Re: [ActiveDir] Policies: ALL ADMINS SHOULD READ THIS...
Blair, James wrote:

If any of you have or have had the same problem I wouldn't mind an e-mail as I need as much ammunition as possible for the seemingly large report I am going to have to put together.

You will find some description of similar and other problems with MS05-019 on the NTBugtraq list.

http://www.ntbugtraq.com/default.aspx?pid=36&sid=1

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Policies: ALL ADMINS SHOULD READ THIS...
Did uninstallation work as a workaround?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Thursday, April 21, 2005 12:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies: ALL ADMINS SHOULD READ THIS...
Importance: High

After a night of just about no sleep and spending the day on this problem, I did not let on but it was slightly more complicated, in that our Exchange servers were unable to send mail between sites. After placing a call with HP and then getting forwarded to Microsoft Canada we still had no joy.

This morning we found that the following patch was applied last Friday, our SUS roll-out day: http://support.microsoft.com/kb/893066

This patch caused the following:
* Exchange servers unable to talk between sites.
* Workstations only able to access shares on local subnets.
* Unable to access Corporate intranet (separate subnet).

If any of you have or have had the same problem I wouldn't mind an e-mail as I need as much ammunition as possible for the seemingly large report I am going to have to put together.

James

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, 20 April 2005 11:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

Assuming that there are no static(s), ACL, NAT or PAT issues with a firewall or router IOS keeping IP traffic from flowing over what I am guessing to be port 80 traffic. ICMP (ping) means little in the way of connectivity; it just means that a form of traffic can reach the destination host. Have you done a TRACERT to check the timing? Also, what port or mixture of ports seem to be blocked?

Understand that ICMP is getting through to the host, but if this involves long distances it may be a propagation issue or a combination of issues. Let's whittle some of these unknowns out one at a time till we find a solution.

Brent Eads
RE: [ActiveDir] Restricting sensitive information
That's a philosophical issue. Frankly, the bottom line is two-fold:

1. Use the concept of least necessary permissions - only grant specific people enough access to do their job - no more. Currently, I manage 1000 servers in a domain in which I have nothing more than a general "user" account - no domain admin access at all. The only explicit elevation of privileges is having rights for our OU.

2. If you can't trust the admins, replace them. There are plenty (and I mean PLENTY) of ways to validate that someone isn't doing something they shouldn't - auditing is your friend.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Katrin Wilhelm
Sent: Wednesday, April 20, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

I think if you use the 'deny' flag you should be able to restrict the access to just the 2 admins if you like. As the deny option overrides everything else, deny the 12 admin accounts and do nothing to the last two. Deny should override the privileges they got from the admin group.

Hope this helps.
Kat

From: [EMAIL PROTECTED] on behalf of Perdue David J Contr InDyne/Enterprise IT
Sent: Thu 21/04/2005 6:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

You could. If you're trying to keep Admins out of the information there is a good bet they'd have the password for the local admin account, or they could change it with less notice than a user's network account.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Wednesday, April 20, 2005 10:48 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Restricting sensitive information

Can you use a local administrator account of a machine to unencrypt files? I do it all the time on laptops that we have deployed when they bring them in for service. I'm not sure how well this works on servers, but if it does then this might not be such a great option.

Charlie

-Original Message-
From: Perdue David J Contr InDyne/Enterprise IT [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

You could encrypt the files/folders and add in the user accounts of the folks who need access as well as one or two admins to help maintain it. Depending on what your policy has set up for a recovery agent, this would prevent individuals from accessing the files. They could still rename/delete/take ownership, but they couldn't access the data.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 04:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc., what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
RE: [ActiveDir] Restricting sensitive information
Even if you use the deny attribute, if they have admin rights on the system where the file is kept, they can still take ownership and change the security attributes. You would have to deny their accounts access and remove them from the local admin on the system. Not only is that incredibly obvious, but it prevents them from doing necessary portions of their job. Coupled with the fact that if they are Domain Admins, they probably have physical access to the system. With that and a couple of well placed excuses they are into the files.

Your best bet would be to encrypt the file, and only add the accounts/certificates of individuals who require access and a person or two to help the user administrate the encryption on the files/folders. Then you set/specify the recovery agent for the system via GPO. Either remove the recovery agent or specify it as an individual account they do not have access to. Even as an admin, they cannot modify the encryption properties of the file. They could take ownership and modify permissions, but as the security attributes and the encryption information are stored in separate parts, they can't override it.

//SIGNED//
David J. Perdue
Network Security Engineer, InDyne Inc
Comm: (805) 606-4597
DSN: 276-4597
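The three points in this thread (a Deny ACE does not stop an administrator who can take ownership, EFS protects the data itself, and auditing is what makes admin access detectable) can be checked on the share in one pass. The following is an added example, not something posted to the list; it assumes it is run elevated on the file server, and the folder path is a constructed sample value.

```powershell
# Added example (not from the thread): audit a folder that must hold restricted data
# and report which admin-type principals the NTFS ACL still grants access to,
# whether the files are actually EFS-encrypted, and whether object-access auditing
# (a SACL) is configured on the folder.
# Assumes it runs elevated on the file server; $Path is a constructed sample value.
param([string]$Path = 'D:\Shares\HIPAA')

# Groups that can bypass the DACL through SeTakeOwnershipPrivilege / SeBackupPrivilege.
$AdminGroups = @('BUILTIN\Administrators', 'Domain Admins', 'Enterprise Admins', 'Backup Operators')

function Test-AdminPrincipal([string]$Identity) {
    foreach ($g in $AdminGroups) { if ($Identity -like "*$g*") { return $true } }
    return $false
}

function Get-RestrictedFolderReport([string]$Folder) {
    # -Audit also pulls the SACL, which needs SeSecurityPrivilege (hence elevated).
    $acl = Get-Acl -Path $Folder -Audit

    # 1. Allow ACEs for administrative groups. A Deny ACE does not help here:
    #    an administrator can take ownership and rewrite the DACL.
    $adminAllow = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-AdminPrincipal $_.IdentityReference.Value)
    } | ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" }

    # 2. EFS status is a per-file attribute, so list every file that is not encrypted.
    $files = Get-ChildItem -Path $Folder -File -Recurse -Force -ErrorAction SilentlyContinue
    $plain = $files | Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne [IO.FileAttributes]::Encrypted
    }

    # 3. Audit rules: without a SACL, admin access never reaches the Security log.
    $auditRules = $acl.Audit | ForEach-Object {
        "$($_.IdentityReference) : $($_.FileSystemRights) ($($_.AuditFlags))"
    }

    [pscustomobject]@{
        Folder            = $Folder
        Owner             = $acl.Owner
        AdminAllowEntries = @($adminAllow)
        TotalFiles        = @($files).Count
        UnencryptedFiles  = @($plain | Select-Object -ExpandProperty FullName)
        AuditRules        = @($auditRules)
    }
}

$report = Get-RestrictedFolderReport -Folder $Path
$report | Format-List

if ($report.AdminAllowEntries.Count -gt 0) {
    Write-Warning "Admin groups still have Allow access; rely on EFS, not the DACL, to protect the data."
}
if ($report.UnencryptedFiles.Count -gt 0) {
    Write-Warning "$($report.UnencryptedFiles.Count) file(s) are not EFS-encrypted."
}
if ($report.AuditRules.Count -eq 0) {
    Write-Warning "No audit rules on the folder; administrator access would go unrecorded."
}
```

The recovery-agent side of the advice is not visible from the file attributes alone; check the EFS recovery policy in the GPO that applies to the server separately.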
RE: [ActiveDir] Restricting sensitive information
I think if you use the 'deny' flag you should be able to restrict the access to just the 2 admins if you like. As the deny option overrides everything else, deny the 12 admin accounts and do nothing to the last two. Deny should override the privileges they got from the admin group.

Hope this helps.
Kat
Re: [ActiveDir] Restricting sensitive information
Administrators all have the "take ownership" right on all NTFS files. They could always take ownership and change the permissions to something they would like...

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Restricting sensitive information
For Domain Admins I would suggest training them all to comply with HIPAA. HIPAA doesn't say they can't have access, but that access is documented, audited and controlled. If you have to worry about HIPAA it will be very hard to keep your domain admins completely isolated from PHI, assuming that these domain admins have rights to manage email and the desktops of the machines that the people who work with the HIPAA information use.

What about old fashioned NTFS permissions? Remove the local Administrators group and that will remove Domain Admins. Or am I forgetting something? :-)

Holland + Knight
Travis Abrams
IT Security & Systems Manager
Holland & Knight LLP
Re: [ActiveDir] Restricting sensitive information
It is very important that they don't have physical access to the server and have no control over the accounts within it. These administrators who should not have access should not be administrators over these servers in any sense. If the requirement is more lax, that is to say that they should not have access and if they do have access it should be detectable, it could be done under a domain context. Otherwise it should be completely separated from the rest of the servers. It would be prudent to check local legal requirements and consult with the auditors over a satisfactory solution.

Peter Jessop
RE: [ActiveDir] Restricting sensitive information
You could. If you're trying to keep Admins out of the information there is a good bet they'd have the password for the local admin account, or they could change it with less notice than a user's network account.

Dave
//SIGNED//
David J. Perdue
RE: [ActiveDir] administrator account
Place the servers in a text file (or query those from AD). Adjust the VBS script to read each line (server name) and execute the routine. Output the info into the same file so you can search for your domain name.

I don't have a script that can do this. However, the script repository has one that almost does this. The following script enumerates all COMPUTERS from AD:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/computer/cptrvb07.mspx

You can also use ADFIND or OLDCMP to get the servers. For each domain in the forest:

AdFind.exe -b DC=W2K3DOMAIN,DC=LAN -f "&(objectcategory=computer)(operatingSystemVersion=X.X)" CN

REPLACE X.X with 5.0* for w2k, 5.1* for wxp, 5.2* for w2k3

You could also use OLDCMP (which generates a very nice HTML page!):

OLDCMP -report -age 0 -b DC=W2K3DOMAIN,DC=LAN -f "&(objectcategory=computer)(operatingSystemVersion=X.X)"

REPLACE X.X with 5.0* for w2k, 5.1* for wxp, 5.2* for w2k3

#JORGE#

-Original Message-
From: Kern, Tom
To: Jorge de Almeida Pinto
Sent: 4/20/2005 9:16 PM
Subject: RE: [ActiveDir] administrator account

In the MS script, how would you edit it so that it does an enumeration of services on all servers in a domain in one shot? Right now, I have to enter the server name as a value for that variable.

Thanks

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 3:13 PM
To: Kern, Tom; Jorge de Almeida Pinto
Subject: RE: [ActiveDir] administrator account

Never tried it myself but I think it will work (as the DS commands on a w2k3 srv also work against a w2k domain). If you don't have the correct credentials you'll need to supply them in the scripts.

#Jorge#

-Original Message-
From: Kern, Tom
To: Jorge de Almeida Pinto
Sent: 4/20/2005 9:07 PM
Subject: RE: [ActiveDir] administrator account

So, I can run schtasks from a win2k3 server to query tasks on win2k servers? Does the win2k3 server have to be in the same domain, as long as I supply the domain admin password in the target domain?

Thanks

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 3:05 PM
To: Kern, Tom; '[EMAIL PROTECTED] '; 'ActiveDir (E-mail) '
Subject: RE: [ActiveDir] administrator account

For scheduled tasks you can use (from a W2K3 server):

schtasks /query /S SRVHOST /V /FO CSV /U <user> /P <password>

Use the latter 4 only if you are not logged on with credentials that have permissions on the server you connect to.

For services the following script in the MS scriptcenter may help you:
http://www.microsoft.com/technet/scriptcenter/scripts/os/services/ossvvb08.mspx

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir (E-mail)
Sent: 4/20/2005 8:39 PM
Subject: [ActiveDir] administrator account

I'm about to change the password for the Domain administrator account and I'd like to know if there is any script that I could run that
--Message Truncated--
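The procedure Jorge sketches (enumerate the computers from AD by operatingSystemVersion, then query services and scheduled tasks on each one) is the inventory you want before rotating the Domain Administrator password, so nothing that runs under that account breaks. The script below is an added example, not from the thread or the Script Center; it assumes the ActiveDirectory PowerShell module, CIM/WinRM access to the servers and schtasks.exe on the path, and the account name is a constructed sample value.

```powershell
# Added example (not from the thread): find every service and scheduled task on the
# domain's servers that runs under a given account, so its password can be rotated
# without breaking those dependencies.
# Assumes the ActiveDirectory module, CIM/WinRM access to the servers and schtasks.exe.
param(
    # Constructed sample value: the account whose password is about to change.
    [string]$Account = 'W2K3DOMAIN\Administrator',
    # Same operatingSystemVersion trick as the AdFind/OLDCMP filters above:
    # 5.2* matches Windows Server 2003; change it to target other releases.
    [string]$OsVersionFilter = '5.2*'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Step 1: enumerate computers from AD (the PowerShell equivalent of the AdFind query).
$servers = Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystemVersion=$OsVersionFilter))" |
           Select-Object -ExpandProperty DNSHostName

# Normalise account spellings so DOMAIN\user, user@domain and plain user compare equal.
function Get-AccountKey([string]$Name) {
    if ([string]::IsNullOrWhiteSpace($Name)) { return '' }
    $n = $Name.Trim().ToLowerInvariant()
    if ($n -match '\\') { return ($n -split '\\')[-1] }
    if ($n -match '@')  { return ($n -split '@')[0] }
    return $n
}
$wanted = Get-AccountKey $Account

$findings = foreach ($srv in $servers) {
    # Step 2: services. Swap Get-CimInstance for Get-WmiObject (DCOM) on hosts without WinRM.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $srv -ErrorAction Stop |
            Where-Object { (Get-AccountKey $_.StartName) -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{ Server = $srv; Type = 'Service'; Name = $_.Name; RunAs = $_.StartName }
            }
    } catch {
        Write-Warning "Service query failed on ${srv}: $($_.Exception.Message)"
    }

    # Step 3: scheduled tasks, via the same schtasks /query /S ... /V /FO CSV call given
    # in the thread. /U and /P are omitted: the caller is assumed to be logged on with
    # credentials that have rights on the target, as Jorge describes.
    $csv = & schtasks.exe /query /S $srv /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        # Older hosts repeat the header row per task; those rows never match $wanted.
        $csv | ConvertFrom-Csv |
            Where-Object { (Get-AccountKey $_.'Run As User') -eq $wanted } |
            ForEach-Object {
                [pscustomobject]@{ Server = $srv; Type = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User' }
            }
    } else {
        Write-Warning "schtasks query failed on $srv"
    }
}

$findings | Sort-Object Server, Type, Name | Format-Table -AutoSize
```

Each row in the output is a place that needs its stored credential updated (or, better, moved to a dedicated service account) before the password change goes through.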
RE: [ActiveDir] OT:Upgrade from 2k to 2k3
I forgot to mention. The following article is very interesting also:
http://support.microsoft.com/default.aspx?scid=kb;en-us;555040 "Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003 Domain"

RE: [ActiveDir] OT:Upgrade from 2k to 2k3
Jorge de Almeida Pinto
Tue, 19 Apr 2005 09:52:07 -0700

Hi,

I just copied the text below from another thread I responded to yesterday.

See MS-KBQ325379 "How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003" (http://support.microsoft.com/?id=325379) for all the details you need to know about upgrading w2k to w2k3.

If you are considering upgrading E2K to E2K3 see MS-KBQ822942 "Considerations When You Upgrade to Exchange Server 2003" (http://support.microsoft.com/?id=822942).

About disconnecting the schema master when doing the schema upgrade see MS-KBQ821076 "Windows Server 2003 Help Files Contain Incorrect Information About How to Update a Windows 2000 Domain" (http://support.microsoft.com/default.aspx?scid=kb;en-us;821076).

I once read what the issue was when disconnecting the schema master from the network, but I don't remember anymore. Maybe someone else on this list can share info on the particular issue. The main reason to disconnect the schema master is so that if the schema upgrade goes wrong for some reason you don't screw up your forest, and so you don't need to do a forest recovery to revert to the last uncorrupt schema.

One other way to mitigate this risk could be to:
* Do a FULL backup of the schema master
* Disable OUTBOUND replication for the SCHEMA MASTER FSMO first (REPADMIN /OPTIONS +DISABLE_OUTBOUND_REPL)
* Verify that outbound replication is disabled with REPLMON
* Upgrade the schema (after meeting ALL prerequisites mentioned in MS-KBQ325379!!!)
* Check the event viewer for errors
* And IF everything is OK enable replication (REPADMIN /OPTIONS -DISABLE_OUTBOUND_REPL)

When replication is enabled again on the schema master FSMO all directory changes concerning AD objects will be halted, because replication partners see the schema has been changed (the DC performs a check to see if the schema version has changed). The normal changes will only replicate after the schema update has replicated.

Ohh, and by the way: TEST FIRST IN A TEST ENVIRONMENT TO GET FAMILIAR WITH THE PROCEDURE AND TO SEE WHAT HAPPENS!!!

Cheers
Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/19/2005 5:27 PM
Subject: [ActiveDir] OT:Upgrade from 2k to 2k3

Hi,

I'm just looking to upgrade our domain controllers from 2k to 2k3. I actually have a 2k with exchange 2k that needs to be upgraded to 2k3 and Exchange 2k3. Should I upgrade the exchange system before doing the DCs? Anyone have any docs with pros and cons? What is better or would cause fewer troubles.

Thanks!
RE: [ActiveDir] Native Mode Switch
Manually re-writing the attribute will not work. Also see:
http://support.microsoft.com/kb/322692
http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm

Jorge

-Original Message-
From: Nicolas Blank
To: 'Jorge de Almeida Pinto'; ActiveDir@mail.activedir.org
Sent: 4/20/2005 8:25 PM
Subject: RE: [ActiveDir] Native Mode Switch

Thanks for the answer. This is understood, however, what are the implications of manually re-writing the nTMixedDomain value back to 1? Also, what actions does a DC take once the value change is effected that makes the change non-reversible?

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: 20 April 2005 08:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change is made is changed from 1 to 0. This change replicates out to all other replicas. There is no way you can change this attribute back without doing a disaster recovery for the domain. The main thing here is that you don't have legacy DCs in the domain anymore!!!

I can think of the following solutions to test the change of the mode switch:
* Create a copy of the particular machine with the SNA application and test that in a test environment
* Create a full backup of the particular DC with the SNA app, disable OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If something goes wrong restore the DC and enable replication again (the latter is needed as the restored DC will receive the disabled state from the other DCs).

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Apologies.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR. Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.
RE: [ActiveDir] administrator account
While you're at it, create service accounts and/or scheduled task accounts and reconfigure those tasks/services with the new account so the default built-in admin account is not used!

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir (E-mail)
Sent: 4/20/2005 8:39 PM
Subject: [ActiveDir] administrator account

I'm about to change the password for the Domain administrator account and I'd like to know if there is any script that I could run that would tell me what services/tasks run under this account on member servers and domain controllers.

Thanks
RE: [ActiveDir] administrator account
For scheduled tasks you can use (from a W2K3 server):

schtasks /query /S SRVHOST /V /FO CSV /U <username> /P <password>

Use the latter 4 only if you are not logged on with credentials that have permissions on the server you connect to.

For services the following script in the MS scriptcenter may help you:
http://www.microsoft.com/technet/scriptcenter/scripts/os/services/ossvvb08.mspx

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir (E-mail)
Sent: 4/20/2005 8:39 PM
Subject: [ActiveDir] administrator account

I'm about to change the password for the Domain administrator account and I'd like to know if there is any script that I could run that would tell me what services/tasks run under this account on member servers and domain controllers.

Thanks
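The two halves of Jorge's answer (schtasks /V /FO CSV for tasks, WMI Win32_Service for services) can be combined into one inventory run before the password is rotated. The script below is an added example, not code from the thread or from the Script Center page Jorge links; the server names, the account name forms and the CONTOSO domain are constructed placeholders, and it assumes the caller is an administrator on each target with WinRM reachable (for Get-CimInstance) and the Task Scheduler service reachable (for schtasks /S).

```powershell
# Added example (not from the list post): report services and scheduled tasks that
# run under a given account on a set of servers, so they can be moved to dedicated
# service accounts before the built-in Administrator password is changed. Anything
# left on the old password fails at its next start or scheduled run.
param(
    # Constructed placeholders; replace with real member servers and DCs.
    [string[]]$Servers  = @('DC01', 'MEMBER01'),
    # The forms the account may appear in (NetBIOS and UPN); placeholders.
    [string[]]$Accounts = @('CONTOSO\Administrator', 'administrator@contoso.com')
)

function Get-ServicesRunningAs {
    param([string]$Computer, [string[]]$Accounts)
    # Win32_Service.StartName is the logon account of the service.
    # -contains compares case-insensitively, as PowerShell's -eq does.
    Get-CimInstance -ClassName Win32_Service -ComputerName $Computer -ErrorAction Stop |
        Where-Object { $_.StartName -and ($Accounts -contains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $Computer
                Type     = 'Service'
                Name     = $_.Name
                RunAs    = $_.StartName
                State    = $_.State
            }
        }
}

function Get-TasksRunningAs {
    param([string]$Computer, [string[]]$Accounts)
    # schtasks /V /FO CSV emits one row per task with a "Run As User" column.
    # Newer builds repeat the header row once per task folder, so keep only the first.
    $lines = schtasks.exe /Query /S $Computer /V /FO CSV 2>$null
    if (-not $lines -or @($lines).Count -lt 2) { return }
    $header = $lines[0]
    $rows = @($header) + @($lines | Select-Object -Skip 1 | Where-Object { $_ -ne $header })
    $rows | ConvertFrom-Csv |
        Where-Object { $Accounts -contains $_.'Run As User' } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $Computer
                Type     = 'ScheduledTask'
                Name     = $_.TaskName
                RunAs    = $_.'Run As User'
                State    = $_.Status
            }
        }
}

$report = foreach ($server in $Servers) {
    try {
        Get-ServicesRunningAs -Computer $server -Accounts $Accounts
        Get-TasksRunningAs    -Computer $server -Accounts $Accounts
    } catch {
        # An unreachable host is reported, not silently skipped: a missed server is
        # exactly the one whose service breaks after the rotation.
        Write-Warning "$server : $($_.Exception.Message)"
    }
}

# One row per dependency on the account. An empty report (with no warnings) means
# services and scheduled tasks are not a blocker for changing the password.
$report | Sort-Object Computer, Type, Name | Format-Table -AutoSize
```

Run it once with the current account names, re-point each listed service or task to its own account as Jorge suggests, then run it again and expect an empty report before changing the password. Hosts that only speak DCOM/WMI (pre-WinRM builds) need Get-WmiObject in place of Get-CimInstance.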
[ActiveDir] administrator account
I'm about to change the password for the Domain administrator account and I'd like to know if there is any script that I could run that would tell me what services/tasks run under this account on member servers and domain controllers.

Thanks
RE: [ActiveDir] Native Mode Switch
Thanks for the answer. This is understood, however, what are the implications of manually re-writing the nTMixedDomain value back to 1? Also, what actions does a DC take once the value change is effected that makes the change non-reversible?

-Original Message-
From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: 20 April 2005 08:17 PM
To: 'Nicolas Blank '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] Native Mode Switch

When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change is made is changed from 1 to 0. This change replicates out to all other replicas. There is no way you can change this attribute back without doing a disaster recovery for the domain. The main thing here is that you don't have legacy DCs in the domain anymore!!!

I can think of the following solutions to test the change of the mode switch:
* Create a copy of the particular machine with the SNA application and test that in a test environment
* Create a full backup of the particular DC with the SNA app, disable OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If something goes wrong restore the DC and enable replication again (the latter is needed as the restored DC will receive the disabled state from the other DCs).

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Apologies.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR. Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.
RE: [ActiveDir] AD access "strong authentication required"
Olivier,

In order to make the DC allow unsigned LDAP the following settings should be configured in the GPO linked to the "Domain Controllers" OU (this by default is "Default Domain Controllers Policy"):
- The Domain controller: LDAP server signing requirements = None
- The Network security: LDAP client signing requirements = Negotiate
(both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options)

I might also need to reboot the DCs (do not remember that part).

If you are really adventurous and want to keep those settings in production, you would want to at least minimize the impact by forcing all Windows hosts in your AD to sign LDAP traffic when acting as clients (querying the DCs). This would be done by setting (in a GPO linked at domain level (by default "Default Domain Policy")):
- The Network security: LDAP client signing requirements = Negotiate

This last setting is not required for your testing. If you eventually go the SSL route, you won't need it anyway.
To make sure you can search with simple binds, from the RH box, try running something like:

ldapsearch -h <dc-hostname> -x -D "cn=Administrator,dc=domain,dc=com" -W -b "cn=users,dc=domain,dc=com" "objectcategory=*" dn

-b - search base
-D - the DN of the account you are using to authenticate
-x - use simple bind
-h - the LDAP server host name
-W - will prompt you for the password

HTH,
Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Wednesday, April 20, 2005 4:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD access "strong authentication required"

Guy, you wrote:

If you want to enable simple binds, set:
- The Domain controller: LDAP server signing requirements = None
- The Network security: LDAP client signing requirements = Negotiate
Also set in Default Domain GPO: The Network security: LDAP client signing requirements = Negotiate (to make sure that all windows clients do not try simple binds)

We find the first two settings but not the last ("Also set in Default Domain GPO"). We work on a French version of Win 2003, and our knowledge of 2003 is very poor. Could you tell me how to set this? We can't find the right path for this...

Many thanks
Olivier

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Monday, 18 April 2005 16:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD access "strong authentication required"

Our AD isn't win2000 upgraded to 2003 (it's a new one). Sorry for my "but I can always connect from php to AD using anonymous connection (works great)"... Effectively, I can just bind to rootDSE. We will try to use SSL, but for our tests we will perhaps first try to modify the LDAP settings. Many thanks for your answer, I will tell you if we succeed or not!
Olivier

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Monday, 18 April 2005 15:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD access "strong authentication required"

By default anonymous LDAP operations are disabled in W2K3 AD (you are only allowed to perform a base search on RootDSE).

First the warning: enabling anonymous LDAP operations and/or disabling LDAP signing weakens the security of your AD and opens some nasty holes that can be exploited by bad people.

The best option would be performing an LDAP over SSL bind to the DC if you have SSL enabled on the DCs. If not then you can tackle the problem by:

1) If you do not want to send the passwords over the wire, you can allow anonymous binds/searches to a strictly defined set of attributes (assuming that those do not contain sensitive data). More details here: http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

2) If you still want to pull the data after successful authentication (you'll need to perform an authenticated simple bind from within PHP code). There are 2 settings that control the LDAP signing (both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options of the Default Domain Controllers GPO):
a. Domain Controller: LDAP server signing requirement
b. Network security: LDAP client signing requirement (default = undefined)

If you want to enable simple binds, set:
- The Domain controller: LDAP server signing requirements = None
- The Network security: LDAP client signing requirements = Negotiate
Also set in Default Domain GPO: The Network security: LDAP client signing requirements = Negotiate (to make sure that all windows clients do not try simple binds)

Now this option is VERY nasty as you are opening a door to clear text passwords traveling across your network and letting anyone with a sniffer grab passwords from the wire. I would try to av
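Guy's two GPO settings end up as registry values on each DC, so their effective state can be audited directly rather than inferred from GPO links, and a DC can be made to log which clients actually perform unsigned or cleartext simple binds before the server-side requirement is loosened or tightened. The script below is an added example, not code from the thread; the DC names are constructed placeholders, it assumes administrator rights on the DCs with WinRM enabled, and the event ID and log channel name it reads are those of Windows Server 2008 and later, not of the W2K3 DCs discussed in the thread.

```powershell
# Added example (not from the list post): audit the LDAP signing settings behind the
# two policies named in the thread and list clients performing unsigned simple binds.
param([string[]]$DomainControllers = @('DC01', 'DC02'))   # constructed placeholders

# Registry values written by the two Security Options settings.
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'  # LDAPServerIntegrity
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP\Parameters'  # LDAPClientIntegrity
$ServerMeaning = @{ 1 = 'None (unsigned simple binds accepted)'; 2 = 'Require signing' }
$ClientMeaning = @{ 0 = 'None'; 1 = 'Negotiate signing'; 2 = 'Require signing' }

function Get-LdapSigningState {
    param([string]$Computer)
    $raw = Invoke-Command -ComputerName $Computer -ArgumentList $ServerKey, $ClientKey -ScriptBlock {
        param($sk, $ck)
        [pscustomobject]@{
            Server = (Get-ItemProperty -Path $sk -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
            Client = (Get-ItemProperty -Path $ck -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
        }
    }
    # A missing value means the policy is "Not defined" and the OS default applies:
    # for the server side that is the same as None, i.e. unsigned binds are accepted.
    $serverText = if ($null -eq $raw.Server) { 'Not defined (OS default: unsigned binds accepted)' } else { $ServerMeaning[[int]$raw.Server] }
    $clientText = if ($null -eq $raw.Client) { 'Not defined (OS default: Negotiate)' } else { $ClientMeaning[[int]$raw.Client] }
    [pscustomobject]@{
        DC            = $Computer
        ServerSigning = $serverText
        ClientSigning = $clientText
        Weak          = ($raw.Server -ne 2)   # the "None" setting Guy warns about, or unset
    }
}

function Enable-LdapInterfaceEventLogging {
    param([string]$Computer)
    # Level 2 for '16 LDAP Interface Events' makes the DC log event 2889 for every
    # client that binds without signing or with a cleartext simple bind.
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '16 LDAP Interface Events' -Value 2
    }
}

function Get-UnsignedBindClients {
    param([string]$Computer, [int]$Days = 1)
    # Event 2889 (Directory Service log) names the client address and the identity it
    # bound as; the regexes below pull those two fields out of the message text.
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-$Days)
    } | ForEach-Object {
        $ip = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
        $id = if ($_.Message -match 'authenticate as:\s*(.+)') { $Matches[1].Trim() } else { '?' }
        [pscustomobject]@{ DC = $Computer; Time = $_.TimeCreated; Client = $ip; Identity = $id }
    }
}

# 1. Where do the DCs stand today? Any row with Weak = True accepts cleartext simple binds.
$DomainControllers | ForEach-Object { Get-LdapSigningState -Computer $_ } | Format-Table -AutoSize

# 2. Which clients would break if signing were required (or are sending cleartext now)?
#    Uncomment the next line once per DC to turn the logging on, then re-run later.
# $DomainControllers | ForEach-Object { Enable-LdapInterfaceEventLogging -Computer $_ }
$DomainControllers | ForEach-Object { Get-UnsignedBindClients -Computer $_ -Days 1 } |
    Group-Object Client, Identity | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The second report is the practical answer to Guy's warning: it shows the specific hosts (such as the PHP box in the thread) and accounts whose passwords are crossing the wire in the clear, which is the list to move to LDAP over SSL or to a restricted anonymous-read setup before the server-side requirement is raised to "Require signing".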
RE: [ActiveDir] Native Mode Switch
When you convert the domain to native mode the attribute nTMixedDomain on the domain NC head of the replica where the change is made is changed from 1 to 0. This change replicates out to all other replicas. There is no way you can change this attribute back without doing a disaster recovery for the domain. The main thing here is that you don't have legacy DCs in the domain anymore!!!

I can think of the following solutions to test the change of the mode switch:
* Create a copy of the particular machine with the SNA application and test that in a test environment
* Create a full backup of the particular DC with the SNA app, disable OUTBOUND replication for that DC (REPADMIN) and change the mode switch. If something goes wrong restore the DC and enable replication again (the latter is needed as the restored DC will receive the disabled state from the other DCs).

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 7:30 PM
Subject: [ActiveDir] Native Mode Switch

Sorry, hijacked the topic by mistake. Apologies.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR. Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.
RE: [ActiveDir] (Slightly OT) GC's
If I remember correctly that option also works in W2K when you're using the W2K3 REPADMIN. However this only works against DCs and not GCs.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 8:02 PM
Subject: RE: [ActiveDir] (Slightly OT) GC's

Curious to know how useful /removelingeringobjects would be if this were a 2003 forest. Could I run that on every GC against a reliable source in the other NCs to try and clear up "lingerers"? Also a fairly lengthy prospect, but would you consider it better than the fully removing every GC at once option?

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 20, 2005 1:48 PM
To: 'Kern, Tom '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] GC's

When you need to rebuild all GCs you'll have to be careful how you do that. If you rebuild GCs one by one the problem (wrong data like non-existing objects) most likely will not be solved. This is true if a GC uses another GC as inbound replication partner. I don't know what your situation is, but if the wrong data is only in the GCs, demoting all GCs at once and promoting again is the "best way". In a large environment this sounds like "hell on earth".

If the "wrong data" is only in a certain domain partition you could remove that NC from the GCs in the other domains using REPADMIN. With the latter the GC keeps advertising itself while the NC is being removed and later on rebuilt. Also with this one you need to be sure which replication partner is chosen.

If you can provide more details, maybe I can give you a more helpful answer.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 5:48 PM
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)
Also, what exactly is "occupancy level"?

I had some EAs that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.
- Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
RE: [ActiveDir] (Slightly OT) GC's
Depends what caused such a consistency-failure in the first place, /removelingeringobjects does exactly as its wording implies and little more. Last time I looked it didn't check for lingering _attributes_ or other plausible (though hard to manufacture) inconsistencies such as temporal issues caused by DCs being thrown back in time using virtualization or SANs or ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Cliffe
Sent: Wednesday, April 20, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] (Slightly OT) GC's

Curious to know how useful /removelingeringobjects would be if this were a 2003 forest. Could I run that on every GC against a reliable source in the other NCs to try and clear up "lingerers"? Also a fairly lengthy prospect, but would you consider it better than the fully removing every GC at once option?

-DaveC
Reuters CIO Infrastructure

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 20, 2005 1:48 PM
To: 'Kern, Tom '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] GC's

When you need to rebuild all GCs you'll have to be careful how you do that. If you rebuild GCs one by one the problem (wrong data like non-existing objects) most likely will not be solved. This is true if a GC uses another GC as inbound replication partner. I don't know what your situation is, but if the wrong data is only in the GCs, demoting all GCs at once and promoting again is the "best way". In a large environment this sounds like "hell on earth".

If the "wrong data" is only in a certain domain partition you could remove that NC from the GCs in the other domains using REPADMIN. With the latter the GC keeps advertising itself while the NC is being removed and later on rebuilt. Also with this one you need to be sure which replication partner is chosen.

If you can provide more details, maybe I can give you a more helpful answer.

Jorge

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 5:48 PM
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)
Also, what exactly is "occupancy level"?

I had some EAs that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.
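DaveC's idea of running /removelingeringobjects on every GC against a reliable source for each foreign NC, and Dean's caveat that it only finds lingering objects, can both be tried without changing anything by using repadmin's advisory mode. The script below is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the caller can run repadmin against every DC, that the GCs are Windows Server 2008 or later so that the advisory-mode results land in their Directory Service event log, and it only checks the read-only partial replicas of foreign domains, which is the case discussed in the thread.

```powershell
# Added example (not from the list post): dry-run lingering-object detection on every
# GC in the forest, one foreign domain NC at a time, against a writable DC of that
# domain as the reference. Advisory mode reports what would be removed and deletes
# nothing, so it can be compared with Jorge's "demote all GCs at once" option first.
Import-Module ActiveDirectory

function Get-ReferenceDsaGuid {
    param([string]$DomainName)
    # repadmin identifies the source by the objectGUID of its NTDS Settings object.
    $dc = Get-ADDomainController -Filter 'IsReadOnly -eq $false' -Server $DomainName |
          Select-Object -First 1
    $guid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    [pscustomobject]@{ HostName = $dc.HostName; DsaGuid = $guid }
}

function Test-GcLingeringObjects {
    # Returns one row per (GC, foreign NC) pair with repadmin's last output line.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        $nc  = (Get-ADDomain -Identity $domainName).DistinguishedName
        $ref = Get-ReferenceDsaGuid -DomainName $domainName
        foreach ($gcName in $forest.GlobalCatalogs) {
            $gc = Get-ADDomainController -Identity $gcName
            # A GC holds its own domain as a full writable replica; only foreign
            # domains are partial read-only replicas, which is what the thread is about.
            if ($gc.Domain -ieq $domainName) { continue }
            $out = & repadmin.exe /removelingeringobjects $gc.HostName $ref.DsaGuid $nc /advisory_mode 2>&1
            [pscustomobject]@{
                GC     = $gc.HostName
                NC     = $nc
                Source = $ref.HostName
                Result = ($out | Select-Object -Last 1)
            }
        }
    }
}

function Get-AdvisoryFindings {
    param([string]$GcHostName, [int]$Hours = 2)
    # Advisory mode writes its findings to the target GC's Directory Service log:
    # 1942 carries the per-NC summary count, 1946 names each object that would go.
    Get-WinEvent -ComputerName $GcHostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1942, 1946; StartTime = (Get-Date).AddHours(-$Hours)
    } | ForEach-Object {
        [pscustomobject]@{ GC = $GcHostName; Id = $_.Id; Time = $_.TimeCreated
                           Text = (($_.Message -split "`n")[0]).Trim() }
    }
}

$runs = Test-GcLingeringObjects
$runs | Format-Table -AutoSize

# Pull the detail from each GC that was checked.
$runs | Select-Object -ExpandProperty GC -Unique |
    ForEach-Object { Get-AdvisoryFindings -GcHostName $_ } |
    Sort-Object GC, Time | Format-Table -AutoSize
```

If the 1942 summaries report zero objects on every GC, the "lingerers" are not lingering objects in the sense repadmin understands, and, as Dean says, the cause (lingering attribute values, a DC rolled back in time) needs a different investigation before any mass GC rebuild. If they report objects, the same command without /advisory_mode removes exactly those, one GC and NC at a time, without the forest-wide demotion Jorge describes.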
RE: [ActiveDir] GC's
My thanks to Jorge for saving me the typing :)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 1:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

"it will fail unless the other steps were taken to contrive how the GCs re-sourced their content." - what other steps? repadmin/repmon?

thanks

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 12:26 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

"Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6, where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty as to whether the target DC will begin the demotion process since it's dependent upon the replication topology and its inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)
Also, what exactly is "occupancy level"?

I had some EAs that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.
RE: [ActiveDir] GC's
I IM'd with Dean about this and found the DCR where we took this. Then confirmed the checkin... SP3 is the first SP that adds it.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

By golly you're right! (As expected.) Thanks.

A member of the Exchange team referred me to this KB: http://support.microsoft.com/?id=324941

I've also asked for KB 304403 to be corrected.

Thanks again,
M

//me runs off to change the text in a chapter...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 12:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

It is indeed dynamically enabled though I've not put that to the test. I believe it was first fixed in Windows 2000 SP3, review - http://support.microsoft.com/?id=305596

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

NSPI startup/shutdown without a reboot was addressed in w2k3? Can you point me toward any additional information? I had not come across that factoid.

Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 11:37 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3), the other aspects of the GC take effect according to something known as the "occupancy level".

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks
RE: [ActiveDir] (Slightly OT) GC's
Curious to know how useful /removelingeringobjects would be if this were a 2003 forest. Could I run that on every GC against a reliable source in the other NCs to try and clear up "lingerers"? Also a fairly lengthy prospect, but would you consider it better than the fully removing every GC at once option?

-DaveC
Reuters CIO Infrastructure

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 20, 2005 1:48 PM
To: 'Kern, Tom '; '[EMAIL PROTECTED] '; 'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] GC's

When you need to rebuild all GCs you'll have to be careful how you do that. If you rebuild GCs one by one the problem (wrong data like non-existing objects) most likely will not be solved. This is true if a GC uses another GC as inbound replication partner. I don't know what your situation is, but if the wrong data is only in the GCs demoting all GCs at once is the "best way" and promoting again. In a large environment this sounds like "hell on earth".

If the "wrong data" is only in a certain domain partition you could remove that NC from the GCs in the other domains using REPADMIN. With the latter the GC keeps advertising itself while the NC is being removed and later on rebuilt. Also with this one you need to be sure which replication partner is chosen.

If you can provide more details, maybe I can give you a more helpful answer.

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 5:48 PM
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EA's that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC's
"it will fail unless the other steps were taken to contrive how the GCs re-sourced their content." - what other steps? repadmin/replmon?

thanks

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 12:26 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

"Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6 where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty as to whether the target DC will begin the demotion process since it's dependent upon the replication topology and its inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EA's that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC's
When you need to rebuild all GCs you'll have to be careful how you do that. If you rebuild GCs one by one the problem (wrong data like non-existing objects) most likely will not be solved. This is true if a GC uses another GC as inbound replication partner. I don't know what your situation is, but if the wrong data is only in the GCs demoting all GCs at once is the "best way" and promoting again. In a large environment this sounds like "hell on earth".

If the "wrong data" is only in a certain domain partition you could remove that NC from the GCs in the other domains using REPADMIN. With the latter the GC keeps advertising itself while the NC is being removed and later on rebuilt. Also with this one you need to be sure which replication partner is chosen.

If you can provide more details, maybe I can give you a more helpful answer.

Jorge

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/20/2005 5:48 PM
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EA's that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted
> (that has been addressed for 2K3), the other aspects of the GC take
> effect according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
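DaveC asks whether /removelingeringobjects could be run on every GC against a reliable source for each foreign NC, and Jorge's reply describes pulling a single NC off the GCs with REPADMIN instead of rebuilding them. The script below is an added example written for this page (it is not code from either poster): it runs repadmin's advisory mode for one NC on each GC, sourced from a DC you trust as the reference copy of that NC, so you can see what would be removed before anything is deleted. It assumes a Windows Server 2003 forest (the switch does not exist on Windows 2000), repadmin.exe on the path, and rights to read the Directory Service event log on each GC. All host names and the NC are placeholders, and the event id used (1946 per reported object) is from my own notes rather than the thread.

```powershell
# Added example, not from the thread. Advisory mode only reports; nothing is deleted.
function Get-DsaGuid {
    param([Parameter(Mandatory)][string]$Dc)
    # repadmin identifies the source by its DSA (NTDS Settings) object GUID, not by name.
    # rootDSE/dsServiceName is the DN of the DC's own NTDS Settings object.
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $ntds    = [ADSI]"LDAP://$Dc/$([string]$rootDse.dsServiceName)"
    $bytes   = [byte[]]$ntds.objectGUID.Value
    return (New-Object System.Guid -ArgumentList (,$bytes)).ToString()
}

function Test-LingeringObjects {
    param(
        [Parameter(Mandatory)][string[]]$GlobalCatalog,   # destination DCs to audit (placeholders)
        [Parameter(Mandatory)][string]$ReferenceDc,       # writable DC of the NC's own domain
        [Parameter(Mandatory)][string]$NamingContext      # e.g. 'DC=child,DC=corp,DC=example'
    )
    $sourceGuid = Get-DsaGuid -Dc $ReferenceDc

    foreach ($gc in $GlobalCatalog) {
        if ($gc -ieq $ReferenceDc) { continue }   # never compare a DC against itself
        $started = Get-Date

        # /advisory_mode: log what would be removed, change nothing
        $out  = & repadmin.exe /removelingeringobjects $gc $sourceGuid $NamingContext /advisory_mode 2>&1
        $exit = $LASTEXITCODE

        # Advisory mode writes one Directory Service event per object it would remove;
        # Get-EventLog uses the classic event log API, so it also reaches 2003-era DCs.
        $found = @()
        try {
            $found = Get-EventLog -ComputerName $gc -LogName 'Directory Service' -After $started -ErrorAction Stop |
                Where-Object { $_.EventID -eq 1946 } |
                ForEach-Object { $_.Message }
        } catch { }

        [pscustomobject]@{
            GC              = $gc
            NamingContext   = $NamingContext
            Source          = "$ReferenceDc ($sourceGuid)"
            RepadminExit    = $exit
            ObjectsReported = @($found).Count
            RepadminOutput  = ($out -join [Environment]::NewLine)
        }
    }
}

# Usage (placeholder names): one NC at a time, sourced from a DC in that NC's own domain.
# Test-LingeringObjects -GlobalCatalog 'gc1.corp.example','gc2.corp.example' `
#     -ReferenceDc 'dc1.child.corp.example' -NamingContext 'DC=child,DC=corp,DC=example' |
#     Format-Table GC, RepadminExit, ObjectsReported
```

Run it per foreign NC, each time with a reference DC from that NC's own domain, and only drop /advisory_mode once the reported objects have been reviewed. The route Jorge describes, removing one NC from a GC and re-sourcing it without the GC ceasing to advertise, corresponds to repadmin's /unhost and /rehost switches on 2003, which is why his caveat about choosing the replication partner matters: /rehost takes an explicit source DC, so the partial replica is rebuilt from a copy you have chosen rather than from whichever GC the KCC happened to pick.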
RE: [ActiveDir] Restricting sensitive information
Can you use a local administrator account of a machine to unencrypt files? I do it all the time on laptops that we have deployed when they bring them in for service. I'm not sure how well this works on servers, but if it does then this might not be such a great option.

Charlie

-----Original Message-----
From: Perdue David J Contr InDyne/Enterprise IT [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Restricting sensitive information

You could encrypt the files/folders and add in the user accounts of the folks who need access as well as one or two admins to help maintain it. Depending on what your policy has set up for a recovery agent, this would prevent individuals from accessing the files. They could still rename/delete/take ownership, but they couldn't access the data.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 04:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, whereby breaking their ability to promote domain controllers, etc - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
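Charlie's question (can a local administrator decrypt EFS files?) and Dave's caveat about the recovery agent come down to the same check: an EFS file can only be opened by someone holding the private key for one of the certificates recorded in the file's encryption metadata, either a user's key or a data recovery agent's (DRA) key. The function below is an added example for this page, not code from any of the posters. It wraps the built-in `cipher /c`, which prints exactly that list, and returns the users and recovery agents as an object so the DRA exposure on a share can be reviewed in bulk. The section headings it matches are the ones cipher prints on the builds I have used; adjust the patterns if your build words them differently. The path in the usage line is a placeholder.

```powershell
# Added example, not from the thread: who holds a key that can decrypt an EFS file.
function Get-EfsDecryptors {
    param([Parameter(Mandatory)][string]$Path)

    # cipher /c lists, per file, "Users who can decrypt:" and "Recovery Certificates:"
    # (or "No recovery certificate found."), each name followed by its thumbprint line.
    $lines   = & cipher.exe /c $Path 2>&1
    $section = $null
    $users   = New-Object System.Collections.Generic.List[string]
    $agents  = New-Object System.Collections.Generic.List[string]

    foreach ($line in $lines) {
        $text = "$line".Trim()
        switch -regex ($text) {
            '^Users who can decrypt:'   { $section = 'users';  break }
            '^Recovery Certificates:'   { $section = 'agents'; break }
            '^No recovery certificate'  { $section = $null;    break }
            '^Certificate thumbprint:'  { break }          # belongs to the preceding name
            '^$'                        { $section = $null;    break }   # blank line ends a section
            default {
                if     ($section -eq 'users')  { $users.Add($text) }
                elseif ($section -eq 'agents') { $agents.Add($text) }
            }
        }
    }

    [pscustomobject]@{
        Path             = $Path
        Users            = $users.ToArray()
        RecoveryAgents   = $agents.ToArray()
        # If this is true, whoever holds the DRA private key (by default the domain
        # Administrator on a domain-joined box) can open the file regardless of the ACL.
        HasRecoveryAgent = ($agents.Count -gt 0)
    }
}

# Usage (placeholder path):
# Get-ChildItem 'D:\HIPAA' -Recurse -File | ForEach-Object { Get-EfsDecryptors -Path $_.FullName } |
#     Where-Object HasRecoveryAgent | Format-List Path, Users, RecoveryAgents
```

The answer to Charlie's question follows from the output: a local Administrator who is not in either list cannot decrypt the file, but one who holds the DRA key (as the local Administrator does on a standalone or workgroup laptop, and the domain Administrator does under the default domain policy) can. For the HIPAA share, the recovery agent policy that applies to the file server therefore decides the real size of the group that can read the data, whatever the ACL says.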
RE: [ActiveDir] GC's
By golly you're right! (As expected.) Thanks.

A member of the Exchange team referred me to this KB: http://support.microsoft.com/?id=324941

I've also asked for KB 304403 to be corrected.

Thanks again, M

//me runs off to change the text in a chapter...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 12:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

It is indeed dynamically enabled though I've not put that to the test. I believe it was first fixed in Windows 2000 SP3, review - http://support.microsoft.com/?id=305596

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

NSPI startup/shutdown without a reboot was addressed in w2k3? Can you point me toward any additional information? I had not come across that factoid. Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 11:37 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3), the other aspects of the GC take effect according to something known as the "occupancy level".

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Native Mode Switch
Sorry, hijacked the topic by mistake. Apologies.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nicolas Blank
Sent: 20 April 2005 07:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR.

Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC's
Eric, Joe, Al, Carlos, Guido

Question for you guys and the wider audience. What happens EXACTLY in Win2k on a DC(s) when the native mode switch is pushed, and what are the ramifications of changing the attribute back to reflect mixed mode once this has happened?

I have a customer with a nervous disposition that doesn't believe me when I say there ain't no way back that's supported without doing an AD DR.

Background is a business critical SNA application that HAS to live on a DC. MS is cool about switching to native, but customer is REALLY nervous.

Any insight will be appreciated.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GC's
I never talked to the guy from MS, so I don't know how that conversation went, though it did seem a little like a "reboot to fix the problem" type solution.

Which brings me to another question - under what circumstances would a deleted object still show up as a valid object in GC's? That was the problem they were having. It was claimed that OU's were deleted and that was never reflected in the GC, among other objects.

The only thing I can think of is some admin said they were using movetree to move objects between domains. I've never used movetree, but I'm aware of its limitations as to global and local groups as well as that it can't move computer objects. I don't know if it spits out an error when you try these things, but that could've caused the issues.

thanks

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 12:26 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

"Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6 where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty as to whether the target DC will begin the demotion process since it's dependent upon the replication topology and its inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EA's that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Restricting sensitive information
You could encrypt the files/folders and add in the user accounts of the folks who need access as well as one or two admins to help maintain it. Depending on what your policy has set up for a recovery agent, this would prevent individuals from accessing the files. They could still rename/delete/take ownership, but they couldn't access the data.

Dave
//SIGNED//
David J. Perdue

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 04:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, whereby breaking their ability to promote domain controllers, etc - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
RE: [ActiveDir] GC's
"Occupancy level" is an integer (controlled via the DC's registry) that represents how much of the total-partial foreign domain content a newly designated GC must have sourced before announcing itself as "ready". Early builds of Windows 2000 defaulted to 3 I believe, this was later adjusted to 6 where the 3 equates to the insane "a complete-partial replica of all foreign domains in _same site_" and the 6 equates to the more heart-warming "a complete-partial replica of all foreign domains".

Unchecking and rechecking the GC box only has an impact if the uncheck action replicated out discreetly and reached the DC to whom it applied (keep in mind that when you uncheck the box you are merely originating a write against a replica of the config. NC which may or may not [most likely not] be the DC to whom the change applies). If the box is rechecked before it reached that owning DC, it is impossible to state with any certainty as to whether the target DC will begin the demotion process since it's dependent upon the replication topology and its inherent end-to-end latency.

PS - With all due respect to the support technician that instructed you to demote each GC in turn, wait a while and re-promote ... that wouldn't guarantee a working end-result, there's a chance it will work and an equal chance that it will fail unless the other steps were taken to contrive how the GCs re-sourced their content.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EA's that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the ntds object, waiting a while and then checking it back. This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted (that
> has been addressed for 2K3), the other aspects of the GC take effect
> according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
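Dean's answer separates two things that the checkbox in AD Sites and Services conflates: the write (bit 0x1 of the options attribute on the DC's NTDS Settings object, which has to replicate to the DC it is meant for) and the announcement (the DC declaring itself a GC once its partial replicas reach the occupancy level). The script below is an added example for this page, not Dean's code or anything from the thread. It asks each DC directly, through its own rootDSE, so it reports what that DC has actually received rather than what the console's DC shows, and it compares the flag with the isGlobalCatalogReady rootDSE attribute the DC uses to announce readiness. The DC names are placeholders, and the registry value name for the occupancy level (`Global Catalog Partition Occupancy` under the NTDS Parameters key) is from my own notes, not from the thread; Dean only says the level lives in the registry.

```powershell
# Added example, not from the thread: GC flag vs. what each DC actually advertises.
function Get-GcReadiness {
    param(
        [Parameter(Mandatory)]
        [string[]]$DomainController   # e.g. 'dc1.corp.example','dc2.corp.example' (placeholders)
    )

    foreach ($dc in $DomainController) {
        $result = [ordered]@{
            DC          = $dc
            GcFlagSet   = $null   # the checkbox write, as seen on this DC's own replica
            Advertising = $null   # what this DC announces to clients (rootDSE isGlobalCatalogReady)
            Occupancy   = $null   # registry occupancy level (0-6), when readable
            State       = 'unreachable'
        }
        try {
            # Bind to the DC itself: the checkbox write only matters once it has replicated here.
            $rootDse = [ADSI]"LDAP://$dc/RootDSE"
            $result.Advertising = (([string]$rootDse.isGlobalCatalogReady) -eq 'TRUE')

            # dsServiceName is the DN of this DC's own NTDS Settings object; bit 0x1 = is-GC
            $ntds    = [ADSI]"LDAP://$dc/$([string]$rootDse.dsServiceName)"
            $options = [int]($ntds.options.Value)       # absent attribute -> 0
            $result.GcFlagSet = (($options -band 1) -eq 1)

            $result.State = switch ("$($result.GcFlagSet)/$($result.Advertising)") {
                'True/True'   { 'GC' }
                'False/False' { 'not a GC' }
                'True/False'  { 'promoting: flag set, partial replicas not yet at occupancy level' }
                'False/True'  { 'demoting or stale: still advertising, flag already cleared' }
            }
        } catch {
            $result.State = "unreachable: $($_.Exception.Message)"
        }

        # Optional: the occupancy requirement itself. Needs WinRM and admin rights on the DC;
        # the value name is an assumption noted in the lead-in.
        try {
            $result.Occupancy = Invoke-Command -ComputerName $dc -ErrorAction Stop -ScriptBlock {
                (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                    -ErrorAction SilentlyContinue).'Global Catalog Partition Occupancy'
            }
        } catch { }

        [pscustomobject]$result
    }
}

# Usage (placeholder names):
# Get-GcReadiness -DomainController 'dc1.corp.example','dc2.corp.example' | Format-Table -AutoSize
```

Running this across every DC in the forest after an uncheck/recheck cycle shows which of Dean's cases you are in: a DC whose flag is set but which is not advertising is still sourcing partial replicas, a DC still advertising with the flag clear has either not yet processed the demotion or never received the uncheck before the recheck overwrote it, and a DC that shows the flag set while another DC's replica shows it clear is simply still waiting on replication of the configuration NC.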
Re: [ActiveDir] Administrative rights
Went through the same thing but only with laptops, desktops had no problem. Go figure.

Check to make sure that you have connections available to the client machine and/or log off but leave the machine able to log on. Try doing the remote install that way. The other way is to use the GPO script option in Trend and insert the string into the logon script. That will make the machine contact ControlManager a bit more manually.

Brent Eads
Employee Technology Solutions, Inc.
Office: (312) 762-9224
RE: [ActiveDir] GC's
It is indeed dynamically enabled though I've not put that to the test. I believe it was first fixed in Windows 2000 SP3, review - http://support.microsoft.com/?id=305596

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Wednesday, April 20, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GC's

NSPI startup/shutdown without a reboot was addressed in w2k3? Can you point me toward any additional information? I had not come across that factoid. Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 11:37 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3), the other aspects of the GC take effect according to something known as the "occupancy level".

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Administrative rights
Hi John..

I've seen some very odd behavior sometimes as you describe, where even as DA, and being in the local group, I've had to do a runas, and specify the local user, Administrator, to install something. Also, if it's an MSI, you can set it to always run at elevated privileges with policy, which might work.

John

"John Parker" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/20/2005 10:56 AM
Please respond to [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
cc:
Subject: RE: [ActiveDir] Administrative rights

Yes.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
7711 Computer Ave. Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:47 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Administrative rights

Is the Domain Admins group a member of the local Administrators group?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Wednesday, April 20, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Administrative rights

Hi all...

I have an XP SP2 on a Win2K AD. I am trying to install Trend OfficeScan on the system but no matter which way I approach the install, the system reports that I must have admin privileges to do this... And I do! I am the domain admin... Anyone seen anything like this?

Thanks.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video

NOTICE OF CONFIDENTIALITY
This document and its attachments are intended for the named addressee(s) only. They contain information which may be confidential, privileged and/or exempt from disclosure. Unless you are the named addressee (or authorized to receive this document and/or its attachment(s) or its contents on behalf of the addressee), you may not read, copy, use, or disclose the document and/or its attachment(s) or its contents. The unauthorized use, copying or disclosure of this document and/or its attachment(s) or its contents is strictly prohibited and may be unlawful. Alpha Video and Audio Inc. disclaims any responsibility in relation to the information in this e-mail message. No rights can be derived from this message. Messages and attachments are not scanned for all known viruses. If you have received this document and/or its attachment(s) by mistake, please notify the sender by telephone immediately at 952-896-9898 or by e-mail at [EMAIL PROTECTED] and destroy immediately all physical and/or electronic copies of the document and its attachment(s).
RE: [ActiveDir] Administrative rights
What does "whoami /groups" yield? Does it make a difference if you logon as the local administrator? Got any custom/strange AD policies in force? Does it work on other computers using the same accounts?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Wednesday, April 20, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Administrative rights

Yes.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
7711 Computer Ave. Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:47 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Administrative rights

Is the Domain Admins group a member of the local Administrators group?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Wednesday, April 20, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Administrative rights

Hi all...

I have an XP SP2 on a Win2K AD. I am trying to install Trend OfficeScan on the system but no matter which way I approach the install, the system reports that I must have admin privileges to do this... And I do! I am the domain admin... Anyone seen anything like this?

Thanks.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
RE: [ActiveDir] Administrative rights
Yes.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
7711 Computer Ave. Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

-----Original Message-----
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 20, 2005 10:47 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Administrative rights

Is the Domain Admins group a member of the local Administrators group?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Wednesday, April 20, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Administrative rights

Hi all...

I have an XP SP2 on a Win2K AD. I am trying to install Trend OfficeScan on the system but no matter which way I approach the install, the system reports that I must have admin privileges to do this... And I do! I am the domain admin... Anyone seen anything like this?

Thanks.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
RE: [ActiveDir] GC's
Actually, I did want to know the other stuff as well :)

Also, what exactly is "occupancy level"?

I had some EAs that saw an issue in AD where there were objects that were deleted in AD but were still present in the GC (for months). They called MS and MS told them this will snowball into a serious issue. So, after much chatting, MS recommended for them to rebuild every GC in the forest. They did this by unchecking the GC tab on the NTDS object, waiting a while and then checking it back.

This is in a win2k sp4 forest. Only the root domain is in native mode.

So, yeah, I'd like to know exactly what it means when you uncheck (and that's all), wait and check again...

Thanks

Dean Wells wrote:
> Only sort of wrong, there's a particular interface (NSPI/Named Service
> Provider Interface) exposed by GCs that is used by Exchange. This
> interface wasn't exposed on new GCs until they had been rebooted
> (that has been addressed for 2K3), the other aspects of the GC take
> effect according to something known as the "occupancy level".
>
> In the event I've misunderstood and you are actually asking what
> happens if you click-it-on and then straight back off again ... well,
> that depends on a few other clicks but I don't really think that's
> what you wanted to know.
RE: [ActiveDir] Administrative rights
Is the Domain Admins group a member of the local Administrators group?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Wednesday, April 20, 2005 11:37 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Administrative rights

Hi all...

I have an XP SP2 on a Win2K AD. I am trying to install Trend OfficeScan on the system but no matter which way I approach the install, the system reports that I must have admin privileges to do this... And I do! I am the domain admin... Anyone seen anything like this?

Thanks.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
RE: [ActiveDir] GC's
NSPI startup/shutdown without a reboot was addressed in w2k3? Can you point me toward any additional information? I had not come across that factoid.

Thanks.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Wednesday, April 20, 2005 11:37 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] GC's

Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3); the other aspects of the GC take effect according to something known as the "occupancy level".

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks
RE: [ActiveDir] GC's
Only sort of wrong, there's a particular interface (NSPI/Named Service Provider Interface) exposed by GCs that is used by Exchange. This interface wasn't exposed on new GCs until they had been rebooted (that has been addressed for 2K3); the other aspects of the GC take effect according to something known as the "occupancy level".

In the event I've misunderstood and you are actually asking what happens if you click-it-on and then straight back off again ... well, that depends on a few other clicks but I don't really think that's what you wanted to know.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, April 20, 2005 11:29 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] GC's

What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks
[ActiveDir] Administrative rights
Hi all...

I have an XP SP2 on a Win2K AD. I am trying to install Trend OfficeScan on the system but no matter which way I approach the install, the system reports that I must have admin privileges to do this... And I do! I am the domain admin... Anyone seen anything like this?

Thanks.

John Parker, MCSE
IS Admin. Senior Technical Specialist
Alpha Display Systems. Alpha Video
[ActiveDir] GC's
What's the effect of just checking and unchecking the GC box on the NTDS object in AD Sites and Services without a reboot? I don't think it has any effect at all. I thought for a GC to be demoted or promoted, you need a reboot in win2k sp4? Am I wrong?

thanks
RE: [ActiveDir] Policies:
Assuming that there are no static(s), ACL, NAT or PAT issues with a firewall or router IOS keeping IP traffic from flowing over what I am guessing to be port 80 traffic.

ICMP (ping) means little in the way of connectivity. It just means that a form of traffic can reach the destination host. Have you done a TRACERT to check the timing? Also, what port or mixture of ports seem to be blocked?

Understand that ICMP is getting through to the host but if this involves long distances, it may be a propagation issue or a combination of issues. Let's whittle some of these unknowns out one at a time till we find a solution.

Brent Eads
Re: [ActiveDir] Policies:
What happens when the client attempts to access paths outside of the network? I'm assuming there is an error of some sort. Have you tried a network trace of the client trying to access the path?

----- Original Message -----
From: "Burkes, Jeremy [Contractor]" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, April 20, 2005 9:04 AM
Subject: RE: [ActiveDir] Policies:

If he has a router ACL or firewall(s) between the two networks he is going to need port 445 opened for TCP and UDP for SMB traffic.

Jeremy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 20, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

In the end both NetBIOS and FQDN are resolved to IPs. Although you can ping the machines, that does not mean you can access the same machines on other ports. Are you using firewalls in between, or do those target systems have firewalls installed, enabled and configured? If yes, check which ports are allowed.

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Wednesday, 20 April 2005 14:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

All do not work... IP, NetBIOS & FQDN

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, 20 April 2005 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Policies:

Are they NetBIOS UNC or FQDN DNS UNC paths? Does one work and not the other?

-----Original Message-----
From: "Blair, James" <[EMAIL PROTECTED]>
Date: Wed, 20 Apr 2005 21:19:15
To:
Subject: [ActiveDir] Policies:

Hope someone can help.

There seems to be a strange policy on our Workstation or Global User baseline that is affecting users on client workstations so that they are not able to:

- Access UNC paths outside their subnet even though they are able to ping and resolve these names through DNS.
- Utilise remote connection software to different subnets.

I am going through all the settings and comparing RSOP data but as you are all able to appreciate it is a fairly long and arduous process. One thing I am able to rule out is that it is not service related.

Any help would be appreciated.

James

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] Policies:
No router ACL or firewall issues... also, no policies @ site level bar some proxy server settings pertinent to respective sites...

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor]
Sent: Wednesday, 20 April 2005 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

If he has a router ACL or firewall(s) between the two networks he is going to need port 445 opened for TCP and UDP for SMB traffic.

Jeremy

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, April 20, 2005 8:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

In the end both NetBIOS and FQDN are resolved to IPs. Although you can ping the machines, that does not mean you can access the same machines on other ports. Are you using firewalls in between, or do those target systems have firewalls installed, enabled and configured? If yes, check which ports are allowed.

Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: Wednesday, 20 April 2005 14:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:

All do not work... IP, NetBIOS & FQDN

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, 20 April 2005 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Policies:

Are they NetBIOS UNC or FQDN DNS UNC paths? Does one work and not the other?

-----Original Message-----
From: "Blair, James" <[EMAIL PROTECTED]>
Date: Wed, 20 Apr 2005 21:19:15
To:
Subject: [ActiveDir] Policies:

Hope someone can help.

There seems to be a strange policy on our Workstation or Global User baseline that is affecting users on client workstations so that they are not able to:

- Access UNC paths outside their subnet even though they are able to ping and resolve these names through DNS.
- Utilise remote connection software to different subnets.

I am going through all the settings and comparing RSOP data but as you are all able to appreciate it is a fairly long and arduous process. One thing I am able to rule out is that it is not service related.

Any help would be appreciated.

James
RE: [ActiveDir] AD access "strong authentication required"
Guy, you wrote:

> If you want to enable simple binds, set:
> - The Domain controller: LDAP server signing requirements = None
> - The Network security: LDAP client signing requirements = Negotiate
> Also set in Default Domain GPO: The Network security: LDAP client signing requirements = Negotiate (to make sure that all Windows clients do not try simple binds)

We find the first two settings but not the last ("Also set in Default Domain GPO"). We work on the French version of Win 2003, and our knowledge of 2003 is very poor. Could you tell me how to set this? We can't find the right path for this...

Many thanks

Olivier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Monday, 18 April 2005 16:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD access "strong authentication required"

Our AD isn't Win2000 upgraded to 2003 (it's a new one).

Sorry for my "but I can always connect from php to AD using anonymous connection (works great)"... Effectively, I can just bind to RootDSE.

We will try to use SSL, but for our tests we will perhaps first try to modify the LDAP signing settings.

Many thanks for your answer, I will tell you if we succeed or not!

Olivier

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teverovsky, Guy
Sent: Monday, 18 April 2005 15:41
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD access "strong authentication required"

By default anonymous LDAP operations are disabled in W2K3 AD (you are only allowed to perform a base search on RootDSE).

First the warning: enabling anonymous LDAP operations and/or disabling LDAP signing weakens the security of your AD and opens some nasty holes that can be exploited by bad people.

The best option would be performing an LDAP over SSL bind to the DC if you have SSL enabled on the DCs.

If not then you can tackle the problem by:

1) If you do not want to send the passwords over the wire, you can allow anonymous binds/searches to a strictly defined set of attributes (assuming that those do not contain sensitive data). More details here: http://www.petri.co.il/anonymous_ldap_operations_in_windows_2003_ad.htm

2) If you still want to pull the data after successful authentication (you'll need to perform an authenticated simple bind from within PHP code). There are 2 settings that control the LDAP signing (both located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options of the Default Domain Controllers GPO):
   a. Domain Controller: LDAP server signing requirement
   b. Network security: LDAP client signing requirement (default = undefined)

If you want to enable simple binds, set:
- The Domain controller: LDAP server signing requirements = None
- The Network security: LDAP client signing requirements = Negotiate

Also set in Default Domain GPO: The Network security: LDAP client signing requirements = Negotiate (to make sure that all Windows clients do not try simple binds)

Now this option is VERY nasty as you are opening a door to clear text passwords traveling across your network and letting anyone with a sniffer grab passwords from the wire. I would try to avoid this one at all cost.

Btw, regarding "but I can always connect from php to AD using anonymous connection (works great)"... Can you elaborate on this one? Can you actually query the AD or can you only bind to RootDSE? Is this W2K AD upgraded to W2K3?

Guy

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Monday, April 18, 2005 2:56 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD access "strong authentication required"

Hello everybody

I would like to add an entry in my AD (Win 2003) from a RedHat/Apache/PHP server. I was connecting with ldap_connect, using the admin user login and password. Everything was OK but some patches and a reboot were done by another person, and now it doesn't work:

- When I connect with the admin user login and password, I obtain "strong authentication required".
- But I can always connect from php to AD using an anonymous connection (works great)

The admin user login and password have not been modified. We are newbies on AD and are not experienced in Win2003 administration... Could you give us an idea to go further in our investigations?

Many thanks

Olivier
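The following PHP is an added example, not code from the thread or from any of its authors: it takes Guy's first recommendation (LDAP over SSL, or StartTLS as a fallback) so the DC's "LDAP server signing requirements" policy can stay where it is, and it reports LDAP result code 8, the "strong authentication required" symptom Olivier saw, when a bind is attempted without TLS. The DC name dc1.example.local, the service account svc-php-provision, the OU and the UPN suffix are all assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread or from any of its authors.
// Goal: bind to a Windows 2003 DC from the RedHat/Apache/PHP server while
// leaving "Domain controller: LDAP server signing requirements" at its
// secure setting. A simple bind on plain port 389 is then refused with
// LDAP result code 8 (strongerAuthRequired, the "strong authentication
// required" message in the thread); a TLS-protected connection satisfies
// the requirement, so no GPO needs to be weakened.
//
// Assumptions (constructed for this example): DC dc1.example.local with a
// server certificate trusted by this host, a dedicated least-privilege
// bind account svc-php-provision, and an OU that account may write to.

const LDAP_RC_STRONGER_AUTH_REQUIRED = 8;

/**
 * Open a TLS-protected LDAP connection. Tries LDAPS on 636 first, then
 * StartTLS on 389. Returns the LDAP handle, or null if neither works.
 */
function ad_connect_secure(string $host)
{
    // ldap_connect() only prepares the handle; the socket is opened by the
    // first operation, so probe with an anonymous RootDSE read (allowed by
    // default on W2K3 AD, as Guy notes) to see whether LDAPS answers.
    $ds = ldap_connect("ldaps://$host:636");
    if ($ds !== false) {
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD hands out referrals; do not chase them
        if (@ldap_read($ds, '', '(objectClass=*)', ['supportedLDAPVersion']) !== false) {
            return $ds;
        }
        @ldap_unbind($ds);
    }

    // Fallback: plain 389, upgraded with StartTLS *before* any bind so the
    // password never crosses the wire in clear text.
    $ds = ldap_connect("ldap://$host:389");
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_start_tls($ds)) {
        error_log('StartTLS failed: ' . ldap_error($ds));
        @ldap_unbind($ds);
        return null;
    }
    return $ds;
}

/**
 * Authenticated simple bind. Returns null on success or a diagnostic
 * string; result code 8 is reported explicitly because it means the DC
 * requires signing/TLS and the connection in use is not protected.
 */
function ad_bind($ds, string $upn, string $password): ?string
{
    if ($password === '') {
        return 'refusing empty password: AD treats it as an anonymous bind';
    }
    if (@ldap_bind($ds, $upn, $password)) {
        return null;
    }
    $rc = ldap_errno($ds);
    if ($rc === LDAP_RC_STRONGER_AUTH_REQUIRED) {
        return 'DC requires signing or TLS for simple binds (result code 8); connection is not TLS-protected';
    }
    return sprintf('bind failed, result code %d: %s', $rc, ldap_error($ds));
}

/**
 * The operation Olivier wanted: add a user object. Setting a password via
 * unicodePwd is deliberately left out; AD only accepts it over TLS, which
 * is one more reason to prefer this path over disabling signing.
 */
function ad_add_user($ds, string $ouDn, string $sam, string $displayName, string $upnSuffix): bool
{
    $dn = 'CN=' . ldap_escape($displayName, '', LDAP_ESCAPE_DN) . ',' . $ouDn;
    $entry = [
        'objectClass'       => ['top', 'person', 'organizationalPerson', 'user'],
        'sAMAccountName'    => $sam,
        'displayName'       => $displayName,
        'userPrincipalName' => "$sam@$upnSuffix",
    ];
    return (bool) @ldap_add($ds, $dn, $entry);
}

// Usage (the bind password comes from the environment, not from the script).
$ds = ad_connect_secure('dc1.example.local');
if ($ds === null) {
    fwrite(STDERR, "No TLS path to the DC; enable LDAPS or StartTLS rather than lowering the signing policy\n");
    exit(1);
}
$err = ad_bind($ds, 'svc-php-provision@example.local', getenv('AD_BIND_PW') ?: '');
if ($err !== null) {
    fwrite(STDERR, $err . "\n");
    exit(1);
}
$ok = ad_add_user($ds, 'OU=Staff,DC=example,DC=local', 'jdoe', 'Jane Doe', 'example.local');
fwrite(STDOUT, $ok ? "user added\n" : 'add failed: ' . ldap_error($ds) . "\n");
ldap_unbind($ds);
```

If the LDAPS probe fails, check that the DC has a server certificate and that the Apache host trusts the issuing CA before falling back to StartTLS; a StartTLS failure with a certificate error points at the same trust problem.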
RE: [ActiveDir] Policies:
If he has a router ACL or firewall(s) between the two networks he is going to need port 445 opened for tcp and udp for SMB traffic. Jeremy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Wednesday, April 20, 2005 8:51 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies: In the end both NetBIOS and FQDN are resolved to IPs. Although you can ping the machines does not mean you can access the same machines on other ports. Are you using firewalls in between or do those target systems have firewalls installed, enabled and configured? If yes, check which ports are allowed Jorge -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James Sent: woensdag 20 april 2005 14:40 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Policies: All do not work...IP, Netbios & FQDN James -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris Sent: Wednesday, 20 April 2005 10:28 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Policies: Are they Netbios UNC or fqdn DNS UNC paths, does one work and not the other ? -Original Message- From: "Blair, James" <[EMAIL PROTECTED]> Date: Wed, 20 Apr 2005 21:19:15 To: Subject: [ActiveDir] Policies: Hope someone can help. There seems to be a strange policy on our Workstation or Global User baseline that is effecting users on client workstations to not be able to: Access UNC paths outside their subnet even though they are able to ping and resolve these names through DNS. Utilise remote connection software to different subnets. I am going through all the settings and comparing RSOP data but as you are all able to appreciate it is a fairly long and arduous process. One thing I am able to rule out is that is not service related. Any help would be be appreciated. 
RE: [ActiveDir] Policies:
In the end both NetBIOS and FQDN are resolved to IPs. Although you can ping the machines, that does not mean you can access the same machines on other ports. Are you using firewalls in between, or do those target systems have firewalls installed, enabled and configured? If yes, check which ports are allowed.
Jorge

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Blair, James
Sent: woensdag 20 april 2005 14:40
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:
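Jeremy's and Jorge's point above (ping succeeds, yet UNC access across subnets fails because the SMB ports never cross the router ACL or firewall) can be checked directly rather than by combing through RSOP data. The following is an added example, not code from the list thread: it resolves the target name, probes TCP 445 and 139 (the ports UNC access depends on), and tells a refused connection (the host was reached, nothing listens) apart from a timeout (the SYN was silently dropped, the usual filtering signature); the host names and verdict strings are constructed here.

```python
"""Probe a UNC target's SMB ports directly: a working ping only proves ICMP
crosses the path, while UNC access needs TCP 445 (SMB direct) or 139 (NetBIOS)."""
import socket

SMB_PORTS = (445, 139)

def resolve(name):
    """Resolve a NetBIOS name, FQDN or literal IP to IPv4 addresses ([] on failure)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_probe(ip, port, timeout=2.0):
    """'open'; 'refused' (RST came back, so the host was reached but nothing listens);
    'timeout' (SYN silently dropped, the usual router ACL / firewall signature); 'error'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((ip, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "error"

def verdict(results):
    """Map per-port probe states to a diagnosis an admin can act on."""
    states = set(results.values())
    if "open" in states:
        return "smb reachable"
    if states == {"timeout"}:
        return "filtered: open TCP 445/139 on the router ACL or firewall"
    if "refused" in states:
        return "host reached but no SMB listener (not a path problem)"
    return "no route to host"

def diagnose(host, ports=SMB_PORTS, timeout=2.0):
    """Resolve the name, probe every SMB port on the first address, summarise."""
    ips = resolve(host)
    if not ips:
        return {"host": host, "ips": [], "results": {}, "verdict": "name resolution failed"}
    results = {port: tcp_probe(ips[0], port, timeout) for port in ports}
    return {"host": host, "ips": ips, "results": results, "verdict": verdict(results)}
```

Run it from a workstation on the failing subnet, e.g. `diagnose("fileserver.corp.example")` (hypothetical name); a verdict of "filtered" with a successful ping is exactly the symptom the thread describes.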
RE: [ActiveDir] Policies:
Hi James... A policy shouldn't affect a subnet only, unless it's a "site" policy. Unless I'm misunderstanding you? Sounds more like private addressing actually. 169.245 IP range? At least to me. That would keep clients only accessing others on their perceived subnet.
John

-----Original Message-----
From: "Blair, James" <[EMAIL PROTECTED]>
Sent: 04/20/2005 07:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Policies:
RE: [ActiveDir] Policies:
All do not work...IP, NetBIOS & FQDN
James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Wednesday, 20 April 2005 10:28 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Policies:
Re: [ActiveDir] Policies:
Are they NetBIOS UNC or FQDN DNS UNC paths? Does one work and not the other?

-----Original Message-----
From: "Blair, James" <[EMAIL PROTECTED]>
Date: Wed, 20 Apr 2005 21:19:15
To:
Subject: [ActiveDir] Policies:
Re: [ActiveDir] Restricting sensitive information
Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc., what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?
Regards
Peter Jessop
[ActiveDir] Restricting sensitive information
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc., what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?
[ActiveDir] Policies:
Hope someone can help. There seems to be a strange policy on our Workstation or Global User baseline that is affecting users on client workstations so that they are not able to:
- Access UNC paths outside their subnet, even though they are able to ping and resolve these names through DNS.
- Utilise remote connection software to different subnets.
I am going through all the settings and comparing RSOP data but, as you are all able to appreciate, it is a fairly long and arduous process. One thing I am able to rule out is that it is not service related. Any help would be appreciated.
James
[ActiveDir] OT Exchange Move Mailbox Roll Back Plan
Having migrated sites using the move mailbox function previously, I am pretty confident that I won't need to use a roll back plan; however, it is obviously important to have one.

I am looking at moving approx 1400 mailboxes from one Exchange 5.5 server in a single site, multi server organisation to an Exchange 2003 server in the same site. The ADC is in place using one-way synchronisation and is all functioning quite happily. Message flow etc. all appears to be working fine and this really is just a confidence booster migration for the client.

My question relates to the options available for rollback should there be major issues the following morning. I have looked at several options, which include moving the mailboxes back using the same tool, and using exmerge to create a backup; however, I have not got too far with this as I am having difficulties listing mailboxes (maybe due to AV). Finally, if most of the users are having issues, to restore the Exchange 5.5 server back to its original state.

I wanted to check if anyone had ever had to roll back from a large move mailbox process (taking over 5 hours) and if so how they went about it. Secondly, with regard to the Exchange 5.5 restore, will I need to restore anything in the AD to update where the users' mailboxes are, or will the ADC sort this out following the restore (I intend to restore the DIR and PRIV edb files)?

Your experiences would be welcome even if it is just to confirm my feeling that this is a highly unlikely scenario.

Regards,
Jacqui
RE: [ActiveDir] Script Blocking
Just for info, Microsoft's Spyware blocker picks up all script files and prompts if you want to run them - if you say "yes" it remembers it for the future, but if you say no then it never runs. I'm not sure if signing the script would help???
Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 20 April 2005 06:52
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Script Blocking

‘Run logon script synchronously’ should take care of this setting, as it will load startup scripts first before the explorer shell. Check out the settings under Computer config\Admin templates\System\Scripts\
But if it's considered as a virus, try creating a batch file which calls this vbs script and see if it works as a workaround.
Thank you and have a splendid day!
Re: [ActiveDir] Script Blocking
Freddy,
I tried these two methods but they have not solved the problem. Norton detects these scripts and asks the user if (s)he wants to run them.
Regards
P