller. I like it because it is a good tool. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko Sent: Tuesday, April 12, 2005 4:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Sniffer rubix cube wrote: > Any one recommends a specific good sniffer that he uses? ethereal - http://www.ethereal.com/ It's good and it's Open Source -- Tomasz Onyszko [MVP] [EMAIL PROTECTED] http://www.w2k.pl List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Files missing from sysvol folder
Is Sysvol properly replicating amongst your other DCs? The fact that your 2 DCs never got sysvol/netlogon means they never truly became DCs, this is something you should check every time you promote new DCs. It used to be a horrible pain back in early 2K days but is much better now. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, April 13, 2005 1:07 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Files missing from sysvol folder While attempting to complete an Exchange 2003 install on a W2K3 Server (not a dc), we have discovered that we have some AD problems with our W2K AD. It appears that 2 of our DC servers are missing the shared SYSVol and Netlogon folders. I have read numerous KB articles, but have found no solutions, as restoring is not a solution at this point. After looking at the actual Sysvol folder on these particular servers, I noticed that several of the files/folders that should be present are not. I have tried all of the following: -Demoting the server and then re-running dcpromo. This was successfully run, but didn't help. -Copying the contents of the sysvol folder from a "good" dc to the "bad" dc. The files there were automatically deleted, by the OS (I am assuming). -Re-applying SP4 on the "bad" dc which is running W2K Server. -After running DCdiag, the only error that is reported is that the domain membership test failed: [Warning] the system volume has not been completely replicated to the local machine. This machine is not working properly as a dc. -I am also getting Event ID 13552 in the Event Viewer. "The file replication service is unable to add this computer to the following replica set: "Domain system volume (sysvol share)"" Any additional insight would be greatly appreciated! Thanks, Brenda Casey
RE: [ActiveDir] Time synchronisation in a W2K domain
Why? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, April 13, 2005 7:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Time synchronisation in a W2K domain My advice is to run net time on your PDC Emulator role server to point to an atomic clock (US Naval Observatory) by IP address and not to a "hardware clock" locally. Regards, Chuck Gafford Architect 2 Unisys Imagine It. Done. -Original Message- From: Abbiss, Mark <[EMAIL PROTECTED]> To: ActiveDir@mail.activedir.org Sent: Wed, 13 Apr 2005 16:14:40 +0200 Subject: [ActiveDir] Time synchronisation in a W2K domain I was recently handed a new hardware clock to install into our domain. As the device needs to be placed in an area with good radio reception I decided to install it onto a PC. Our server farm is located in a secure bunker with no reception at all. I know the usual time sync model is for DC's to get the time from the PDC role holder and then the time filters down from there to member servers and workstations. However, my PC is running Windows XP. So the question is, is it possible to set the XP workstation (with hardware connected) as the reliable primary source for time in the domain? Should the Windows Time service be disabled on the PC? What changes need to be made to the PDC Role holder and other DC's in the domain to make sure they are forced to sync with the XP workstation. Or is it just not possible to use an XP workstation? I have noticed that some of my machines are synching with the PC but others are not and I have not as yet determined why there is this erratic behaviour. If I use the "w32tm /resync" command then on some machines it works and on others it doesn't. Do I need to manually configure all DC's to point to the XP machine? Do member servers need special configuration? Why are general user workstations not showing the same time as the Time PC? Any advice greatly appreciated.
RE: [ActiveDir] SLOWWWWWW Logons
I would tend to agree though I wonder how much this "and updating the drivers for the NIC cards" played into it. I could visualize a scenario where the driver update changed how it was packaging udp packets and in fact the whole time it was kerberos biting him in the ass with fragmented packet sizes. I have seen cases where updating drivers cleared up the kerberos packet frag issue. Unfortunately it seems a network trace was never done to verify what the actual issue might have been. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Wednesday, April 13, 2005 11:35 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] SLOWW Logons Also interesting that this would be happening when the computer was logged off and not shut down. Once the machine is up and on the network there shouldn't be any more issues with the media sensing of the NIC. If it fixed the issue then it's all good, but I'm perplexed as to why this would fix your particular problem as well. Thanks for the followup! Phil On 4/12/05, Mulnick, Al <[EMAIL PROTECTED]> wrote: > That's very interesting. Like I said, it's most interesting that the > symptoms didn't occur for all users on that machine. > > Either way, glad you're making progress and thanks for posting the findings. > > -ajm List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] User Alias Authentication in AD
I agree with Guido but would flip it around and make the short name the sAMAccountName... Domain\mkshirsa And [EMAIL PROTECTED] The astute will understand why joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Thursday, April 14, 2005 7:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Alias Authentication in AD Jorge is correct that you can't create aliases to security principals in AD, however, you do have two logon names, which may be sufficient for your requirement: you can use the samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar or the UserPrincipalName (User logon name) => [EMAIL PROTECTED] [or whatever suffix you configure] It will likely depend on what your application allows you to do (some do require the Domain\samAccountName format because they've hardcoded this in their logon screens...) /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Donnerstag, 14. April 2005 13:13 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] User Alias Authentication in AD In AD it is not possible to create aliases to security principals (i.e. user accounts) Why do you need separate names? Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: donderdag 14 april 2005 12:26 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] User Alias Authentication in AD Hi Experts, I am looking out for a possibility where if I have a user: username: mayuresh_kshirsagar password: I want to create an alias of this user entry say username: mkshirsa password: where I can login using any of the above two usernames. Is this a possibility? Regards, Mayuresh. 
RE: [ActiveDir] How to determine which is the default site
Title: How to determine which is the default site My lowest numbered site has a USN of > 1.8 million. Though I know I deleted the original one and probably 50 after that. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook Sent: Wednesday, April 13, 2005 2:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to determine which is the default site From the tests I've run so far, it's been pretty consistent that the first site has a USNCreated of 4112 for a fresh Windows 2003 AD. For forests that started life as Windows 2000, I've been seeing 3493, but at least one forest has it at 1171. Not sure what that's about. Wook From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, April 13, 2005 9:24 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] How to determine which is the default site Why? Nothing I have seen in my experience would seem to indicate anything special about that first site, in fact my home test lab has been running with that first site deleted for some time now and I am running with other sites. Someone mentioned looking at the GUIDs. GUIDs are not sequential, they are semi-randomly created, see MSDN for the algorithm. Trying to divine order from them would be fruitless. Here would be a simple command line to find the oldest site adfind -config -f objectcategory=site whencreated -sort whencreated -maxe 1 This would look at the config container, find all site objects, sort them by whenCreated, then return the DN and whenCreated attribute for the first one. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Wednesday, April 13, 2005 9:54 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] How to determine which is the default site At some point in the dim, dark past, the default site was renamed (I assume it was not removed!) Does anyone have a quick and easy way to determine which of the existing sites was once the default site?
[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have >100 sites so need something more elegant/quicker. ] Any suggestions more than welcome. Thanks, neil
RE: [ActiveDir] Password complexity requirements
The way the policy is implemented now is a direct descendent of the policy as it existed on NT4. There was no hierarchical layout for users, it was a flat space. When coming to 2K, it was easiest, least trouble-prone, and less confusing to implement the same system. Basically it is the concept of the shared SAM/Policy realm within a domain that was there before. Had they just arbitrarily changed that they could have impacted many customers with programs that read the single domain policy and make judgements based on that info. Say for instance apps that manage their own password, etc. They could have added the functionality and tied it to a functionality level say W2K Native but again, that is a lot of work for something customers can already handle on their own if they so choose. So anyway, as others have mentioned, the policy is a computer policy that applies to domain controllers, the domain controllers write the policy settings to the NC head of AD and the domain controllers read from that to determine how to enforce rules. If you apply the policies at lower levels of OU hierarchy you will impact the password policies on the member machines in those levels. This will not allow you to put a weaker password on a domain account based on what member machine you use to change your password. If you flip it around, if you applied the policy to users there would be no way to apply global policies to local machine users since they don't exist in Active Directory. Finally, as ASB pointed out, there are mechanisms out there to help you do what you want to do. They generally cost a decent amount of money. It uses a built in functionality to allow you to create your own complexity filters for passwords. If you are a GREAT C++ programmer, look at the info in MSDN on password change filters. If you aren't a great C++ programmer, don't even bother as you are playing with key aspects of your security and stability. If you are a VB programmer err I mean coder - no soup for you.
Another way this can be implemented by a lesser programmer is to set up a web site that you require people to go through for password changes. You simply take everyone's permission away to change their own password and set up a delegated ID used by the website to do all password changes. Of course lots of room for security issues here as well. Will this change in the default OS at some point in the future, possibly, there certainly are a lot of requests for it, but it depends on the prioritization of other functions/features people want as well. Anything that I can pull off on my own through native interfaces I have a lower priority for having MS change than things I can't work with at all. For instance, I would much rather see DCs being able to auth users from multiple domains way before I see built in support for multiple password policies within a single domain. Ditto the removal of IE and the GUI from servers. There is no way for me to implement those items I mention as priority for me but the password issues I can pretty easily handle. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Hill Sent: Thursday, April 14, 2005 5:09 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password complexity requirements Yes – that makes sense – At least I understand why my OU-level GPO's seemed to be ignoring the password requirements. I still don't understand why Microsoft chose to make password requirements a feature of the DC and not the user, however. The only solution is to have multiple sites!! Thanks, Kurt From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, April 12, 2005 1:29 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Password complexity requirements Kurt, The password policy is a computer setting, and it can't be configured the way you've described. It's a computer setting for good reason...the computer is the point of enforcement of the policy.
In the case of the configuration you've described, the local accounts on the computers in those OUs will have the differing password requirements, not the users' domain accounts that are used to log on to those systems. You can block GPO inheritance all you want; the policy is enforced by the domain controllers for domain accounts. The computer policy is applied, and the computer in turn applies that policy to accounts which it "owns". In the case of the DCs, it's domain accounts. In the case of client systems, it's those client systems' local accounts. In the case of your Los Alamos example, the users' accounts are on the DC, so it doesn't matter where they reset their password from. The DC owns the account and applies the policy rules to the password. Hope that made sense.

rb

Kurt Hill <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 04/12/2005 12:57
[ActiveDir] Recover exchange database file
Hi, anyone with experience on how to "import" edb files? I had a crash and the only thing I could get out was the edb and stm files.

Regards,
Daniel

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] How much of the DIT is cached in RAM ?
How can I determine how much of the DIT is being cached in RAM on a given DC?

Dave
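The question above asks how much of the DIT a DC actually holds in memory. As an added example, not code from this thread, the PowerShell below reads the ESE database cache counter for the LSASS instance and sets it against the NTDS.DIT file size on disk; the ESE cache counts only database pages, whereas the LSASS working set also contains LSA session state, tokens and other security-subsystem allocations and therefore over-reports. It assumes it runs locally on a DC where the "Database" performance object is available (the default on Windows Server 2008 and later; on Windows 2000/2003 the ESE counters must first be enabled), and it takes the database path from the NTDS service's registry parameters rather than hard-coding it.

```powershell
# Added example, not part of the list thread. Assumes: run locally on a DC
# whose "Database" performance object is exposed (Windows Server 2008+).

function Get-DitCacheRatio {
    # Path of NTDS.DIT as configured for the directory service
    $ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $ditPath    = $ntdsParams.'DSA Database file'
    $ditBytes   = (Get-Item -LiteralPath $ditPath).Length

    # ESE cache in bytes for the lsass instance: database pages only, so it is
    # a truer "how much of the DIT is in RAM" than the process working set.
    $sample     = Get-Counter -Counter '\Database(lsass)\Database Cache Size' -ErrorAction Stop
    $cacheBytes = $sample.CounterSamples[0].CookedValue

    # Working set for comparison; it also holds LSA session handles, Kerberos
    # tickets, token objects and the like, which is why it over-reports.
    $lsassWs    = (Get-Process -Name lsass).WorkingSet64

    [pscustomobject]@{
        DitPath            = $ditPath
        DitMB              = [math]::Round($ditBytes   / 1MB, 1)
        EseCacheMB         = [math]::Round($cacheBytes / 1MB, 1)
        LsassWorkingSetMB  = [math]::Round($lsassWs    / 1MB, 1)
        PercentOfDitCached = [math]::Round(100 * $cacheBytes / $ditBytes, 1)
    }
}

Get-DitCacheRatio | Format-List
```

Run it a few minutes after the DC has been serving load; the ESE cache is populated on demand, so a freshly booted DC shows a low percentage regardless of how much RAM it has.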
Re: [ActiveDir] Password complexity requirements
On 4/14/05, Kurt Hill <[EMAIL PROTECTED]> wrote:
> Yes – that makes sense – at least I understand why my OU-level GPOs seemed
> to be ignoring the password requirements. I still don't understand why
> Microsoft chose to make password requirements a feature of the DC and not
> the user, however. The only solution is to have multiple sites!!

It is the DCs that facilitate the password changes, not the users' workstations, so that is where the password policy has to sit. Having multiple sites will not help you have more than one password policy; you need to have multiple domains if you want multiple password policies, although there are a few 3rd party tools that work around this. I have never used one. Also, why would you want to have a less restrictive password policy for your general users?

Phil
[EMAIL PROTECTED]
RE: [ActiveDir] Password complexity requirements
Yes – that makes sense – at least I understand why my OU-level GPOs seemed to be ignoring the password requirements. I still don't understand why Microsoft chose to make password requirements a feature of the DC and not the user, however. The only solution is to have multiple sites!!

Thanks,
Kurt

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

Kurt,

The password policy is a computer setting, and it can't be configured the way you've described. It's a computer setting for good reason... the computer is the point of enforcement of the policy. In the case of the configuration you've described, the local accounts on the computers in those OUs will have the differing password requirements, not the users' domain accounts that are used to log on to those systems. You can block GPO inheritance all you want; the policy is enforced by the domain controllers for domain accounts. The computer policy is applied, and the computer in turn applies that policy to accounts which it "owns". In the case of the DCs, it's domain accounts. In the case of client systems, it's those client systems' local accounts. In the case of your Los Alamos example, the users' accounts are on the DC, so it doesn't matter where they reset their password from. The DC owns the account and applies the policy rules to the password. Hope that made sense.
rb

Kurt Hill <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED] 04/12/2005 12:57 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

You can link a GPO to an OU with a different set of password requirements than the domain policy -- you can block the OU from inheriting the Default Domain Policy as well, so AFAIK, you can have many OUs, each with different password complexity requirements (or more generally, each OU with its own computer/user GPO settings). The statement about "you certainly don't want policies attached to 2000 users" also makes no sense -- the GPO is created once, and "attaches itself" to the user or computer as appropriate for the OU...

And finally -- let me suggest that were I running Los Alamos, I would want my super-gee-whiz nuclear weapons researchers to have complex passwords. I WOULD NOT WANT THEM GOING TO A SECRETARY'S COMPUTER AND CHANGING THEIR PASSWORD TO "foo". Passwords are properties of a user, not a computer. Think about this another way -- it is the user that has rights to resources on the network. Those resources may be sensitive, so it really should not matter what computer the user is at when changing their password. That particular user's password should always be complex
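Both joe's explanation earlier in this thread (the DCs write the effective settings to the domain NC head and enforce domain accounts from there) and rb's point above (an OU-linked account policy only reaches the local SAM of the computers in that OU) can be checked directly from any domain member. The PowerShell below is an added example, not code from the thread: it reads the password-policy attributes off the domain NC head over LDAP and lists the local SAM policy of the machine it runs on via `net accounts`, so the two can be compared side by side. It assumes a domain-joined Windows host with LDAP read access to a DC; the attribute names it uses (minPwdLength, pwdHistoryLength, maxPwdAge, minPwdAge, pwdProperties, lockoutThreshold) are the real attributes of the domain object.

```powershell
# Added example, not from the list thread. Assumes a domain-joined Windows host
# with LDAP read access to a DC (any authenticated user can read these attributes).

function Get-DomainNcPasswordPolicy {
    # The effective Default Domain Policy is written by the DCs onto the domain
    # naming context head; every DC validates domain accounts against these values.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [ADSI]("LDAP://" + [string]$rootDse.defaultNamingContext)

    # maxPwdAge/minPwdAge are IADsLargeInteger values stored as negative 100-ns ticks
    $maxAge = $domainNc.ConvertLargeIntegerToInt64($domainNc.maxPwdAge.Value)
    $minAge = $domainNc.ConvertLargeIntegerToInt64($domainNc.minPwdAge.Value)

    [pscustomobject]@{
        Source            = 'Domain NC head: ' + [string]$domainNc.distinguishedName
        MinPasswordLength = [int]$domainNc.minPwdLength.Value
        PasswordHistory   = [int]$domainNc.pwdHistoryLength.Value
        # Int64.MinValue in maxPwdAge means "password never expires"
        MaxAgeDays        = $(if ($maxAge -eq [long]::MinValue) { 'never' }
                              else { [TimeSpan]::FromTicks(-$maxAge).TotalDays })
        MinAgeDays        = [TimeSpan]::FromTicks(-$minAge).TotalDays
        # DOMAIN_PASSWORD_COMPLEX is bit 0 of pwdProperties
        ComplexityEnabled = ([int]$domainNc.pwdProperties.Value -band 1) -eq 1
        LockoutThreshold  = [int]$domainNc.lockoutThreshold.Value
    }
}

function Get-LocalSamPasswordPolicy {
    # What an OU-linked GPO with Account Policies actually changes on a member
    # machine: its own SAM, which governs only the local accounts on that box.
    $policy = [ordered]@{ Source = 'Local SAM (net accounts)' }
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s+(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    [pscustomobject]$policy
}

# A domain account's new password is validated against the first object,
# whatever machine the change was typed on; local accounts against the second.
Get-DomainNcPasswordPolicy | Format-List
Get-LocalSamPasswordPolicy | Format-List
```

On a workstation sitting in an OU with its own Account Policies GPO, the second listing shows that GPO's values while the first still shows the domain's, which is exactly the behaviour rb and joe describe.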
Re: [ActiveDir] How to determine which is the default site
Thanks for cleaning that up joe. I should do a re-read of some emails before I send them to make sure they make sense to someone other than just me ;)

Phil

On 4/14/05, joe <[EMAIL PROTECTED]> wrote:
> Let me finesse this a little.
RE: [ActiveDir] How to determine which is the default site
Let me finesse this a little. If you only have a single site in your forest, all clients, regardless of whether they have a subnet defined for them or not, will resolve to being part of that one site. As soon as you have two sites, any clients that are in an undefined subnet will use any site and will not believe themselves to be part of any site. It basically all works out to be the same thing, the client using any DC in the domain. However, if someone is looking at what is actually happening under the covers with the API calls they will see what I am describing. Basically a client in an undefined subnet in an AD with one site will say its site is that one site; a client in an undefined subnet in an AD with more than one site will say it isn't in any site - i.e. "" for site.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Thursday, April 14, 2005 12:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to determine which is the default site

I won't take credit for this answer; I saw this question answered somewhere else today. There is nothing special about the Default First Site; it is only created because there needs to be at least one site to put the first DC into. It does not have any relevance when a client is trying to locate a DC and the client's subnet is not defined in any sites. If the client's subnet is not in any sites then the client will query a DC from ANY site. That assumes of course that you have more than one subnet defined in more than one site, and I won't get into whether it is recommended to delete the site or not as I don't know what the official word is.

Phil

On 4/14/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> Testing back in 2000 (the year, not the OS) showed that this site did
> have special properties. I'm researching and testing before I post further info.
>
> I believe it has relevance when a client tries to locate a DC and the
> client's subnet has no site-subnet mapping defined in AD.
>
> More to follow...
RE: [ActiveDir] How to determine which is the default site
Neil,

Concerning the no site-subnet mapping remark you make... This is a part of the warning in the event log (for a full description see http://www.eventid.net/display.asp?eventid=5807&source=NETLOGON):

###QUOTE
During the past hours there have been connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients.
###QUOTE

The last sentence simply means: because the subnet is not mapped to a certain site in AD, the client cannot query for DCs that service that site (because these DCs registered the site-specific DNS records for that site --> _ldap._tcp.._sites.dc_msdcs..). As the site cannot be determined, the client asks for all DCs that have registered the domain-specific DNS records --> _ldap._tcp.dc_msdcs..

By default all DCs in a certain AD domain register all domain-specific DNS records for the domain the DC belongs to, and all site-specific DNS records for the site the DC belongs to, for those sites the DC is configured to cover (manually), and for those sites the DC determines are DC-less and where the site of the DC is the nearest to that DC-less site.

Cheers,
Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ruston, Neil
Sent: Thursday, 14 April 2005 16:46
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] How to determine which is the default site

Testing back in 2000 (the year, not the OS) showed that this site did have special properties. I'm researching and testing before I post further info.

I believe it has relevance when a client tries to locate a DC and the client's subnet has no site-subnet mapping defined in AD.

More to follow...
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: 13 April 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why do you need to know? You understand there's nothing special about that particular Site name?

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ruston, Neil
> Sent: Wednesday, April 13, 2005 08:54
> To: 'ActiveDir@mail.activedir.org'
> Subject: [ActiveDir] How to determine which is the default site
>
> At some point in the dim, dark past, the default site was renamed (I
> assume it was not removed!)
>
> Does anyone have a quick and easy way to determine which of the
> existing sites was once the default site? [It has been suggested that
> I look at the create date for all the sites and that the oldest one
> will be the default site :) I have >100 sites so need something more
> elegant/quicker.]
>
> Any suggestions more than welcome.
>
> Thanks,
> neil
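Jorge's description above (a client whose address matches no subnet object has no site, so it falls back from the site-specific SRV records to the domain-wide ones) can be reproduced from a client. The PowerShell below is an added example, not code from the thread. It reads the subnet objects from CN=Subnets,CN=Sites in the Configuration NC, does the longest-prefix match the DC locator does for one IPv4 address, and then resolves the two record names under discussion, written out in full as _ldap._tcp.<site>._sites.dc._msdcs.<domain> and _ldap._tcp.dc._msdcs.<domain>. It assumes a domain-joined Windows host with Resolve-DnsName and Get-NetIPAddress (Windows 8 / Server 2012 or later), LDAP read access to the Configuration NC, and IPv4 subnet objects; the domain name is taken from $env:USERDNSDOMAIN.

```powershell
# Added example, not from the list thread. Assumes a domain-joined host with
# Resolve-DnsName/Get-NetIPAddress, LDAP read access to the Configuration NC,
# and IPv4 subnet objects.

function ConvertTo-UInt32Address([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer (host order) for mask arithmetic
    $bytes = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-AdSubnetMap {
    # Each subnet object under CN=Subnets names its site in the siteObject link.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $subnets = [ADSI]("LDAP://CN=Subnets,CN=Sites," + [string]$rootDse.configurationNamingContext)
    foreach ($s in $subnets.Children) {
        $cidr = [string]$s.cn
        if ($cidr -notmatch '^(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})$') { continue }   # IPv6 skipped here
        $bits = [int]$matches[2]
        [pscustomobject]@{
            Cidr = $cidr
            Net  = ConvertTo-UInt32Address $matches[1]
            Bits = $bits
            Mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $bits))
            Site = ([string]$s.siteObject) -replace '^CN=([^,]+),.*$', '$1'
        }
    }
}

function Resolve-ClientSite([string]$ClientIp) {
    # Longest-prefix match; '' means "no site", which is what nltest /dsgetsite
    # reports for such a client once the forest has more than one site.
    $ip  = ConvertTo-UInt32Address $ClientIp
    $hit = Get-AdSubnetMap |
        Where-Object { ($ip -band $_.Mask) -eq ($_.Net -band $_.Mask) } |
        Sort-Object Bits -Descending | Select-Object -First 1
    if ($hit) { $hit.Site } else { '' }
}

function Get-DcSrvRecords([string]$Site, [string]$Domain = $env:USERDNSDOMAIN) {
    # With a site: the DCs covering that site first; without one: any DC in the domain.
    $queries = @("_ldap._tcp.dc._msdcs.$Domain")
    if ($Site) { $queries = @("_ldap._tcp.$Site._sites.dc._msdcs.$Domain") + $queries }
    foreach ($q in $queries) {
        Resolve-DnsName -Name $q -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object @{ n = 'Query'; e = { $q } }, NameTarget, Priority, Weight
    }
}

$clientIp = (Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Dhcp, Manual |
             Select-Object -First 1).IPAddress
$site = Resolve-ClientSite $clientIp
"Client $clientIp -> site '$site'   (compare with: nltest /dsgetsite)"
Get-DcSrvRecords -Site $site | Format-Table -AutoSize
```

When the site comes back as '' the second query is the only one issued, which is the situation NETLOGON event 5807 is warning about on the DC side; running this on a sample of addresses from that event is a quick way to find which subnet objects are missing.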
Re: [ActiveDir] How to determine which is the default site
I won't take credit for this answer; I saw this question answered somewhere else today. There is nothing special about the Default First Site; it is only created because there needs to be at least one site to put the first DC into. It does not have any relevance when a client is trying to locate a DC and the client's subnet is not defined in any sites. If the client's subnet is not in any sites then the client will query a DC from ANY site. That assumes of course that you have more than one subnet defined in more than one site, and I won't get into whether it is recommended to delete the site or not as I don't know what the official word is.

Phil

On 4/14/05, Ruston, Neil <[EMAIL PROTECTED]> wrote:
> Testing back in 2000 (the year, not the OS) showed that this site did have
> special properties. I'm researching and testing before I post further info.
>
> I believe it has relevance when a client tries to locate a DC and the client's
> subnet has no site-subnet mapping defined in AD.
>
> More to follow...
Re: [ActiveDir] not able to find share option in windows XP
Make sure that "Simple File Sharing" was not turned on. The option is under folder options on the view menu. If it is enabled it removes the security and sharing option.

Tim

- Original Message -
From: "Phil Renouf" <[EMAIL PROTECTED]>
Sent: Thursday, April 14, 2005 10:59 AM
Subject: Re: [ActiveDir] not able to find share option in windows XP

Are you sure? If your machine has Automatic Updates turned on then you might have gotten SP2 from Windows Update and not realised it. I believe that the blocking of SP2 from Automatic Updates was set to be turned off on April 12th.

Phil

On 4/14/05, rakesh jakhar <[EMAIL PROTECTED]> wrote:
> Thanks for the quick response .. we have updated windows xp but did not
> update the service pack two
Re: [ActiveDir] not able to find share option in windows XP
Are you sure? If your machine has Automatic Updates turned on then you might have gotten SP2 from Windows Update and not realised it. I believe that the blocking of SP2 from Automatic Updates was set to be turned off on April 12th.

Phil

On 4/14/05, rakesh jakhar <[EMAIL PROTECTED]> wrote:
> Thanks for the quick response .. we have updated windows xp but did not
> update the service pack two
RE: [ActiveDir] How to determine which is the default site
Testing back in 2000 (the year, not the OS) showed that this site did have special properties. I'm researching and testing before I post further info.

I believe it has relevance when a client tries to locate a DC and the client's subnet has no site-subnet mapping defined in AD.

More to follow...

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Adner
Sent: 13 April 2005 17:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why do you need to know? You understand there's nothing special about that particular Site name?

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ruston, Neil
> Sent: Wednesday, April 13, 2005 08:54
> To: 'ActiveDir@mail.activedir.org'
> Subject: [ActiveDir] How to determine which is the default site
>
> At some point in the dim, dark past, the default site was
> renamed (I assume it was not removed!)
>
> Does anyone have a quick and easy way to determine which of
> the existing sites was once the default site? [It has been
> suggested that I look at the create date for all the sites
> and that the oldest one will be the default site :) I have
> >100 sites so need something more elegant/quicker.]
>
> Any suggestions more than welcome.
>
> Thanks,
> neil
RE: [ActiveDir] Installed NIC's not displayed
Robert/Bob and Greg,

That was it. Thanks guys. Have a great day.

"Firefox - Rediscover the web"

Original Message Follows
From: "Greg Felzer" <[EMAIL PROTECTED]>
Reply-To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Installed NIC's not displayed
Date: Wed, 13 Apr 2005 19:31:25 -0400

See http://support.microsoft.com/default.aspx?scid=kb;en-us;329050

I just fixed the same problem on one of my w2k web servers today.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Windows Infrastructure and Security Team Leader
Office of the CIO
Medical University of South Carolina

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
> Sent: Wednesday, April 13, 2005 6:01 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Installed NIC's not displayed
>
> Is the Netman service (Network Connections) running?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Devan Pala
> Sent: Wednesday, April 13, 2005 2:47 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Installed NIC's not displayed
>
> Hi,
>
> I have a couple of domain controllers (Windows 2000 Advanced Server, SP4).
> When I go to "Network and Dialup Connections" I cannot see the installed NICs.
>
> The only way I can see them is in a command prompt through ipconfig /all.
>
> Anyone ever experienced anything like this? Everything else is OK, pinging,
> DNS, Replication etc. The only thing out of the ordinary is that I see DCOM
> errors (10002 & 10010) when RDP'ed into them.
>
> Thanks,
RE: [ActiveDir] joining station to the domain and GPO...
Hi all,

Thanks everyone for your input! The solution is now adopted. I'll go with your suggestions: temporarily I'll pre-create the objects in AD until I upgrade to Win2k3 (soon), and then I'll use the Redircomp command.

Keep up the good work!
RE: [ActiveDir] AD Restore Question
It sort of depends on your scenario - just to restore a broken DC, you're fine. To recover deleted objects, you're also mostly fine, as long as these don't have links to the unavailable domains (e.g. group membership). To recover the whole domain (i.e. from scratch), you won't get very far without a root DC for the issues described by Jorge + others. A full domain restore should not be planned independently of a forest restore - I would certainly advise getting all of the responsible folks at one table and discussing DR scenarios and ownership of tasks etc.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 14 April 2005 15:31
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Restore Question

Just to restore the sub-domain and get it up and running you don't need the root domain. Eventually you will need the root domain because one of the recovery steps is the trusts between the domains, replication will fail for the config and schema container with root domain DCs, and authentication may fail (in a forest with 2 sub-domains, if a user in sub1 accesses a resource in sub2, authentication goes through the root domain).

Have you seen the Active Directory Forest Recovery document from MS?
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

My opinion on this when "designing" a restore procedure and testing it... Take the complete AD forest into account and all AD-aware apps and clients. Don't leave anything out.

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Thursday, 14 April 2005 15:07
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] AD Restore Question

I have been searching all over for this information, but I can't seem to find any.
When I test an AD restore of a sub-domain in a setting where a Root Domain DC is not present (because we test our restores in a completely isolated network), do I also need to restore a root domain controller? I am starting to work on my new DR scheme for AD, but this is the first time that I had to worry about the root domain where I didn't have security to access it or its backup files (the root controllers are maintained by a different Division than the one I'm in). Of course, in a true DR situation, I should have at least one root controller available.

Thanks.
RE: [ActiveDir] AD Restore Question
Just to restore the sub-domain and get it up and running you don't need the root domain. Eventually you will need the root domain because one of the recovery steps is the trusts between the domains, replication will fail for the config and schema container with root domain DCs, and authentication may fail (in a forest with 2 sub-domains, if a user in sub1 accesses a resource in sub2, authentication goes through the root domain).

Have you seen the Active Directory Forest Recovery document from MS?
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

My opinion on this when "designing" a restore procedure and testing it... Take the complete AD forest into account and all AD-aware apps and clients. Don't leave anything out.

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Carerros, Charles
Sent: Thursday, 14 April 2005 15:07
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] AD Restore Question

I have been searching all over for this information, but I can't seem to find any. When I test an AD restore of a sub-domain in a setting where a Root Domain DC is not present (because we test our restores in a completely isolated network), do I also need to restore a root domain controller? I am starting to work on my new DR scheme for AD, but this is the first time that I had to worry about the root domain where I didn't have security to access it or its backup files (the root controllers are maintained by a different Division than the one I'm in). Of course, in a true DR situation, I should have at least one root controller available.

Thanks.
[ActiveDir] AD Restore Question
I have been searching all over for this information, but I can't seem to find any. When I test an AD restore of a sub-domain in a setting where a Root Domain DC is not present (because we test our restores in a completely isolated network), do I also need to restore a root domain controller? I am starting to work on my new DR scheme for AD, but this is the first time that I had to worry about the root domain where I didn't have security to access it or its backup files (the root controllers are maintained by a different Division than the one I'm in). Of course, in a true DR situation, I should have at least one root controller available.

Thanks.
RE: [ActiveDir] Recover AD from database files
Forgot to paste the URL containing info about the DisasterRecovery option:
http://www.msexchange.org/tutorials/Disaster_Recovery.html

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Kolvik
Sent: Thursday, 14 April 2005 0:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover AD from database files

Hi, my server "software" crashed and I reinstalled Windows Server 2003 and Exchange 2003. (I still have the old drive intact; I can copy files from it to the new drive.)

What I need to do is to "import" the old AD to the new server. Is it possible to do that using the AD database files? The new Windows is installed with the same drive name and folder as the old one, if it helps.

I've also a backup, made with MS Backup... But when I want to do a restore and choose System State I'm not able to just choose Active Directory in detail view. I don't want the other stuff 'cause I think some shit in that caused the crash.

I really hope someone can help me out, I've been on this server for a few hours now :(

Best regards,
Daniel
RE: [ActiveDir] Recover AD from database files
The following comes into my mind:

* Install Windows 2003 on the same HW config.
* After install, do a system state restore from the available backup. Get the server up and running.
* Install Windows 2003 and AD (second DC) on another HW config so you have a copy of AD on a second server.
* Demote the DC that was restored and do a metadata cleanup (http://support.microsoft.com/?id=216498) of the restored DC on the second DC if applicable.
* Do a fresh Windows 2003 install of the first server, install Exchange using the DisasterRecovery option and after that restore the databases using Ntbackup.
* Remove the second DC if needed.

Jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Kolvik
Sent: Thursday, 14 April 2005 0:08
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover AD from database files

Hi, my server "software" crashed and I reinstalled Windows Server 2003 and Exchange 2003. (I still have the old drive intact; I can copy files from it to the new drive.)

What I need to do is to "import" the old AD to the new server. Is it possible to do that using the AD database files? The new Windows is installed with the same drive name and folder as the old one, if it helps.

I've also a backup, made with MS Backup... But when I want to do a restore and choose System State I'm not able to just choose Active Directory in detail view. I don't want the other stuff 'cause I think some shit in that caused the crash.

I really hope someone can help me out, I've been on this server for a few hours now :(

Best regards,
Daniel
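The fourth step of Jorge's procedure above, the metadata cleanup after the restored DC has been demoted, leaves the ntdsutil side to KB 216498. As an added example that is not code from the thread, the PowerShell below walks CN=Sites in the Configuration NC, lists every server object that is not in the list of DCs you intend to keep, reports whether it still carries an NTDS Settings child (the object replication metadata points at), and prints the ntdsutil command that would remove it. It only reads and prints; nothing is removed until an administrator runs the printed command. It assumes LDAP read access to the Configuration NC and the single-line `ntdsutil "metadata cleanup" "remove selected server <DN>"` form, which needs Windows Server 2003 SP1 or later (the second DC in the procedure is a fresh Windows 2003 install, so check its service-pack level first).

```powershell
# Added example, not from the list thread. Read-only: it prints the cleanup
# command for stale server objects but does not execute anything.
# Assumes LDAP read access to the Configuration NC; the one-line ntdsutil
# syntax requires Windows Server 2003 SP1 or later.

function Get-StaleDcServerObject {
    param([Parameter(Mandatory)][string[]]$KeepDc)   # DCs that must stay, e.g. -KeepDc 'DC2'

    $rootDse = [ADSI]"LDAP://RootDSE"
    $sites   = [ADSI]("LDAP://CN=Sites," + [string]$rootDse.configurationNamingContext)

    foreach ($site in $sites.Children) {
        if ($site.SchemaClassName -ne 'site') { continue }
        $servers = [ADSI]("LDAP://CN=Servers," + [string]$site.distinguishedName)

        foreach ($srv in $servers.Children) {
            if ($srv.SchemaClassName -ne 'server') { continue }
            $name = [string]$srv.cn
            if ($KeepDc -contains $name) { continue }

            # A leftover nTDSDSA (NTDS Settings) child means other DCs still
            # hold replication metadata for this server; ntdsutil removes it
            # together with the server object.
            $hasNtds = $false
            foreach ($child in $srv.Children) {
                if ($child.SchemaClassName -eq 'nTDSDSA') { $hasNtds = $true }
            }

            $dn = [string]$srv.distinguishedName
            [pscustomobject]@{
                Server          = $name
                Site            = [string]$site.cn
                HasNtdsSettings = $hasNtds
                CleanupCommand  = "ntdsutil `"metadata cleanup`" `"remove selected server $dn`" quit quit"
            }
        }
    }
}

# Run on the surviving DC after the restored one has been demoted or taken offline.
Get-StaleDcServerObject -KeepDc 'DC2' | Format-List
```

Review the list before running any printed command: a server object without an NTDS Settings child is usually just a leftover from a clean demotion, while one that still has it is the case KB 216498 addresses.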
Re: [ActiveDir] My Docs & Home Folder Redirection
Hey George.. Does the remote site have offline files turned on?

John

-----Original Message-----
From: "George Arezina" <[EMAIL PROTECTED]>
Sent: 04/14/2005 02:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] My Docs & Home Folder Redirection

A couple of users in a remote site are experiencing a problem deleting files in their Home folders and/or My Documents folder.

Scenario: I have configured folder redirection through GP to redirect My Documents folder contents to the user's Home folder. Users within the main network are not experiencing the same problems: once they delete files in the home and/or My Documents folder, the files are deleted and do not re-appear after they log off and log in again. In the remote site, once the user deletes a file in the home and/or My Documents folder, the file is only deleted for the session. Once the user logs back in, the deleted file re-appears in the user's home and/or My Documents folder.

In the remote site, to save on hardware costs, I had to create a home folder on a DC. The home folder is shared and access is only granted to those users located in the remote site. Each user has been granted proper ACLs on their home folder. Could it be that because the home folder is located on a DC, some access rights are preventing the user from permanently deleting files that are redirected from the My Documents folder to their home folder? The user has full access on their home folder located on the DC.

Any help would be great.
RE: [ActiveDir] Workstations and manipulating DC communication
On those workstations: what is the value of the %LOGONSERVER% variable? Check this by typing the command SET at the command prompt.

You could also use the following on the workstation from the command prompt: NLTEST /WHOWILL:

NLTEST is available in the support tools.

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Thursday, 14 April 2005 14:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstations and manipulating DC communication
RE: [ActiveDir] My Docs & Home Folder Redirection
http://searchwinsystems.techtarget.com/tip/1,289483,sid68_gci1039560,00.html

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of George Arezina
Sent: Thursday, 14 April 2005 9:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] My Docs & Home Folder Redirection
RE: [ActiveDir] not able to find share option in windows XP
Did you check the installed network protocols for your network adapter?

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: Thursday, 14 April 2005 13:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] not able to find share option in windows XP
RE: [ActiveDir] Workstations and manipulating DC communication
By checking the firewall traffic we could see that traffic in the VPN tunnel was trying to reach destinations outside their allowed range. The servers they were trying to reach are the FSMO role holders. The roles are split over 2 servers and communication was attempted to both of them.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, April 14, 2005 1:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstations and manipulating DC communication
RE: [ActiveDir] Workstations and manipulating DC communication
How did you determine that these computers connect to the FSMO? By the way, what are the FSMO roles they're connecting to?

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Thursday, 14 April 2005 13:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstations and manipulating DC communication
RE: [ActiveDir] not able to find share option in windows XP
Thanks for the quick response.. we have updated Windows XP but did not update to Service Pack 2.

"Thommes, Michael M." <[EMAIL PROTECTED]> wrote:
RE: [ActiveDir] Workstations and manipulating DC communication
Jorge,

I checked the mapping and the subnet is mapped to the correct site (the local German half of the domain).

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, April 14, 2005 1:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Workstations and manipulating DC communication
RE: [ActiveDir] Workstations and manipulating DC communication
I think this relates to the sites and subnets structure. For each physical subnet with AD clients/servers you need to create a logical subnet in AD and map that subnet to the AD site. If no subnet is defined in AD and mapped to some site, the clients will connect to any DC in the domain THAT HAS REGISTERED THE DOMAIN SPECIFIC DNS RECORDS. In the DC that authenticated the client you can see event log ID 5807 with source NETLOGON if the above is true (http://www.eventid.net/display.asp?eventid=5807&source=NETLOGON).

So the first question is: is the subnet of those 2 clients defined in AD and mapped to the "nearest" site?

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Abbiss, Mark
Sent: Thursday, 14 April 2005 11:33
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Workstations and manipulating DC communication
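Jorge's two checks in this thread (is the client's subnet mapped to a site, and does the DC log NETLOGON event 5807, whose text points at the NO_CLIENT_SITE lines in netlogon.log) can be scripted. The following is an added example, not code from the list: it reproduces the most-specific-subnet match AD uses and re-checks NO_CLIENT_SITE lines against a proposed subnet table; the subnets, site names, client names, addresses and log lines are all constructed.

```python
"""Check which NETLOGON NO_CLIENT_SITE clients a proposed AD subnet-to-site
table would cover. Added example; every value below is constructed."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed AD subnet objects (Sites and Services -> Subnets): prefix -> site.
AD_SUBNETS: Dict[str, str] = {
    "10.1.0.0/16": "Germany-Main",
    "10.1.50.0/24": "Germany-RemoteOffice",  # more specific, wins over the /16
    "10.2.0.0/16": "France",
}

# Constructed netlogon.log excerpt. Event 5807 says: the first word after
# NO_CLIENT_SITE: is the client name, the second is the client IP address.
NETLOGON_LOG = """\
04/14 11:33:02 [MISC] NO_CLIENT_SITE: DEWKS01 10.1.50.21
04/14 11:33:05 [MISC] NO_CLIENT_SITE: DEWKS02 10.1.50.22
04/14 11:35:17 [MISC] NO_CLIENT_SITE: VPNHOST7 172.16.9.4
04/14 11:36:00 [LOGON] SamLogon: Network logon of CORP\\jdoe from DEWKS01 Returns 0x0
"""

NO_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def site_for_ip(ip: str, subnets: Dict[str, str]) -> Optional[str]:
    """Longest-prefix match over the subnet objects, as the DC locator does.
    Returns None when no subnet covers the address (client gets any DC)."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def parse_no_client_site(log_text: str) -> List[Tuple[str, str]]:
    """Extract (client name, client IP) pairs from NO_CLIENT_SITE lines;
    other netlogon.log lines are ignored."""
    found: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = NO_SITE_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def coverage_report(log_text: str, subnets: Dict[str, str]) -> Dict[str, Optional[str]]:
    """For each client the DC complained about, the site the given subnet
    table would place it in (None = still unmapped after the change)."""
    return {name: site_for_ip(ip, subnets)
            for name, ip in parse_no_client_site(log_text)}


if __name__ == "__main__":
    for name, site in coverage_report(NETLOGON_LOG, AD_SUBNETS).items():
        print(f"{name:10} -> {site or 'NO SITE (add a subnet object)'}")
```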
RE: [ActiveDir] User Alias Authentication in AD
Jorge is correct that you can't create aliases to security principals in AD; however, you do have two logon names, which may be sufficient for your requirement: you can use the samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar or the UserPrincipalName (User logon name) => [EMAIL PROTECTED] [or whatever suffix you configure].

It will likely depend on what your application allows you to do (some do require the Domain\samAccountName format because they've hardcoded this in their logon screens...)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 14 April 2005 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD
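Guido's point that one account already carries two logon names can be shown with an added example (not code from the list): it accepts a name in sAMAccountName, DOMAIN\sAMAccountName or UPN form, matches it against a small in-memory directory, and builds the escaped LDAP filter an application would send. The NetBIOS domain, UPN suffix and directory entries are constructed.

```python
"""Resolve either logon form of an AD account and build the LDAP filter an
application would use. Added example; domain, suffix and entries are made up."""
from typing import Dict, List, Optional

NETBIOS_DOMAIN = "CORP"        # constructed
UPN_SUFFIX = "corp.example"    # constructed

# Constructed directory: one account with the two logon names from the thread,
# plus a second account to show the lookup does not match across entries.
DIRECTORY: List[Dict[str, str]] = [
    {"sAMAccountName": "mayuresh_kshirsagar",
     "userPrincipalName": f"mkshirsa@{UPN_SUFFIX}",
     "distinguishedName": "CN=Mayuresh,OU=Users,DC=corp,DC=example"},
    {"sAMAccountName": "jdoe",
     "userPrincipalName": f"jdoe@{UPN_SUFFIX}",
     "distinguishedName": "CN=J Doe,OU=Users,DC=corp,DC=example"},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so a typed
    logon name cannot change the filter's structure."""
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def classify_logon_name(name: str) -> Dict[str, str]:
    """Decide which attribute a logon name must be matched against:
    DOMAIN\\name and bare name -> sAMAccountName, name@suffix -> UPN."""
    name = name.strip()
    if "\\" in name:
        domain, _, sam = name.partition("\\")
        if domain.upper() != NETBIOS_DOMAIN:
            raise ValueError(f"unknown domain {domain!r}")
        return {"attr": "sAMAccountName", "value": sam}
    if "@" in name:
        return {"attr": "userPrincipalName", "value": name}
    return {"attr": "sAMAccountName", "value": name}


def build_filter(name: str) -> str:
    """The LDAP filter an application would send to look the user up."""
    c = classify_logon_name(name)
    return f"(&(objectClass=user)({c['attr']}={ldap_escape(c['value'])}))"


def resolve(name: str, directory: List[Dict[str, str]] = DIRECTORY) -> Optional[str]:
    """Return the DN for either logon form; AD compares both names
    case-insensitively. A UPN prefix alone (mkshirsa) is not a logon name."""
    c = classify_logon_name(name)
    for entry in directory:
        if entry[c["attr"]].lower() == c["value"].lower():
            return entry["distinguishedName"]
    return None


if __name__ == "__main__":
    for n in ("mayuresh_kshirsagar", "CORP\\mayuresh_kshirsagar",
              f"mkshirsa@{UPN_SUFFIX}", "mkshirsa"):
        print(f"{n:30} {build_filter(n):60} -> {resolve(n)}")
```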
RE: [ActiveDir] User Alias Authentication in AD
In AD it is not possible to create aliases to security principals (i.e. user accounts).

Why do you need separate names?

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 14 April 2005 12:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Alias Authentication in AD
RE: [ActiveDir] not able to find share option in windows XP
Any chance you picked up the latest Windows updates, including SP2 for XP with the firewall enabled? That would stop sharing.

Mike Thommes

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of rakesh jakhar
Sent: Thursday, April 14, 2005 6:02 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] not able to find share option in windows XP
[ActiveDir] not able to find share option in windows XP
Hi All,

Yesterday my XP system was working fine; today, in spite of no changes in my system, it is not showing the shared directory symbol with the shared directories and, more than that, I'm not able to share new directories because there is no sharing option available when I right-click the directories..

Thanks,
Rakesh
[ActiveDir] User Alias Authentication in AD
Hi Experts,

I am looking for a possibility where, if I have a user:
username: mayuresh_kshirsagar
password:

I want to create an alias of this user entry, say:
username: mkshirsa
password:

where I can log in using either of the above two usernames. Is this a possibility?

Regards,
Mayuresh.
[ActiveDir] Workstations and manipulating DC communication
Firstly, thanks for all the excellent responses to my time question yesterday. Should have it all sorted by the end of the day.

In the meantime, another little conundrum has reared its ugly head. We have 2 workstations that are located in a remote office. They are connecting to the corporate domain via a secure line for authentication and logon and have access to the necessary resources hosted there. They however have no access to the second part of the corporate domain network located in France, as they do not make use of any of the systems hosted there. Unfortunately, what is hosted in France are all the FSMO role holders (political reasons, cannot and will never be moved), and it seems the workstations are trying to communicate specifically with the FSMO servers (port 389 (LDAP) and port 138 (various uses)). The remote users are able to work with the resources they need for day-to-day business, but response times are very, very slow. I assume this is because the communication to these FSMO roles is blocked and the systems are waiting for timeouts?!

So my question is, why do the workstations seek direct access to the FSMO servers specifically on the ports identified? The logon servers are here in Germany and all resources they need are here as well. Is there a way to force these workstations (XP) to default to local DCs for all their AD-related communication, or is there no way around the attempts to communicate directly with the FSMO role holders?

Many thanks in advance for your wisdom.
[ActiveDir] My Docs & Home Folder Redirection
A couple of users in a remote site are experiencing a problem deleting files in their Home folders and/or My Documents folder.

Scenario: I have configured folder redirection through GP to redirect My Documents folder contents to the user's Home folder. Users within the main network are not experiencing the same problem: once they delete files in the home and/or my documents folder, the files are deleted and do not re-appear after they log off and log in again. In the remote site, once the user deletes a file in the home and/or my documents folder, the file is only deleted for the session. Once the user logs back in, the deleted file re-appears in the user's home and/or my documents folder.

In the remote site, to save on hardware costs, I had to create a home folder on a DC. The home folder is shared and access is only granted to those users located in the remote site. Each user has been granted proper ACLs on their home folder. Could it be that, because the home folder is located on a DC, some access rights are preventing the user from permanently deleting files that are redirected from the my documents folder to their home folder? The user has full access on their home folder located on the DC.

Any help would be great.