RE: [ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Katrin Wilhelm



Hi Edwin,

I'm not very good at VB script, but I can help you out with some procedures. Just not sure if you can write a script for this.
The complexity depends on which system you are trying, Server 2000 or 2003. In 2003 it is quite simple: put the Microsoft Group Policy Management tool on both machines, back up the policy onto a floppy etc. and import it on the new server with Group Policy Management.

Kat
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, 15 April 2005 10:36 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Maybe: Import GPO without Domain


I am using VB.NET to create an application that will configure the server from beginning to end without manual SysAdmin intervention. Basically, once a server is installed, it must be configured to our specifications.

I am aware of ADS and RIS and I am already using these options. But in this particular case, it is not an option.

What I would like to do is import a GPO but without the use of a domain. These machines need to be stand-alone. I can only import the "Security Settings" section of the GPO by using secedit.exe.

How can I import/export the "Computer Configuration" and "User Configuration" sections?
 
Thanks,
Edwin
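Edwin's observation is accurate: secedit.exe handles only the Security Settings part of a policy. `secedit /export /cfg <file.inf>` writes the local security policy as an INF template and `secedit /configure /db <file.sdb> /cfg <file.inf>` applies one; the rest of Computer and User Configuration for a standalone box lives under %SystemRoot%\System32\GroupPolicy (Registry.pol files for Administrative Templates, script settings and so on), which secedit never touches. For an unattended build the check a practitioner wants after the import is whether the template actually landed. The script below is an added example written for this page, not code from anyone on the thread: it parses two secedit-style INF templates (both constructed samples; a real export is UTF-16 encoded and should be read with encoding="utf-16") and reports every baseline setting that is missing or different on the server. SID lists in [Privilege Rights] are compared as sets so that secedit reordering them does not produce false drift.

```python
"""Compare a secedit baseline template against one exported from a server.

Added example for this thread, not code posted by anyone on the list.
Both INF texts are constructed samples in the format written by
`secedit /export /cfg <file>`. A real export is UTF-16 encoded, so load it
with open(path, encoding="utf-16").read() before calling compare_templates.
"""
import configparser

BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 12
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed "as found on the server" export: shorter minimum password,
# weaker LM compatibility level, Users added to a logon right, and one
# SID list merely reordered (which must NOT be reported as drift).
EXPORTED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,2
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeRemoteInteractiveLogonRight = *S-1-5-32-545,*S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Sections that carry no security settings and are skipped in the comparison.
METADATA_SECTIONS = {"Unicode", "Version"}


def parse_template(text):
    """Return {section: {key: value}} for the security-bearing sections."""
    # RawConfigParser: no '%' interpolation, values such as "$CHICAGO$" stay literal.
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.optionxform = str  # registry paths are case-sensitive strings; keep keys verbatim
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections() if s not in METADATA_SECTIONS}


def normalise(section, value):
    """Canonical form for comparison: SID lists are order-insensitive."""
    if value is None:
        return None
    if section == "Privilege Rights":
        return frozenset(p.strip() for p in value.split(",") if p.strip())
    return value.strip()


def compare_templates(baseline_text, exported_text):
    """Return [(section, key, expected, actual)] for every baseline setting that
    is missing from the export (actual is None) or differs from the baseline."""
    baseline = parse_template(baseline_text)
    exported = parse_template(exported_text)
    drift = []
    for section, settings in baseline.items():
        found = exported.get(section, {})
        for key, expected in settings.items():
            actual = found.get(key)
            if normalise(section, expected) != normalise(section, actual):
                drift.append((section, key, expected.strip(),
                              None if actual is None else actual.strip()))
    return drift


if __name__ == "__main__":
    for section, key, expected, actual in compare_templates(BASELINE_INF, EXPORTED_INF):
        print(f"[{section}] {key}: baseline {expected!r}, server {actual!r}")
```

Run it after `secedit /configure` on the built server, feeding the baseline template and a fresh `secedit /export`; an empty result means the Security Settings portion matches, and anything it lists is either a setting secedit could not apply or one a later step overwrote.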



RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
yep, that's what I meant - but I was too lazy to add these details ;-)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Freitag, 15. April 2005 17:56
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Better yet:
http://search.msn.com/results.aspx?q=DNS+2003+%22application+partition%2
2&FORM=QBHP

I would point out, moving to app partitions does not _shrink_ the size
of the data you have to store in the aggregate as has been alluded to.
Rather, it does two things:
1) It lets you control the scope of where it is stored so non-DNS
servers don't need to keep a copy around
2) It removes the partial NC copies from GCs in other domains in the
forest, who do nothing but house these little guys (at least a PAS-worth
of them)

I know the posters probably meant this, but they didn't really state it,
so I wanted to clarify.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Friday, April 15, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Well Francis,

How are your DNS servers set up? Are they:

1. Windows DNS servers
2. Have you specified that your zones are Active Directory Integrated
Zones

If you haven't created the default DNS app partitions, right click on your
DNS server ---> "Create Default DNS application Partitions". This will
create two app partitions:

1. ForestDNS
2. DomainDNS

HTH

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: 15 April 2005 02:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Hi Guido,

Can you provide us with some more information on moving the DNS data
into the DNS app partition?

Thanks!
Francis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: 15 avril 2005 04:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily
between the OS version and the DIT size to expect. Other cleanup tasks
can also strongly impact DIT size.

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled
the "Distributed Link Tracking" service on all DCs as it feeds AD with a
ton of garbage information (actually the information would be quite
useful if any app were using it - but as even the MS apps make no use of it to
look up the new location of moved files in AD, this service is useless).
After removal of a ton of link-objects which were collected over the
years in each domain's \System\FileLinks container, we decreased the DIT
size easily by 6GB (don't have the exact values off the top of my head) -
naturally this was after the tombstone lifetime and an offline defrag.
So now we were down to something like 12GB. Check out Q312403 for
more details - if you're running a new Win2003 AD, this service will be
turned off by default.

Then the first Win2003 DCs were introduced (we did perform some in-place
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB
and thus got us down to 7GB => so now we're 11GB less than it was for a
Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But
this impact is not as dramatic (will mostly impact DIT on those DCs
which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Freitag, 15. April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VMware running on 20 GB
TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you
> for th

RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread joe
Couple of reasons, primary one at the top of my head is in response to the
question, what is the max length of the sAMAccountName attribute? Do you do any
sending of mailslot messages to userids - if so what is the max length for
the netbios name portion of the 03 record? Or maybe you like checking to see
who is on machines by scanning a machine's netbios name table for 03 records,
same length issue.

Personal reason, I think sAMAccountNames should be unique across a company;
if you do want to dupe them you can, but it requires spinning up another
domain. UPNs need to be unique in the forest but it is pretty easy to spin
up a new suffix if really needed; plus, you don't, again, bump into length
issues when looking for unique values.

As you get into larger and larger companies the chances of collision on
first/last name combinations grow at a tremendous rate until it is quite
possible to have 3 or 4 or 50 John Smiths in a single group let alone a
company, so unless you want to do what MS did and start coming up with near
random combinations of portions of the first, middle, and last names to
produce userids it is good to come up with some standard mechanism up front.

My first experience with a large company used first initial and last name
chopped to 8 characters so the same ID could be used across all computing
platforms, and if that wasn't unique some numeric modifier was added in. In
that environment my ID was jricha34, meaning there were 34 people before me
with a name similar to mine.

Eventually they will need to extend that space to more characters because
they haven't stopped turning people over yet; probably they will step up to
20 or so as the older systems with the 8 character limitations phase out. In
the meanwhile, it has done them well for hundreds of thousands of IDs. If I
ever go back there, I know I will be jricha34 again. It is consistent and
people understand it and it tends to be easier to remember for many people. In
fact, I recall a lot of my friends from that company by that ID even though
I may not recall how to spell their last or first name. Say I know someone
named Panteleimon Putin, much easier to type pputin, or if both brothers
Panteleimon and Parfenti work at the same place you could have pputin
and pputin1. Add the sister Praskovia and you add in pputin2.

:)


   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Friday, April 15, 2005 2:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

Curious as to what the issue you're referring to might be.

We have a domain here where we are using first.last for the login, and if that
might lead to an issue I would like to know.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 15, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

LOL. But you are a very fine German Guido, don't let that be an excuse.


If that is their current sam name format, they could already be bumping into
the issue. :)


  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

what a fine English statement "the astute will understand why"... ;-)

had to get a dictionary to understand that one - but I can always say I'm
German for an excuse ;-))

agree on what you're getting at and that was my original order when I wanted
to reply - then I read Mayuresh's post again: from this, their current
samaccountname seems to be firstname_lastname, and now they're looking for
an alias for a shorter version...

So Mayuresh - as pointed out, it would obviously be best to rename the
samAccountName of all your existing accounts to the short-name and then use
the long-name for the UPN. Adds a good amount of work, but may be the better
end-result.

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Freitag, 15. April 2005 00:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

I agree with Guido but would flip it around and make the short name the
sAMAccountName...

Domain\mkshirsa

And 

[EMAIL PROTECTED]


The astute will understand why


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, April 14, 2005 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

Jorge is correct that you can't create aliases to security principals in AD,
however, you do have two logon names, which may be sufficient for your
requirement:  

you can use the
samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar 

or the
UserPrincipalName (User lo
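joe's two constraints (the 20-character limit on sAMAccountName, and the 15 usable characters of a NetBIOS name that a mailslot or 03-record lookup can carry) plus the first-initial-plus-surname scheme with a numeric collision suffix translate directly into an allocation routine. The block below is an added example written for this page, not code from joe or anyone else on the thread. The set of already-taken IDs and the "Jane Richardson" user are constructed so that the allocator lands on jricha34 the way joe describes ("jricha" + "34", so the whole ID still fits in 8); the Putin siblings are joe's own example. The illegal-character list is the one Microsoft documents for sAMAccountName, and the 15-character NetBIOS figure is the standard name length (the 16th byte is the record type).

```python
"""Allocate unique logon IDs the way joe describes: first initial + surname,
cut to a fixed length, with a numeric suffix squeezed in on collision.

Added example, not code from the thread. EXISTING_IDS and the sample names
are constructed.
"""
import re

SAM_MAX_LEN = 20          # hard limit for sAMAccountName in AD
NETBIOS_MAX_LEN = 15      # usable characters in a NetBIOS name; byte 16 is the record type
LEGACY_MAX_LEN = 8        # the cross-platform cap in joe's story
# Characters AD rejects in sAMAccountName.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')


def validate_sam(name):
    """Return name if it is a legal sAMAccountName, else raise ValueError."""
    if not name or len(name) > SAM_MAX_LEN:
        raise ValueError(f"{name!r}: empty or longer than {SAM_MAX_LEN}")
    bad = SAM_ILLEGAL.intersection(name)
    if bad:
        raise ValueError(f"{name!r}: illegal characters {sorted(bad)}")
    if name.endswith("."):
        raise ValueError(f"{name!r}: must not end with a period")
    return name


def netbios_safe(name):
    """True if the ID also fits the 15-char name field of a NetBIOS 03 record."""
    return len(name) <= NETBIOS_MAX_LEN


def _stem(first, last):
    # ASCII letters only: "O'Brien" -> "obrien", "de la Cruz" -> "delacruz".
    clean = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return clean(first)[:1] + clean(last)


def allocate_id(first, last, taken, max_len=LEGACY_MAX_LEN):
    """Return a unique ID for the person and record it in `taken`.

    The first candidate is the stem truncated to max_len. On collision the
    stem is truncated further so that stem + str(n) still fits in max_len.
    """
    stem = _stem(first, last)
    if not stem:
        raise ValueError("name yields no usable characters")
    candidate = stem[:max_len]
    n = 0
    while candidate in taken:
        n += 1
        suffix = str(n)
        if len(suffix) >= max_len:
            raise RuntimeError(f"no free ID left for stem {stem!r}")
        candidate = stem[:max_len - len(suffix)] + suffix
    validate_sam(candidate)
    taken.add(candidate)
    return candidate


# Constructed: IDs already in use, enough that "jrichard", "jrichar1".."jrichar9"
# and "jricha10".."jricha33" are all gone, so the next Richardson gets jricha34.
EXISTING_IDS = ({"jrichard"} | {f"jrichar{i}" for i in range(1, 10)}
                | {f"jricha{i}" for i in range(10, 34)})

if __name__ == "__main__":
    ids = set(EXISTING_IDS)
    for first, last in [("Jane", "Richardson"), ("Panteleimon", "Putin"),
                        ("Parfenti", "Putin"), ("Praskovia", "Putin")]:
        new_id = allocate_id(first, last, ids)
        print(f"{first} {last} -> {new_id} (netbios-safe: {netbios_safe(new_id)})")
```

Note that Mayuresh's current format passes validate_sam (19 characters, underscore is legal) but fails netbios_safe, which is exactly the length problem joe is hinting at; the 8-character scheme stays well inside both limits.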

[ActiveDir] All Folders Read Only

2005-04-15 Thread Mike O'Sullivan
We have a computer running Windows XP SP2 where all folders are listed as read
only. I know that the read-only attribute is typically ignored on folders, but
the user is no longer able to save any files to the computer.

We have followed the steps in KB326549 with no luck. Has anyone else run into
this problem who might have a possible workaround?

Any suggestions would be much appreciated

Thanks
Mike

Michael O'Sullivan
Information Technology Specialist
College of Veterinary Medicine
University of Florida
352.392.4700x4343
352.392.7259 (fax)
[EMAIL PROTECTED] 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread Cothern Jeff D. Team EITC

Not why we use this but it will do what you're wanting also.

http://www.anixis.com/


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Wednesday, April 13, 2005 9:27 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Password complexity requirements

> The scenario I envision for using password complexity requirements is for network
> admins (Users!!) who I want to force more complex passwords on, but general
> users (students) do not need this setting.

Are you under the impression that strong password security is not
necessary for non-privileged accounts?

I won't bother to address the other aspects of the policy, as they
have been covered by others.

If you want to support multiple password policies in a domain, there
are 3rd party apps that purport to do this:

http://www.ultratech-llc.com/KB/?File=StrongPWD.TXT

-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/

On 4/11/05, Kurt Hill <[EMAIL PROTECTED]> wrote:

Can anyone explain why password complexity requirements are a computer, and not a
User setting?  The scenario I envision for using password complexity
requirements is for network admins (Users!!) who I want to force more complex
passwords on, but general users (students) do not need this setting.  From
what I can see, the way MS set it up, I would set password policy on student
computers, and admin policy on admin computers, but that means that an admin
can go to a student computer and pick a more convenient password!!  How
does that pass for security??

Any ideas on that one?

Thanks,
Kurt


RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread Cothern Jeff D. Team EITC
Curious as to what the issue you're referring to might be.

We have a domain here where we are using first.last for the login, and if that
might lead to an issue I would like to know.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 15, 2005 8:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

LOL. But you are a very fine German Guido, don't let that be an excuse.


If that is their current sam name format, they could already be bumping
into
the issue. :)


  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, April 15, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

what a fine English statement "the astute will understand why"... ;-)

had to get a dictionary to understand that one - but I can always say
I'm German for an excuse ;-))

agree on what you're getting at and that was my original order when I
wanted to reply - then I read Mayuresh's post again: from this, their current
samaccountname seems to be firstname_lastname, and now they're looking
for an alias for a shorter version...

So Mayuresh - as pointed out, it would obviously be best to rename the
samAccountName of all your existing accounts to the short-name and then
use the long-name for the UPN. Adds a good amount of work, but may be the
better end-result.

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Freitag, 15. April 2005 00:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

I agree with Guido but would flip it around and make the short name the
sAMAccountName...

Domain\mkshirsa

And 

[EMAIL PROTECTED]


The astute will understand why


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, April 14, 2005 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

Jorge is correct that you can't create aliases to security principals in
AD,
however, you do have two logon names, which may be sufficient for your
requirement:  

you can use the
samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar 

or the
UserPrincipalName (User logon name) => [EMAIL PROTECTED] [or whatever
suffix you configure]

It will likely depend on what your application allows you to do (some do
require the Domain\samAccountName format because they've hardcoded this
in
their logon screens...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida
Pinto
Sent: Donnerstag, 14. April 2005 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

In AD it is not possible to create aliases to security principals (i.e.
user
accounts)

Why do you need separate names?

Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: donderdag 14 april 2005 12:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Alias Authentication in AD

Hi Experts,

I am looking out for a possibility where if I have a user:

username: mayuresh_kshirsagar
password: 

I want to create an alias of this user entry say

username: mkshirsa
password: 

where I can login using any of the above two usernames.

Is this a possibility?

Regards,
Mayuresh.

RE: [ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Cothern Jeff D. Team EITC

I have done something similar but I used a third party program called GPAnywhere by Fullarmor. It allows you to create a policy or import from AD. You can then edit that policy and, best of all, you can export it into an executable file. This has been great in creating policies that we wanted to be part of the local policy without having to worry about someone missing a setting when they are building the server.

So if you have a tried and true policy running on a domain you want to use on a standalone or to put it as the local policy I would suggest looking for that software.

Jeff


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin
Sent: Friday, April 15, 2005 8:36 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Maybe: Import GPO without Domain

I am using VB.NET to create an application that will configure the server from beginning to end without manual SysAdmin intervention. Basically, once a server is installed, it must be configured to our specifications.

I am aware of ADS and RIS and I am already using these options. But in this particular case, it is not an option.

What I would like to do is import a GPO but without the use of a domain. These machines need to be stand-alone. I can only import the "Security Settings" section of the GPO by using secedit.exe.

How can I import/export the "Computer Configuration" and "User Configuration" sections?

Thanks,
Edwin








RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe

Oh excellent, I was completely unaware of that. Wonder why it hasn't made it to MSDN yet... Time to start emailing people. ;o)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Friday, April 15, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Just a related thought to this, you might want to be aware of the following change that was put into W2K3/SP1:

http://support.microsoft.com/kb/832572/

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 6:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's not the way I understand the token construct in later-than-NT4 Windows builds. As I understand it, the effective token is the result of the combined TGT and Session ticket PAC (portions directly derived from the TGT) as it relates to a particular target resource (PAC = privileged attribute cert., the kerb. attr. designated to carry OS proprietary auth. data) ... the change you reference simply forces a 2K3 DC to include Domain Local group SIDs within the TGT (regardless of domain mode) with a view to making the overall authorization process more consistent.

As for your 2nd question, that's a good one ... let me give that some thought.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDs thing. I take it this is a case of the SIDs being in the actual kerb ticket and not in the actual token and restricted, correct?

Is there a mechanism for listing the groups in a given TGT?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.

Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included).

In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem -

http://support.microsoft.com/kb/313661/

Real-time token size can be calculated using the following tool -

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true?

Thanks,
--Brian

Brian Fischer
Microsoft Systems Consultant
Quest Software
4320 Winfield Rd, Suite 500
Warrenville, IL 60555
[EMAIL PROTECTED]

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Thommes, Michael M.

Just a related thought to this, you might want to be aware of the following change that was put into W2K3/SP1:

http://support.microsoft.com/kb/832572/

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 6:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's not the way I understand the token construct in later-than-NT4 Windows builds. As I understand it, the effective token is the result of the combined TGT and Session ticket PAC (portions directly derived from the TGT) as it relates to a particular target resource (PAC = privileged attribute cert., the kerb. attr. designated to carry OS proprietary auth. data) ... the change you reference simply forces a 2K3 DC to include Domain Local group SIDs within the TGT (regardless of domain mode) with a view to making the overall authorization process more consistent.

As for your 2nd question, that's a good one ... let me give that some thought.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDs thing. I take it this is a case of the SIDs being in the actual kerb ticket and not in the actual token and restricted, correct?

Is there a mechanism for listing the groups in a given TGT?


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.

Regarding token bloat; the more accurate max. SIDs value is 1015. This is due to 9 well-known SIDs that are always present and should, therefore, not be part of any calculation as to what can be administratively affected. In addition, tickets handed out by 2K3 DCs always contain DL group SIDs regardless of domain mode and, as such, are always a little bigger than a corresponding ticket issued by a 2000 DC in mixed mode (this is done solely to avoid inconsistencies during transition of modes -- considered a bug by many, myself included).

In contrast, we do attempt to compress specific tokens by maintaining only the RID (not the whole SID) where applicable. A MaxTokenSize registry value exists that simply governs the upper limit. Increasing the value will likely cause performance concerns and, more significantly, potential application failures due to timeouts (too many SIDs to compare, call does not return and app. assumes failure). This article alludes to the problem -

http://support.microsoft.com/kb/313661/

Real-time token size can be calculated using the following tool -

http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups

Hi All:

Can an AD user be a member of more than 1000 groups? Someone told me that 1000 was an AD limitation. Is that true?

Thanks,
--Brian

Brian Fischer
Microsoft Systems Consultant
Quest Software
4320 Winfield Rd, Suite 500
Warrenville, IL 60555
[EMAIL PROTECTED]
tel: 630-836-3160
fax: 949-754-8999
mobile: 630-567-2825
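Dean's description of the token in both copies of this thread (account-domain groups compressed to a RID, domain local and foreign universal groups carried as full SIDs, a MaxTokenSize ceiling, and roughly 1015 usable SIDs once the 9 well-known ones are subtracted from the 1024-SID token limit) is what Microsoft's KB 327825 turns into the planning estimate TokenSize = 1200 + 40d + 8s, where d counts domain local groups, universal groups from other domains and sIDHistory entries (40 bytes each) and s counts global and same-domain universal groups (8 bytes each). The block below is an added example written for this page, not code or a tool referenced in the thread; the group memberships it classifies are constructed. The 12000-byte default is the MaxTokenSize for Windows 2000 SP2 through Server 2008 R2, and 48000 is the default from Windows 8 / Server 2012 onward. It is an estimate for capacity planning, not a substitute for measuring a real ticket with the tool Dean links.

```python
"""Estimate Kerberos token size with the KB 327825 formula and check it
against MaxTokenSize and the 1024-SID token limit Dean describes.

Added example, not from the thread. sample_groups() builds constructed data.
"""
TICKET_OVERHEAD = 1200   # fixed ticket overhead assumed by KB 327825
FULL_SID_BYTES = 40      # domain local, foreign universal and sIDHistory entries
RID_ONLY_BYTES = 8       # account-domain global/universal groups, kept as RID only

MAXTOKENSIZE_DEFAULT_2003 = 12000   # Windows 2000 SP2 .. Server 2008 R2 default
MAXTOKENSIZE_DEFAULT_2012 = 48000   # Windows 8 / Server 2012 and later default
MAX_SIDS_IN_TOKEN = 1024            # access token hard limit
WELL_KNOWN_SIDS = 9                 # always present, per Dean's post
USABLE_GROUP_SIDS = MAX_SIDS_IN_TOKEN - WELL_KNOWN_SIDS   # 1015

SCOPES = {"global", "universal", "domainlocal"}


def classify(account_domain, groups):
    """Split memberships into (d, s) as KB 327825 defines them.

    groups: iterable of (name, scope, domain). d counts entries carried as a
    full SID, s counts entries compressed to a RID.
    """
    d = s = 0
    for name, scope, domain in groups:
        if scope not in SCOPES:
            raise ValueError(f"{name}: unknown scope {scope!r}")
        same_domain = domain.lower() == account_domain.lower()
        if scope == "domainlocal" or (scope == "universal" and not same_domain):
            d += 1
        else:                       # global, or universal in the account domain
            s += 1
    return d, s


def estimate_token_size(d, s, sid_history=0):
    """TokenSize = 1200 + 40*d + 8*s, with sIDHistory entries counted in d."""
    return TICKET_OVERHEAD + FULL_SID_BYTES * (d + sid_history) + RID_ONLY_BYTES * s


def assess(account_domain, groups, sid_history=0,
           max_token_size=MAXTOKENSIZE_DEFAULT_2003):
    """Return the estimate plus whether it fits both ceilings."""
    d, s = classify(account_domain, groups)
    size = estimate_token_size(d, s, sid_history)
    sids = d + s + sid_history
    return {
        "d": d, "s": s, "size": size, "group_sids": sids,
        "fits_max_token_size": size <= max_token_size,
        "fits_sid_limit": sids <= USABLE_GROUP_SIDS,
        # additional 40-byte (full SID) groups that fit before MaxTokenSize is reached
        "headroom_full_sid_groups": max(0, (max_token_size - size) // FULL_SID_BYTES),
    }


def sample_groups(n_global, n_universal_home, n_domainlocal, n_universal_foreign):
    """Constructed membership for a user whose account domain is CORP."""
    g = [(f"GG-{i}", "global", "CORP") for i in range(n_global)]
    g += [(f"UG-{i}", "universal", "CORP") for i in range(n_universal_home)]
    g += [(f"DL-{i}", "domainlocal", "CORP") for i in range(n_domainlocal)]
    g += [(f"UG-EU-{i}", "universal", "EUROPE") for i in range(n_universal_foreign)]
    return g


if __name__ == "__main__":
    # Two constructed users: one comfortably inside the 2003 default, one
    # (post-migration, heavy on domain local groups and sIDHistory) over it.
    for label, groups, hist in [
        ("moderate", sample_groups(200, 50, 120, 80), 10),
        ("migrated", sample_groups(200, 0, 220, 80), 20),
    ]:
        print(label, assess("CORP", groups, sid_history=hist))
```

The second constructed user shows the case Dean warns about: the SID count (520) is nowhere near the 1015 ceiling, yet the estimated ticket (15600 bytes) already exceeds a 12000-byte MaxTokenSize, so the failure will look like a Kerberos or HTTP authentication error rather than a "too many groups" message.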
  
 


 








RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Sure. There is a good chunk of the db that doesn't replicate because it
is outside of the AD object model (example: indexes) or marked to not
replicate (ex: some attributes). But in the aggregate, for most objects,
a fair statement...without clouding the issue with the nuances.


~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 15, 2005 9:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Just to clarify, it is the parts that change and are tagged to replicate
that replicate. You could have shitloads of changes occurring that never
leave the DC.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, April 15, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Trick question? The parts of the 100gb that will replicate are the parts
that change. (not counting dcpromo of new boxes) How much is changing? Who
knows. Different for everyone.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Friday, April 15, 2005 2:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Eric,

Granted but how much of that actual 100gb will be replicated over that 64k
line? I can see the issue if you do a DC promo on a W2k3 server on the other
side and it's the first box and has to pull info over 64k, but once
established that traffic shouldn't even be close to 100mb.

That said it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how "much" connectivity you need vs. how big your
db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that changes a _ton_. So really, it's all about
your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right...large DBs _tend_
to require more bandwidth than smaller ones. I can't picture a 100gb DB on
the other side of a 64k link being good in the average case.
:)

~Eric



-Original Message-
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how "much" connectivity you need vs. how big your
db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that doesn't change very much. So really, it's
all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's
nothing wrong with the occasional promotion that is over the wire. It'll
finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:
1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case
cache is ~2.6gb in size. With 64bit, the sky is the limit...throw ram at a
DC, and it will use it to cache more of the db. DB caching cuts down on the
I/O required for reads (which for most people are the bulk of their load)
and help your perf a lot.
2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else
on them, and /3gb set. It lets you really use your cache well, and still
have some headroom for the OS and tools you might use here and there.
3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries
for AD, and possibly optimizing AD for the queries (both are on the table).
Tools like SPA, field engineering logging (mentioned in a thread on this dl
earlier today) and any 3rd party tools you might like all can help here.
Though this advice isn't specific to large DBs..I like making things
faster at any scale. :)
4) Standard disk logic about optimizing I/O throughput applies.
5) Some people "warm" the cache on DC boot. This is particularly interesting
on 64bit DCs where you have tons of memory headroom. That is, after the box
boots they run some really expensive queries that walk very expensive
indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and
get them off of the disk and into memory. It hits the DC hard from an I/O
standpoint on boot, but it does get a lot of the db into memory for actual
load that starts to hit the box after. It's done in more environments than
one. I like the idea quite a bit, and have thought about if there is
anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 

RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Salandra, Justin A.

Thanks this helps.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, April 15, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

Are you using this as your guide?

 

http://support.microsoft.com/default.aspx?kbid=555126

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, April 15, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

All I have in the inetpub/wwwroot folder is a folder called aspnet_client,
iisstart.htm and pageerror.gif

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, April 09, 2005 2:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

That goes into a standard default.htm or index.htm page located on the
inetpub/wwwroot folder.

 

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com

Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Roger Seielstad
Sent: Friday, April 08, 2005 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

 

There's an ASP command called response.redirect that will do it, as well as
a static HTML meta tag for redirects - should be able to search pretty
quickly for the specific syntax.

Roger Seielstad
E-mail Geek

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Thursday, April 07, 2005 10:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
> 
> Not to sound naive but how do I do that?
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Tuesday, April 05, 2005 11:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
> 
> What's to change? Put an http redirect page on port 80 and redirect to
> 443 - they'll never know the difference.
> 
> Roger Seielstad
> E-mail Geek
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 2:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> > 
> > I would however my organization is not ready to change yet to it, but
> > I need the Change password function working
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, April 05, 2005 3:31 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> > 
> > Why would you not want to use it on the entire site (for the sake of
> > argument?)
> > 
> > I'm not sure I get it.  Wouldn't you want it for all of owa?
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 12:34 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] SSL on OWA to change password
> > 
> > Guys, I sent this to a different list but also wanted to bounce it off
> > of you.
> > 
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager
> > Catholic Healthcare System
> > 212.752.7300 - office
> > 917.455.0110 - cell
> > [EMAIL PROTECTED]
> > 
> > -Original Message-
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 05, 2005 11:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Exchange2000] SSL on OWA to change password
> > 
> > Please check my logic here.  To enable SSL on only the IISADMPWD
> > virtual directory I do the following steps:
> > 
> > 1. Create the IISADMPWD virtual directory
> > 2. Ensure proper rights and authenticated access are set on that directory
> > 3. Apply the hotfixes described in the KB articles for Windows 2003
> > 4. Run asutil.vbs script to set the PasswordChangeFlag to 0
> > 5. Generate the SSL certificate
> > 6. Apply the SSL certificate
> > 7. Set the IISADMPWD virtual directory to require SSL
> > 8. Modify the registry to show the Change Password button
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
> > http://support.microsoft.com/kb/833734/EN-US/
> > http://support.microsoft.com/kb/327134/
> > 
> > I only want to use HTTPS on the change password screen, not the entire
> > OWA Site.
> > 
> > Tha

RE: [ActiveDir] GPO's not getting there

2005-04-15 Thread Darren Mar-Elia
If it helps, here is how each CSE responds, by default, when a slow link
is detected:

CSE                       Processes on Slow Link?
Security                  Yes
IP Security               Yes
EFS Recovery              Yes
Wireless Network          Yes
Administrative Templates  Yes
Scripts                   No
Folder Redirection        No
Software Installation     No
IE Maintenance            Yes

So if desktop lockdown = administrative templates, you should not be
experiencing problems because of the slow link. However, is ICMP enabled
between these remote sites and their DCs? If not, then slow link
detection will break and no GP processing will occur. That could be what
you're seeing. The answer then is to disable slow link detection
completely (or enable ICMP).

Darren



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tim Hines
Sent: Friday, April 15, 2005 6:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] GPO's not getting there

What do you mean by "GPO's aren't applied properly on the workstations"?
Are you using slow WAN link detection settings for GPO's?  That would
cause the clients to not process all GPO settings.  Even in that
scenario the majority of GP settings apply except for those that are
bandwidth intensive.  Those would be settings such as folder redirection,
logon scripts and application deployment.  You should still receive
security settings and the settings from administrative templates.

Tim


- Original Message -
From: "Nicolas Blank" <[EMAIL PROTECTED]>
To: 
Sent: Friday, April 15, 2005 9:27 AM
Subject: [ActiveDir] GPO's not getting there


> I have a customer with small links and 1200+ wan sites. Problem I'm having
> is that without local DC's GPO's aren't applied properly on the workstations
> on logon, and the workstations are not locked down. The customer is not
> willing to buy an extra 1200 dc's. Since WAN costs are a bit silly the size
> of our pipes seem to be fixed as well. I don't really know how to get around
> this without tattooing the registry for the currently logged-on user, but
> that wouldn't give me the flexibility needed to achieve complete lockdown
> either.
> Any ideas around this?
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Just to clarify, it is the parts that change and are tagged to replicate
that replicate. You could have shitloads of changes occurring that never
leave the DC.

  joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Friday, April 15, 2005 11:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Trick question? The parts of the 100gb that will replicate are the parts
that change. (not counting dcpromo of new boxes) How much is changing? Who
knows. Different for everyone.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, April 15, 2005 2:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Eric,

Granted but how much of that actual 100gb will be replicated over that 64k
line? I can see the issue if you do a DC promo on a W2k3 server on the other
side and it's the first box and has to pull info over 64k, but once
established that traffic shouldn't even be close to 100mb.

That said it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how "much" connectivity you need vs. how big your
db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that changes a _ton_. So really, it's all about
your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right...large DBs _tend_
to require more bandwidth than smaller ones. I can't picture a 100gb DB on
the other side of a 64k link being good in the average case.
:)

~Eric



-Original Message-
From: Eric Fleischman
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how "much" connectivity you need vs. how big your
db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that doesn't change very much. So really, it's
all about your rate of change, with the size only being a guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's
nothing wrong with the occasional promotion that is over the wire. It'll
finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:
1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case
cache is ~2.6gb in size. With 64bit, the sky is the limit...throw ram at a
DC, and it will use it to cache more of the db. DB caching cuts down on the
I/O required for reads (which for most people are the bulk of their load)
and help your perf a lot.
2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing else
on them, and /3gb set. It lets you really use your cache well, and still
have some headroom for the OS and tools you might use here and there.
3) I'm a fan of profiling traffic hitting my DCs and optimizing the queries
for AD, and possibly optimizing AD for the queries (both are on the table).
Tools like SPA, field engineering logging (mentioned in a thread on this dl
earlier today) and any 3rd party tools you might like all can help here.
Though this advice isn't specific to large DBs..I like making things
faster at any scale. :)
4) Standard disk logic about optimizing I/O throughput applies.
5) Some people "warm" the cache on DC boot. This is particularly interesting
on 64bit DCs where you have tons of memory headroom. That is, after the box
boots they run some really expensive queries that walk very expensive
indexes (ancestry, dnt, etc.) to traverse as many objects as they can, and
get them off of the disk and into memory. It hits the DC hard from an I/O
standpoint on boot, but it does get a lot of the db into memory for actual
load that starts to hit the box after. It's done in more environments than
one. I like the idea quite a bit, and have thought about if there is
anything we should do in the product to help facilitate this.

The list is of course endless, but these are a few things that come to mind.

My $0.02
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20 GB TB
SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install AD
from media in 2003 but I would think there would be problems in a 2000
domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice
tools

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Better yet:
http://search.msn.com/results.aspx?q=DNS+2003+%22application+partition%22&FORM=QBHP

I would point out, moving to app partitions does not _shrink_ the size
of the data you have to store in the aggregate as has been alluded to.
Rather, it does two things:
1) It lets you control the scope of where it is stored so non-DNS
servers don't need to keep a copy around
2) It removes the partial NC copies from GCs in other domains in the
forest, who do nothing but house these little guys (at least a PAS-worth
of them)

I know the posters probably meant this, but they didn't really state it,
so I wanted to clarify.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Friday, April 15, 2005 6:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Well Francis,

How are your DNS servers set up? Are they:

1. Windows DNS servers
2. Have you specified that your Zones are Active Directory Integrated
Zones

If you haven't created the default DNS app partitions right click on your
DNS server ---> "Create Default DNS application Partitions"  this will
create two APP partitions:

1. ForestDNS
2. DomainDNS

HTH

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: 15 April 2005 02:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Hi Guido,

Can you provide us with some more information on moving the DNS data
into the DNS app partition?

Thanks!
Francis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: 15 April 2005 04:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily
between the OS version and the DIT size to expect. Other cleanup tasks
can also strongly impact DIT size.

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled
the "Distributed Link Tracking" service on all DCs as it feeds AD with a
ton of garbage information (actually the information would be quite
useful if any app were using it - but as even the MS apps make no use to
lookup the new location of moved files in AD, this service is useless).
After removal of a ton of link-objects which were collected over the
years in each domain's \System\FileLinks container, we decreased the DIT
size easily by 6GB (don't have the exact values off the top of my head) -
naturally this was after the tombstone lifetime and an offline defrag.
So now we were down to something like 12GB.  Check out Q312403 for
more details - if you're running a new Win2003 AD, this service will be
turned off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB
and thus got us down to 7GB => so now we're 11GB less than it was for a
Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But
this impact is not as dramatic (will mostly impact DIT on those DCs
which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15 April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20 GB
TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers
I
> cited below (with those very descriptive adjectives) are just what
I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or
so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too
as
> I
> knew you had played with some 16GB+ DITS but didn't want to bother you

> for this and didn't want to speak out of turn for you.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric
Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
>

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Eric Fleischman
Trick question? The parts of the 100gb that will replicate are the parts
that change. (not counting dcpromo of new boxes)
How much is changing? Who knows. Different for everyone.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Friday, April 15, 2005 2:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Eric,

Granted but how much of that actual 100gb will be replicated over that
64k line? I can see the issue if you do a DC promo on a W2k3 server on
the other side and it's the first box and has to pull info over 64k, but
once established that traffic shouldn't even be close to 100mb.

That said it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how "much" connectivity you need vs. how big
your db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that changes a _ton_. So really, it's all
about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right...large DBs
_tend_ to require more bandwidth than smaller ones. I can't picture a
100gb DB on the other side of a 64k link being good in the average case.
:)

~Eric



-Original Message-
From: Eric Fleischman 
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how "much" connectivity you need vs. how big
your db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that doesn't change very much. So really,
it's all about your rate of change, with the size only being a
guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's
nothing wrong with the occasional promotion that is over the wire. It'll
finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:
1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case
cache is ~2.6gb in size. With 64bit, the sky is the limit...throw ram
at a DC, and it will use it to cache more of the db. DB caching cuts
down on the I/O required for reads (which for most people are the bulk
of their load) and help your perf a lot.
2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing
else on them, and /3gb set. It lets you really use your cache well, and
still have some headroom for the OS and tools you might use here and
there.
3) I'm a fan of profiling traffic hitting my DCs and optimizing the
queries for AD, and possibly optimizing AD for the queries (both are on
the table). Tools like SPA, field engineering logging (mentioned in a
thread on this dl earlier today) and any 3rd party tools you might like
all can help here. Though this advice isn't specific to large DBs..I
like making things faster at any scale. :)
4) Standard disk logic about optimizing I/O throughput applies.
5) Some people "warm" the cache on DC boot. This is particularly
interesting on 64bit DCs where you have tons of memory headroom. That
is, after the box boots they run some really expensive queries that walk
very expensive indexes (ancestry, dnt, etc.) to traverse as many objects
as they can, and get them off of the disk and into memory. It hits the
DC hard from an I/O standpoint on boot, but it does get a lot of the db
into memory for actual load that starts to hit the box after. It's done
in more environments than one. I like the idea quite a bit, and have
thought about if there is anything we should do in the product to help
facilitate this.

The list is of course endless, but these are a few things that come to
mind.

My $0.02
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20
GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers
I
> cited below (with those very descriptive adjectives) are just what
I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or
so
> on a san I have nearby. :)
>

RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread joe



Oh I am not saying don't have complex passwords for users.
If you can pull it off in a secure way, go for it. One issue you have to keep in
mind is that the more complex/long your passwords are that you require, the more
likely someone is going to document it in some other location with the most
likely candidate being the postit on the side of the monitor and for the
"secure" business users on a postit in the bottom drawer.

However, as complex as your normal user IDs are, it would
be handy to have even more complex or require more frequent changing for high
power IDs like those associated with services or admins. I know some people are
looking at that going, change service passwords, what is he, mad? Yes, mad
that there is even an option to have non-expiring passwords, that is such a huge
bad security issue it isn't even funny. You change passwords so people can't
guess them or so people who learned them somehow can't always use it. So what do
you do, take some of your most critical and potent IDs and make it so you don't
have to change their passwords... As my young English friend would say...
brilliant.

Having access to a normal userid doesn't necessarily
make an AD more insecure or less resilient to DOS, but obviously, the less info a
hacker has about an environment the better. Unfortunately, a good portion of the
hacks that do occur are by inside people so you always want multiple levels of
security, don't have the complex password for a user as the single
bastion in place.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, April 15, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements


I kind of thought the 
idea of only having one password policy per domain was that you are 
theoretically protecting the domain admin accounts (when enforcing complexity) 
from an escalation type attack from a “user” account. Or for that matter, 
protecting the whole domain with more complex passwords. What good does it do to 
have a domain admin account with a complex password if a user has a 2 letter 
password that someone easily guesses, and then runs a DDOS on AD, or obtains 
some other critical directory information that would not have been accessible 
without a simple domain user account? I am sure there are lot more things that 
can be done with a domain user account than you think (or at least more than you 
think you didn’t overlook).
 
In my eyes it makes 
total sense why it is the way it is. Although I know it all comes back to users 
not putting their passwords on their monitor and all that crap (or complex 
password vs. pass phrase).
 
 
 I guess it isn’t 
that simple :) 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements
 
The way the policy is implemented now is a direct descendant of the policy as
it existed on NT4. There was no hierarchical layout for users, it was a flat
space. When coming to 2K, it was easiest, least trouble-prone, and less
confusing to implement the same system. Basically it is the concept of the
shared SAM/Policy realm within a domain that was there before. Had they just
arbitrarily changed that they could have impacted many customers with programs
that read the single domain policy and make judgements based on that info. Say
for instance apps that manage their own password, etc. They could have added
the functionality and tied it to a functionality level say W2K Native but
again, that is a lot of work for something customers can already handle on
their own if they so choose.
 
So anyway, as others 
have mentioned, the policy is a computer policy that applies to domain 
controllers, the domain controllers write the policy settings to the NC head of 
AD and the domain controllers read from that to determine how to enforce rules. 
If you apply the policies at lower levels of OU hierarchy you will impact the 
password policies on the member machines in those levels. This will not allow 
you to put a weaker password on a domain account based on what member machine 
you use to change your password. 
 
If you flip it around, 
if you applied the policy to users there would be no way to apply global 
policies to local machine users since they don't exist in Active 
Directory.
 
Finally, as ASB pointed out, there are mechanisms out there to help you do
what you want to do. They generally cost a decent amount of money. It uses a
built in functionality to allow you to create your own complexity filters for
passwords. If you are a GREAT C++ programmer, look at the info in MSDN on
password change filters. If you aren't a great c++ programmer, don't even
bother as you are playing with key aspects of your security and stability. If
you are a VB programmer err I mean coder - no soup for you.
 
Another way 
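An added audit for the non-expiring-password problem joe describes above (example code written for this archive, not something from the thread): it lists domain accounts flagged "password never expires" and how old each password is, so service and protected-admin IDs carrying the flag stand out. It assumes a domain-joined Windows host with the ADSI provider; the 180-day staleness threshold is a constructed assumption.

```powershell
# Added example (not from the thread): finds the accounts joe is talking
# about, domain accounts flagged "password never expires", and reports how
# stale each password is. Assumes a domain-joined Windows host (ADSI via
# System.DirectoryServices, no AD module needed); the 180-day threshold is
# a constructed assumption.

function Get-NonExpiringPasswordAccounts {
    param([int]$MaxAgeDays = 180)

    # 65536 = UF_DONT_EXPIRE_PASSWD. The OID is the LDAP bitwise-AND matching
    # rule, so only accounts with that bit set in userAccountControl match.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       '(userAccountControl:1.2.840.113556.1.4.803:=65536))'
    $searcher.PageSize = 1000
    foreach ($p in 'sAMAccountName', 'pwdLastSet', 'servicePrincipalName', 'adminCount') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties            # property names come back lowercase
        $raw   = $props['pwdlastset']
        # pwdLastSet is a FILETIME; 0 means "must change at next logon".
        $lastSet = if ($raw.Count -gt 0 -and [int64]$raw[0] -gt 0) {
            [DateTime]::FromFileTime([int64]$raw[0])
        } else { $null }
        $ageDays = if ($lastSet) { [int]((Get-Date) - $lastSet).TotalDays } else { $null }

        [pscustomobject]@{
            Account          = [string]$props['samaccountname'][0]
            # An SPN is the usual marker of a service account.
            IsServiceAcct    = $props['serviceprincipalname'].Count -gt 0
            # adminCount=1 is set by AdminSDHolder on members of protected groups.
            IsProtectedAdmin = ($props['admincount'].Count -gt 0) -and ([int]$props['admincount'][0] -eq 1)
            PasswordAgeDays  = $ageDays
            Stale            = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
        }
    }
}

# Highest-value IDs first: service or protected-admin accounts whose
# password never expires, oldest password on top.
Get-NonExpiringPasswordAccounts |
    Where-Object { $_.IsServiceAcct -or $_.IsProtectedAdmin } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```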

RE: [ActiveDir] Password complexity requirements

2005-04-15 Thread Douglas M. Long
I kind of thought the idea of only having
one password policy per domain was that you are theoretically protecting the
domain admin accounts (when enforcing complexity) from an escalation type
attack from a “user” account. Or for that matter, protecting the
whole domain with more complex passwords. What good does it do to have a domain
admin account with a complex password if a user has a 2 letter password that
someone easily guesses, and then runs a DDOS on AD, or obtains some other critical
directory information that would not have been accessible without a simple
domain user account? I am sure there are lot more things that can be done with
a domain user account than you think (or at least more than you think you didn’t
overlook).

In my eyes it makes total sense why it is
the way it is. Although I know it all comes back to users not putting their
passwords on their monitor and all that crap (or complex password vs. pass
phrase).

I guess it isn't that simple :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

The way the policy is implemented now is a
direct descendant of the policy as it existed on NT4. There was no hierarchical
layout for users, it was a flat space. When coming to 2K, it was easiest, least
trouble-prone, and less confusing to implement the same system. Basically
it is the concept of the shared SAM/Policy realm within a domain that was there
before. Had they just arbitrarily changed that they could have impacted
many customers with programs that read the single domain policy and make judgements
based on that info. Say for instance apps that manage their own password, etc.
They could have added the functionality and tied it to a functionality level
say W2K Native but again, that is a lot of work for something customers can
already handle on their own if they so choose.

 

So anyway, as others have mentioned, the
policy is a computer policy that applies to domain controllers, the domain
controllers write the policy settings to the NC head of AD and the domain
controllers read from that to determine how to enforce rules. If you apply the
policies at lower levels of OU hierarchy you will impact the password policies
on the member machines in those levels. This will not allow you to put a weaker
password on a domain account based on what member machine you use to change
your password. 

 

If you flip it around, if you applied the
policy to users there would be no way to apply global policies to local machine
users since they don't exist in Active Directory.

 

Finally, as ASB pointed out, there are
mechanisms out there to help you do what you want to do. They generally cost a
decent amount of money. It uses a built in functionality to allow you to create
your own complexity filters for passwords. If you are a GREAT C++ programmer,
look at the info in MSDN on password change filters. If you aren't a great c++
programmer, don't even bother as you are playing with key aspects of your
security and stability. If you are a VB programmer err I mean coder - no soup
for you. 

 

Another way this can be implemented by a
lesser programmer is to set up a web site that you require people to go through
for password changes. You simply take everyone's permission away to change
their own password and set up a delegated ID used by the website to do all password
changes. Of course lots of room for security issues here as well.

 

Will this change in the default OS at some
point in the future, possibly, there certainly are a lot of requests for it,
but it depends on the prioritization of other functions/features people want as
well. Anything that I can pull off on my own through native interfaces I have a
lower priority for having MS change than things I can't work with at all. For
instance, I would much rather see DCs being able to auth users from multiple
domains way before I see built in support for multiple password policies within
a single domain. Ditto the removal of IE and the GUI from servers. There is no
way for me to implement those items I mention as priority for me but
the password issues I can pretty easily handle.

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Hill
Sent: Thursday, April 14, 2005 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password complexity requirements

Yes – that makes sense – At
least I understand why my OU-level GPO’s seemed to be ignoring the
password requirements.  I still don’t understand why Microsoft chose
to make password requirements a feature of the DC and not the user,
however.  The only solution is to have multiple sites!!

Thanks,

Kurt

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 1:29 PM
To: ActiveDir@mail.activedir.org
S
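
joe's pointer above to the MSDN material on password change filters is the hook for the custom complexity rules he describes. As an added illustration (this is not code from the thread, from Microsoft, or from any product) the block below shows the portable core of such a filter in plain C: the length and character-class checks of the built-in rule, a check against account-name fragments, and an assumed denylist. On a domain controller the same function would be called from the filter DLL's exported PasswordFilter routine; that export, the UNICODE_STRING plumbing and the registry registration are left out so the logic compiles and can be tested on any toolchain. The minimum length of 12, the four denylist entries and the account name jsmith are assumptions made for the example.

```c
/* Added example, not from the thread: the portable core of a custom password
 * complexity filter.  On a Windows DC this check would be called from the
 * filter DLL's exported PasswordFilter() routine (see the "Password Filters"
 * topic in MSDN); that export and the UNICODE_STRING plumbing are omitted
 * here so the logic compiles and can be tested with any C toolchain.
 *
 * A real filter executes inside LSASS on every password change, so it must
 * be fast, must not allocate or block, must never log or store the candidate
 * password, and must never fault: a crash here takes the DC down. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp: POSIX, assumed available */

#define MIN_PASSWORD_LEN 12   /* assumed local policy; the built-in rule uses 6 */

/* Hypothetical denylist of fragments; a real deployment loads a far larger one. */
static const char *const DENYLIST[] = { "password", "welcome", "letmein", "qwerty" };

/* Case-insensitive substring search; returns 1 if needle occurs in hay. */
static int contains_ci(const char *hay, const char *needle)
{
    size_t hlen = strlen(hay), nlen = strlen(needle);
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (strncasecmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Mirrors the built-in rule that a password may not contain a run of three
 * or more consecutive characters of the account name (case-insensitive). */
static int contains_name_fragment(const char *pw, const char *account)
{
    size_t alen = account ? strlen(account) : 0;
    char frag[4] = {0};
    for (size_t i = 0; i + 3 <= alen; i++) {
        memcpy(frag, account + i, 3);
        if (contains_ci(pw, frag)) return 1;
    }
    return 0;
}

static int contains_denylisted(const char *pw)
{
    for (size_t i = 0; i < sizeof DENYLIST / sizeof DENYLIST[0]; i++)
        if (contains_ci(pw, DENYLIST[i])) return 1;
    return 0;
}

/* Returns 1 if the candidate password is acceptable, 0 if it must be rejected;
 * a PasswordFilter() export would return TRUE/FALSE in the same way. */
int password_is_acceptable(const char *pw, const char *account)
{
    size_t len = strlen(pw);
    int upper = 0, lower = 0, digit = 0, symbol = 0;

    if (len < MIN_PASSWORD_LEN) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c))      upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else                 symbol = 1;
    }
    /* Three of four character classes, as in the built-in Windows rule. */
    if (upper + lower + digit + symbol < 3) return 0;
    if (contains_name_fragment(pw, account)) return 0;
    if (contains_denylisted(pw)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample candidates; "jsmith" is an assumed account name.
     * Only the verdict is printed, never the candidate itself. */
    const char *samples[] = { "Correct-Horse-Battery", "short1A!",
                              "jsmith-rocks-2024", "MyPassword99!!" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i,
               password_is_acceptable(samples[i], "jsmith") ? "accepted" : "rejected");
    return 0;
}
```

The comment at the top of the block records the constraints behind joe's stability warning: the filter is loaded into LSASS, so a slow, blocking or faulting check degrades or takes down the domain controller, and anything it writes to a log is a password in the clear. Proving the DLL in a lab domain before registering it on production DCs is the practical consequence.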

Re: [ActiveDir] GPO's not getting there

2005-04-15 Thread Santhosh Sivarajan
What is the GPO threshold setting?  Is it default? Change threshold
settings and try Gpupdate again.

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX






RE: [ActiveDir] OT: Exchange Transaction logs

2005-04-15 Thread Douglas M. Long
Thanks to all those that replied. It turned out that I was backing up the 
"Information store" and the information store files (like regular files). It 
seems to me that if you back the information store up correctly that it should 
flush the logs, even if you also back those files up incorrectly during the 
same backup. Either way, it is working now, and I just wanted to thank everyone 
for the OT subject. 


Michel, thanks for the offer of personal assistance



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, April 12, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Exchange Transaction logs

I'm using Veritas 9.1 actually but it's almost the same as 10.0, with the 
exchange agent. You can contact me off list; I may be able to help you out a 
bit 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Douglas M. Long
> Sent: Tuesday, April 12, 2005 2:03 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] OT: Exchange Transaction logs
> 
> I am using BackupExec 10. I believe Michel answered my specific
> question. I am talking to the Veritas people right now to see what I
> have setup wrong.
> 
> 
> 




RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Douglas M. Long

Are you using this as your guide?

http://support.microsoft.com/default.aspx?kbid=555126

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, April 15, 2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

All I have in the inetpub/wwwroot folder
is a folder called aspnet_client, iisstart.htm and pageerror.gif

 


RE: [ActiveDir] SLOWWWWWW Logons

2005-04-15 Thread Salandra, Justin A.
I don't remember and I did not save the capture.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 10:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

Which packets?

Kerberos?
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Thursday, April 14, 2005 10:22 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

A network trace was done using ethereal and I found that packets were just
failing over and over.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SLOWW Logons

I would tend to agree though I wonder how much this 

"and updating the drivers for the NIC cards" 

played into it. I could visualize a scenario where the driver update changed
how it was packaging udp packets and in fact the whole time it was kerberos
biting him in the ass with fragmented packet sizes. I have seen cases where
updating drivers cleared up the kerberos packet frag issue. Unfortunately it
seems a network trace was never done to verify what the actual issue might
have been.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, April 13, 2005 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] SLOWW Logons

Also interesting that this would be happening when the computer was logged
off and not shut down. Once the machine is up and on the network there
shouldn't be any more issues with the media sensing of the NIC.

If it fixed the issue then it's all good, but I'm perplexed as to why this
would fix your particular problem as well.

Thanks for the followup!

Phil

On 4/12/05, Mulnick, Al <[EMAIL PROTECTED]> wrote:
> That's very interesting.  Like I said, it's most interesting that the 
> symptoms didn't occur for all users on that machine.
> 
> Either way, glad you're making progress and thanks for posting the findings.
> 
> -ajm


Re: [ActiveDir] GPO's not getting there

2005-04-15 Thread Tim Hines
What do you mean by "GPO's aren't applied properly on the workstations"?
Are you using slow WAN link detection settings for GPO's?  That would cause
the clients to not process all GPO settings .  Even in that scenario the
majority of GP Settings apply except for those that are bandwidth intensive.
Those would be settings such as folder redirection, logon scripts and
application deployment.  You should still receive security settings and the
settings from administrative templates.

Tim




RE: [ActiveDir] SSL on OWA to change password

2005-04-15 Thread Salandra, Justin A.

All I have in the inetpub/wwwroot folder
is a folder called aspnet_client, iisstart.htm and pageerror.gif

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, April 09, 2005 2:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

That goes into a standard default.htm or index.htm
page located on the inetpub/wwwroot folder.

 

Sincerely,

 

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I

Microsoft MVP - Dir. Services / Security

www.readymaids.com - we know IT

www.akomolafe.com

Do you now realize that Today is the Tomorrow you were
worried about Yesterday?  -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Friday, April 08, 2005 10:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] SSL on OWA to change password

There's an ASP command called response.redirect that will do it, as well as
a static HTML meta tag for redirects - should be able to search pretty
quickly for the specific syntax.

Roger Seielstad
E-mail Geek 


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> Sent: Thursday, April 07, 2005 10:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
> 
> Not to sound naive but how do I do that?
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
> Sent: Tuesday, April 05, 2005 11:41 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] SSL on OWA to change password
> 
> What's to change? Put an http redirect page on port 80 and redirect to 443 -
> they'll never know the difference.
> 
> Roger Seielstad
> E-mail Geek 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 2:32 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> > 
> > I would however my organization is not ready to change yet to it, but
> > I need the Change password function working
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, April 05, 2005 3:31 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] SSL on OWA to change password
> > 
> > Why would you not want to use it on the entire site (for the sake of
> > argument?)
> > 
> > I'm not sure I get it.  Wouldn't you want it for all of owa?
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
> > Sent: Tuesday, April 05, 2005 12:34 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] SSL on OWA to change password
> > 
> > Guys, I sent this to a different list but also wanted to bounce it off
> > of you.
> > 
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager Catholic Healthcare System 
> > 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
> > 
> > -Original Message-
> > From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, April 05, 2005 11:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Exchange2000] SSL on OWA to change password
> > 
> > Please check my logic here.  To enable SSL on only the IISADMPWD
> > virtual Directory I do the following steps
> > 
> > Create the IISADMPWD Virtual Directory
> > Ensure proper rights and authenticated access are set on that directory
> > Apply the hotfixes described in the KB Articles for Windows 2003
> > Run asutil.vbs script to set the PasswordChangeFlag to 0
> > Generate the SSL Certificate
> > Apply the SSL Certificate
> > Set the IISADMPWD Virtual Directory to require SSL
> > Modify the Registry to show the Change Password button
> > 
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;297121
> > http://support.microsoft.com/kb/833734/EN-US/
> > http://support.microsoft.com/kb/327134/
> > 
> > I only want to use HTTPS on the change password screen, not the entire
> > OWA Site.
> > 
> > Thanks
> > 
> > Justin A. Salandra
> > MCSE Windows 2000 & 2003
> > Network and Technology Services Manager Catholic Healthcare System 
> > 212.752.7300 - office 917.455.0110 - cell [EMAIL PROTECTED]
> > 
> >   Post message: [EMAIL PROTECTED]
> >   Unsubscribe: [EMAIL PROTECTED]
> > 
> >   Exchange 2000 FAQ: http://www.exchange-mail.org/faq.html
> > 
> > Yahoo! Groups Links
> > 
> > <*> To visit your group on the web, go to:
> > http://groups.yahoo.com/group/Exchange2000/
> > 
> > <*> To unsubscribe from this group, send an email
RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Nicolas Blank
Daniel, have to agree with Al. Depending on the state of these DB's you may
have absolute garbage.
If the DB shutdown in a dirty state and you don't have logs to replay -
problem, means a hard recovery.
If a hard recovery works you may only lose a little data. If a hard recovery
fails you have zero options as far as MS is concerned. There are DR shops out
there that specialise in rebuilding these if they make sense.

You can run eseutil and examine the header to check the database state. For
a bit of automation I've used a 3rd party tool here before, namely Recovery
Manager for Exchange. Even a demo (i.e. download and eval key) will tell you
quite quickly if the db CAN be mounted or not, and if not attempts to
rebuild, but uses same dll's as eseutil in the background. That might save
you having to build a full exchange environment to DR in.

Failing this - build a pristine AD, add exchange, add a SG with DB names
that resemble yours, dismount it, swap your files in, attempt a remount, and
if all goes well you'll have a db full of disconnected mailboxes. After
reconnection, exmerge is your friend ;)

Hope that helps.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: 15 April 2005 03:18 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recover exchange database file

Have you read the disaster recovery whitepaper about Exchange on Microsoft's
site yet?  

My guess is that you don't have enough of the relevant information, but it's
possible you can salvage some of it.  There are also utilities out there
that might be helpful if you really want that data. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Kolvik
Sent: Thursday, April 14, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover exchange database file

Hi,


anyone with experience on how to "import" edb files?

I had a crash and the only thing i could get out was the edb and stm files.


Regards,
Daniel




RE: [ActiveDir] 1000 groups

2005-04-15 Thread Dean Wells



Regarding DLs (Domain Local for Joe's sake) groups, I'm 
not certain I've read anything that states whether we do or we don't ... like 
you Guido, I can initially see no reason to maintain any more than the RID alone 
assuming the necessary components exist elsewhere to explode it to a full SID 
upon authorization.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 3:36 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

had me worried just the same when reading DL and 
thinking Distribution Lists ;-))
 
one thing that I don't understand is, why doesn't the token 
only store the _RIDs_ of the DLGs - why are they stored with the full SID??? 
Makes no sense to me, as they are able to use the RID for GGs and UGs - and 
naturally they have some mechanism on the client side anyways to expand the RIDs 
in the token back to the full SIDs for the security token used e.g. during 
resource authorization (I believe this was added in Win2k SP2).  

 
It's obvious that the SIDs from SIDhistory are added to the 
token as full SIDs as these have a different domain-part in the SID - but I 
certainly don't grasp why it's required for the DLGs of the same 
domain...?  

And don't forget - in a perfect joe-world, all groups would 
be DLGs so you wouldn't even have any benefit of the new mechanism to store RIDs 
in the token to limit its size ;-)
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 01:57
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] 1000 groups

Ah Domain Local Group (DLG) SIDS... Sorry, I misread your 
post and thought you meant Distribution List when you said DL Groups. Looking at 
too much Exchange stuff lately.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 7:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's 
not the way I understand the token construct in later-than-NT4 Windows 
builds.  As I understand it, the effective token is the result of the 
combined TGT and Session ticket PAC (portions directly derived from the TGT) as 
it relates to a particular target resource (PAC = privileged attribute cert., 
the kerb. attr. designated to carry OS proprietary auth. data) ... the 
change you reference simply forces a 2K3 DC to include Domain Local group SIDs 
within the TGT (regardless of domain mode) with a view to making the overall 
authorization process more consistent.
 
As for 
your 2nd question, that's a good one ... let me give that some 
thought.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDS thing. 
I take it this is a case of the SIDS being in the actual kerb ticket and not in 
the actual token and restricted correct? 
 
Is 
there a mechanism for listing the groups in a given tgt?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and 
the ~5000 limitation are entirely unrelated.  
 
Regarding token bloat; the more accurate max. SIDs 
value is 1015.  This is due to 9 well-known SIDs that are always present 
and should, therefore, not be part of any calculation as to what we can be 
administratively affected. In addition, tickets handed out by 2K3 DCs always 
contain DL group SIDs regardless of domain mode and, as such, are always a 
little bigger than a corresponding ticket issued by a 2000 DC in mixed mode 
(this is done solely to avoid inconsistencies during transition of modes -- 
considered a bug by many, myself included).  
 
In 
contrast, we do attempt to compress specific tokens by maintaining only the RID 
(not the whole SID) where applicable.  A MaxTokenSize registry value exists 
that simply governs the upper limit.  Increasing the value will likely 
cause performance concerns and, more significantly, potential application 
failures due to timeouts (too many SIDs to compare, call does not return and 
app. assumes failure).  This article alludes to the problem -
 
http://support.microsoft.com/kb/313661/
 
Real-time token size can be calculated using the 
following tool -
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian 
FischerSent: Tuesday, April 12
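
To put numbers on the RID-versus-full-SID question Guido raises and the 1015-SID ceiling Dean describes, here is an added example (not code from the thread, and not the Microsoft token-size tool Dean links) that estimates a user's Kerberos token size from group-membership counts with the sizing formula Microsoft publishes in KB 327825, TokenSize = 1200 + 40d + 8s: d counts the memberships carried as full SIDs (domain local groups, universal groups from other domains, SIDHistory entries) and s those the DC compresses to a RID (global groups and universal groups in the user's own domain). The sample membership counts and the 12000-byte MaxTokenSize default assumed for the Windows 2000 SP2 / 2003 era are constructed for the example.

```c
/* Added example, not from the thread: estimate a Kerberos access token's size
 * from group-membership counts.  The formula is the one Microsoft publishes
 * in KB 327825, TokenSize = 1200 + 40*d + 8*s, where
 *   d = domain local groups + universal groups from other domains + SIDHistory
 *       entries, each carried as a full SID (about 40 bytes), and
 *   s = global groups + universal groups from the user's own domain, which
 *       the DC stores in the 8-byte RID-only form (Dean's "RID alone").
 * The 1200 bytes are the published allowance for fixed ticket overhead. */
#include <stdio.h>

#define TOKEN_OVERHEAD     1200
#define FULL_SID_BYTES     40
#define RID_ONLY_BYTES     8
#define WELL_KNOWN_SIDS    9       /* always present, per Dean's post */
#define MAX_SIDS_IN_TOKEN  1024    /* 1015 administrable SIDs + 9 well-known */
#define DEFAULT_MAX_TOKEN  12000   /* assumed MaxTokenSize default, 2000 SP2 / 2003 */

struct membership {
    int domain_local;      /* domain local groups in the account domain */
    int universal_foreign; /* universal groups from other domains */
    int sid_history;       /* entries in sIDHistory */
    int global;            /* global groups */
    int universal_own;     /* universal groups in the account domain */
};

/* Estimated token size in bytes under the current (full-SID DLG) scheme. */
int estimate_token_size(const struct membership *m)
{
    int d = m->domain_local + m->universal_foreign + m->sid_history;
    int s = m->global + m->universal_own;
    return TOKEN_OVERHEAD + FULL_SID_BYTES * d + RID_ONLY_BYTES * s;
}

/* What the same token would cost if same-domain DLGs were also stored as
 * RIDs, which is the change Guido asks about. */
int estimate_token_size_dlg_as_rid(const struct membership *m)
{
    int d = m->universal_foreign + m->sid_history;
    int s = m->global + m->universal_own + m->domain_local;
    return TOKEN_OVERHEAD + FULL_SID_BYTES * d + RID_ONLY_BYTES * s;
}

/* SIDs the user's memberships contribute, excluding the well-known ones. */
int sid_count(const struct membership *m)
{
    return m->domain_local + m->universal_foreign + m->sid_history
         + m->global + m->universal_own;
}

/* 1 when the 1015-SID ceiling Dean describes is exceeded. */
int exceeds_sid_limit(const struct membership *m)
{
    return sid_count(m) + WELL_KNOWN_SIDS > MAX_SIDS_IN_TOKEN;
}

/* 1 when the estimate is larger than the configured MaxTokenSize. */
int exceeds_max_token_size(const struct membership *m, int max_token_size)
{
    return estimate_token_size(m) > max_token_size;
}

int main(void)
{
    /* Constructed sample: a heavy user in a DLG-centric ("joe-world") design. */
    struct membership u = { 300, 20, 10, 200, 50 };
    printf("estimated token: %d bytes, MaxTokenSize %d exceeded: %s\n",
           estimate_token_size(&u), DEFAULT_MAX_TOKEN,
           exceeds_max_token_size(&u, DEFAULT_MAX_TOKEN) ? "yes" : "no");
    printf("with DLGs stored as RIDs: %d bytes\n", estimate_token_size_dlg_as_rid(&u));
    printf("SIDs in token: %d, 1015 limit exceeded: %s\n",
           sid_count(&u), exceeds_sid_limit(&u) ? "yes" : "no");
    return 0;
}
```

The two estimates for the sample user make Guido's point concrete: 300 same-domain DLGs cost 32 bytes more each as full SIDs than they would as RIDs, which is the difference between a token that overflows the assumed 12000-byte MaxTokenSize and one that fits comfortably. Raising MaxTokenSize, as Dean notes, trades that failure for the timeouts of comparing more SIDs, so the estimate is a planning aid for group design rather than a reason to turn the knob.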

[ActiveDir] GPO's not getting there

2005-04-15 Thread Nicolas Blank
I have a customer with small links and 1200+ wan sites. Problem I'm having
is that without local DC's GPO's aren't applied properly on the workstations
on logon, and the workstations are not locked down. The customer is not
willing to buy an extra 1200 dc's. Since WAN costs are a bit silly the size
of our pipes seem to be fixed as well. I don't really know how to get around
this without tatooing the registry for the currently loggon on user, but
that wouldn't give me the flexibility needed to achieve complete lockdown
either.
Any ideas around this?



RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Carlos Magalhaes
Well Francis,

How are your DNS servers set up? Are they:

1. Windows DNS servers
2. Have you specified that your Zones are Active Directory Integrated
Zones

If you haven't created the default DNS app partitions right click on your
DNS server ---> "Create Default DNS application Partitions"  this will
create two APP partitions:

1. ForestDNS
2. DomainDNS

HTH

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: 15 April 2005 02:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Hi Guido,

Can you provide us with some more information on moving the DNS data
into the DNS app partition?

Thanks!
Francis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: 15 April 2005 04:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily
between the OS version and the DIT size to expect. Other cleanup tasks
can also strongly impact DIT size. 

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled
the "Distributed Link Tracking" service on all DCs as it feeds AD with a
ton of garbage information (actually the information would be quite
useful if any app were using it - but as even the MS apps make no use of
it to look up the new location of moved files in AD, this service is
useless). After removal of a ton of link-objects which were collected
over the years in each domain's \System\FileLinks container, we decreased
the DIT size easily by 6GB (don't have the exact values off the top of my
head) - naturally this was after the tombstone lifetime and an offline
defrag. So now we were down to something like 12GB.  Check out Q312403
for more details - if you're running a new Win2003 AD, this service will
be turned off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB
and thus got us down to 7GB => so now we're 11GB less than it was for a
Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But
this impact is not as dramatic (will mostly impact DIT on those DCs
which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15. April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VMware running on 20 GB
TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you
> for this and didn't want to speak out of turn for you.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
> 
> ~Eric
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> The largest production DIT I have personally seen was on the order of 
> 8GB for the GC DIT for a Fortune 5 company running about 250k users of which
> about 180k were Exchange enabled. Also had some 250k contacts, 200k or
> so computer objects, 100k or so group objects and consisted of 9 
> domains.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Tuesday, April 12, 2005 2:53 PM
> To: ActiveDir@mail.activedi

Re: [ActiveDir] DC location queries

2005-04-15 Thread Tim Hines
Joe has summed it up well but if you want to do 
some reading on it you should check out this chapter from the Distributed 
Systems Guide.  
 
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbc_nar_jevl.asp
 
Tim

  - Original Message - 
  From: joe 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, April 14, 2005 7:33 PM
  Subject: RE: [ActiveDir] DC location queries
  
  1. Yes. 
  2. Yes
  3. No.
   
  Basically clients go through this process:
   
  A. Determine site of client
  B. Retrieve list of DCs registered for site; this could be DCs in the site or other sites covering that site.
  C. If none available, retrieve list of DCs for domain
   
  Your case 3 involves a client in an undefined subnet or a subnet not linked to a site. In that case, the site will be null for that client and it will jump straight to C.
   
     joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
  Sent: Thursday, April 07, 2005 10:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] DC location queries
  
  I would like to ask for confirmation relating to the below scenarios and DC location: 
  1. Client in site with no DCs installed
  Client receives list of DCs which have registered SRV records on behalf of that site 
  2. Client in site with a DC but that DC is unavailable
  Client requests list of DCs registered at the domain level 
  3. Client in unknown site
  Client receives list of DCs associated with the defaultFirstNameSite 
  We have only hub sites register as per point 2 and the default site has been renamed. How do I determine which site has assumed 
  the role of the default site?
  Thanks, neil 
  == This message is for the sole use of the intended recipient. If you received this 
  message in error please delete it and notify us. If this message was 
  misdirected, CSFB does not waive any confidentiality or privilege. CSFB 
  retains and monitors electronic communications sent through its network. 
  Instructions transmitted over this system are not binding on CSFB until they 
  are confirmed by us. Message transmission is not guaranteed to be 
  secure. ==
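joe's A/B/C steps, worked through as an added Python example (this is not code from the thread, nor Microsoft's DC locator). DNS is replaced by a constructed in-memory SRV table so it runs offline; the domain example.test, the sites London and Branch42, the subnets and the dc01..dc03 host names are all invented for the example. locate_dcs does step A by longest-prefix subnet match, step B against the site-specific _ldap._tcp.<site>._sites.dc._msdcs.<domain> name, and step C against the domain-wide _ldap._tcp.dc._msdcs.<domain> name when the site is unknown or none of the site's DCs answer; the optional `available` set stands in for the LDAP ping that a real client sends before it settles on a DC.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed names: domain, sites, subnets and hosts are invented for this example.
DOMAIN = "example.test"

# Constructed stand-in for DNS, keyed by the names DcLocator actually queries.
SRV_TABLE = {
    f"_ldap._tcp.London._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"dc01.{DOMAIN}"),
        SrvRecord(0, 100, 389, f"dc02.{DOMAIN}"),
    ],
    # Branch42 has no DC of its own; the hub DC registered for it (site coverage).
    f"_ldap._tcp.Branch42._sites.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"dc01.{DOMAIN}"),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        SrvRecord(0, 100, 389, f"dc01.{DOMAIN}"),
        SrvRecord(0, 100, 389, f"dc02.{DOMAIN}"),
        SrvRecord(10, 100, 389, f"dc03.{DOMAIN}"),  # lower priority: tried last
    ],
}

# Constructed Subnets container (AD Sites and Services): CIDR -> site name.
SUBNETS = {"10.1.0.0/16": "London", "10.42.0.0/24": "Branch42"}


def site_of(ip, subnets=SUBNETS):
    """Step A: longest-prefix match of the client address against the subnet
    objects. None means the client is in no defined subnet (Neil's case 3)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def order_by_srv(records, rng=None):
    """RFC 2782 selection: lowest priority first, weighted random within it."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            if total == 0:
                chosen = rng.choice(bucket)
            else:
                pick = rng.randrange(total)
                for chosen in bucket:
                    if pick < chosen.weight:
                        break
                    pick -= chosen.weight
            ordered.append(chosen)
            bucket.remove(chosen)
    return ordered


def locate_dcs(ip, domain=DOMAIN, srv=SRV_TABLE, available=None):
    """Steps B and C. `available` (set of host names) stands in for the LDAP
    ping: DCs not in it are treated as down, which is Neil's case 2."""
    site = site_of(ip)

    def live(records):
        return [r for r in records if available is None or r.target in available]

    candidates = []
    if site is not None:                                            # step B
        candidates = live(srv.get(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", []))
    if not candidates:                                              # step C
        candidates = live(srv.get(f"_ldap._tcp.dc._msdcs.{domain}", []))
    return site, [r.target for r in order_by_srv(candidates)]


if __name__ == "__main__":
    for client in ("10.1.5.5", "10.42.0.9", "192.168.1.1"):
        print(client, locate_dcs(client))
```

Neil's three cases map onto the three clients at the bottom: a London client gets dc01/dc02, a Branch42 client gets the covering hub DC, and a client in no defined subnet skips straight to the domain list, where dc03 comes last because of its SRV priority. On a real client, `nltest /dsgetdc:<domain> /force` shows the result of the same process.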


RE: [ActiveDir] Recover exchange database file

2005-04-15 Thread Mulnick, Al
Have you read the disaster recovery whitepaper about Exchange on Microsoft's
site yet?  

My guess is that you don't have enough of the relevant information, but it's
possible you can salvage some of it.  There are also utilities out there
that might be helpful if you really want that data. 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Kolvik
Sent: Thursday, April 14, 2005 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recover exchange database file

Hi,


anyone with experience on how to "import" edb files?

I had a crash and the only thing i could get out was the edb and stm files.


Regards,
Daniel




RE: [ActiveDir] Files missing from sysvol folder

2005-04-15 Thread Mulnick, Al
You may additionally want to check the software running on the DC's in
question if the files are copied and then deleted.  Until replication I
wouldn't expect the files to change on newly promoted dc.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 6:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Files missing from sysvol folder

Is Sysvol properly replicating amongst your other DCs?
 
The fact that your 2 DCs never got sysvol/netlogon means they never truly
became DCs, this is something you should check every time you promote new
DCs. It used to be a horrible pain back in early 2K days but is much better
now. 
 
  joe



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, April 13, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Files missing from sysvol folder


While attempting to complete an Exchange 2003 install on a W2K3 Server (not
a dc), we have discovered that we have some AD problems with our W2K AD.  It
appears that 2 of our DC servers are missing the shared SYSVOL and Netlogon
folders.  I have read numerous KB articles, but have found no solutions, as
restoring is not a solution at this point.   After looking at the actual
Sysvol folder on these particular servers, I noticed that several of the
files/folders that should be present are not.  
 
I have tried all of the following:
-Demoting the server and then re-running dcpromo.  This was successfully run,
but didn't help.
-Copying the contents of the sysvol folder from a "good" dc to the "bad" dc.
The files were then automatically deleted, by the OS (I am assuming).
-Re-applying SP4 on the "bad" dc which is running W2K Server.
-After running DCdiag, the only error that is reported is that the domain
membership test failed: [Warning] the system volume has not been completely
replicated to the local machine.  This machine is not working properly as a
dc.
-I am also getting Event ID 13552 in the Event Viewer:
"The file replication service is unable to add this computer to the
following replica set:  "Domain system volume (sysvol share)""
 
Any additional insight would be greatly appreciated!
 
Thanks,
Brenda Casey
 


RE: [ActiveDir] OT Exchange question.

2005-04-15 Thread Mulnick, Al
Or the reverse of that ;)

Welcome back Joe.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT Exchange question.

> (Gotta love how many Exchange questions get fielded to this list, 
> isn't it?)

A lot of us poor schmoes were handling AD so well someone started throwing
Exchange at us to handle as well. 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, April 08, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT Exchange question.

(Gotta love how many Exchange questions get fielded to this list, isn't
it?)

Rebuilding an Exchange 2000 server, and received the following error trying
to install the post-SP3 roll-up:

"Setup has detected that the version of the service pack installed on your
system is lower that what is necessary to apply this hotfix.  

At minimum you must have Service Pack 3 installed."

(And yes, I have SP 3 installed.  :-)  Even reinstalled it once or twice for
good measure.)

Google is being uninformative.  Has anyone run into this?

- Laura


RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Francis Ouellet
Hi Guido,

Can you provide us with some more information on moving the DNS data
into the DNS app partition?

Thanks!
Francis 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: 15 avril 2005 04:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily
between the OS version and the DIT size to expect. Other cleanup tasks
can also strongly impact DIT size. 

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled
the "Distributed Link Tracking" service on all DCs as it feeds AD with a
ton of garbage information (actually the information would be quite
useful if any app were using it - but as even the MS apps make no use of
it to look up the new location of moved files in AD, this service is
useless). After removal of a ton of link-objects which were collected
over the years in each domain's \System\FileLinks container, we decreased
the DIT size easily by 6GB (don't have the exact values off the top of my
head) - naturally this was after the tombstone lifetime and an offline
defrag. So now we were down to something like 12GB.  Check out Q312403
for more details - if you're running a new Win2003 AD, this service will
be turned off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB
and thus got us down to 7GB => so now we're 11GB less than it was for a
Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But
this impact is not as dramatic (will mostly impact DIT on those DCs
which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15. April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VMware running on 20 GB
TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you
> for this and didn't want to speak out of turn for you.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
> 
> ~Eric
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> The largest production DIT I have personally seen was on the order of 
> 8GB for the GC DIT for a Fortune 5 company running about 250k users of which
> about 180k were Exchange enabled. Also had some 250k contacts, 200k or
> so computer objects, 100k or so group objects and consisted of 9 
> domains.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Tuesday, April 12, 2005 2:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NTDS.dit size
> 
> I know that AD can have millions of objects, just trying to see what the
> real world size of some your AD databases are.  Do any of you have 
> databases greater than 20GB+... or more?
> 
> Thanks
> Mike

RE: [ActiveDir] systemFlags

2005-04-15 Thread joe



And clobbered again but offline this time by someone else 
who didn't even offer up a ;-). 
 
I feel obligated to say that anyone working around the 
"officially" correct mechanisms could jeopardize their entire forest. It is sort 
of like going out into the water 10 minutes after you ate a meatball sub, 
something bad "could" happen and in fact has happened to someone previously 
under some particular set of circumstances. It all depends on what things you 
are doing and how crazy you are getting with it. 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

See, I knew I would get clobbered. 
:)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the 
suggestion of such 'back-doors' alone ... bad Joe ;-)
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
    0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully
 
The directory itself is purposely throwing the error. The 
DSID tells you exactly where in the source the error is being thrown from and 
looking at the source it is because this attribute is reserved for update. 

 
It is however, possible to update, I will not share 
that mechanism as I may get clobbered for it. You can find the mechanism in 
public archives though if you look carefully...
 
 
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
    0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>
 
 
Consider it to be like the whole "trust us, someone who can 
get interactive access on your DC can take over your forest" argument. Just 
because one person doesn't know how to do it doesn't mean no one else does... If 
you don't trust the people who are on your DCs, you are in a very ver
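The -2147483648 that adfind prints in joe's transcript is the same bit he tried to set with admod: 2147483648 is 0x80000000, ADS_SYSTEMFLAG_DISALLOW_DELETE, and because systemFlags is a signed 32-bit integer the top bit comes back as a negative number. What follows is an added Python example, not code from joe's post, and it contains nothing that works around the constraint violation the transcript shows; it only converts between the signed and unsigned forms and names the bits using the ADS_SYSTEMFLAG_* constants. The low bits are reused per object class (attributeSchema vs crossRef), so they are only named when the class is passed in. The value -1946157056 in the usage is a constructed sample (the bit pattern 0x8C000000, i.e. delete, move and rename protection together).

```python
# ADS_SYSTEMFLAG_* bits that mean the same thing on every object class.
COMMON_FLAGS = {
    0x02000000: "DISALLOW_MOVE_ON_DELETE",
    0x04000000: "DOMAIN_DISALLOW_MOVE",
    0x08000000: "DOMAIN_DISALLOW_RENAME",
    0x10000000: "CONFIG_ALLOW_LIMITED_MOVE",
    0x20000000: "CONFIG_ALLOW_MOVE",
    0x40000000: "CONFIG_ALLOW_RENAME",
    0x80000000: "DISALLOW_DELETE",
}

# The low bits are overloaded depending on the object class.
CLASS_FLAGS = {
    "attributeSchema": {
        0x1: "ATTR_NOT_REPLICATED", 0x2: "ATTR_REQ_PARTIAL_SET_MEMBER",
        0x4: "ATTR_IS_CONSTRUCTED", 0x8: "ATTR_IS_OPERATIONAL",
        0x10: "SCHEMA_BASE_OBJECT", 0x20: "ATTR_IS_RDN",
    },
    "classSchema": {0x10: "SCHEMA_BASE_OBJECT"},
    "crossRef": {0x1: "CR_NTDS_NC", 0x2: "CR_NTDS_DOMAIN",
                 0x4: "CR_NTDS_NOT_GC_REPLICATED"},
}


def to_unsigned32(value):
    """adfind displays the attribute as a signed int; recover the raw bit pattern."""
    return value & 0xFFFFFFFF


def to_signed32(value):
    """The inverse: what the directory will display for a given bit pattern."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_systemflags(value, object_class=None):
    """Names of the set bits, lowest bit first; bits without a known name
    for this class are returned as hex so nothing is silently dropped."""
    names = dict(COMMON_FLAGS)
    names.update(CLASS_FLAGS.get(object_class, {}))
    raw = to_unsigned32(value)
    return [names.get(1 << bit, f"0x{1 << bit:08X}")
            for bit in range(32) if raw & (1 << bit)]


def is_delete_protected(value):
    """True when ADS_SYSTEMFLAG_DISALLOW_DELETE is set, whichever sign adfind showed."""
    return bool(to_unsigned32(value) & 0x80000000)


if __name__ == "__main__":
    # Constructed sample values: joe's OU after the change, a fully protected
    # container, and an unprotected object.
    for v in (-2147483648, -1946157056, 0):
        print(v, hex(to_unsigned32(v)), decode_systemflags(v))
    print(decode_systemflags(0x13, "attributeSchema"))
```

The practical use is the reverse of what joe did: dump systemFlags for the containers you expect to be protected and decode them, so that a protected container that has quietly lost its DISALLOW_DELETE bit stands out, whatever mechanism was used to change it.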

RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe



I take it you mean the issue for the originating write, not the replication, correct? You can hit this even with a smaller originating write 
based on the version store depletion on the DC in question, that applies to any 
large updates I believe. 
 
You can also bump against the default LDAP packet size issue as well, default max packet being 10MB 
(MaxReceiveBuffer=10485760).
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

> Regular multivalue attributes still have a limitation on size. In 2K that is approximately ~850 members and in K3 that is 
> approximately ~1300 members.
I'd call these "entries" instead of members to avoid confusion...
 
Not sure if it was mentioned in another part of this thread, but it should be clear, that the version store limit also still applies 
to 2k3 linked attributes (such as group-memberships) when updating these => 
i.e. you shouldn't add or delete more than 5000 members at one time to these 
attributes, otherwise you'll risk hitting the version store limit just like you 
did in 2k.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15. April 2005 01:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Not so much a myth as a general guideline. 
:o)
 
There are people who do and have broken in the 5000 group 
membership, and actually people who have broken sooner if you can believe 
newsgroup postings, and people who have exceeded the guideline and lived to tell 
about it. The issue is around version store and how it is being used on a 
particular DC at a particular time and the fact that it has to be used in 
replication but is also used when people are doing queries and updates. In 2K 
you replicate the entire member attribute (I think someone previously said this 
was object level replication, it is actually attribute level replication and 
with K3 for LV attributes it is value level replication) but in K3 linked value 
attributes are replicated at the value level instead of the attribute level. 

 
Some people think that all multivalue groups are now 
cleared up in terms of they can have limitless size. This is incorrect, the "LVR 
fix" is only, again, for linked value attributes which are DN style attributes 
with forward/back links associated with them. Regular multivalue attributes 
still have a limitation on size. In 2K that is approximately ~850 members and in 
K3 that is approximately ~1300 members. Note that hitting that limit backs you 
into the object size limit as well so you can no longer add any attributes to 
any object that has hit the limit on a single multivalue (non-LV) attributes. 
You will see an admin limit exceeded error for every attribute add you try to do 
after that. You can update already existing attributes, you simply can't add 
more.
 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups


Note that the hard limit in W2K of 5000 members is actually kind of a myth.  At my current 
employer, we had a group with 80K users on a W2K native domain and it actually 
did work, replication and all.
 
The major issue we ran into was trying to promo new DCs and do our 2K3 migration.  That was a near 
complete meltdown as a result of this one particular group.  Thus it is 
still a bad idea to break the recommendation, even if it can be made to 
work.  You'll definitely regret it later.
 
Joe K.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, April 12, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups
 
Group memberships are replicated in W2K3 per object as opposed to the whole group. In 
w2k there is a hard limit of 5000 members per group but a group can be nested in 
another group giving you virtually unlimited group memberships. The problem in 
w2k is that a change to any one member of a group requires full replication of 
the group.
 
In w2k3 the limitation was removed and now just the change is replicated as opposed to the 
complete group. So, long and short is that group replication in w2k3 is not as 
serious an issue as it was in w2k.
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups
 
5000 is the 'recommended' limitation for groups on both Win2k and Win2k3 - but that 
limitation is only due to replication issues with AD.
 
-Jon

   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
  Sent: Tuesday, April 12, 2005 12:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] 1000 groups
  Hi 
  All

RE: [ActiveDir] 1000 groups

2005-04-15 Thread joe



Yeah I questioned MS-Premier PSS on that several years ago 
and it spawned a 3 week email conversation where I never got a good 
answer and I submitted it as a bug to PSS and I think it got lost somewhere. 
Mostly I think the issue was most of the people I spoke to about it didn't 
really understand what I was saying and this was before any 
significant amount of work was being pushed to India. 

 
My personal guesses from what I was being told was along 
the lines that they didn't really expect people to use DLGs very much because MS 
internally didn't use them much, they were caught up in their whole UGLy model 
which I thought from the beginning when I first saw it was pretty much crap for 
a large deployment and (possibly needless) extra work for a small deployment. 
That belief was further fed as I ran into more and more issues with MS 
tools/processes that didn't handle domain local groups well back in the day like 
adding DLGs to rights, etc on member machines. 
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 3:36 AM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

had me worried just the same when reading DL and thinking Distribution Lists ;-))
 
one thing that I don't understand is, why doesn't the token only store the _RIDs_ of the DLGs - why are they stored with the full SID??? 
Makes no sense to me, as they are able to use the RID for GGs and UGs - and 
naturally they have some mechanism on the client side anyways to expand the RIDs 
in the token back to the full SIDs for the security token used e.g. during 
resource authorization (I believe this was added in Win2k SP2).  
 
It's obvious that the SIDs from SIDhistory are added to the token as full SIDs as these have a different domain-part in the SID - but I 
certainly don't grasp why it's required for the DLGs of the same domain...?  
 
And don't forget - in a perfect joe-world, all groups would be DLGs so you wouldn't even have any benefit of the new mechanism to store RIDs 
in the token to limit its size ;-)
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15. April 2005 01:57
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] 1000 groups

Ah Domain Local Group (DLG) SIDS... Sorry, I misread your 
post and thought you meant Distribution List when you said DL Groups. Looking at 
too much Exchange stuff lately.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 7:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's not the way I understand the token construct in later-than-NT4 Windows 
builds.  As I understand it, the effective token is the result of the 
combined TGT and Session ticket PAC (portions directly derived from the TGT) as 
it relates to a particular target resource (PAC = privileged attribute cert., 
the kerb. attr. designated to carry OS proprietary auth. data) ... the 
change you reference simply forces a 2K3 DC to include Domain Local group SIDs 
within the TGT (regardless of domain mode) with a view to making the overall 
authorization process more consistent.
 
As for your 2nd question, that's a good one ... let me give that some 
thought.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDS thing. 
I take it this is a case of the SIDS being in the actual kerb ticket and not in 
the actual token and restricted correct? 
 
Is there a mechanism for listing the groups in a given tgt?



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and the ~5000 limitation are entirely unrelated.  
 
Regarding token bloat; the more accurate max. SIDs value is 1015.  This is due to 9 well-known SIDs that are always present 
and should, therefore, not be part of any calculation as to what we can be 
administratively affected. In addition, tickets handed out by 2K3 DCs always 
contain DL group SIDs regardless of domain mode and, as such, are always a 
little bigger than a corresponding ticket issued by a 2000 DC in mixed mode 
(this is done solely to avoid inconsistencies during transition of modes -- 
considered a bug by many, myself included).  
 
In contrast, we do attempt to compress specific tokens by maintaining only the RID 
(not the whole SID) where applicable.  A MaxTokenSize registry value exists 
that simply governs the upper limit.  Increasing the value will likely 
cause performance concerns and, mor
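To put numbers behind Dean's 1015 figure and Guido's question about why domain local groups are carried as full SIDs, here is an added Python example (not from the thread) built on the token size estimate from Microsoft KB 327825, TokenSize = 1200 + 40d + 8s. d counts the entries stored as full 40-byte SIDs (domain local groups, universal groups from other domains, sIDHistory entries) and s the entries stored as 8-byte RIDs of the account domain (global groups and universal groups in the user's own domain). The 12000-byte MaxTokenSize default of the Win2000 SP2 to 2008 R2 era and the 1024-SID token limit are stated as constants and are the example's assumptions; the group counts in the usage are made up.

```python
# Estimate from Microsoft KB 327825:  TokenSize = 1200 + 40*d + 8*s
TICKET_OVERHEAD = 1200          # fixed overhead the KB formula assumes
FULL_SID_BYTES = 40             # entries that must carry a whole SID
RID_ONLY_BYTES = 8              # entries carried as a RID of the account domain
WELL_KNOWN_SIDS = 9             # always present (Dean's 1015 = 1024 - 9)
MAX_SIDS_IN_TOKEN = 1024        # hard cap on SIDs in an access token
DEFAULT_MAX_TOKEN_SIZE = 12000  # MaxTokenSize default, Win2000 SP2 .. 2008 R2 (assumed here)


def token_size(domain_local=0, global_groups=0, same_domain_universal=0,
               foreign_universal=0, sid_history=0):
    """d = full-SID entries, s = RID-only entries, per KB 327825."""
    d = domain_local + foreign_universal + sid_history
    s = global_groups + same_domain_universal
    return TICKET_OVERHEAD + FULL_SID_BYTES * d + RID_ONLY_BYTES * s


def sid_count(domain_local=0, global_groups=0, same_domain_universal=0,
              foreign_universal=0, sid_history=0):
    """Every entry is one SID in the token, however it is encoded in the PAC."""
    return (WELL_KNOWN_SIDS + domain_local + global_groups
            + same_domain_universal + foreign_universal + sid_history)


def check_token(max_token_size=DEFAULT_MAX_TOKEN_SIZE, **groups):
    """Return (bytes, sids, problems) for one constructed membership profile.
    Both limits are independent: RID-only groups are cheap in bytes but still
    count against the 1024-SID cap."""
    size = token_size(**groups)
    sids = sid_count(**groups)
    problems = []
    if size > max_token_size:
        problems.append(f"estimated {size} B exceeds MaxTokenSize {max_token_size}")
    if sids > MAX_SIDS_IN_TOKEN:
        problems.append(f"{sids} SIDs exceed the {MAX_SIDS_IN_TOKEN}-SID token limit")
    return size, sids, problems


def max_groups_of_kind(kind, max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """How many groups of one kind (and nothing else) fit before either limit."""
    per_entry = (FULL_SID_BYTES
                 if kind in ("domain_local", "foreign_universal", "sid_history")
                 else RID_ONLY_BYTES)
    by_bytes = (max_token_size - TICKET_OVERHEAD) // per_entry
    return min(by_bytes, MAX_SIDS_IN_TOKEN - WELL_KNOWN_SIDS)


if __name__ == "__main__":
    # Constructed profiles: "joe-world" (everything domain local) against the
    # UGLy model (mostly global groups) with the same number of groups.
    for label, profile in (("all domain local", dict(domain_local=300)),
                           ("all global", dict(global_groups=300))):
        print(label, check_token(**profile))
    print("DLGs before overflow:", max_groups_of_kind("domain_local"))
    print("global groups before overflow:", max_groups_of_kind("global"))
```

With the default MaxTokenSize, 270 domain local groups already overflow the token, whereas the same user could hold 1015 global groups before the SID cap, not the byte budget, becomes the limit. That asymmetry is exactly the cost Guido is asking about.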

RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Good points. The link tracking was indeed a bite in the ass. I caught that
one pretty early on the game so it didn't give us significant growth though.
I was busy shutting down all of the services and I made MS tell me what that
one was for and I was like... I don't want that, and killed it in the DC
policy and purged the small number of objects we had (maybe 5000). 

The switch to K3 from 2K did significantly reduce the DIT size as well, I
actually think it was on the order of 30-40% and took the GC DIT to around
5-6GB from the 8GB it was on the 2K DCs.

For the DITs up in the 50-100GB range that Eric saw I would strongly
question the data going into the directory. That sounds like a company that
took MS's early ramblings of AD as the every directory to heart and actually
did it forgetting the primary functionality of the directory and what I
think should be protected at all costs, the NOS aspects of the directory.
Remember the more garbage you have in the directory that is undergoing
change (or churn if you want) the slower you are getting NOS specific
updates replicated around. All of that stuff goes through the same
replication system and urgent replication means things are queued urgently,
not replicated urgently[1].


  joe


[1] At least that was the case the last time I watched the replication queue
for any serious length of time. 




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 4:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

It's also worth pointing out that you have to distinguish heavily between
the OS version and the DIT size to expect. Other cleanup tasks can also
strongly impact DIT size. 

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled the
"Distributed Link Tracking" service on all DCs as it feeds AD with a ton of
garbage information (actually the information would be quite useful if any
app were using it - but as even the MS apps make no use of it to look up the new
location of moved files in AD, this service is useless).
After removal of a ton of link-objects which were collected over the years
in each domain's \System\FileLinks container, we decreased the DIT size
easily by 6GB (don't have the exact values off the top of my head) -
naturally this was after the tombstone lifetime and an offline defrag.
So now we were down to something like 12GB.  Check out Q312403 for more
details - if you're running a new Win2003 AD, this service will be turned
off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB and
thus got us down to 7GB => so now we're 11GB less than it was for a Win2000
DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But this
impact is not as dramatic (will mostly impact DIT on those DCs which aren't
DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15 April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20 GB TB
SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install AD
from media in 2003 but I would think there would be problems in a 2000
domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the nice
tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you
> for this and didn't want to speak out of turn for you.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
> 
> ~Eric
> 
> -Original Message-
> From: [EMAIL PROTECT

[ActiveDir] OT Maybe: Import GPO without Domain

2005-04-15 Thread Edwin

I am using VB.NET to create an application
that will configure the server from beginning to end without manual SysAdmin
intervention.  Basically, once a server is installed, it must be
configured to our specifications.

 

I am aware of ADS and RIS and I am already
using these options.  But in this particular case, it is not an option.

 

What I would like to do is import a GPO but
without the use of a domain.  These machines need to be stand alone. 
I can only import the “Security Settings” section of the GPO by
using secedit.exe.

 

How can I import/export the “Computer
Configuration” and “User Configuration” sections?

 

Thanks,

Edwin

RE: [ActiveDir] DC location queries

2005-04-15 Thread joe



You know I remember reading this way back in 2000 (the 
year, not the OS) and I NEVER saw that happen. New DCs that were promoted 
without an appropriate subnet never landed in the default first site, they 
landed in a semi-random location, usually (probably always but I can't say for 
sure now) the first site if you sorted the sites alphabetically. I guess I would 
have fired the people who did those promos but I was only a contractor at that 
location and the management knew better than me and I actually ended up 
being fired. In the end, I would simply look at the first site in the list and 
see which DCs were sitting there. There were usually a few because at the height 
of the migration we were doing 10+ DCs a day.
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 4:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC location queries

that default first site would only be used when promoting 
new DCs to a domain if that DC has an IP address that's not 
defined for any subnet/site.  Naturally, I would fire anyone who even tries 
to promote a DC without doing the necessary prep-work..., so you should never 
run into the situation to require the default first site.
 
As far as I recall from testing a very long time ago in 
Win2000, if the default first site is renamed or removed, a newly promoted DC 
(with an IP address for a non-defined subnet) will be added to some random site 
- I'd have to test this again in 2003, if this mechanism still 
applies.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 01:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC location queries

1. Yes. 
2. Yes
3. No.
 
Basically clients go through this 
process
 
A. Determine site of client
B.  Retrieve list of DCs registered for site, this 
could be DCs in the site or other sites covering that site.
C. If none available, retrieve list of DCs for 
domain
 
Your case 3 involves a client in an undefined subnet or a 
subnet not linked to a site. In that case, the site will be null for that client 
and it will jump straight to C.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, April 07, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC location queries

I would like to ask for confirmation relating to the 
below scenarios and DC location: 
1. Client in site with no DCs installed 
Client receives list of DCs which have registered 
SRV records on behalf of that site 
2. Client in site with a DC but that DC is 
unavailable Client requests list of DCs 
registered at the domain level 
3. Client in unknown site Client receives list of DCs associated with the 
defaultFirstNameSite 
We have only hub sites register as per point 2 and 
the default site has been renamed. How do I determine which site has assumed the 
role of the default site?
Thanks, neil 


RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread joe
LOL. But you are a very fine German Guido, don't let that be an excuse. 

If that is their current sam name format, they could already be bumping into
the issue. :)


  joe 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 15, 2005 3:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

what a fine English statement "the astute will understand why"... ;-)

had to get a dictionary to understand that one - but I can always say I'm
German for an excuse ;-))

agree on what you're getting at and that was my original order when I wanted
to reply - then I read Mayuresh's post again: from this, their current
samaccountname seems to be firstname_lastname, and now they're looking for
an alias for a shorter version...

So Mayuresh - as pointed out, it would obviously be best to rename the
samAccountName of all your existing accounts to the short-name and then use
the long-name for the UPN. Adds a good amount of work, but may be the better
end-result.

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 00:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

I agree with Guido but would flip it around and make the short name the
sAMAccountName...

Domain\mkshirsa

And 

[EMAIL PROTECTED]


The astute will understand why


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Thursday, April 14, 2005 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

Jorge is correct that you can't create aliases to security principals in AD,
however, you do have two logon names, which may be sufficient for your
requirement:  

you can use the
samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar 

or the
UserPrincipalName (User logon name) => [EMAIL PROTECTED] [or whatever
suffix you configure]

It will likely depend on what your application allows you to do (some do
require the Domain\samAccountName format because they've hardcoded this in
their logon screens...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 14 April 2005 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

In AD it is not possible to create aliases to security principals (i.e. user
accounts)

Why do you need separate names?

Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday 14 April 2005 12:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Alias Authentication in AD

Hi Experts,

I am looking out for a possibility where if I have a user:

username: mayuresh_kshirsagar
password: 

I want to create an alias of this user entry say

username: mkshirsa
password: 

where I can login using any of the above two usernames.

Is this a possibility?

Regards,
Mayuresh.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

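An added check of my own (not joe's or Guido's code) for the point joe leaves to "the astute": the pre-Windows 2000 logon name (sAMAccountName) is limited to 20 characters and rejects the characters " / \ [ ] : ; | = , + * ? < >, so a firstname_lastname scheme fails as soon as a combined name gets long, whereas the UPN carries a long name without that limit. The script validates a proposed sAMAccountName and builds the two logon names the way joe suggests (short name as sAMAccountName, long name as UPN). The UPN suffix corp.example and the DOMAIN prefix are constructed placeholders; the archive has the real address redacted.

```python
"""sAMAccountName / UPN check: an added example, not code from the thread."""
from typing import Dict, List

SAM_MAX_LEN = 20  # pre-Windows 2000 logon name limit for user accounts
# Characters the pre-Windows 2000 logon name rejects
SAM_ILLEGAL_CHARS = frozenset('"/\\[]:;|=,+*?<>')


def check_sam_account_name(name: str) -> List[str]:
    """Return the reasons a proposed sAMAccountName would be rejected (empty = OK)."""
    problems: List[str] = []
    if not name:
        problems.append("empty")
        return problems
    if len(name) > SAM_MAX_LEN:
        problems.append(f"{len(name)} chars, limit is {SAM_MAX_LEN}")
    bad = sorted(set(name) & SAM_ILLEGAL_CHARS)
    if bad:
        problems.append("illegal characters: " + " ".join(bad))
    if name != name.strip():
        problems.append("leading/trailing whitespace")
    return problems


def logon_names(short: str, long_name: str, upn_suffix: str) -> Dict[str, str]:
    """joe's layout: the short name becomes the sAMAccountName (DOMAIN\\short),
    the long name becomes the UPN (long@suffix). DOMAIN is a placeholder."""
    problems = check_sam_account_name(short)
    if problems:
        raise ValueError(f"{short!r} is not a usable sAMAccountName: {problems}")
    if "@" in long_name:
        raise ValueError("the UPN prefix must not itself contain '@'")
    return {
        "sAMAccountName": short,
        "domain_logon": f"DOMAIN\\{short}",
        "userPrincipalName": f"{long_name}@{upn_suffix}",
    }


if __name__ == "__main__":
    print(check_sam_account_name("mayuresh_kshirsagar"))   # 19 chars: fits
    print(check_sam_account_name("alessandro_bartolomeo"))  # 21 chars: too long
    print(logon_names("mkshirsa", "mayuresh_kshirsagar", "corp.example"))
```

Mayuresh's current name is 19 characters, one short of the limit, which is the "already bumping into the issue" joe alludes to: the next colleague with a longer surname cannot get a sAMAccountName in the same format at all.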


RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread joe
Braggart.  ;o) 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Well I've seen very very large in test on many occasions. The numbers I
cited below (with those very descriptive adjectives) are just what I've seen
in production. I didn't think test counted.

If you want to count test, I could fire up a test db that is a TB or so on a
san I have nearby. :)


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

See I almost cc'ed you on the response to get your input on this too as I
knew you had played with some 16GB+ DITS but didn't want to bother you for
this and didn't want to speak out of turn for you.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 14, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

I've seen larger.
I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
100GB+ on a few occasions.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 4:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

The largest production DIT I have personally seen was on the order of 8GB
for the GC DIT for a Fortune 5 company running about 250k users of which
about 180k were Exchange enabled. Also had some 250k contacts, 200k or so
computer objects, 100k or so group objects and consisted of 9 domains.

  joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Tuesday, April 12, 2005 2:53 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] NTDS.dit size

I know that AD can have millions of objects, just trying to see what the
real world size of some of your AD databases are.  Do any of you have databases
greater than 20GB+... or more?

Thanks
Mike


RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Carlos Magalhaes
Eric,

Granted but how much of that actual 100gb will be replicated over that
64k line? I can see the issue if you do a DC promo on a W2k3 server on
the other side and it's the first box and has to pull info over 64k, but
once established that traffic shouldn't even be close to 100mb.

That said it is also environment dependent :P

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: 15 April 2005 06:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] NTDS.dit size

Oops, I typo'd. First paragraph should have read:

--
It's hard to characterize how "much" connectivity you need vs. how big
your db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that changes a _ton_. So really, it's all
about your rate of change, with the size only being a guideline.
--

I would also add, that in the average case, you're right... large DBs
_tend_ to require more bandwidth than smaller ones. I can't picture a
100gb DB on the other side of a 64k link being good in the average case.
:)

~Eric



-Original Message-
From: Eric Fleischman 
Sent: Thursday, April 14, 2005 8:56 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] NTDS.dit size

It's hard to characterize how "much" connectivity you need vs. how big
your db is.  A huge db of mostly static info doesn't need nearly as much
connectivity as a smaller db that doesn't change very much. So really,
it's all about your rate of change, with the size only being a
guideline.

For promotion, at that scale, IFM is clearly the way to go. But there's
nothing wrong with the occasional promotion that is over the wire. It'll
finish, it will just take a while, even on a fast network.

With a 20gb db, a few things might help you:
1) Explore 64bit (ia64 or x64). Recall that on 2k3 32bit your best case
cache is ~2.6gb in size. With 64bit, the sky is the limit... throw ram
at a DC, and it will use it to cache more of the db. DB caching cuts
down on the I/O required for reads (which for most people are the bulk
of their load) and help your perf a lot.
2) If you're on 32bit, I like boxes w/~4gb of physical memory, nothing
else on them, and /3gb set. It lets you really use your cache well, and
still have some headroom for the OS and tools you might use here and
there.
3) I'm a fan of profiling traffic hitting my DCs and optimizing the
queries for AD, and possibly optimizing AD for the queries (both are on
the table). Tools like SPA, field engineering logging (mentioned in a
thread on this dl earlier today) and any 3rd party tools you might like
all can help here. Though this advice isn't specific to large DBs... I
like making things faster at any scale. :)
4) Standard disk logic about optimizing I/O throughput applies.
5) Some people "warm" the cache on DC boot. This is particularly
interesting on 64bit DCs where you have tons of memory headroom. That
is, after the box boots they run some really expensive queries that walk
very expensive indexes (ancestry, dnt, etc.) to traverse as many objects
as they can, and get them off of the disk and in to memory. It hits the
DC hard from an I/O standpoint on boot, but it does get a lot of the db
in to memory for actual load that starts to hit the box after. It's done
in more environments than one. I like the idea quite a bit, and have
thought about if there is anything we should do in the product to help
facilitate this.

The list is of course endless, but these are a few things that come to
mind.

My $0.02
~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Thursday, April 14, 2005 8:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20
GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you for
> this and didn't want 

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-15 Thread Carlos Magalhaes
Well, none of the actual DIT is cached (into the RAM), IMO. The engine
might cache regular/common lookups, indexes etc. but none into the actual
DC's RAM. But then again you have to define what you mean by "into
RAM".

Nathan is quite right with "Checking the working set size of LSASS is
not reliable." There are many more processes that the LSASS is taking
care of. You could dump the LSASS process and take a look and then
determine from there what is happening. 

But now I am curious why you're asking :P Do you have a hungry LSASS
process?
If you do, what Patch/Service Pack level do you have on that box?

Carlos Magalhaes 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: 15 April 2005 06:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Checking the working set size of LSASS is not reliable. There's process
overhead for things like lsa session handles and other stuff related to
the security sub system.

The most accurate method is to enable the ESE Database performance
counters and look at "Cache Size". To enable the DB counters, install
Server Performance Advisor, or check out
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbm_mon_pzgc.asp 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 14, 2005 8:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

By checking the working set size of LSASS?


Roger Seielstad
E-mail Geek 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Fugleberg, David A
> Sent: Thursday, April 14, 2005 2:22 PM
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] How much of the DIT is cached in RAM ?
> 
> How can I determine how much of the DIT is being cached in 
> RAM on a given DC ?
> 
> Dave
> 
> 



RE: [ActiveDir] DC location queries

2005-04-15 Thread Grillenmeier, Guido



that default first site would only be used when promoting 
new DCs to a domain if that DC has an IP address that's not 
defined for any subnet/site.  Naturally, I would fire anyone who even tries 
to promote a DC without doing the necessary prep-work..., so you should never 
run into the situation to require the default first site.
 
As far as I recall from testing a very long time ago in 
Win2000, if the default first site is renamed or removed, a newly promoted DC 
(with an IP address for a non-defined subnet) will be added to some random site 
- I'd have to test this again in 2003, if this mechanism still 
applies.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 01:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC location queries

1. Yes. 
2. Yes
3. No.
 
Basically clients go through this 
process
 
A. Determine site of client
B.  Retrieve list of DCs registered for site, this 
could be DCs in the site or other sites covering that site.
C. If none available, retrieve list of DCs for 
domain
 
Your case 3 involves a client in an undefined subnet or a 
subnet not linked to a site. In that case, the site will be null for that client 
and it will jump straight to C.
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Thursday, April 07, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DC location queries

I would like to ask for confirmation relating to the 
below scenarios and DC location: 
1. Client in site with no DCs installed 
Client receives list of DCs which have registered 
SRV records on behalf of that site 
2. Client in site with a DC but that DC is 
unavailable Client requests list of DCs 
registered at the domain level 
3. Client in unknown site Client receives list of DCs associated with the 
defaultFirstNameSite 
We have only hub sites register as per point 2 and 
the default site has been renamed. How do I determine which site has assumed the 
role of the default site?
Thanks, neil 


RE: [ActiveDir] NTDS.dit size

2005-04-15 Thread Grillenmeier, Guido
It's also worth pointing out that you have to distinguish heavily
between the OS version and the DIT size to expect. Other cleanup tasks
can also strongly impact DIT size. 

At HP our Win2000 GCs had an average DIT size of 18GB - we then disabled
the "Distributed Link Tracking" service on all DCs as it feeds AD with a
ton of garbage information (actually the information would be quite
useful if any app were using it - but as even the MS apps make no use of
it to look up the new location of moved files in AD, this service is useless).
After removal of a ton of link-objects which were collected over the
years in each domain's \System\FileLinks container, we decreased the DIT
size easily by 6GB (don't have the exact values off the top of my head) -
naturally this was after the tombstone lifetime and an offline defrag.
So now we were down to something like 12GB.  Check out Q312403 for
more details - if you're running a new Win2003 AD, this service will be
turned off by default.

Then the first Win2003 DCs were introduced (we did perform some inplace
upgrades, but eventually all of them were re-installed) => the
single-instance store of ACEs introduced in Win2003 saved us another 5GB
and thus got us down to 7GB => so now we're 11GB less than it was for a
Win2000 DC with DLT objects ;-)

We've further improved DIT size (and replication) by moving the DNS data
into the DNS app partitions (so that they're not part of the GC). But
this impact is not as dramatic (will mostly impact DIT on those DCs
which aren't DNS servers...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: Friday, 15 April 2005 05:43
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] NTDS.dit size

Eric/Joe,

Thanks for the great input!  My test lab is VM ware running on 20
GB TB SAN that you can use as a test = very nice setup.

100 GB did those sites have really good connectivity?  You can install
AD from media in 2003 but I would think there would be problems in a
2000 domain with poorly connected offices.

Joe, do you run joeware.net... if you do great site and thanks for the
nice tools.


Thanks again

Mike

On 4/14/05, Eric Fleischman <[EMAIL PROTECTED]> wrote:
> Well I've seen very very large in test on many occasions. The numbers I
> cited below (with those very descriptive adjectives) are just what I've
> seen in production. I didn't think test counted.
> 
> If you want to count test, I could fire up a test db that is a TB or so
> on a san I have nearby. :)
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:58 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> See I almost cc'ed you on the response to get your input on this too as I
> knew you had played with some 16GB+ DITS but didn't want to bother you for
> this and didn't want to speak out of turn for you.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Thursday, April 14, 2005 7:35 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> I've seen larger.
> I've seen 15GB+ on MANY occasions, 30GB+ on quite a few occasions, and
> 100GB+ on a few occasions.
> 
> ~Eric
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Thursday, April 14, 2005 4:28 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] NTDS.dit size
> 
> The largest production DIT I have personally seen was on the order of 8GB
> for the GC DIT for a Fortune 5 company running about 250k users of which
> about 180k were Exchange enabled. Also had some 250k contacts, 200k or so
> computer objects, 100k or so group objects and consisted of 9 domains.
> 
>  joe
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Tuesday, April 12, 2005 2:53 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] NTDS.dit size
> 
> I know that AD can have millions of objects, just trying to see what the
> real world size of some of your AD databases are.  Do any of you have
> databases greater than 20GB+... or more?
> 
> Thanks
> Mike
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] wt32

2005-04-15 Thread Steve Rochford
Change the width of your command prompt window to be more than 80 (120
works) and you'll see it's not a random * - it's drawing a chart for you
and the * shows the offset:

[  *   |]
[  *   |]
[  *   |]
[   *  |]
[   *  |] 

This indicates that the computer is slightly behind the time server
you're checking.

Steve

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of James Green
> Sent: 06 April 2005 17:29
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] wt32
> 
> Hello
> 
> When I use w32tm /stripchart /computer:ServerName I get back 
> the following:
> The current time is 01/03/2005 14:54:08 (local time).
> 11:34:08 d:+00.0155807s o:+00.0085187s  [        *        ]
> 11:34:10 d:-00.290s o:+00.0017713s  [        *        ]
> 
> What does 'd' and '*' stands for?
> 
> James
> 
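
The reply above explains how to read a stripchart sample; the following is an added example (not from the thread) that parses lines in that format, states the direction of the offset, and checks the worst skew against the Kerberos default tolerance of five minutes. The sign convention (positive o = local clock behind the server) and the sample lines are assumptions constructed for the example.

```python
"""Parse w32tm /stripchart samples like the ones quoted in this thread.

Added example, not from the thread. Assumed sign convention: a positive o
means the remote clock is ahead, so the local clock is behind (* left of |).
"""
import re
from statistics import mean

SAMPLE_RE = re.compile(              # e.g. "11:34:08 d:+00.0155807s o:+00.0085187s"
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"d:(?P<delay>[+-]?\d+(?:\.\d+)?)s\s+"   # d = round-trip delay to the server
    r"o:(?P<offset>[+-]?\d+(?:\.\d+)?)s"     # o = clock offset
)
KERBEROS_MAX_SKEW_S = 300.0  # Kerberos default clock-skew tolerance: 5 minutes

# Constructed sample modelled on the output quoted in the question.
SAMPLE_OUTPUT = """\
The current time is 01/03/2005 14:54:08 (local time).
11:34:08 d:+00.0155807s o:+00.0085187s  [        *   |        ]
11:34:10 d:+00.0290000s o:+00.0017713s  [          * |        ]
"""


def parse_stripchart(text):
    """Return one dict per sample line; the header line is skipped."""
    samples = []
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            samples.append({"time": m.group("time"),
                            "delay_s": float(m.group("delay")),
                            "offset_s": float(m.group("offset"))})
    return samples


def direction(offset_s, deadband_s=0.001):
    """Turn the offset sign into the wording used in the reply."""
    if abs(offset_s) < deadband_s:
        return "in sync"
    return "behind" if offset_s > 0 else "ahead"


def summarize(text):
    """Mean offset, worst skew and whether Kerberos would still accept it."""
    offsets = [s["offset_s"] for s in parse_stripchart(text)]
    if not offsets:
        raise ValueError("no stripchart samples found")
    worst = max(abs(o) for o in offsets)
    return {"samples": len(offsets),
            "mean_offset_s": mean(offsets),
            "local_clock": direction(mean(offsets)),
            "worst_skew_s": worst,
            "kerberos_ok": worst < KERBEROS_MAX_SKEW_S}
```

`summarize(SAMPLE_OUTPUT)` reports the local clock as "behind" by a few milliseconds with `kerberos_ok` True; feeding it real `w32tm /stripchart` output from a DC shows whether the drift is anywhere near the point where ticket validation starts failing.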


RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido



had me worried just the same when reading DL and 
thinking Distribution Lists ;-))
 
one thing that I don't understand is, why doesn't the token 
only store the _RIDs_ of the DLGs - why are they stored with the full SID??? 
Makes no sense to me, as they are able to use the RID for GGs and UGs - and 
naturally they have some mechanism on the client side anyways to expand the RIDs 
in the token back to the full SIDs for the security token used e.g. during 
resource authorization (I believe this was added in Win2k SP2).  

 
It's obvious that the SIDs from SIDhistory are added to the 
token as full SIDs as these have a different domain-part in the SID - but I 
certainly don't grasp why it's required for the DLGs of the same 
domain...?  
 
And don't forget - in a perfect joe-world, all groups would 
be DLGs so you wouldn't even have any benefit of the new mechanism to store RIDs 
in the token to limit its size ;-)
 
/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 01:57
To: ActiveDir@mail.activedir.org; 'Send - AD mailing list'
Subject: RE: [ActiveDir] 1000 groups

Ah Domain Local Group (DLG) SIDS... Sorry, I misread your 
post and thought you meant Distribution List when you said DL Groups. Looking at 
too much Exchange stuff lately.
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 7:38 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

That's not the way I understand the token construct in later-than-NT4 Windows 
builds.  As I understand it, the effective token is the result of the 
combined TGT and Session ticket PAC (portions directly derived from the TGT) as 
it relates to a particular target resource (PAC = privileged attribute cert., 
the kerb. attr. designated to carry OS proprietary auth. data) ... the 
change you reference simply forces a 2K3 DC to include Domain Local group SIDs 
within the TGT (regardless of domain mode) with a view to making the overall 
authorization process more consistent.
 
As for your 2nd question, that's a good one ... let me give that some 
thought.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 7:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Interesting post Dean, I wasn't aware of the DL SIDS thing. 
I take it this is a case of the SIDS being in the actual kerb ticket and not in 
the actual token and restricted correct? 
 
Is there a mechanism for listing the groups in a given tgt?



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, April 12, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] 1000 groups

Firstly, the so-called well-known ~1000 limitation and 
the ~5000 limitation are entirely unrelated.  
 
Regarding token bloat; the more accurate max. SIDs 
value is 1015.  This is due to 9 well-known SIDs that are always present 
and should, therefore, not be part of any calculation as to what can be 
administratively affected. In addition, tickets handed out by 2K3 DCs always 
contain DL group SIDs regardless of domain mode and, as such, are always a 
little bigger than a corresponding ticket issued by a 2000 DC in mixed mode 
(this is done solely to avoid inconsistencies during transition of modes -- 
considered a bug by many, myself included).  
 
In contrast, we do attempt to compress specific tokens by maintaining only the RID 
(not the whole SID) where applicable.  A MaxTokenSize registry value exists 
that simply governs the upper limit.  Increasing the value will likely 
cause performance concerns and, more significantly, potential application 
failures due to timeouts (too many SIDs to compare, call does not return and 
app. assumes failure).  This article alludes to the problem -
 
http://support.microsoft.com/kb/313661/
 
Real-time token size can be calculated using the 
following tool -
 
http://www.microsoft.com/downloads/details.aspx?FamilyID=4a303fa5-cf20-43fb-9483-0f0b0dae265c&displaylang=en
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
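
Dean's point about RID compression and Guido's question above about why DLGs cost a full SID each can be put in numbers. This is an added example, not from the thread: it applies the estimating formula Microsoft published in KB 327825 (TokenSize = 1200 + 40d + 8s, not cited in the thread), takes the 1015 effective SID ceiling from Dean's post, and assumes 12000 bytes as the MaxTokenSize default of the period.

```python
"""Token-size estimate for the DLG-vs-RID question raised in this thread.

Added example, not from the thread. It applies Microsoft's KB 327825 estimate
TokenSize = 1200 + 40*d + 8*s (d = entries carried as full SIDs, s = entries
carried as RIDs only), takes the 1015 effective SID ceiling from Dean Wells'
post, and assumes 12000 bytes as the MaxTokenSize default of the period.
"""

TICKET_OVERHEAD = 1200          # fixed bytes per ticket in the KB estimate
FULL_SID_BYTES = 40             # whole SID stored: DLGs, foreign UGs, SIDHistory
RID_ONLY_BYTES = 8              # RID only: GGs and UGs from the account domain
MAX_SIDS_EFFECTIVE = 1015       # 1024 minus 9 always-present well-known SIDs
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumed MaxTokenSize default (bytes)


def split_entries(domain_local=0, foreign_universal=0, sid_history=0,
                  global_groups=0, local_universal=0):
    """Return (full_sid_entries, rid_only_entries) for a membership mix.

    Domain local groups, universal groups from other domains and SIDHistory
    entries carry a complete SID; global and universal groups from the user's
    own domain are compressed to their RID, the point Guido asks about.
    """
    full = domain_local + foreign_universal + sid_history
    rid_only = global_groups + local_universal
    return full, rid_only


def estimate_token_size(**groups):
    """KB 327825 byte estimate for the given group counts."""
    full, rid_only = split_entries(**groups)
    return TICKET_OVERHEAD + FULL_SID_BYTES * full + RID_ONLY_BYTES * rid_only


def check_token(max_token_size=DEFAULT_MAX_TOKEN_SIZE, **groups):
    """Estimate plus the two ceilings worth watching before logons fail."""
    full, rid_only = split_entries(**groups)
    size = estimate_token_size(**groups)
    return {
        "estimated_bytes": size,
        "group_sids": full + rid_only,
        "over_sid_limit": full + rid_only > MAX_SIDS_EFFECTIVE,
        "over_max_token_size": size > max_token_size,
    }


if __name__ == "__main__":
    # Constructed scenario: the same 300 memberships held as DLGs and as GGs.
    print(check_token(domain_local=300))   # 13200 bytes: over the 12000 default
    print(check_token(global_groups=300))  # 3600 bytes
```

The same 300 memberships cost 13200 bytes as domain local groups but 3600 bytes as global groups, which is why the thread cares whether the token carries RIDs or whole SIDs.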
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
Sent: Tuesday, April 12, 2005 12:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 1000 groups


Hi All:
Can an AD user be a member of more than 1000 groups?  Someone told me that 
1000 was an AD limitation.   Is that true?
Thanks,
--Brian

RE: [ActiveDir] 1000 groups

2005-04-15 Thread Grillenmeier, Guido



> Regular multivalue attributes still have a limitation on size. In 2K that
> is approximately ~850 members and in K3 that is approximately ~1300
> members.
I'd call these "entries" instead of members to avoid 
confusion...
 
Not sure if it was mentioned in another part of this 
thread, but it should be clear, that the version store limit also still applies 
to 2k3 linked attributes (such as group-memberships) when updating these => 
i.e. you shouldn't add or delete more than 5000 members at one time to these 
attributes, otherwise you'll risk hitting the version store limit just like you 
did in 2k.
 
/Guido


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 01:17
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups

Not so much a myth as a general guideline. 
:o)
 
There are people who do and have broken in the 5000 group 
membership, and actually people who have broken sooner if you can believe 
newsgroup postings, and people who have exceeded the guideline and lived to tell 
about it. The issue is around version store and how it is being used on a 
particular DC at a particular time and the fact that it has to be used in 
replication but is also used when people are doing queries and updates. In 2K 
you replicate the entire member attribute (I think someone previously said this 
was object level replication, it is actually attribute level replication and 
with K3 for LV attributes it is value level replication) but in K3 linked value 
attributes are replicated at the value level instead of the attribute level. 

 
Some people think that all multivalue groups are now 
cleared up in terms of they can have limitless size. This is incorrect, the "LVR 
fix" is only, again, for linked value attributes which are DN style attributes 
with forward/back links associated with them. Regular multivalue attributes 
still have a limitation on size. In 2K that is approximately ~850 members and in 
K3 that is approximately ~1300 members. Note that hitting that limit backs you 
into the object size limit as well so you can no longer add any attributes to 
any object that has hit the limit on a single multivalue (non-LV) attributes. 
You will see an admin limit exceeded error for every attribute add you try to do 
after that. You can update already existing attributes, you simply can't add 
more.
 
  joe


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups


Note that the hard 
limit in W2K of 5000 members is actually kind of a myth.  At my current 
employer, we had a group with 80K users on a W2K native domain and it actually 
did work, replication and all.
 
The major issue we ran 
into was trying to promo new DCs and do our 2K3 migration.  That was a near 
complete meltdown as a result of this one particular group.  Thus it is 
still a bad idea to break the recommendation, even if it can be made to 
work.  You’ll definitely regret it later.
 
Joe K.
 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, April 12, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups
 
Group 
memberships are replicated in W2K3 per object as opposed to the whole group. In 
w2k there is a hard limit of 5000 members per group but a group can be nested in 
another group giving you virtually unlimited group memberships. The problem in 
w2k is that a change to any one member of a group requires full replication of 
the group.
 
In w2k3 the 
limitation was removed and now just the change is replicated as opposed to the 
complete group. So, long and short is that group replication in w2k3 is not as 
serious an issue as it was in w2k.
 

From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 12, 2005 9:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 1000 groups
 
5000 is the 
'recommended' limitation for groups on both Win2k and Win2k3 - but that 
limitation is only due to replication issues with 
AD.
 
-Jon

  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Brian Fischer
  Sent: Tuesday, April 12, 2005 12:45 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] 1000 groups

  Hi All:
  Can an AD user be a member of more than 1000 groups?  Someone told me that
  1000 was an AD limitation.   Is that true?
  Thanks,
  --Brian

RE: [ActiveDir] User Alias Authentication in AD

2005-04-15 Thread Grillenmeier, Guido
what a fine English statement "the astute will understand why"... ;-)

had to get a dictionary to understand that one - but I can always say
I'm German for an excuse ;-))

agree on what you're getting at and that was my original order when I
wanted to reply - then I read Mayuresh's post again: from this, their
current samaccountname seems to be firstname_lastname, and now they're
looking for an alias for a shorter version...

So Mayuresh - as pointed out, it would obviously be best to rename the
samAccountName of all your existing accounts to the short-name and then
use the long-name for the UPN. Adds a good amount of work, but may be
the better end-result.

Cheers,
Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 15 April 2005 00:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

I agree with Guido but would flip it around and make the short name the
sAMAccountName...

Domain\mkshirsa

And 

[EMAIL PROTECTED]


The astute will understand why


   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Thursday, April 14, 2005 7:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

Jorge is correct that you can't create aliases to security principals in AD,
however, you do have two logon names, which may be sufficient for your
requirement:  

you can use the
samAccountName (pre-Win2000 User logon name) => mayuresh_kshirsagar 

or the
UserPrincipalName (User logon name) => [EMAIL PROTECTED] [or whatever
suffix you configure]

It will likely depend on what your application allows you to do (some do
require the Domain\samAccountName format because they've hardcoded this in
their logon screens...)

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Thursday, 14 April 2005 13:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] User Alias Authentication in AD

In AD it is not possible to create aliases to security principals (i.e. user
accounts)

Why do you need separate names?

Jorge 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday 14 April 2005 12:26
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Alias Authentication in AD

Hi Experts,

I am looking out for a possibility where if I have a user:

username: mayuresh_kshirsagar
password: 

I want to create an alias of this user entry say

username: mkshirsa
password: 

where I can login using any of the above two usernames.

Is this a possibility?

Regards,
Mayuresh.

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.