RE: [ActiveDir] ad controller moved now another problem
Have you:

* Defined AD subnets for the network segments where AD clients exist?
* Defined AD sites for the separate locations?
* Linked each AD subnet to an AD site?

ALSO...

By default all DCs register site-specific DNS records (for the site they're in and for the sites they cover, if applicable) and domain-specific DNS records (for the domain the DC is a member of). When a client needs a DC it searches for a DC in the same site as the client. When those are not available it (by default) searches for any random DC in the domain.

As you can see, the reason the user authenticated to the branch office DC could be that the DCs in the same site as the client are for some reason not available. For this see MS-KBQ306602.

Cheers,
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/25/2005 10:10 PM
Subject: [ActiveDir] ad controller moved now another problem

Thanks to everyone for the help moving the server site. Now I have another issue: when I look at the event log for the server at the remote location, in the security log, it has a lot of entries like this:

    User Logoff:
        User Name:  mes
        Domain:     WVS
        Logon ID:   (0x0,0x8938C)
        Logon Type: 3
    For more information, see Help and Support Center at

This user and all of the other users listed are users from the main office, not the remote office. Does this mean that the users from the main office are authenticating to the remote server?

Thanks
Jeff

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
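The three checks Jorge lists, plus the locator result for one client, as an added PowerShell example that is not part of the thread. It assumes a domain-joined host with PowerShell 3.0 or later and uses System.DirectoryServices only; Resolve-DnsName needs Windows 8 / Server 2012 or later (nslookup -type=SRV does the same on older hosts).

```powershell
# Added example, not from the thread: audit subnet/site/link coverage and show
# which site and DC the locator hands this client. Assumes a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

function Get-UnlinkedAdSubnet {
    # Subnet objects with an empty siteObject attribute. A client whose IP falls
    # in one of these has no site, so the locator falls back to "any DC in the
    # domain", which is one way a main-office user ends up on the branch DC.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc"
    $searcher.Filter = '(&(objectClass=subnet)(!(siteObject=*)))'
    [void]$searcher.PropertiesToLoad.Add('cn')
    foreach ($r in $searcher.FindAll()) { $r.Properties['cn'][0] }
}

function Get-AdSiteCoverage {
    # For each site: its subnets and the DCs that live in it. A site with no DC
    # of its own is covered by DCs from other sites, which register that site's
    # SRV records in addition to their own (the "sites they cover" in the reply).
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        [pscustomobject]@{
            Site    = $site.Name
            Subnets = @($site.Subnets | ForEach-Object { $_.Name }) -join ', '
            DCs     = @($site.Servers | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

function Get-ClientLocatorResult {
    # The site the locator assigns this client, the DC it returned, and whether
    # they match. A mismatch means the in-site DCs were unreachable or had not
    # registered their site-specific records when the lookup ran (see KB Q306602
    # cited in the reply).
    try {
        $clientSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        Write-Warning 'This client IP is not covered by any AD subnet, so it has no site.'
        return
    }
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc = $domain.FindDomainController()
    [pscustomobject]@{
        ClientSite       = $clientSite
        DomainController = $dc.Name
        DcSite           = $dc.SiteName
        SameSite         = ($clientSite -eq $dc.SiteName)
    }
    # The site-specific SRV name the locator queries first; the DCs listed as
    # NameTarget are the ones serving (or covering) this site in DNS.
    $srv = "_ldap._tcp.$clientSite._sites.dc._msdcs.$($domain.Name)"
    Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object Name, NameTarget, Priority, Weight
}

$unlinked = @(Get-UnlinkedAdSubnet)
if ($unlinked.Count -gt 0) {
    Write-Warning "Subnets not linked to any site: $($unlinked -join ', ')"
}
Get-AdSiteCoverage | Format-Table -AutoSize
Get-ClientLocatorResult | Format-List
```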
RE: [ActiveDir] How to determine which is the default site
I guess 'he' is me, so thought I should respond :)

Based upon the excellent feedback received, it looks as though my concerns have been allayed. I was discussing this over a beer with an ex-colleague and we both thought the behaviour in scenario 3 was different, and hence the original post. I therefore don't really care which is/was the default site anymore, as you suggested.

Thanks to all,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: 25 April 2005 23:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Yeah, if you don't have one numbered in the low thousands, then it's gone. I wonder which method he finally picked? Maybe he doesn't care anymore.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

My lowest numbered site has a USN of 1.8 million. Though I know I deleted the original one and probably 50 after that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 13, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

From the tests I've run so far, it's been pretty consistent that the first site has a USNCreated of 4112 for a fresh Windows 2003 AD. For forests that started life as Windows 2000, I've been seeing 3493, but at least one forest has it at 1171. Not sure what that's about.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 13, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why?

Nothing I have seen in my experience would seem to indicate anything special about that first site; in fact my home test lab has been running with that first site deleted for some time now and I am running with other sites.

Someone mentioned looking at the GUIDs. GUIDs are not sequential, they are semi-randomly created, see MSDN for the algorithm. Trying to divine order from them would be fruitless.

Here would be a simple command line to find the oldest site:

    adfind -config -f objectcategory=site whencreated -sort whencreated -maxe 1

This would look at the config container, find all site objects, sort them by whenCreated, then return the DN and whenCreated attribute for the first one.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, April 13, 2005 9:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] How to determine which is the default site

At some point in the dim, dark past, the default site was renamed (I assume it was not removed!)

Does anyone have a quick and easy way to determine which of the existing sites was once the default site?

[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have 100 sites so need something more elegant/quicker.]

Any suggestions more than welcome.

Thanks,
neil

==============================================================================
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==============================================================================
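joe's adfind query done with System.DirectoryServices, as an added example that is not from the thread: it lists every site with whenCreated and uSNCreated so the two signals the thread discusses (creation time, and the low uSNCreated values Wook reports) can be compared side by side. Assumes a domain-joined host with PowerShell 3.0 or later.

```powershell
# Added example, not from the thread: joe's adfind query via System.DirectoryServices,
# with uSNCreated alongside whenCreated. Assumes a domain-joined host.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdSiteAge {
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.SearchScope = 'OneLevel'            # site objects sit directly under CN=Sites
    $searcher.Filter      = '(objectCategory=site)'
    foreach ($attr in 'cn', 'whenCreated', 'uSNCreated', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            Site        = $r.Properties['cn'][0]
            WhenCreated = [datetime]$r.Properties['whencreated'][0]
            UsnCreated  = [int64]$r.Properties['usncreated'][0]
            DN          = $r.Properties['distinguishedname'][0]
        }
    }
}

# Oldest site first. A uSNCreated in the low thousands (Wook reports 4112 for a
# fresh Windows 2003 forest, 3493 or 1171 for forests that began as Windows 2000)
# is the other hint that the object dates from forest creation; adfind's
# "-maxe 1" corresponds to Select-Object -First 1 on the sorted list.
$sites = Get-AdSiteAge | Sort-Object WhenCreated
$sites | Format-Table Site, WhenCreated, UsnCreated -AutoSize
$sites | Select-Object -First 1
```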
[ActiveDir]Time Service
I have followed the two recent threads over time synchronisation but am still left with a doubt. We have a single domain AD forest with 3 DCs. None of these has an Internet connection. I wish to use a member server to synchronise with an external NTP source and then have the PDC emulator sync with this server. Is this possible and how is it done?

Regards
Peter Jessop
RE: [ActiveDir]Time Service
Just set the time source for the PDC role owner DC to point to the member server, and set the time source for the member server to the outside time source.

From: [EMAIL PROTECTED] on behalf of Peter Jessop
Sent: Tue 4/26/2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Time Service
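The two-hop setup Peter asks about, as an added example that is not part of the thread: w32tm configures the Internet-facing member server against an external NTP source and the PDC emulator against that member server. Assumes Windows Server 2003 SP1 or later (w32tm /query appeared in SP1), an elevated prompt, and that TIME01.corp.example.com and pool.ntp.org are placeholders for your own server and NTP source.

```powershell
# Added example, not from the thread. Block A runs on the Internet-facing member
# server, block B on the PDC emulator. TIME01.corp.example.com and pool.ntp.org
# are placeholders; replace them with your own hostnames.

# --- A: member server with Internet access ---------------------------------------
# ",0x8" = poll the peer in client mode; /syncfromflags:manual = use only this
# list (not the domain hierarchy); /reliable:yes = advertise this host as a
# reliable source so the PDCe will accept it as its parent.
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# --- B: PDC emulator --------------------------------------------------------------
# The PDCe is the root of the domain time hierarchy; every other DC and member
# keeps the default NT5DS type and follows it. Only the PDCe needs a manual peer,
# and only the member server needs UDP/123 to the outside.
w32tm /config /manualpeerlist:"TIME01.corp.example.com,0x8" /syncfromflags:manual /update
Restart-Service w32time
w32tm /resync /rediscover

# --- Verification (run on the PDCe, then on a second DC) -------------------------
w32tm /query /source          # PDCe: TIME01.corp.example.com; other DCs: the PDCe
w32tm /query /status          # Stratum (PDCe = member server's stratum + 1), last sync
w32tm /query /configuration   # Type: NTP on the PDCe and TIME01, NT5DS on other DCs
w32tm /monitor                # offset of every DC in the domain against the PDCe

# Confirm the DC you configured in block B really holds the PDC emulator role
netdom query fsmo
```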
RE: [ActiveDir] Kerberos authentication and 2003 /2000
Have you tried running netdiag /fix?

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, April 22, 2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos authentication and 2003 /2000

Domain running 2000 native mode. DCs are 2000. Have member servers with 2003. When I run netdiag I see that Kerberos authentication failed. Should I be concerned, or is something wrong on either the member server or the domain controllers?

Jeff
[ActiveDir] branding IE through AD
I've been playing with W2K3 AD and I know you can do easy IE branding with it, but I seem to be having trouble finding that ability in W2K AD. Anyone with any thoughts?

This e-mail is the property of RedDaulphin.com. It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies of this e-mail.
RE: [ActiveDir] GPO errors on logon
Hi,

Sorry for the delay, I've been quite busy lately.

Checking the DNS was the first thing I did when I got the error. After checking a bit further I found 3 other machines that have this error (including my own laptop, where the error started out of nowhere). I tried some things in the GPOs but nothing seemed to work.

Any other ideas are welcome! (I may try to call PSS to get that hot fix, but as I said, the article talks about XP SP1 only and we are under SP2.)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Saturday, April 23, 2005 3:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO errors on logon

Verify your network settings. Is the Primary DNS set to the correct DNS server? I found this happening on a system and it was because it couldn't find the Domain Controller properly. Not sure if that is your problem per se, but it's definitely worth a look.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Friday, April 22, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO errors on logon

Hi,

I have 2 laptops that have the same problem. They are very slow to log on to the domain and they generate the following events:

    Event Type:     Error
    Event Source:   Userenv
    Event Category: None
    Event ID:       1030
    Date:           4/22/2005
    Time:           3:55:08 PM
    User:           Domain\username
    Computer:       computername
    Description:    Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.

    Event Type:     Error
    Event Source:   Userenv
    Event Category: None
    Event ID:       1006
    Date:           4/22/2005
    Time:           3:55:08 PM
    User:           Domain\username
    Computer:       computername
    Description:    Windows cannot bind to workgroup domain. (Erreur locale). Group Policy processing aborted.

I've done some research and I found an article that seems to cover this issue, though it's applicable to XP SP1 and the laptops are SP2. The solution in this article was a hot fix that needs to be sent by PSS.

The other problem (that seems to be related to the first one) is that it takes almost 1 minute to log on. Both laptops are Toshiba with Windows XP SP2, fully patched. The domain is a Win2k native domain.

Has anyone seen that already?

Thanks!
RE : [ActiveDir] GPO errors on logon
Hi,

Could you post an output of netdiag run on your XP?

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, 26 April 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO errors on logon
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Guido, thanks for your help on this!

Best regards

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Ah, that changes the picture.

Option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or, if the root zone itself is not too large, add a secondary of the root itself to the child DCs.

For the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003, Guido. What's the recommendation in that case?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

You don't mention the OS version; I'm assuming you will implement or have implemented Win2k3. In this case the island problem (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3.

I would also recommend setting up the _msdcs subzone of the root as a forest-wide app partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:

1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
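Guido's Win2K guidance above, turned into a check of each DC's DNS client server list, as an added PowerShell example that is not part of the thread. The DC list is constructed sample data laid out like Mark's forest (domain.com, sub1.domain.com, sub2.domain.com); Get-LiveDcDnsConfig shows how the same objects can be collected from real DCs over WMI. Assumes PowerShell 3.0 or later; the secondary _msdcs zone recommendation is not checked.

```powershell
# Added example, not from the thread. Checks DC resolver lists against the
# Win2K advice: child DCs -> self first plus a same-domain partner, never a
# root DC; root DCs -> a different root DC first, themselves last.
# (The secondary _msdcs zone recommendation is not checked here.)

function Test-DcDnsConfig {
    param(
        [Parameter(Mandatory)] [object[]] $Dcs,        # objects with Name, Domain, Ip, DnsServers
        [Parameter(Mandatory)] [string]   $RootDomain
    )
    $ipToDc = @{}
    foreach ($dc in $Dcs) { $ipToDc[$dc.Ip] = $dc }

    foreach ($dc in $Dcs) {
        $isRoot   = ($dc.Domain -eq $RootDomain)
        $servers  = @($dc.DnsServers)
        $findings = New-Object System.Collections.Generic.List[string]

        if ($servers.Count -lt 2) { $findings.Add('fewer than two DNS servers configured') }
        $partner = $servers | Where-Object { $_ -ne $dc.Ip -and $ipToDc[$_] -and $ipToDc[$_].Domain -eq $dc.Domain }
        $foreign = $servers | Where-Object { $ipToDc[$_] -and $ipToDc[$_].Domain -ne $dc.Domain }
        $unknown = $servers | Where-Object { -not $ipToDc[$_] }

        if ($isRoot) {
            # A Win2K root DC that resolves against itself first can "island":
            # it registers only with its own copy of the zone and never sees
            # the records its peers register.
            if ($servers[0] -eq $dc.Ip)       { $findings.Add('root DC lists itself first (islanding risk)') }
            if (-not $partner)                { $findings.Add('no other root DC in the list') }
            if ($servers -notcontains $dc.Ip) { $findings.Add('does not list itself as the last resort') }
        } else {
            if ($servers[0] -ne $dc.Ip) { $findings.Add('child DC should list itself first') }
            if (-not $partner)          { $findings.Add('no partner DC from the same domain') }
            if ($foreign)               { $findings.Add("depends on DC(s) of another domain: $($foreign -join ', ')") }
        }
        if ($unknown) { $findings.Add("resolver(s) not in the DC list: $($unknown -join ', ')") }

        [pscustomobject]@{
            DC       = $dc.Name
            Role     = $(if ($isRoot) { 'root' } else { 'child' })
            Servers  = $servers -join ', '
            Findings = $(if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' })
        }
    }
}

function Get-LiveDcDnsConfig {
    # Same object shape collected from real DCs over WMI (works against Win2K/2003).
    # Takes the first IP-enabled adapter that has a DNS server list and its first address.
    param([Parameter(Mandatory)] [string[]] $DcNames, [Parameter(Mandatory)] [string] $Domain)
    foreach ($name in $DcNames) {
        $nic = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $name -Filter 'IPEnabled = TRUE' |
               Where-Object { $_.DNSServerSearchOrder } | Select-Object -First 1
        [pscustomobject]@{ Name = $name; Domain = $Domain; Ip = $nic.IPAddress[0]; DnsServers = @($nic.DNSServerSearchOrder) }
    }
}

# Constructed sample forest: the sub1 DCs use Mark's option 1 (self + root DC),
# sub2 and ROOTDC1 follow Guido's layout, and ROOTDC2 points to itself first.
$sampleDcs = @(
    [pscustomobject]@{ Name = 'ROOTDC1'; Domain = 'domain.com';      Ip = '10.0.0.1'; DnsServers = '10.0.0.2', '10.0.0.1' }
    [pscustomobject]@{ Name = 'ROOTDC2'; Domain = 'domain.com';      Ip = '10.0.0.2'; DnsServers = '10.0.0.2', '10.0.0.1' }
    [pscustomobject]@{ Name = 'SUB1DC1'; Domain = 'sub1.domain.com'; Ip = '10.0.1.1'; DnsServers = '10.0.1.1', '10.0.0.1' }
    [pscustomobject]@{ Name = 'SUB1DC2'; Domain = 'sub1.domain.com'; Ip = '10.0.1.2'; DnsServers = '10.0.1.2', '10.0.0.2' }
    [pscustomobject]@{ Name = 'SUB2DC1'; Domain = 'sub2.domain.com'; Ip = '10.0.2.1'; DnsServers = '10.0.2.1', '10.0.2.2' }
    [pscustomobject]@{ Name = 'SUB2DC2'; Domain = 'sub2.domain.com'; Ip = '10.0.2.2'; DnsServers = '10.0.2.2', '10.0.2.1' }
)
Test-DcDnsConfig -Dcs $sampleDcs -RootDomain 'domain.com' | Format-Table -AutoSize
```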
[ActiveDir] Offline Address Book Error
Does anyone know how to fix this? I tried a rebuild of the OAB; it failed.

    12:59:34 Synchronizer Version 11.0.6352
    12:59:35 Synchronizing Mailbox 'Don Murawski (Lenox)'
    12:59:35 Done
    12:59:35 Microsoft Exchange offline address book
    12:59:35 0X8004010F

Thanks,
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
One more question on this: is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs? In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa?

Thanks again!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
RE: [ActiveDir] GPO errors on logon
Also post the KB articles that you've tried. That will help us know what you've done already.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, April 26, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO errors on logon
Re: [ActiveDir] Offline Address Book Error
Have you seen these KB articles?

http://support.microsoft.com/?kbid=887409
http://support.microsoft.com/?kbid=867506

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4), MCSA(W2K3/W2K/MSG), CCNA, Network+
Houston, TX

On 4/26/05, Don Murawski (Lenox) [EMAIL PROTECTED] wrote:

> Does anyone know how to fix this? I tried a rebuild of the OAB; it failed.
>
> 12:59:34 Synchronizer Version 11.0.6352
> 12:59:35 Synchronizing Mailbox 'Don Murawski (Lenox)'
> 12:59:35 Done
> 12:59:35 Microsoft Exchange offline address book
> 12:59:35 0X8004010F
>
> Thanks,
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on computers in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2. If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain, saving another hop to get those names resolved).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, 26. April 2005 20:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs? In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa? Thanks again!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

ah - that changes the picture

option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs.

for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25. April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the island problem (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3. I would also recommend setting up the _msdcs subzone of the root as a forest-wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25. April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an empty forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our external DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable. Different ideas I've tried:

1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark
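One way to check a forest against the Win2K recommendation Guido gives above (child DCs point to themselves first and to another DC of their own domain second; root DCs point to a different root DC first) is to audit each DC's DNS client list. The script below is an added example, not code from the thread or from Microsoft. The inventory it runs on is constructed sample data shaped like Get-ADDomainController output plus a DnsServers list; the commented collection step at the end assumes the ActiveDirectory and DnsClient modules and PowerShell remoting to each DC.

```powershell
# Added example, not from the thread: audit DC DNS client settings against the
# Win2K recommendation (child DC: itself first, then another DC of its own
# domain; root DC: a different root DC first, then another root DC or itself).

function Test-DcDnsClientConfig {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,   # HostName, Domain, IPv4Address, DnsServers
        [Parameter(Mandatory)] [string]   $RootDomain
    )
    # Map IP -> DC so each configured DNS server can be identified
    $dcByIp = @{}
    foreach ($dc in $Inventory) { $dcByIp[$dc.IPv4Address] = $dc }

    foreach ($dc in $Inventory) {
        $findings = New-Object System.Collections.Generic.List[string]
        $servers  = @($dc.DnsServers)
        $isRoot   = ($dc.Domain -ieq $RootDomain)

        if ($servers.Count -lt 2) {
            $findings.Add('fewer than two DNS servers configured (no failover)')
        }
        # Anything that is not a known DC (an ISP resolver, a decommissioned box) is a finding
        foreach ($s in $servers) {
            if (-not $dcByIp.ContainsKey($s)) { $findings.Add("$s is not a known DC") }
        }
        if ($servers.Count -ge 1) {
            $primary = $servers[0]
            if ($isRoot) {
                # Root DCs must not rely on themselves first (the Win2K island problem)
                if ($primary -eq $dc.IPv4Address) {
                    $findings.Add('root DC points to itself first')
                } elseif ($dcByIp.ContainsKey($primary) -and $dcByIp[$primary].Domain -ine $RootDomain) {
                    $findings.Add("primary $primary is not a root-domain DC")
                }
            } elseif ($primary -ne $dc.IPv4Address) {
                $findings.Add('child DC does not point to itself first')
            }
        }
        if ($servers.Count -ge 2 -and -not $isRoot) {
            $secondary = $servers[1]
            if ($secondary -eq $dc.IPv4Address) {
                $findings.Add('secondary is the DC itself (no failover)')
            } elseif ($dcByIp.ContainsKey($secondary) -and $dcByIp[$secondary].Domain -ine $dc.Domain) {
                $findings.Add("secondary $secondary belongs to $($dcByIp[$secondary].Domain), not $($dc.Domain)")
            }
        }
        [pscustomobject]@{
            HostName  = $dc.HostName
            Domain    = $dc.Domain
            Compliant = ($findings.Count -eq 0)
            Findings  = ($findings -join '; ')
        }
    }
}

# Constructed sample inventory (names and addresses are made up)
$inventory = @(
    [pscustomobject]@{ HostName = 'rdc1.domain.com';       Domain = 'domain.com';      IPv4Address = '10.0.0.1'; DnsServers = @('10.0.0.2', '10.0.0.1') }
    [pscustomobject]@{ HostName = 'rdc2.domain.com';       Domain = 'domain.com';      IPv4Address = '10.0.0.2'; DnsServers = @('10.0.0.2', '10.0.0.1') }  # itself first: island risk
    [pscustomobject]@{ HostName = 's1dc1.sub1.domain.com'; Domain = 'sub1.domain.com'; IPv4Address = '10.0.1.1'; DnsServers = @('10.0.1.1', '10.0.1.2') }  # option 3: compliant
    [pscustomobject]@{ HostName = 's1dc2.sub1.domain.com'; Domain = 'sub1.domain.com'; IPv4Address = '10.0.1.2'; DnsServers = @('10.0.1.2', '10.0.0.1') }  # option 1: root DC as secondary
)
Test-DcDnsClientConfig -Inventory $inventory -RootDomain 'domain.com' | Format-Table -AutoSize

# Live collection (assumed modules and remoting; replaces the sample above on a real forest):
# $inventory = foreach ($d in (Get-ADForest).Domains) {
#     foreach ($dc in Get-ADDomainController -Filter * -Server $d) {
#         $dns = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
#             (Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses).ServerAddresses
#         }
#         [pscustomobject]@{ HostName = $dc.HostName; Domain = $dc.Domain; IPv4Address = $dc.IPv4Address; DnsServers = @($dns) }
#     }
# }
```

On the sample data, rdc2 and s1dc2 are reported non-compliant with the reason text, so the output doubles as a list of what to fix; the "not a known DC" check is the one that most often catches the leftover external resolver that causes the odd replication failure.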
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Excellent explanation. Thanks again!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Re: [ActiveDir] Recommended DNS settings in 3 domain forest
You should have the secondary zones and vice versa. There have been some good posts here about that. I'd like to point you to an excellent article that Mark Minasi wrote last fall in Windows IT Pro: http://www.windowsitpro.com/Windows/Article/ArticleID/43582/43582.html

I can't say it better than Mark so I'll let you digest his article.

Thanks
Mike

On 4/26/05, Creamer, Mark [EMAIL PROTECTED] wrote:
RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?
Unfortunately yes. You should see one of three messages there:

Windows 2000
WindowsNT 4
Local Computer

Where you see Windows 2000 it should just say Active Directory Domain.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 24, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Native - gpresult shows domain = 2000?

Gpresult shows Domain Type: Windows 2000

Ldp shows these:
1 domainFunctionality: 2;
1 forestFunctionality: 2;
1 domainControllerFunctionality: 2;

Is this expected? Or should I be getting a different output?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] Restricting sensitive information
Use third party encryption.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
RE: [ActiveDir] Email Addresses in AD
Are you asking how to mailbox enable users who are not currently mailbox enabled or something else?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, April 19, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Email Addresses in AD

If I don't have user email addresses set up in AD (on all user profiles/accounts) can I set up Exchange to pull the account name and then add the domain information to it to create the email address automatically for users?

Thanks,
Brenda
RE: [ActiveDir] Not able to achieve restricted access to Domain Controllers
Anyone who logs into DCs interactively should be a domain admin. If they are bright, they will just make themselves one anyway.

Anyone who can manipulate files or control services running as localsystem or administrator accounts should be a domain admin. If they are bright, they will just make themselves one anyway.

You are wrong in thinking you can safely protect a domain controller from someone with too many rights to a domain controller escalating themselves into a domain or better admin.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shuchipan Sharma
Sent: Monday, April 18, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Not able to achieve restricted access to Domain Controllers

Dear All,

It's been quite some time that I have been following this tech group and it really has helped me in resolving a lot of my issues with AD.

I'm facing some issue with controlled access to Domain Controllers. Following the best practices we have changed the Administrator account name and have provided access depending on the functions carried out by the Administrators. But somehow even if I add them to Server Operators (Built-in group) they are not able to log in to Domain Controllers. I have also modified the Domain Controller Security Policy (Log on locally).

I want all the admins to be able to log in on the DCs but not to be allowed to mess with the group policies etc. Also they should be able to connect the computers to the domain. (I have delegated the permission to connect to the domain thru GP but it is also not working.)

Please let me know where I am wrong and how I should fix it.

Thanks,
Shuchipan
RE: [ActiveDir] Windows Server 2003 Access-based Enumeration
You know if anyone is on this list that is also on the team that put this tool out... why do I have to install to a K3 SP1 machine?? I should be able to install to XP or whatever else. This just means people will unpack once and then wrap it themselves for installing around a company, or at least the people in companies that don't have admins TSing into servers to do admin work.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Tuesday, April 19, 2005 2:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows Server 2003 Access-based Enumeration

Enjoy! GUI and CLI tool from Microsoft to enable Access-based Enumeration.

http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

Francis
[ActiveDir] More than 1 user having 'managed by' for a group?
Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Does that tickbox and the user listed there actually translate to a 'Write Permission' on the 'This object only' ACL?? Stupid question - I'll try this myself soon enough..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?
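Freddy's question above (does the Managed By tickbox translate to a write permission on the group?) is easiest to answer by reading the group's ACL and listing every principal that holds WriteProperty on the 'member' attribute, which is the right the "Manager can update membership list" checkbox grants. The script below is an added example, not from the thread; it assumes the ActiveDirectory module and its AD: drive for the live lookup, and the sample ACEs at the bottom are constructed so the evaluation logic can be exercised without a directory.

```powershell
# Added example, not from the thread: who can change a group's membership?
# Lists principals with WriteProperty on 'member' (directly, or via
# GenericWrite / GenericAll), next to the group's managedBy value.
Add-Type -AssemblyName System.DirectoryServices

$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute
$AllPropertiesGuid   = [guid]'00000000-0000-0000-0000-000000000000'   # ObjectType when an ACE covers every attribute

function Test-AceWritesMembership {
    # $Ace needs ActiveDirectoryRights, ObjectType and AccessControlType,
    # as System.DirectoryServices.ActiveDirectoryAccessRule provides them
    param([Parameter(Mandatory)] $Ace)
    $rights = [System.DirectoryServices.ActiveDirectoryRights] $Ace.ActiveDirectoryRights
    # WriteProperty is a bit inside GenericWrite and GenericAll, so one bit test covers all three
    $canWrite = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
    $onMember = ($Ace.ObjectType -eq $MemberAttributeGuid) -or ($Ace.ObjectType -eq $AllPropertiesGuid)
    return ([string]$Ace.AccessControlType -eq 'Allow') -and $canWrite -and $onMember
}

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)] [string] $GroupDN)
    $group = Get-ADGroup -Identity $GroupDN -Properties managedBy
    $acl   = Get-Acl -Path "AD:\$GroupDN"
    foreach ($ace in $acl.Access) {
        if (-not (Test-AceWritesMembership -Ace $ace)) { continue }
        $scope = if ($ace.ObjectType -eq $MemberAttributeGuid) { 'member only' } else { 'all properties' }
        [pscustomobject]@{
            Group     = $group.Name
            ManagedBy = $group.managedBy
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Scope     = $scope
        }
    }
}

# Constructed sample ACEs (not read from a directory) showing what the test keys on
$sampleAces = @(
    [pscustomobject]@{ IdentityReference = 'CORP\HelpdeskLeads'; ActiveDirectoryRights = 'WriteProperty'; ObjectType = $MemberAttributeGuid; AccessControlType = 'Allow' }  # checkbox-style grant
    [pscustomobject]@{ IdentityReference = 'CORP\Domain Admins'; ActiveDirectoryRights = 'GenericAll';    ObjectType = $AllPropertiesGuid;   AccessControlType = 'Allow' }  # full control
    [pscustomobject]@{ IdentityReference = 'CORP\Auditors';      ActiveDirectoryRights = 'ReadProperty';  ObjectType = $AllPropertiesGuid;   AccessControlType = 'Allow' }  # read only
    [pscustomobject]@{ IdentityReference = 'CORP\Contractors';   ActiveDirectoryRights = 'WriteProperty'; ObjectType = $MemberAttributeGuid; AccessControlType = 'Deny'  }  # explicit deny
)
$sampleAces | ForEach-Object {
    '{0,-22} writes membership: {1}' -f $_.IdentityReference, (Test-AceWritesMembership -Ace $_)
}

# On a live domain (placeholder DN, replace with a real group):
# Get-GroupMembershipWriters -GroupDN 'CN=SomeGroup,OU=Groups,DC=domain,DC=com' | Format-Table -AutoSize
```

Only the first two sample ACEs report True. Run against a real group, the output shows whether the Managed By entry is backed by an explicit 'member only' ACE and which other principals (inherited Domain Admins, delegated OU admins) can change membership regardless of what the tab says, which is the list worth reviewing when a group guards something sensitive.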
RE: [ActiveDir] How much of the DIT is cached in RAM ?
You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as much as we can fit, assuming 1) we don't run out of memory to use 2) we don't have pressure to back off. And we try and pick the best pages to cache (best definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can warm the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:

1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.

2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say please prefetch this index. But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say the actual DIT isn't cached in RAM, the tables, indexes, and such are cached. I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we take a latch on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one, trust me OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside), actually logs an event on how much free space there is in the database ... I'm 57% sure that the DIT size - that free size, is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon counters ... first set the Squeaky Lobster registry key to get the advanced ESE performance counters, then use the Database performance object, the Database Cache Size counter. Also look at the Database Cache % Clean, b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such that the number of non-empty data pages is really quite close to what you'd get if you did an offline defrag. THOUGH, you'd have free pages in the database in the online defrag case, that offline defrag would give you back in the form of a smaller DIT file. So for memory purposes, joe is right, don't worry about offline defrag, unless there are disk space issues ... but do look for the successful online defrag event.

Note: There was an issue where online defrag was never completing.

Both online defrag and offline defrag basically scrunch all the
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry should have said:

I _think_ _online_ defrag actually logs an event on how much free space there is in the database

Yes, it should. It might require turning up GC logging (to 1?) but either way, yes it does.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry I keep forgetting things. Brett mentioned:

Note: There was an issue where online defrag was never completing.

This was an issue on 2k. You might want to know how you would know if you are hitting this. It shows itself with a series of event 602s in the event logs. If you see this, holler, and we can provide steps to clear this. It's a trivial fix.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Excellent post Brett. This is good info that generally doesn't seem to make it out of the corridors of msft. I appreciate you taking the time to write this up.

Initially your explanation bothered me about loading DIT pages as it seems it would be more efficient to load the tables and indexes up versus chasing from page to page for the info... However, thinking more about it, the mechanism I am visualizing wouldn't scale with any memory pressure, you could and probably would get into a situation where you couldn't load an entire table or index and where would you be then?

I am probably going to show even more ignorance on how the backend works, but say you have an index that is spread across several pages. Let's say those pages aren't in consecutive pages on disk, will they get loaded into consecutive pages in memory so you can tear through it sort of like a single structure or will it rely on some sort of a linked list type of scheme where you jump around memory chasing the index rows. I expect the latter and I also would expect this issue would be minimized with the successful online defrags as you mentioned since the indexes/tables will be collected together.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say the actual DIT isn't cached in RAM, the tables, indexes, and such are cached. I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we take a latch on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking of prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one, trust me OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside), actually logs an event on how much free space there is in the database ... I'm 57% sure that the DIT size - that free size, is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon, counters, by using perfmon ... first set the Squeaky Lobster registry key to get the advanced ESE performance counter, then use the Database performance object the Database Cache Size counter. Also look at the Database Cache % Clean, b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do, during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such that the number of non-empty data pages is really quite close to what you'd get if you did an offline defrag. THOUGH, you'd have free pages in the database in the online defrag case, that offline defrag would give you back in the form of a smaller DIT file. So for memory purposes, joe is right, don't worry about offline defrag, unless there are disk space issues ... but do look for the successful online defrag event.

Note: There was an issue where online defrag was never completing.

Both online defrag and offline defrag basically scrunch all the data closer to where it belongs (on a per table, per index, etc basis), with the online version leaving white space in between places ... BUT all
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Thanks ~Eric. I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that. How feasible would something like that be? Possibly the results of that would only be for educational reasons but I, at least, would find that info interesting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as much as we can fit, assuming 1) we don't run out of memory to use 2) we don't have pressure to back off. And we try and pick the best pages to cache (best definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can warm the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do
1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.
2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say please prefetch this index. But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say the actual DIT isn't cached in RAM, the tables, indexes, and such are cached. I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we take a latch on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking of prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one, trust me OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside), actually logs an event on how much free space there is in the database ... I'm 57% sure that the DIT size - that free size, is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon, counters, by using perfmon ... first set the Squeaky Lobster registry key to get the advanced ESE performance counter, then use the Database performance object the Database Cache Size counter. Also look at the Database Cache % Clean, b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do, during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
It is a validated write permission that gets applied to the member attribute of the group object. For all intents and purposes it is a write attribute, it is just listed as a validated write and called Add/Remove self as member.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Does that tickbox and user listed there - actually translate to 'Write Permission' on This object only ACL?? Stupid question - I'll try this myself soon enough..

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Ah excellent Scott, thanks for that info, I wasn't aware of that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, April 26, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
np. I just get excited when I can finally contribute.

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 4/26/2005 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Ah excellent Scott, thanks for that info, I wasn't aware of that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Tuesday, April 26, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hi Joe

For some reason the below, doesn't give me access to update member list - am running in 2003 sp1 test domain.

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Is it different with sp1?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hey Freddy, I put this in the original post I responded in:

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi Joe

Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only Write Property

The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this to..

dsacls GRPDN /G domain\user:WP

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one.

However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the Add/Remove self as member permission. Sort of like

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Or through a script.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
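An added example, not part of the thread, for the scoping question Freddy raises above. "Add/Remove self as member" is the Self (WS) validated write: it lets a principal add or remove only its own account, which is why it is a poor fit for delegating membership management. The least-privilege grant for a delegate who must edit the whole membership is Write Property scoped to the member attribute alone (in dsacls terms, dsacls GROUP_DN /G domain\secprin:WP;member), which avoids the all-properties write that also permits renaming the group. The PowerShell below does the same through the System.DirectoryServices classes; the group DN and the principal name are placeholders, and the GUID is the schema GUID of the member attribute.

```powershell
# Added example (not the thread's or any product's own script): grant one principal
# Write Property on the 'member' attribute of one group, nothing else, then list the
# resulting ACEs so the grant can be reviewed.
$groupDN   = 'CN=App Owners,OU=Groups,DC=example,DC=com'                             # placeholder DN
$principal = New-Object System.Security.Principal.NTAccount('EXAMPLE\grp-managers')  # placeholder principal

# Schema GUID of the 'member' attribute. The Self-membership validated write
# ("Add/Remove self as member") uses the same GUID together with the Self right.
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group = [ADSI]"LDAP://$groupDN"
$acl   = $group.psbase.ObjectSecurity

# Allow ACE: WriteProperty limited to 'member', applied to this object only (no inheritance).
# Unlike an unscoped WP grant, this does not let the delegate change name, description, etc.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl.AddAccessRule($ace)
$group.psbase.CommitChanges()

# Review step: explicit (non-inherited) ACEs on this group whose object type is 'member'.
# Expect one row for the delegate with ActiveDirectoryRights = WriteProperty.
$acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $memberGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType -AutoSize
```

Run it as an account that can modify the group's security descriptor; the review query at the end is also a handy standalone check for who has been delegated membership edits on a sensitive group.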
[ActiveDir] Rogue Site:
Is there any way to manage a rogue site through AD without having to install a firewall or ISA 2004? We have a remote site that we support and they seem to be putting on contractors so quickly that they even seem to forget. These contractors are then coming in with their own laptops and plugging in the blue cables and wondering why things aren't working. We have no IT person down there and management down there just want the job done which is causing us a headache. I would personally like it if we disconnected the site but that is a no go...

James