RE: [ActiveDir] How much of the DIT is cached in RAM ?
Correcting myself inline (full of that today aren't I?).

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

> I think it would be kind of interesting if the STATS control
> could tell you what % of the result set came from cache or something
> like that

Actually, that's not really what you want. If I may, let me change your ask into what I think you really would like.

What you really want is the % of pages touched to service the query that were in the cache. It doesn't matter if those pages are returned or not, it only matters that you needed the pages to effectively service the search. As that's what defines the amt of time it takes to service it.

[Efleis] - I shouldn't say this, it isn't quite true. What I meant was, this defines the amt of time that we would spend on I/O, should those pages not be in memory. Other things might necessitate more time spent on the search.

That said, assuming you got what you really want, I'm not totally sold on the value. What will you learn?
1) More db cache -> inefficient searches are faster
2) Better search filter optimization -> better index selection -> faster searches with less cache needed and less I/O needed

Searches that hit infrequently used indexes will have a lower % of pages in memory, but still be faster than inefficient ones that hit many pages in memory. And the avg IT admin will wonder why. :)

Inefficient searches are still inefficient, and are still going to require a large db cache to service them in any sort of timely manner. How much cache? As much as you have dataset that need be traversed for the inefficient search in question. Whatever that dataset might be.

Sell me on the learning opportunity here? Sorry, I'm just not seeing it. I like the idea on paper, and would be more than happy to file the bug. I'm just not seeing what you think you can do better with this data point than you can today.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, April 26, 2005 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Thanks ~Eric. I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that. How feasible would something like that be? Possibly the results of that would only be for educational reasons but I, at least, would find that info interesting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as much as we can fit, assuming
1) we don't run out of memory to use
2) we don't have pressure to back off.
And we try and pick the best pages to cache ("best" definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can "warm" the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:
1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.
2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say "please prefetch this index". But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say
> the actual DIT isn't cached in RAM, the tables, indexes, and such
> are cached.

I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we "take a latch" on that page's memory when we want to update the page ... then later we write t
[ActiveDir] Outlook Messages Signature
Hello,

Could I configure the Outlook messages signature with a GPO?

Thanks,
Sergio S T

This e-mail and any attachments are confidential and exclusively directed to its addressee(s). Any copy or distribution will have to be authorized by the Empresa Pública de Emergencias Sanitarias (EPES).
RE: [ActiveDir] How much of the DIT is cached in RAM ?
> I think it would be kind of interesting if the STATS control
> could tell you what % of the result set came from cache or something
> like that

Actually, that's not really what you want. If I may, let me change your ask into what I think you really would like.

What you really want is the % of pages touched to service the query that were in the cache. It doesn't matter if those pages are returned or not, it only matters that you needed the pages to effectively service the search. As that's what defines the amt of time it takes to service it.

That said, assuming you got what you really want, I'm not totally sold on the value. What will you learn?
1) More db cache -> inefficient searches are faster
2) Better search filter optimization -> better index selection -> faster searches with less cache needed and less I/O needed

Searches that hit infrequently used indexes will have a lower % of pages in memory, but still be faster than inefficient ones that hit many pages in memory. And the avg IT admin will wonder why. :)

Inefficient searches are still inefficient, and are still going to require a large db cache to service them in any sort of timely manner. How much cache? As much as you have dataset that need be traversed for the inefficient search in question. Whatever that dataset might be.

Sell me on the learning opportunity here? Sorry, I'm just not seeing it. I like the idea on paper, and would be more than happy to file the bug. I'm just not seeing what you think you can do better with this data point than you can today.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, April 26, 2005 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Thanks ~Eric. I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that. How feasible would something like that be? Possibly the results of that would only be for educational reasons but I, at least, would find that info interesting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as much as we can fit, assuming
1) we don't run out of memory to use
2) we don't have pressure to back off.
And we try and pick the best pages to cache ("best" definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can "warm" the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:
1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.
2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say "please prefetch this index". But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say
> the actual DIT isn't cached in RAM, the tables, indexes, and such
> are cached.

I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we "take a latch" on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking of prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviate
[ActiveDir] Rogue Site:
Is there any way to manage a rogue site through AD without having to install a firewall or ISA 2004?

We have a remote site that we support and they seem to be putting on contractors so quickly that they even seem to forget. These contractors are then coming in with their own laptops and plugging in the blue cables and wondering why things aren't working. We have no IT person down there and management down there just want the job done, which is causing us a headache. I would personally like it if we disconnected the site but that is a no go...

James
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hi Joe

For some reason the below doesn't give me access to update member list - am running in 2003 sp1 test domain.

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Is it different with sp1?

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, April 27, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hey Freddy, I put this in the original post I responded in:

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi Joe

Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only "Write Property". The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this to..

dsacls GRPDN /G "domain\user:WP"

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one.

However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the "Add/Remove self as member" permission. Sort of like

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
np. I just get excited when I can finally contribute.

From: [EMAIL PROTECTED] on behalf of joe
Sent: Tue 4/26/2005 11:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Ah excellent Scott, thanks for that info, I wasn't aware of that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Tuesday, April 26, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hey Freddy, I put this in the original post I responded in:

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi Joe

Thanks for the quick one. Seems like when I was testing this - the permission that is needed is only "Write Property". The closest I got to is the below - however this will allow the user to write ALL PROPERTIES - this includes changing group name, description etc. While the standard gui method will not allow this.. any ideas what type of WP should I restrict this to..

dsacls GRPDN /G "domain\user:WP"

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

The managedBy attribute doesn't bestow any rights upon the owner, it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy but that is two separate operations. That being said, that tab will not let you specify a group, it only looks at users and contacts and will only allow you to specify one.

However all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself, you want to add (and yes I know this makes no sense) the "Add/Remove self as member" permission. Sort of like

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Ah excellent Scott, thanks for that info, I wasn't aware of that.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Crawford, Scott
Sent: Tuesday, April 26, 2005 7:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
It is a "validated" write permission that gets applied to the member attribute of the group object. For all intents and purposes it is a write attribute, it is just listed as a validated write and called "Add/Remove self as member".

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Does that tickbox and user listed there actually translate to 'Write Permission' on This object only ACL? Stupid question - I'll try this myself soon enough..

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!
Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
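The thread contrasts two ways of granting membership writes with dsacls: joe's validated write ("WS;Add/Remove self as member", which joe notes is applied to the member attribute) and Freddy's unscoped "WP", which writes every property of the group. The Python below is an added audit helper, not code from the thread or from dsacls: it parses a group's DACL in SDDL form and tells those grants apart. The member-attribute GUID is the real schema GUID; the sample DACL and its SIDs are constructed placeholders.

```python
import re
from dataclasses import dataclass

# schemaIDGUID of the "member" attribute. The "Self-Membership" validated write
# (shown as "Add/Remove self as member" by dsacls and ADUC) is keyed by this
# same GUID, so both a "WS" grant and a member-only "WP" grant point at it.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Constructed sample DACL (SDDL); the SIDs are placeholders, not real accounts.
#   ACE 1: validated write scoped to member  (dsacls ...:WS;Add/Remove self as member)
#   ACE 2: write property, no object GUID    (dsacls ...:WP -> writes ALL properties)
#   ACE 3: write property scoped to member only
#   ACE 4: read/list only, irrelevant to membership
SAMPLE_DACL = (
    "D:AI"
    "(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1000-2000-3000-1105)"
    "(A;;WP;;;S-1-5-21-1000-2000-3000-1106)"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1000-2000-3000-1107)"
    "(A;;RPLCRC;;;S-1-5-21-1000-2000-3000-1108)"
)

ACE_RE = re.compile(r"\(([^()]*)\)")
BROAD_GENERIC = {"GA", "GW", "WD", "WO"}   # generic all/write, write DACL, write owner
OVER_BROAD = "OVER-BROAD"                  # verdict prefix for grants wider than membership


@dataclass(frozen=True)
class Ace:
    ace_type: str        # A (allow), OA (object allow), D, OD, ...
    flags: str           # inheritance flags such as CI, OI, ID
    rights: frozenset    # two-letter SDDL right codes
    object_guid: str     # attribute / validated-write GUID; "" means the whole object
    inherit_guid: str
    trustee: str         # SID or well-known alias


def split_rights(rights: str) -> frozenset:
    """SDDL runs two-letter right codes together, e.g. 'RPWP'.
    A raw hex mask (0x...) is kept as one token rather than guessed at."""
    if rights.lower().startswith("0x"):
        return frozenset([rights.lower()])
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))


def parse_dacl(sddl: str) -> list:
    """Parse the DACL portion of an SDDL string into Ace records."""
    body = sddl[2:] if sddl.startswith("D:") else sddl
    if "(" in body:
        body = body[body.index("("):]   # skip DACL control flags such as P, AI, AR
    aces = []
    for m in ACE_RE.finditer(body):
        parts = m.group(1).split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        ace_type, flags, rights, obj, inh, sid = parts[:6]
        aces.append(Ace(ace_type, flags, split_rights(rights),
                        obj.lower(), inh.lower(), sid))
    return aces


def classify(ace: Ace) -> str:
    """Describe what an allow ACE on a group object lets the trustee write."""
    if ace.ace_type not in ("A", "OA"):
        return "not an allow ACE"
    if ace.rights & BROAD_GENERIC:
        return f"{OVER_BROAD}: generic write / write DACL / write owner"
    if "WP" in ace.rights and ace.object_guid == "":
        return f"{OVER_BROAD}: write ALL properties (name, description, member, ...)"
    if "WP" in ace.rights and ace.object_guid == MEMBER_GUID:
        return "write property: member only"
    if "SW" in ace.rights and ace.object_guid in ("", MEMBER_GUID):
        return "validated write: Add/Remove self as member"
    return "no write to membership"


def audit_group_dacl(sddl: str) -> list:
    """Return (trustee, verdict) pairs for every ACE in the DACL."""
    return [(ace.trustee, classify(ace)) for ace in parse_dacl(sddl)]


def over_broad_trustees(sddl: str) -> list:
    """SIDs whose grant lets them change more than group membership."""
    return [sid for sid, verdict in audit_group_dacl(sddl)
            if verdict.startswith(OVER_BROAD)]


if __name__ == "__main__":
    for sid, verdict in audit_group_dacl(SAMPLE_DACL):
        print(f"{sid:<36} {verdict}")
```

Feed it the SDDL of a real group (for example the output of dsacls or Get-Acl rendered as SDDL) to see which trustees were granted the dsacls "WP" form Freddy hit rather than a member-scoped right.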
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Thanks ~Eric. I think it would be kind of interesting if the STATS control could tell you what % of the result set came from cache or something like that. How feasible would something like that be? Possibly the results of that would only be for educational reasons but I, at least, would find that info interesting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as much as we can fit, assuming
1) we don't run out of memory to use
2) we don't have pressure to back off.
And we try and pick the best pages to cache ("best" definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can "warm" the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:
1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.
2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say "please prefetch this index". But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say
> the actual DIT isn't cached in RAM, the tables, indexes, and such
> are cached.

I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we "take a latch" on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking of prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one, trust me OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside), actually logs an event on how much free space there is in the database ... I'm 57% sure that "the DIT size" - "that free size", is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon, counters, by using perfmon ... first set the "Squeaky Lobster" registry key to get the advanced ESE performance counter, then use the "Database" performance object the "Database Cache Size" counter. Also look at the "Database Cache % Clean", b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do, during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page whe
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Excellent post Brett. This is good info that generally doesn't seem to make it out of the corridors of msft. I appreciate you taking the time to write this up.

Initially your explanation bothered me about loading DIT pages as it seems it would be more efficient to load the tables and indexes up versus chasing from page to page for the info... However, thinking more about it, the mechanism I am visualizing wouldn't scale with any memory pressure, you could and probably would get into a situation where you couldn't load an entire table or index and where would you be then?

I am probably going to show even more ignorance on how the backend works, but say you have an index that is spread across several pages. Let's say those pages aren't in consecutive pages on disk, will they get loaded into consecutive pages in memory so you can tear through it sort of like a single structure or will it rely on some sort of a linked list type of scheme where you jump around memory chasing the index rows. I expect the latter and I also would expect this issue would be minimized with the successful online defrags as you mentioned since the indexes/tables will be collected together.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say
> the actual DIT isn't cached in RAM, the tables, indexes, and such
> are cached.

I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM, it is cached directly 1 or more pages at a time. Where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages, they stay in the pages, and we "take a latch" on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached, we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking of prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one, trust me OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside), actually logs an event on how much free space there is in the database ... I'm 57% sure that "the DIT size" - "that free size", is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon, counters, by using perfmon ... first set the "Squeaky Lobster" registry key to get the advanced ESE performance counter, then use the "Database" performance object the "Database Cache Size" counter. Also look at the "Database Cache % Clean", b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do, during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such that the number of non-empty data pages is really quite close to what you'd get if you did an offline defrag. THOUGH, you'd have free pages in the database in the online defrag case, that offline defrag would give you back in the form of a smaller DIT file. So for memory purposes, joe is right, don't worry about offline defrag, unless there are disk space issues ... but do look for the successful online defrag event.

Note: There was an issue where online defrag was never completing.

Both online defrag and offline defrag basically scrunch all the data closer to where it belongs (on a per table, per index, etc basis), with the online version leaving white space in between "place
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Hi Joe,

Thanks for the quick one. Seems like when I was testing this, the permission that is needed is only "Write Property". The closest I got to is the below; however, this will allow the user to write ALL PROPERTIES, which includes changing group name, description etc., while the standard GUI method will not allow this. Any ideas what type of WP I should restrict this to?

dsacls GRPDN /G "domain\user:WP"

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
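The attribute-scoped form of the grant Freddy is asking about, as an added example that is not from the thread: dsacls takes an optional object type after the permission, so "WP;member" is Write Property on the member attribute only, while bare "WP" is Write Property on every attribute of the group. The script grants it and then reads the ACL back through the AD: drive to confirm nothing broader was granted. The group DN, the delegated principal (a group, so any number of accounts can be delegated at once), and the presence of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the thread). Delegates membership management of one group to a
# security principal by granting Write Property on the 'member' attribute only, then reads
# the ACL back so you can confirm the ACE is attribute-scoped rather than an unscoped WP.
# Assumptions: RSAT ActiveDirectory module (provides the AD: drive); placeholder DN and principal.
Import-Module ActiveDirectory

$groupDn   = 'CN=App-Admins,OU=Groups,DC=corp,DC=example'   # placeholder group DN
$principal = 'CORP\App-Admins-Managers'                       # placeholder; a group, so many accounts get the right

# 1. Grant. "WP;member" = Write Property scoped to the member attribute.
#    Bare "WP" (the form in the message above) is Write Property on every attribute of the group.
& dsacls.exe $groupDn /G "${principal}:WP;member"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 2. Look up the schemaIDGUID of 'member' from the schema instead of hard-coding it. An ACE carrying
#    this GUID shows in the ACL editor as "Write Members" when the mask is WriteProperty and as
#    "Add/Remove self as member" when the mask is Self (the validated write); same GUID, different mask.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberAttr = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
$memberGuid = New-Object System.Guid -ArgumentList (,[byte[]]$memberAttr.schemaIDGUID)

# 3. Verify: every ACE for the principal should be WriteProperty on exactly that GUID.
$acl  = Get-Acl -Path "AD:\$groupDn"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $principal }

foreach ($ace in $aces) {
    [pscustomobject]@{
        Identity   = $ace.IdentityReference.Value
        Rights     = $ace.ActiveDirectoryRights
        ObjectType = $ace.ObjectType
        MemberOnly = ($ace.ObjectType -eq $memberGuid)   # False + WriteProperty = broader than intended
        Type       = $ace.AccessControlType
    }
}

# A row with MemberOnly = False and Rights containing WriteProperty is the unscoped grant;
# clear every ACE for the principal with:  dsacls $groupDn /R "$principal"   and re-run step 1.
```

The read-back is the part worth keeping: an unscoped WP from an earlier attempt is not removed by adding a scoped one, so without listing the ACEs the group still looks delegated correctly in the GUI while the principal can rewrite any attribute.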
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry, I keep forgetting things. Brett mentioned:

> Note: There was an issue where online defrag was never completing.

This was an issue on 2k. You might want to know how you would know if you are hitting this. It shows itself with a series of event 602s in the event logs. If you see this, holler, and we can provide steps to clear this. It's a trivial fix.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Sorry, should have said:

> I _think_ _online_ defrag actually logs an event on how much
> free space there is in the database

Yes, it should. It might require turning up GC logging (to 1?) but either way, yes it does.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
You beat me to the reply, thanks Brett.

A better way to think of this, Joe, is that a subset of the DIT is in RAM, as much as we can fit, assuming 1) we don't run out of memory to use, 2) we don't have pressure to back off. And we try and pick the best pages to cache ("best" definition omitted for now).

The one thing we can't do today is that we can't proactively cache something. Though I've thought a lot about whether or not it is something that I should personally be pushing Brett's team to work on. There's good and bad, but the bottom line today is that you can "warm" the cache. In the absence of memory pressure, this warming technique will help get things in the first time. But there are some things it doesn't do:

1) It doesn't let you tell buffer manager to keep something in the cache no matter what, if you think you're smarter than the buffer manager. I would point out, almost never are you smarter than buffer manager, even when you think you are. But that doesn't mean you won't complain that we don't have a mechanism for it.

2) You can't really guarantee that something is in the cache with these sorts of warming techniques. You can get close, but you can't (for example) say "please prefetch this index". But warming the cache can do the big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
In the W2K3 SP1 version of dsa.msc, you can specify a group in the Managed By tab. You'll need to select Groups under Object Types when searching for the name though.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Joe,

When you say

> the actual DIT isn't cached in RAM, the tables, indexes, and such
> are cached.

I'd take issue with that ... that isn't a good way to explain what is really happening. The DIT is most definitely cached in RAM; it is cached directly, 1 or more pages at a time, where a page is an 8k chunk for Active Directory. We do not extrude the tables and indexes from those pages; they stay in the pages, and we "take a latch" on that page's memory when we want to update the page ... then later we write that 8k chunk directly from that memory to the offset (based on its pgno) of the DIT file it belongs at.

Now, it is true, not all of the DIT may be cached; we'll only cache what we need, and it will not pull in free space pages into memory (at least in most circumstances ...? I'm thinking prefetching might ... but let's ignore).

I _think_ _online_ defrag (I know we're talking offline defrag below, but mentioning online defrag is important, it is what makes offline defrag unnecessary ... online defrag is frequently abbreviated OLD ... which of course would be the acronym of offline defrag if it had one; trust me, OLD is online defrag (at least as far as the ESE devs are concerned) ... poor taste for a TLA in my opinion ... that was a long aside) actually logs an event on how much free space there is in the database ... I'm 57% sure that "the DIT size" - "that free size" is the approximate size of the non-empty data pages (i.e. pages with data) in the DIT ... due to underflow of a record size on a page, the actual data size is almost assuredly even less than that ... I just made that up w/o looking at the code, so I may take that back later ...

You can see exactly how many bytes of the DIT file + Temp DB* are in RAM with perfmon counters ... first set the "Squeaky Lobster" registry key to get the advanced ESE performance counters, then use the "Database" performance object's "Database Cache Size" counter. Also look at the "Database Cache % Clean", b/c you should multiply those by each other to get real data pages currently in memory.

* Temp DB ... so the database cache is global, so any temporary sorts we needed to do during LDAP queries may be taking up some of the database cache ... I think it's like tmp.edb next to the ntds.dit file. There'd be no technical way to subtract one from the other, but maybe just subtract the whole tmp database size, because that gives you a lower bound on what is definitely ntds.dit.

( watch for usage of offline and online here ... )

I agree you shouldn't worry about offline defrag, but you should make sure that online defrag is completing every now and then or the space wastage will grow towards (I'll make a number range here) 3-5x what it could be. Online defrag ensures that useful data is collected onto the same page when it can be, such that the number of non-empty data pages is really quite close to what you'd get if you did an offline defrag. THOUGH, you'd have free pages in the database in the online defrag case that offline defrag would give you back in the form of a smaller DIT file. So for memory purposes, joe is right, don't worry about offline defrag unless there are disk space issues ... but do look for the successful online defrag event.

Note: There was an issue where online defrag was never completing.

Both online defrag and offline defrag basically scrunch all the data closer to where it belongs (on a per table, per index, etc. basis), with the online version leaving white space in between "places" ... BUT all that said, there is technically one difference between online defrag and offline defrag data layout ... the offline defrag will reorder burst long values into an order that matches the rows in the database ... I don't feel like delving into that yet ...

That's off the top of my head, I'll check facts, and try to write more later ...

Cheers,
Brett Shirley [msft]
posting is as is, but ...

On Tue, 26 Apr 2005, joe wrote:
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
Does that tickbox and the user listed there actually translate to 'Write Permission' on a This-object-only ACL?? Stupid question; I'll try this myself soon enough.

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?
RE: [ActiveDir] More than 1 user having 'managed by' for a group?
The managedBy attribute doesn't bestow any rights upon the owner; it just is an attribute that links the user and group together for easy querying. Later versions of ADUC added functionality by letting you specify that ADUC should add an ACE for the principal specified for managedBy, but that is two separate operations. That being said, that tab will not let you specify a group; it only looks at users and contacts and will only allow you to specify one.

However, all of that being said, you can easily add an ACE to the group for any other groups or users directly to the group itself. You want to add (and yes I know this makes no sense) the "Add/Remove self as member" permission. Sort of like

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?
[ActiveDir] More than 1 user having 'managed by' for a group?
Hi all,

Is it possible to get multiple accounts to be able to perform update of group membership (under the managed by) - both distribution list and security groups?

Thanks in advance!

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?
Thanks Joe. Got me worried for a little before I saw this and the other replies :D

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 5:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?

Unfortunately yes. You should see one of three messages there:

Windows 2000
WindowsNT 4

Where you see Windows 2000 it should just say Active Directory Domain.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 24, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Native - gpresult shows domain = 2000?

Gpresult shows
Domain Type: Windows 2000

Ldp shows these
1> domainFunctionality: 2;
1> forestFunctionality: 2;
1> domainControllerFunctionality: 2;

Is this expected? Or should I be getting a different output?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
RE: [ActiveDir] How much of the DIT is cached in RAM ?
Possibly Eric will see my response to this and come on and smack me but I think your PSS guy may be less than accurate. It is entirely my opinion though. Reducing the physical size of the DIT I don't believe will increase the perf of your queries. As Carlos mentioned, the actual DIT isn't cached in RAM, the tables, indexes, and such are cached. The empty spaces in the DIT physical file should have little if any impact on those tables in memory unless you start looking at things like how long does it take the head to get from the physical location on the spindle of one entry of the table to the next which again, once in memory, shouldn't come into play.

The big bene of offline defrag that I am aware of is simply to reduce DIT bloat and bring it down to a smaller size. You can accomplish the same with a dcpromo demote and repromote and you can automate that with an unattended script. :o) But honestly, unless you are having disk space issues, I don't know many people who worry overly much about doing offline defrags.

Even once you enable the counters, I am not sure if you will know whether or not the whole DB is cached or not simply because the DIT size may not accurately reflect how much data you really have due to free space in the DIT. I say go out and buy a 64 bit machine, load 64 bit Windows Server 2003 on it and buy RAM = 4GB+2xDIT size and you can be pretty sure your entire DB is cached. ;o) From the numbers Wook posted on his slide deck between poems and haikus at the most recent DEC you should see a remarkable increase in perf.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Monday, April 18, 2005 11:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

The reason I asked was out of curiosity, not because of any problem. A MS engineer told us that if the DIT is small enough in relation to the amount of RAM in the DC, the entire DIT would be cached, increasing directory query performance. I was just curious if there was a way to objectively measure this. It's always interesting to measure things to see how changes affect performance. For example, if I delete a large number of objects and wait for the tombstones to age out, I know I could shrink the DIT with an offline defrag. Would doing so have any measurable effect on performance? I don't know, but it would be interesting to do some before and after measurements to find out.

By the way, the context of the conversation was that the engineer was recommending offline defrags after removing a large number of objects (and waiting the requisite time for garbage collection). I have no argument with that, but it's nice to be able to measure what if anything it's buying (besides a smaller DIT file). Some of us are just funny that way, I guess.

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Friday, April 15, 2005 4:27 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Well none of the actual DIT is cached (into the RAM), IMO. The engine might cache regular/common lookups, indexes etc but none to the actual DC's RAM. But then again you have to define what you mean by "into RAM". Nathan is quite right with "Checking the working set size of LSASS is not reliable." There are many more processes that the LSASS is taking care of. You could dump the LSASS process and take a look and then determine from there what is happening.

But now I am curious why you are asking :P Do you have a hungry LSASS process? If you do, what Patch/Service Pack level do you have on that box?

Carlos Magalhaes

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Muggli
Sent: 15 April 2005 06:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Checking the working set size of LSASS is not reliable. There's process overhead for things like lsa session handles and other stuff related to the security sub system. The most accurate method is to enable the ESE Database performance counters and look at "Cache Size". To enable the DB counters, install Server Performance Advisor, or check out
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/distrib/dsbm_mon_pzgc.asp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Thursday, April 14, 2005 8:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

By checking the working set size of LSASS?

Roger Seielstad
E-mail Geek

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
> David A
> Sent: Th
RE: [ActiveDir] Windows Server 2003 Access-based Enumeration
You know if anyone is on this list that is also on the team that put this tool out... why do I have to install to a K3 SP1 machine?? I should be able to install to XP or whatever else. This just means people will unpack once and then wrap it themselves for installing around a company, or at least the people in companies that don't have admins TSing into servers to do admin work.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francis Ouellet
Sent: Tuesday, April 19, 2005 2:35 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Windows Server 2003 Access-based Enumeration

Enjoy! GUI and CLI tool from Microsoft to enable Access-based Enumeration.

http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en

Francis
RE: [ActiveDir] Not able to achieve restricted access to Domain Controllers
Anyone who logs into DCs interactively should be domain admins. If they are bright, they will just make themselves one anyway. Anyone who can manipulate files or control services running as localsystem or administrator accounts should be domain admins. If they are bright, they will just make themselves one anyway. You are wrong in thinking you can safely protect a domain controller from someone with too much rights to a domain controller escalating themselves into a domain or better admin.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shuchipan Sharma
Sent: Monday, April 18, 2005 3:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Not able to achieve restricted access to Domain Controllers

Dear All,

It's been quite some time that I have been following this tech group and it really has helped me in resolving a lot of my issues with AD. I'm facing some issue with controlled access to Domain Controllers. Following the best practices we have changed the Administrator account name and have provided access depending on the functions carried out by the Administrators. But somehow even if I add them to Server Operator (Built-in group) they are not able to login to Domain Controllers. I have also modified the Domain Controller Security Policy (Log on locally). I want all the admins to be able to log in on the DCs but they should not be allowed to mess with the group policies etc. Also they should be able to connect the computers to the domain. (I have delegated the permission to connect to domain thru GP but it is also not working.) Please let me know where I am wrong and how I should fix it.

Thanks,
Shuchipan
RE: [ActiveDir] Email Addresses in AD
Are you asking how to mailbox enable users who are not currently mailbox enabled or something else?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, April 19, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Email Addresses in AD

If I don't have user email addresses setup in AD (on all user profiles/account) can I setup Exchange to pull the account name and then add the domain information to it to create the email address automatically for users?

Thanks,
Brenda
RE: [ActiveDir] Restricting sensitive information
Use third party encryption.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 20, 2005 7:44 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting sensitive information

Original Message:
We have a problem in discussion where we need to restrict sensitive HIPAA information to a very select few employees in the US and only one or two people overseas. The problem is, we have about 10-15 domain admins worldwide in our single domain, and this is too many people to have access to the HIPAA data. Rather than take domain admin privileges away, thereby breaking their ability to promote domain controllers, etc - what's an easy way to have a share on a file server restricted to only a select few of the domain admins? We were thinking of maybe adding a 2nd domain just for the server with this share on it. Then only enterprise admins would have access to that other domain, so only they could see that share. Is there an alternative to something this drastic?

Reply:
Why not simply install the server out of the domain completely and use its local accounts?

Regards
Peter Jessop
RE: [ActiveDir] 2003 Native - gpresult shows domain = 2000?
Unfortunately yes. You should see one of three messages there:

Windows 2000
Windows NT 4

Where you see Windows 2000 it should just say Active Directory Domain.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, April 24, 2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Native - gpresult shows domain = 2000?

Gpresult shows:
Domain Type: Windows 2000

Ldp shows these:
1> domainFunctionality: 2;
1> forestFunctionality: 2;
1> domainControllerFunctionality: 2;

Is this expected? Or should I be getting a different output?

Thank you and have a splendid day!

Kind Regards,
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
Re: [ActiveDir] Recommended DNS settings in 3 domain forest
You should have the secondary zones and vice versa. There have been some good posts here about that. I'd like to point you to an excellent article that Mark Minasi wrote last fall in Windows IT Pro:

http://www.windowsitpro.com/Windows/Article/ArticleID/43582/43582.html

I can't say it better than Mark so I'll let you digest his article.

Thanks
Mike

On 4/26/05, Creamer, Mark <[EMAIL PROTECTED]> wrote:
> Excellent explanation. Thanks again!!
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Tuesday, April 26, 2005 4:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on a computer in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2.
>
> If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain saving another hop to get those names resolved).
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> Sent: Tuesday, 26 April 2005 20:36
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs?
>
> In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa?
>
> Thanks again!
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Tuesday, April 26, 2005 1:31 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> ah - that changes the picture
>
> option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs.
>
> for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> Sent: Monday, 25 April 2005 22:07
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Monday, April 25, 2005 4:00 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the "island-problem" (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3.
>
> I would also recommend to setup the _msdcs subzone of the root as a forest wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).
>
> /Guido
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
> Sent: Monday, 25 April 2005 19:11
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Recommended DNS settings in 3 domain forest
>
> I'd like to solicit a little advice on our AD design with respect to DNS. We have an "empty" forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our "external" DNS servers.
>
> My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries?
>
> I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to ma
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Excellent explanation. Thanks again!!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on a computer in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2.

If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain saving another hop to get those names resolved).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, 26 April 2005 20:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs?

In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa?

Thanks again!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

ah - that changes the picture

option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs.

for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the "island-problem" (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3.

I would also recommend to setup the _msdcs subzone of the root as a forest wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an "empty" forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our "external" DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries?

I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:
1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone.

Thanks as always for your advice!

Mark
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Mark, that depends more on the usage scenarios of your domains. If you have many cross-domain shared resources, e.g. where users working on a computer in sub1.domain.com often need to access servers in the sub2.domain.com domain, a secondary could cause less traffic and would be more independent of the availability of a DC/DNS server of sub2.

If it is the exception, then I wouldn't bother creating those secondaries (however, you may still want to add secondaries to the root of the domain saving another hop to get those names resolved).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Tuesday, 26 April 2005 20:36
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs?

In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa?

Thanks again!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

ah - that changes the picture

option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs.

for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the "island-problem" (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3.

I would also recommend to setup the _msdcs subzone of the root as a forest wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, 25 April 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an "empty" forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our "external" DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries?

I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:
1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone.

Thanks as always for your advice!

Mark
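Guido's advice in this thread (Mark's option 3 for child DCs, and for root DCs in a Win2k forest a different root DC first, another root DC or itself second, itself as a third entry when there are three) can be turned into a quick audit of each DC's DNS client list. The script below is an added example for this thread, not code from any of the posters; the forest, host names and addresses are constructed, and the Win2k versus Win2k3 distinction is passed in as a flag.

```python
"""Audit a forest's DC DNS client settings against the thread's advice.

Encoded rule (Guido's recommendation in this thread; this is an added example):
  * Child-domain DCs, and root DCs once the forest is Win2k3: option 3, i.e. the
    DC lists itself (or 127.0.0.1) first and a partner DC of the same domain second.
  * Root DCs in a Win2k forest (island problem): a *different* root DC first, then
    another root DC or itself; with three root DCs, itself as a third entry.
All domain names, host names and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List

LOOPBACK = "127.0.0.1"


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str          # DNS name of the DC's own domain
    ip: str
    dns_servers: tuple   # DNS client list, in preference order


def _as_self(dc: DomainController, server: str) -> str:
    """127.0.0.1 on a DC means 'this DC', so normalise it to the DC's own address."""
    return dc.ip if server == LOOPBACK else server


def audit_dc_dns(dc: DomainController, forest: List[DomainController],
                 forest_root: str, win2k_root: bool) -> List[str]:
    """Return the findings for one DC; an empty list means it follows the advice."""
    findings: List[str] = []
    known = {d.ip for d in forest}
    partners = {d.ip for d in forest if d.domain == dc.domain and d.ip != dc.ip}
    servers = [_as_self(dc, s) for s in dc.dns_servers]

    for s in servers:
        if s not in known:
            findings.append(f"{s} is not a DC/DNS server of this forest")
    if len(servers) < 2:
        findings.append("fewer than two DNS servers configured")
    if not servers:
        return findings

    primary, secondary = servers[0], (servers[1] if len(servers) > 1 else None)
    if win2k_root and dc.domain == forest_root:
        # Win2k root domain: never point at itself first, or the root can island.
        if primary not in partners:
            findings.append("Win2k root DC must list a different root DC first")
        if secondary is not None and secondary not in partners | {dc.ip}:
            findings.append("second entry must be another root DC or this DC itself")
        if len(partners) >= 2 and dc.ip not in servers:
            findings.append("with three root DCs, add this DC itself as a third entry")
    else:
        # Option 3: itself first, then a partner DC of the same domain (no root DC).
        if primary != dc.ip:
            findings.append("primary DNS server should be this DC itself (option 3)")
        if secondary is not None and secondary not in partners:
            findings.append("second entry should be a partner DC of the same domain")
    return findings


def audit_forest(forest, forest_root, win2k_root):
    """Findings per DC name, so a whole forest can be reviewed in one pass."""
    return {dc.name: audit_dc_dns(dc, forest, forest_root, win2k_root) for dc in forest}


# Constructed sample forest: empty root domain.com with three DCs, two child domains.
SAMPLE_FOREST = [
    DomainController("ROOT1", "domain.com", "10.0.0.1", ("10.0.0.2", "10.0.0.3", LOOPBACK)),
    DomainController("ROOT2", "domain.com", "10.0.0.2", (LOOPBACK, "10.0.0.1")),
    DomainController("ROOT3", "domain.com", "10.0.0.3", ("10.0.0.1", "10.0.0.2", LOOPBACK)),
    DomainController("S1DC1", "sub1.domain.com", "10.1.0.1", (LOOPBACK, "10.1.0.2")),
    DomainController("S1DC2", "sub1.domain.com", "10.1.0.2", (LOOPBACK, "10.1.0.1")),
    DomainController("S1DC3", "sub1.domain.com", "10.1.0.3", ("10.1.0.3", "10.0.0.1")),  # option 1
    DomainController("S2DC1", "sub2.domain.com", "10.2.0.1", ("10.2.0.2", "10.0.0.1")),  # option 2
    DomainController("S2DC2", "sub2.domain.com", "10.2.0.2", ("192.168.5.5",)),         # stray resolver
]

if __name__ == "__main__":
    for legacy in (True, False):
        print(f"--- forest root is Win2k: {legacy}")
        for name, issues in audit_forest(SAMPLE_FOREST, "domain.com", legacy).items():
            print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Running it with `win2k_root=True` flags ROOT2 (points at itself first) while ROOT1 and ROOT3 pass; with `win2k_root=False` the verdicts flip, which is exactly the change Guido describes between the two OS versions.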
Re: [ActiveDir] Offline Address Book Error
Have you seen this KB article?

http://support.microsoft.com/?kbid=887409
http://support.microsoft.com/?kbid=867506

Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX

On 4/26/05, Don Murawski (Lenox) <[EMAIL PROTECTED]> wrote:
> Does anyone know how to fix this? I tried a rebuild of the OAB; it failed.
>
> 12:59:34 Synchronizer Version 11.0.6352
> 12:59:35 Synchronizing Mailbox 'Don Murawski (Lenox)'
> 12:59:35 Done
> 12:59:35 Microsoft Exchange offline address book
> 12:59:35 0X8004010F
>
> Thanks,
RE: [ActiveDir] GPO errors on logon
Also post the KB articles that you've tried. That will help know what you've done already.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, April 26, 2005 7:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO errors on logon

Hi,

Sorry for the delay, I've been quite busy lately. Checking the DNS was the first thing I did when I got the error. After checking a bit further I found 3 other machines that have this error (including my own laptop where the error started out of nowhere). I tried some things in the GPOs but nothing seemed to work.

Any other ideas are welcomed! (I may try to call PSS to get that hot fix, but as I said, the article talks about XP SP1 only and we are under SP2)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Saturday, April 23, 2005 3:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPO errors on logon
>
> Verify your network settings. Is the Primary DNS set to the correct DNS server? I found this happening on a system and it was because it couldn't find the Domain Controller properly. Not sure if that is your problem per se but it's definitely worth a look.
>
> Jeff
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Friday, April 22, 2005 4:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO errors on logon
>
> Hi,
> I have 2 laptops that have the same problem.
> They are very slow to logon the domain and they generate the following events:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 4/22/2005
> Time: 3:55:08 PM
> User: Domain\username
> Computer: computername
> Description:
> Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1006
> Date: 4/22/2005
> Time: 3:55:08 PM
> User: Domain\username
> Computer: computername
> Description:
> Windows cannot bind to workgroup domain. (Erreur locale). Group Policy processing aborted.
>
> I've done some research and I found an article that seems to cover this issue though it's applicable on XP sp1 and the laptops are SP2. The solution on this article was a hot fix that needs to be sent by PSS.
>
> The other problem (that seems to be related to the first one) is that it takes almost 1 minute to logon.
>
> Both laptops are Toshiba with Windows XP sp2 fully patched. The domain is a Win2k native domain.
>
> Has anyone seen that already?
>
> Thanks!
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
One more question on this - is it a good idea to have secondary zones for the other PEER domains on each subdomain's DCs? In other words, domain.com is root. Sub1.domain.com and sub2.domain.com are subdomains, and peers of each other. Should the DCs for sub1 all have secondary zones for sub2 and vice-versa? Thanks again!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, April 26, 2005 1:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

ah - that changes the picture

option 3 is still valid for child DCs (DCs point to themselves + another DC of the same domain), but you should either add a secondary of the _msdcs subzone of the root (i.e. make this its own zone) or - if the root zone itself is not too large - add a secondary of the root itself to the child DCs.

for the root DCs, ensure that they use a different root DC as their primary DNS server, then either another root DC (if you have three) or themselves for the secondary DNS server. If you have three, then I'd add themselves as a third DNS server.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, April 25, 2005 22:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

Oops, sorry. I did forget. It's all Win2K. We're probably a while away from 2003 Guido. What's the recommendation in that case?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, April 25, 2005 4:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Recommended DNS settings in 3 domain forest

you don't mention OS version - I'm assuming you will or have implemented Win2k3. In this case the "island-problem" (which used to be an issue in a Win2k AD's root domain) is no longer an issue and you're fine to go ahead with your option 3.

I would also recommend setting up the _msdcs subzone of the root as a forest-wide app-partition, so that all DCs receive a copy (in this case DNS queries for GCs and DC GUIDs would still work in the event that no root DC is available to answer any forwarding queries).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, April 25, 2005 19:11
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Recommended DNS settings in 3 domain forest

I'd like to solicit a little advice on our AD design with respect to DNS. We have an "empty" forest root domain, and two subdomains. Each domain has at least 3 DCs, two in the main subnet at our corporate office, and one in a remote office. All DCs have DNS installed, all AD-integrated. Each DC's DNS has a copy of its own zone, and has forwarders set up to the root domain. That domain has forwarders to our "external" DNS servers.

My question is, on each of the DCs, how should their own DNS settings be set? That is, what DNS server(s) should a particular DC use for its DNS queries? I've tried a few different approaches, and I think I understand the concept of islanding, but I'm not totally clear on that. My goal is simply to make sure all DNS queries from the users (who all exist in the two sub-domains) run smoothly, and that replication is reliable.

Different ideas I've tried:
1. Each DC has itself as a primary DNS, and a forest root DC as secondary
2. Each DC has a partner DC in the same domain as a primary, and a forest root DC as secondary
3. Each DC has itself as primary, and a partner DC in the same domain as secondary; no root DC defined

I'd like to just do whatever best practice would be and then leave it alone. Thanks as always for your advice!

Mark

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
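The checks Guido's two replies add up to (child DCs point at themselves plus a partner DC of their own domain; root DCs point at a different root DC first; every DC can answer GC SRV and DC-GUID lookups from its own copy of _msdcs.<root>), written up as an added PowerShell audit. This is not code from the thread: it assumes the ActiveDirectory, DnsClient and DnsServer modules of a current Windows Server or RSAT install and WinRM access to each DC, none of which exists on the Windows 2000 DCs Mark describes; the checks themselves are the same ones.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory, DnsClient and
# DnsServer modules (Windows Server 2012 / RSAT or later) and WinRM to each DC.
Import-Module ActiveDirectory

# Compare one DC's resolver list with the recommendation in the thread:
#   child DCs : themselves plus another DC of the same domain (Mark's option 3)
#   root DCs  : a different root DC first, never themselves (the Win2k "island" problem)
#   every DC  : only DCs of its own domain, never a DC of a peer or child domain
function Test-DcDnsClientConfig {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][bool]$IsRootDc,
        [Parameter(Mandatory)][string]$OwnIp,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$DnsServers,
        [Parameter(Mandatory)][hashtable]$DcByIp      # ip -> @{ Name; Domain }
    )
    $findings = @()
    if ($DnsServers.Count -lt 2) { $findings += "${Name}: fewer than two DNS servers configured" }
    foreach ($ip in $DnsServers) {
        if (-not $DcByIp.ContainsKey($ip)) {
            $findings += "${Name}: resolver $ip is not a DC of this forest"
        } elseif ($DcByIp[$ip].Domain -ne $Domain) {
            $findings += "${Name}: resolver $ip ($($DcByIp[$ip].Name)) belongs to another domain"
        }
    }
    if ($IsRootDc) {
        if ($DnsServers.Count -gt 0 -and $DnsServers[0] -eq $OwnIp) {
            $findings += "${Name}: root DC lists itself first; primary should be another root DC"
        }
    } else {
        if ($DnsServers -notcontains $OwnIp) { $findings += "${Name}: child DC does not list itself" }
        if (-not ($DnsServers | Where-Object { $_ -ne $OwnIp })) {
            $findings += "${Name}: child DC has no partner DC of its own domain as secondary"
        }
    }
    return $findings
}

# Live run: collect every DC in the forest, then check each one.
$forest     = Get-ADForest
$rootDomain = $forest.RootDomain
$dcs        = foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d }
$dcByIp     = @{}
foreach ($dc in $dcs) { $dcByIp[$dc.IPv4Address] = @{ Name = $dc.HostName; Domain = $dc.Domain } }

foreach ($dc in $dcs) {
    # Resolver list of the first adapter on the DC that has one.
    $resolvers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } | Select-Object -First 1).ServerAddresses
    }
    Test-DcDnsClientConfig -Name $dc.HostName -Domain $dc.Domain -OwnIp $dc.IPv4Address `
        -IsRootDc ($dc.Domain -eq $rootDomain) -DnsServers @($resolvers) -DcByIp $dcByIp

    # Guido's second point: GC SRV records and DC-GUID CNAMEs live in _msdcs.<root>, so each
    # DC should answer them from a local copy (secondary of _msdcs.<root> or of <root>, or an
    # AD-integrated forest-wide _msdcs zone) instead of forwarding to a root DC that may be down.
    $srv = Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$rootDomain" -Type SRV `
        -Server $dc.IPv4Address -ErrorAction SilentlyContinue
    if (-not $srv) { "$($dc.HostName): cannot resolve GC SRV records in _msdcs.$rootDomain" }
    $copy = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsServerZone | Where-Object { $_.ZoneName -in @("_msdcs.$using:rootDomain", $using:rootDomain) }
    }
    if (-not $copy) { "$($dc.HostName): holds no copy of _msdcs.$rootDomain or $rootDomain; add a secondary" }
}
```

A root DC that still keeps _msdcs as a subdomain inside the root zone passes the last check through its copy of the root zone itself; a child DC that only forwards to the root fails it, which is exactly the case where a root outage would stop GC and replication-partner lookups.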
[ActiveDir] Offline Address Book Error
Does anyone know how to fix this? I tried a rebuild of the OAB; it failed.

12:59:34 Synchronizer Version 11.0.6352
12:59:35 Synchronizing Mailbox 'Don Murawski (Lenox)'
12:59:35 Done
12:59:35 Microsoft Exchange offline address book
12:59:35 0X8004010F

Thanks,
RE: [ActiveDir] Recommended DNS settings in 3 domain forest
Guido, thanks for your help on this!

Best regards
RE : [ActiveDir] GPO errors on logon
Hi,

Could you post an output of netdiag run on your XP?

Thanks

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Tuesday, April 26, 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO errors on logon

Hi,

Sorry for the delay, I've been quite busy lately. Checking the DNS was the first thing I did when I got the error. After checking a bit further I found 3 other machines that have this error (including my own laptop where the error started out of nowhere). I tried some things in the GPOs but nothing seemed to work. Any other ideas are welcomed! (I may try to call PSS to get that hot fix, but as I said, the article talks about XP SP1 only and we are under SP2)

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
> Sent: Saturday, April 23, 2005 3:21 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] GPO errors on logon
>
> Verify your network settings. Is the Primary DNS set to the correct DNS server? I found this happening on a system and it was because it couldn't find the Domain Controller properly. Not sure if that is your problem per se but it's definitely worth a look.
>
> Jeff
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
> Sent: Friday, April 22, 2005 4:14 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO errors on logon
>
> Hi,
> I have 2 laptops that have the same problem. They are very slow to log on to the domain and they generate the following events:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 4/22/2005
> Time: 3:55:08 PM
> User: Domain\username
> Computer: computername
> Description:
> Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by the policy engine.
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1006
> Date: 4/22/2005
> Time: 3:55:08 PM
> User: Domain\username
> Computer: computername
> Description:
> Windows cannot bind to workgroup domain. (Local error). Group Policy processing aborted.
>
> I've done some research and I found an article that seems to cover this issue though it's applicable on XP SP1 and the laptops are SP2. The solution in this article was a hot fix that needs to be sent by PSS.
>
> The other problem (that seems to be related to the first one) is that it takes almost 1 minute to log on.
>
> Both laptops are Toshiba with Windows XP SP2 fully patched. The domain is a Win2k native domain.
>
> Has anyone seen that already?
>
> Thanks!
RE: [ActiveDir] GPO errors on logon
Hi,

Sorry for the delay, I've been quite busy lately. Checking the DNS was the first thing I did when I got the error. After checking a bit further I found 3 other machines that have this error (including my own laptop where the error started out of nowhere). I tried some things in the GPOs but nothing seemed to work. Any other ideas are welcomed! (I may try to call PSS to get that hot fix, but as I said, the article talks about XP SP1 only and we are under SP2)
[ActiveDir] branding IE through AD
I've been playing with W2K3 AD and I know you can do easy IE branding with it, but I seem to be having trouble finding that ability in W2K AD. Anyone with any thoughts?

This e-mail is the property of RedDaulphin.com It is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential, or otherwise protected from disclosure. Distribution or copying of this e-mail or the information contained herein by anyone other than the intended recipient is prohibited. If you have received this e-mail in error, please immediately notify us by sending an e-mail to [EMAIL PROTECTED] and destroy all electronic and paper copies of this e-mail.
RE: [ActiveDir] Kerberos authentication and 2003 /2000
Have you tried running netdiag /fix?

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Friday, April 22, 2005 9:45 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Kerberos authentication and 2003 /2000

Domain running 2000 native mode. DCs are 2000. Have member servers with 2003. When I run netdiag I see that Kerberos authentication failed. Should I be concerned, or is something wrong on either the member server or the Domain controllers?

Jeff
RE: [ActiveDir]Time Service
Just set the time source for the PDC role owner DC to point to the member server, and set the time source for the member server to the outside time source.

From: [EMAIL PROTECTED] on behalf of Peter Jessop
Sent: Tue 4/26/2005 1:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir]Time Service

I have followed the two recent threads over time synchronisation but am still left with a doubt. We have a single domain AD forest with 3 DCs. None of these has an Internet connection. I wish to use a member server to synchronise with an external NTP server and then have the PDC emulator sync with this server. Is this possible and how is it done?

Regards
Peter Jessop
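The two-hop chain in the reply above (member server from the outside NTP server, PDC emulator from the member server, everything else from the domain hierarchy), as an added example that is not part of the thread. It uses the w32tm /config syntax of Windows Server 2003 and later; Windows 2000, which Peter's DCs may well be running, configured the same thing with net time /setsntp:<server>, and w32tm /query only exists from Windows Server 2008 on. The names time01, ntp.example.org and example.com are placeholders.

```powershell
# Added example, not from the thread. w32tm /config syntax as on Windows Server 2003 and
# later (Windows 2000 used "net time /setsntp:<server>"); "w32tm /query" needs Windows
# Server 2008 or later. time01, ntp.example.org and example.com are placeholders.
# Run each section in an elevated prompt on the machine named.

# --- On the member server with Internet access (time01) ---
# Take time only from the external NTP server; the 0x8 flag is plain client mode.
w32tm /config /manualpeerlist:"ntp.example.org,0x8" /syncfromflags:manual /update
net stop w32time
net start w32time
w32tm /resync /rediscover

# --- On the PDC emulator ---
# Use time01 as its manual peer instead of the domain hierarchy (the PDC emulator is the
# top of that hierarchy and would otherwise have no source), and keep advertising as a
# reliable time source so the other two DCs and all members keep chaining from it.
w32tm /config /manualpeerlist:"time01.example.com,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync /rediscover

# --- On the other two DCs and on members: nothing to change, they follow the hierarchy ---

# Verification. On the PDC emulator the source must be time01; on the other DCs, the PDC emulator.
w32tm /query /source
w32tm /query /status
# Windows Server 2003 has no /query; read the configured peer and type from the registry instead:
w32tm /dumpreg /subkey:Parameters
# From any machine, compare the offsets of all DCs in the domain at once:
w32tm /monitor /domain:example.com
```

Two things worth keeping in mind with this layout: Kerberos rejects tickets once clocks drift more than five minutes apart by default, so the member server is now the single link between the forest's time and the outside world and should be monitored like one; and if the PDC emulator role is ever moved, the new holder needs the same manual-peer configuration, otherwise it reverts to having no source.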
[ActiveDir]Time Service
I have followed the two recent threads over time synchronisation but am still left with a doubt. We have a single domain AD forest with 3 DCs. None of these has an Internet connection. I wish to use a member server to synchronise with an external NTP server and then have the PDC emulator sync with this server. Is this possible and how is it done?

Regards
Peter Jessop
RE: [ActiveDir] How to determine which is the default site
I guess 'he' is me, so thought I should respond :)

Based upon the excellent feedback received, it looks as though my concerns have been allayed. I was discussing this over a beer with an ex-colleague and we both thought the behaviour in scenario 3 was different, and hence the original post. I therefore don't really care which is/was the default site anymore, as you suggested.

Thanks to all,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: 25 April 2005 23:06
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Yeah, if you don't have one numbered in the low thousands, then it's gone. I wonder which method he finally picked? Maybe he doesn't care anymore.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

My lowest numbered site has a USN of > 1.8 million. Though I know I deleted the original one and probably 50 after that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lee, Wook
Sent: Wednesday, April 13, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

From the tests I've run so far, it's been pretty consistent that the first site has a USNCreated of 4112 for a fresh Windows 2003 AD. For forests that started life as Windows 2000, I've been seeing 3493, but at least one forest has it at 1171. Not sure what that's about.

Wook

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 13, 2005 9:24 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How to determine which is the default site

Why?

Nothing I have seen in my experience would seem to indicate anything special about that first site; in fact my home test lab has been running with that first site deleted for some time now and I am running with other sites.

Someone mentioned looking at the GUIDs. GUIDs are not sequential, they are semi-randomly created, see MSDN for the algorithm. Trying to divine order from them would be fruitless.

Here would be a simple command line to find the oldest site:

adfind -config -f objectcategory=site whencreated -sort whencreated -maxe 1

This would look at the config container, find all site objects, sort them by whenCreated, then return the DN and whenCreated attribute for the first one.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, April 13, 2005 9:54 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] How to determine which is the default site

At some point in the dim, dark past, the default site was renamed (I assume it was not removed!) Does anyone have a quick and easy way to determine which of the existing sites was once the default site?

[It has been suggested that I look at the create date for all the sites and that the oldest one will be the default site :) I have >100 sites so need something more elegant/quicker.]

Any suggestions more than welcome.

Thanks,
neil

==
This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure.
==
RE: [ActiveDir] ad controller moved now another problem
Have you:
* Defined AD subnets for network segments where AD clients exist?
* Defined AD sites for separate locations?
* Linked each AD subnet to an AD site?

ALSO...

By default all DCs register site-specific DNS records (for the site they're in and for sites they cover, if applicable) and domain-specific DNS records (for the domain the DC is a member of). When a client needs a DC it searches for a DC in the same site as the client. When those are not available it (by default) searches for any random DC in the domain. As you can see, the reason the user authenticated to the branch office DC could be that the DCs in the same site as the client are for some reason not available.

For this see MS-KBQ306602

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/25/2005 10:10 PM
Subject: [ActiveDir] ad controller moved now another problem

Thanks to everyone for the help moving the server site. Now I have another issue: when I look at the event log for the server at the remote location, in the security log, it has a lot of entries like this:

User Logoff:
User Name: mes
Domain: WVS
Logon ID: (0x0,0x8938C)
Logon Type: 3
For more information, see Help and Support Center at

This user and all of the other users listed are users from the main office, not the remote office. Does this mean that the users from the main office are authenticating to the remote server?

Thanks
Jeff

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
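Jorge's three bullets as an added check, not part of the thread: take the forest's subnet-to-site definitions, map each client address to a site the way the DC locator does (longest matching prefix, ignoring subnets not linked to a site), and list the addresses no subnet covers, since those clients are the ones that fall back to any DC in the domain. The subnet table and client addresses below are constructed for the example; the commented line at the end shows the live query with the ActiveDirectory module, which did not exist in 2005 but returns exactly this shape.

```powershell
# Added example, not from the thread. Pure logic over a constructed subnet table; the
# commented line at the end is the live equivalent on a real forest.

function ConvertTo-AddressInt ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

# Longest-prefix match of a client address against the AD subnet objects, which is how the
# DC locator picks the client's site. Returns $null when no (site-linked) subnet covers it.
function Resolve-ClientSite {
    param([string]$ClientIp, [hashtable[]]$Subnets)
    $addr = ConvertTo-AddressInt $ClientIp
    $best = $null
    foreach ($s in $Subnets) {
        if (-not $s.Site) { continue }            # subnet not linked to a site: as good as undefined
        $net, $bits = $s.Name -split '/'
        $bits = [int]$bits
        $mask = ([int64]0xFFFFFFFF -shl (32 - $bits)) -band 0xFFFFFFFF
        $inSubnet = ($addr -band $mask) -eq ((ConvertTo-AddressInt $net) -band $mask)
        if ($inSubnet -and ($null -eq $best -or $bits -gt $best.Bits)) {
            $best = @{ Site = $s.Site; Bits = $bits; Subnet = $s.Name }
        }
    }
    return $best
}

function Get-SiteCoverageReport {
    param([string[]]$ClientIps, [hashtable[]]$Subnets)
    foreach ($ip in $ClientIps) {
        $hit = Resolve-ClientSite -ClientIp $ip -Subnets $Subnets
        [pscustomobject]@{
            Client = $ip
            Site   = $(if ($hit) { $hit.Site } else { '(none: any DC in the domain may be used)' })
            Subnet = $(if ($hit) { $hit.Subnet } else { '' })
        }
    }
}

# Constructed subnet table, in the shape Get-ADReplicationSubnet -Filter * returns (Name, Site).
$subnets = @(
    @{ Name = '10.1.0.0/16';  Site = 'MainOffice' },
    @{ Name = '10.1.50.0/24'; Site = 'MainOffice-ServerRoom' },
    @{ Name = '10.2.0.0/24';  Site = 'BranchOffice' },
    @{ Name = '10.3.0.0/24';  Site = $null }       # defined but never linked to a site
)
# Constructed client addresses: a main-office PC, a server-room host, a branch PC, a host on
# the unlinked subnet, and a VPN pool nobody created a subnet for.
$clients = '10.1.20.15', '10.1.50.7', '10.2.0.33', '10.3.0.12', '192.168.200.9'

Get-SiteCoverageReport -ClientIps $clients -Subnets $subnets | Format-Table -AutoSize

# Live equivalent on a real forest (ActiveDirectory module; Site comes back as a DN):
# $subnets = Get-ADReplicationSubnet -Filter * |
#     ForEach-Object { @{ Name = $_.Name; Site = ($_.Site -replace '^CN=([^,]+),.*', '$1') } }
```

To see what a particular client actually chose, run nltest /dsgetsite and nltest /dsgetdc:<domain> on it. On Windows Server 2003 and later DCs, NETLOGON event 5807 and the NO_CLIENT_SITE lines in %SystemRoot%\debug\netlogon.log list the client addresses that matched no subnet, which is the quickest way to find the gaps this report would flag.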