RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-27 Thread Eric Fleischman
Correcting myself inline (full of that today aren't I?).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

 I think it would be kind of interesting if the STATS control
 could tell you what % of the result set came from cache or something
 like that

Actually, that's not really what you want. If I may, let me change your
ask into what I think you really would like.
What you really want is the % of pages touched to service the query that
were in the cache. It doesn't matter if those pages are returned or not,
it only matters that you needed the pages to effectively service the
search. As that's what defines the amt of time it takes to service it.
[Efleis] - I shouldn't say this, it isn't quite true. What I meant was,
this defines the amt of time that we would spend on I/O, should those
pages not be in memory. Other things might necessitate more time spent
on the search.

That said, assuming you got what you really want, I'm not totally sold
on the value. What will you learn?
1) More db cache - inefficient searches are faster
2) Better search filter optimization - better index selection - faster
searches with less cache needed and less I/O needed

Searches that hit infrequently used indexes will have a lower % of pages
in memory, but still be faster than inefficient ones that hit many pages
in memory. And the avg IT admin will wonder why. :)

Inefficient searches are still inefficient, and are still going to
require a large db cache to service them in any sort of timely manner.
How much cache? As much as you have dataset that need be traversed for
the inefficient search in question. Whatever that dataset might be.

Sell me on the learning opportunity here? Sorry, I'm just not seeing it.
I like the idea on paper, and would be more than happy to file the bug.
I'm just not seeing what you think you can do better with this data
point than you can today.

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 26, 2005 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Thanks ~Eric. I think it would be kind of interesting if the STATS
control could tell you what % of the result set came from cache or
something like that. How feasible would something like that be? Possibly
the results of that would only be for educational reasons but I, at
least, would find that info interesting.


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM,
as much as we can fit, assuming 1) we don't run out of memory to use 2) we
don't have pressure to back off. And we try and pick the best pages to
cache (best definition omitted for now).

The one thing we can't do today is that we can't proactively cache
something. Though I've thought a lot about whether or not it is something
that I should personally be pushing Brett's team to work on.
There's good and bad, but the bottom line today is that you can warm
the cache. In the absence of memory pressure, this warming technique will
help get things in the first time. But there are some things it doesn't
do:
1) It doesn't let you tell buffer manager to keep something in the cache
no matter what, if you think you're smarter than the buffer manager. I
would point out, almost never are you smarter than buffer manager, even
when you think you are. But that doesn't mean you won't complain that we
don't have a mechanism for it.
2) You can't really guarantee that something is in the cache with these
sorts of warming techniques. You can get close, but you can't (for
example) say please prefetch this index. But warming the cache can do the
big stuff, like walking ancestry and pulling in the mass of the data
table.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Joe,

When you say
   the actual DIT isn't cached in RAM, the tables, indexes, and such
   are cached.
I'd take issue with that ... that isn't a good way to explain what is
really happening.

The DIT is most definitely cached in RAM, it is cached directly 1 or more
pages at a time.  Where a page is an 8k chunk for Active Directory.  We do
not extrude the tables and indexes from those pages, they stay in the
pages, and we take a latch on that page's memory when we want to update
the page ... then later we write that 8k chunk

RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread Jorge de Almeida Pinto
Hi,

That being said, that tab will not let you specify a
group, it only looks at users and contacts and will only allow you to
specify one.

In W2K3SP1 this changed. It is possible to specify a group in the managedBy
and allow it to change group membership by checking the checkbox

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/27/2005 1:31 AM
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

The managedBy attribute doesn't bestow any rights upon the owner, it just
is an attribute that links the user and group together for easy querying.

Later versions of ADUC added functionality by letting you specify that
ADUC should add an ACE for the principal specified for managedBy but that
is two separate operations. That being said, that tab will not let you
specify a group, it only looks at users and contacts and will only allow
you to specify one.

However all of that being said, you can easily add an ACE to the group for
any other groups or users directly to the group itself, you want to add
(and yes I know this makes no sense) the Add/Remove self as member
permission.

Sort of like 

dsacls "GROUP_DN" /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
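
The point made in this thread, that managedBy is only a link and the right to change membership comes from a separate ACE, can be checked against a group's security descriptor. The following is an added example, not code from the thread: a Python check over an SDDL string that lists which trustees hold write access to the member attribute or the "Add/Remove self as member" validated write. The SDDL sample, the SIDs and the function names are constructed for illustration; the GUID is the schema GUID of the member attribute.

```python
import re

# schemaIDGUID of the "member" attribute. The Self-Membership validated write
# ("Add/Remove self as member") is identified by the same GUID.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# Access-mask bits behind the SDDL tokens, for ACEs whose rights are in hex.
MASK_TOKENS = {0x20: "WP", 0x08: "SW", 0x10000000: "GA", 0x40000000: "GW"}


def rights_tokens(field):
    """Split an SDDL rights or flags field ('RPWP', 'CIIO', '0x28') into tokens."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {tok for bit, tok in MASK_TOKENS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def membership_writers(sddl):
    """Map trustee -> ways it can change 'member' on the object that owns sddl.

    Limits of this sketch: deny ACEs, conditional ACEs and property-set GUIDs
    are not evaluated, so the result is an upper bound to review by hand.
    """
    result = {}
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not dacl:
        return result
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):          # allow ACEs only
            continue
        if "IO" in rights_tokens(flags):         # inherit-only: not effective here
            continue
        if obj_guid and obj_guid.lower() != MEMBER_GUID:
            continue                             # scoped to something else
        tokens = rights_tokens(rights)
        granted = set()
        if tokens & {"WP", "GA", "GW"}:          # write property
            granted.add("write-member")
        if tokens & {"SW", "GA", "GW"}:          # validated write (dsacls "WS")
            granted.add("self-membership")
        if granted:
            result.setdefault(trustee, set()).update(granted)
    return result


def manager_can_update(sddl, manager_sid):
    """True only if the managedBy principal also holds a write ACE on member."""
    return "write-member" in membership_writers(sddl).get(manager_sid, set())


# Constructed sample: domain SID and RIDs are made up.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;DA)"                                            # full control
    f"(OA;;WP;{MEMBER_GUID};;{DOM}-1105)"                     # may write member
    f"(OA;;SW;{MEMBER_GUID};;{DOM}-1106)"                     # add/remove self
    f"(OA;;RP;{MEMBER_GUID};;AU)"                             # read only
    f"(OA;CIIO;WP;{MEMBER_GUID};;{DOM}-1107)"                 # inherit-only
    f"(OA;;WP;00000000-0000-0000-0000-000000000001;;{DOM}-1109)"  # other attribute
)

if __name__ == "__main__":
    for trustee, how in sorted(membership_writers(SAMPLE_SDDL).items()):
        print(trustee, sorted(how))
    # A principal named in managedBy but absent from the DACL gets nothing.
    print(manager_can_update(SAMPLE_SDDL, f"{DOM}-1108"))
```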



[ActiveDir] Segregating and delegating _msdcs

2005-04-27 Thread Ruston, Neil
For various reasons we would like to split out _msdcs and the other _* domains within one specific DNS zone, into separate zones. These new zones will then, eventually, be hosted on non-Windows DNS servers, whilst the 'parent' zone will remain hosted on w2k DCs.

Our current environment is w2k DCs [in a 4 domain forest] so app partitions are not an option just yet. Root domain is named test.com and 3 children exist, a.test.com, b.test.com and c.test.com. We wish to delegate the _ domains within a.test.com only to non-Windows DNS servers, with a.test.com remaining hosted on w2k DCs.

I have found fairly useful technotes etc and have started to flesh out a plan but wondered if anyone would be prepared to share any real world experiences of such an operation. i.e. how was the change performed? Any pitfalls or gotchas? 

Thanks in advance,
neil






[ActiveDir] Issues

2005-04-27 Thread Za Vue
Source: Userenv

EventID 1000:

Windows cannot determine the user or account name. Return value (5).

I have taken the server (W2K) off the domain (W2k), renamed it, cleaned
the old name off the domain, renamed it back to the original name, added
it to the domain and still getting this error.



Thank you,

Z.V










RE: [ActiveDir] Email Addresses in AD

2005-04-27 Thread Bruyere, Michel








I'm not sure that it's what you want to do, but

http://support.microsoft.com/default.aspx?scid=kb;en-us;285136&Product=exch2k

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, April 19, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Email Addresses in AD

If I don't have user email addresses setup in AD (on all user
profiles/account) can I setup Exchange to pull the account name and then
add the domain information to it to create the email address
automatically for users?

Thanks,

Brenda










RE: [ActiveDir] Email Addresses in AD

2005-04-27 Thread Brenda Casey



Thank you, that is exactly what I was looking for. Your help is
appreciated!

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Wednesday, April 27, 2005 8:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Email Addresses in AD

I'm not sure that it's what you want to do, but
http://support.microsoft.com/default.aspx?scid=kb;en-us;285136&Product=exch2k

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, April 19, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Email Addresses in AD

If I don't have user email addresses setup in AD (on all user
profiles/account) can I setup Exchange to pull the account name and then
add the domain information to it to create the email address
automatically for users?

Thanks,
Brenda


[ActiveDir] Requesting data from the exchange server

2005-04-27 Thread samarthgopalakrishna
Hello every one,

Always get "Requesting data from the exchange server" message.

We have a Problem for about 20 users, only users of one particular exchange 
server are affected. Only one person on the same server has no problems to 
access his mailbox.

Also not possible to access outlook web access. Get timeout error from Internet 
Explorer, except the one person who has no problems.

Steps tried:

1. Took control of one of the faulty mailboxes using ADUC. Could access without 
any issues.(I am in a different domain and different exchange server)

2. Unchecked cached exchange and checked back.
3. Re-added one of the computers to the domain
4. Checked all the network settingsDNS suffixes..etc

Any help is hugely appreciated.

Regards
sam




RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Al Mulnick
Did you check the server itself to see about performance issues?  What
about the network path? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 10:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Requesting data from the exchange server

Hello every one,

Always get Requesting data from the exchange server message.

We have a Problem for about 20 users, only users of one particular
exchange server are affected. Only one person on the same server has no
problems to access his mailbox.

Also not possible to access outlook web access. Get timeout error from
Internet Explorer, except the one person who has no problems.

Steps tried:

1. Took control of one of the faulty mailboxes using ADUC. Could access
without any issues.(I am in a different domain and different exchange
server)

2. Unchecked cached exchange and checked back.
3. Re-added one of the computers to the domain
4. Checked all the network settingsDNS suffixes..etc

Any help is hugely appreciated.

Regards
sam




[ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Hello,
 
I have a question concerning getting my existing AD into a test lab.  I saw 
some help in the archives but I'd like a fresh look on the topic.  I am 
considering 2 options, that I know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into the 
test lab.  I built a box with W2003 Standard and DCPROMO'd it up with different 
machine name but same Domain name.  This avenue sounded pretty good but I keep 
getting failure errors when I try to import the ldf files saying that "An 
attempt was made to add an object to the directory with a name that is already 
in use" or "Directory Object not found".
 
my other choice was
 
2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But since 
this is a test lab, my library is not available and neither is my backup 
server.  Plus, it's a DC and I don't want to introduce it to my existing 
domain.  I guess I could DCPROMO it back out and then bring it into the 
existing domain as a standalone and then do a directed recover to it, but this 
seems like a huge amount of time and effort for something that should be pretty 
easy.  Especially for DR purposes.  How many of us will recover AD to a system 
that has identical hardware?  but I digress ;-)
 
Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil. 





 


Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 



Re: RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread samarthgopalakrishna
Hello,

There are no issues with performance since I can access the same mailboxes from 
my site here.

One more strange thing is one person in the same exchange server and site can 
access the mailbox

Regards
samarth

- Original Message -
From: Al Mulnick [EMAIL PROTECTED]
Date: Wednesday, April 27, 2005 7:58 pm
Subject: RE: [ActiveDir] Requesting data from the exchange server

 Did you check the server itself to see about performance issues?  What
 about the network path? 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [EMAIL PROTECTED] On Behalf Of
 [EMAIL PROTECTED]
 Sent: Wednesday, April 27, 2005 10:07 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Requesting data from the exchange server
 
 Hello every one,
 
 Always get Requesting data from the exchange server message.
 
 We have a Problem for about 20 users, only users of one particular
 exchange server are affected. Only one person on the same server 
 has no
 problems to access his mailbox.
 
 Also not possible to access outlook web access. Get timeout error from
 Internet Explorer, except the one person who has no problems.
 
 Steps tried:
 
 1. Took control of one of the faulty mailboxes using ADUC. Could access
 without any issues.(I am in a different domain and different exchange
 server)
 
 2. Unchecked cached exchange and checked back.
 3. Re-added one of the computers to the domain
 4. Checked all the network settingsDNS suffixes..etc
 
 Any help is hugely appreciated.
 
 Regards
 sam
 
 


Re: RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Jacqui Hurst
After checking the client settings have you checked name resolution working OK, WINS and DNS? Are there any errors in the event logs on the client?

Are there any networking issues for these clients?

Have they tried from a different workstation that does not usually experience these problems?

Are these users in a different site to all other users?

[EMAIL PROTECTED] wrote:

 Hello,

 There are no issues with performance since I can access the same
 mailboxes from my site here.

 One more strange thing is one person in the same exchange server and
 site can access the mailbox

 Regards
 samarth

 - Original Message -
 From: Al Mulnick <[EMAIL PROTECTED]>
 Date: Wednesday, April 27, 2005 7:58 pm
 Subject: RE: [ActiveDir] Requesting data from the exchange server

  Did you check the server itself to see about performance issues? What
  about the network path?

  -Original Message-
  From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Wednesday, April 27, 2005 10:07 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Requesting data from the exchange server

  Hello every one,

  Always get "Requesting data from the exchange server" message.

  We have a Problem for about 20 users, only users of one particular
  exchange server are affected. Only one person on the same server has no
  problems to access his mailbox.

  Also not possible to access outlook web access. Get timeout error from
  Internet Explorer, except the one person who has no problems.

  Steps tried:

  1. Took control of one of the faulty mailboxes using ADUC. Could access
  without any issues.(I am in a different domain and different exchange
  server)

  2. Unchecked cached exchange and checked back.
  3. Re-added one of the computers to the domain
  4. Checked all the network settingsDNS suffixes..etc

  Any help is hugely appreciated.

  Regards
  sam

RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Al Mulnick
Should it be easy?  

Option 3: Create a Virtual environment (Vmware or VirtualServer would
work) and introduce a DC into your environment that's only a VM and not
used by clients (sites?)

What you can do then is shutdown the VM in the prod environment, copy
the file to the lab virtual server (could be same server with a separate
segment into lab environment depending on how you decide to do this and
what you have to work with).  Restart the original on the production and
restart the lab on the isolated lab segment. 

Variation: You could just restore the production to a Virtual machine
and copy it into the lab (don't restart after restoration).  

Using LDIFDE has not been my favorite method in the past.
Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McDougal,
Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab.  I
saw some help in the archives but I'd like a fresh look on the topic.  I
am considering 2 options, that I know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into
the test lab.  I built a box with W2003 Standard and DCPROMO'd it up
with different machine name but same Domain name.  This avenue sounded
pretty good but I keep getting failure errors when I try to import the
ldf files saying that "An attempt was made to add an object to the
directory with a name that is already in use" or "Directory Object not
found".
 
my other choice was
 
2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But
since this is a test lab, my library is not available and neither is my
backup server.  Plus, it's a DC and I don't want to introduce it to my
existing domain.  I guess I could DCPROMO it back out and then bring it
into the existing domain as a standalone and then do a directed recover
to it, but this seems like a huge amount of time and effort for
something that should be pretty easy.  Especially for DR purposes.  How
many of us will recover AD to a system that has identical hardware?  but
I digress ;-)
 
Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil. 





 


Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 



RE: RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Al Mulnick
Can he?  Is he configured the same way? Same hardware etc?  Sounds like
you should check the network health between those clients and your
server. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 10:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: RE: [ActiveDir] Requesting data from the exchange server

Hello,

There are no issues with performance since I can access the same
mailboxes from my site here.

One more strange thing is one person in the same exchange server and
site can access the mailbox

Regards
samarth

- Original Message -
From: Al Mulnick [EMAIL PROTECTED]
Date: Wednesday, April 27, 2005 7:58 pm
Subject: RE: [ActiveDir] Requesting data from the exchange server

 Did you check the server itself to see about performance issues?  What

 about the network path?
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [EMAIL PROTECTED] On Behalf Of 
 [EMAIL PROTECTED]
 Sent: Wednesday, April 27, 2005 10:07 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Requesting data from the exchange server
 
 Hello every one,
 
 Always get Requesting data from the exchange server message.
 
 We have a Problem for about 20 users, only users of one particular 
 exchange server are affected. Only one person on the same server has 
 no problems to access his mailbox.
 
 Also not possible to access outlook web access. Get timeout error from

 Internet Explorer, except the one person who has no problems.
 
 Steps tried:
 
 1. Took control of one of the faulty mailboxes using ADUC. Could access
 without any issues.(I am in a different domain and different exchange
 server)
 
 2. Unchecked cached exchange and checked back.
 3. Re-added one of the computers to the domain
 4. Checked all the network settingsDNS suffixes..etc
 
 Any help is hugely appreciated.
 
 Regards
 sam
 
 


RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Peck, John C SITI-ITIPAD
Sam,

I ran across a similar instance yesterday and the problem turned out to be an 
issue with the Trend Micro Anti-Virus application.

http://www.trendmicro.com/en/support/pattern594/overview.htm


 -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 9:07 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Requesting data from the exchange server

Hello every one,

Always get Requesting data from the exchange server message.

We have a Problem for about 20 users, only users of one particular exchange 
server are affected. Only one person on the same server has no problems to 
access his mailbox.

Also not possible to access outlook web access. Get timeout error from Internet 
Explorer, except the one person who has no problems.

Steps tried:

1. Took control of one of the faulty mailboxes using ADUC. Could access without 
any issues.(I am in a different domain and different exchange server)

2. Unchecked cached exchange and checked back.
3. Re-added one of the computers to the domain
4. Checked all the network settingsDNS suffixes..etc

Any help is hugely appreciated.

Regards
sam




RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Creamer, Mark
Philip, below is a doc I wrote to set up or refresh our lab (using the
LDIFDE method), with the names changed to protect the guilty. A couple of
batch scripts are included that you can modify. Hope it helps.

***

1. Ldifde is loaded by default on servers but not workstations. If running
this command on a workstation, you must first copy the ldifde.exe file from
the WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long,
batch files have been created. The contents of these files are listed in
the appendix.
3. The batch files reference specifically the my.domain.com domain, export
server SERVER1 (production) and import server SERVER99 (lab). If any of
these components change or if the goal is to export/import a different
domain, the appropriate changes will have to be made to the batch files
4. Including many attributes creates a very large export file. Verify that
enough disk space is available before beginning (about 70 MB currently)
5. Other command options are available, see KB237677 at this link:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASP&NoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is
performed, passwords for each user are blank
7. Administrator is not included in the export, to avoid overwriting the
existing Administrator


Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator
2. Batch files are located on \\SERVER1\C$\SCRIPTS
3. Run the batch file export_OUs.bat (see appendix for command) Note:
folder c:\temp must already exist. File created will be exportOU.ldf
4. Run the batch file export_users.bat (see appendix for command) Note:
File created will be exportUser.ldf
5. Save the two ldf files to a CD since the production and test
environments are not networked together
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the
same CD:
a. Import_ous.bat
b. Import_users.bat

Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller
SERVER99
2. Remove the read-only attribute from the files
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are
missing in the test lab that are present in the production environment,
they will be created. Others are ignored
4. From the command prompt, launch c:\temp\import_users.bat. If any users
are missing in the test lab that are present in the production
environment, they will be created with their associated attributes.
Accounts are created disabled, and the password set to null. This is
because LDIFDE does not support exporting/importing passwords
5. When the batch files have completed, verify that no errors were
reported, and check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp


Appendix

Script Contents

Export_OUs.bat
REM Export every organizationalUnit under the domain root from SERVER1.
ldifde -f c:\temp\exportOu.ldf -s server1 -d "dc=my,dc=domain,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l cn,objectclass,ou

Export_Users.bat
REM Export user objects that have a givenName, limited to the listed attributes.
ldifde -f c:\temp\exportusers.ldf -s server1 -d "dc=my,dc=domain,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePWD,pwdLastSet,displayName,distinguishedName

Import_OUs.bat
REM Import (-i) the OU file on SERVER99; -k continues past "already exists" errors.
ldifde -i -k -f c:\temp\exportou.ldf -s server99

Import_Users.bat
REM Import (-i) the user file on SERVER99; -k continues past "already exists" errors.
ldifde -i -k -f c:\temp\exportusers.ldf -s server99


*

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab.  I saw 
some help in the archives
but I'd like a fresh look on the topic.  I am considering 2 options, that I 
know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into the 
test lab.  I built a box
with W2003 Standard and DCPROMO'd it up with different machine name but same 
Domain name.  This avenue
sounded pretty good but I keep getting failure errors when I try to import the 
ldf files saying that
An attempt was made to add an object to the directory with a name that is 
already in use or
Directory Object not found.
 
my other choice was
 
2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But since 
this is a test lab, my
library is not available and neither is my backup server.  Plus, it's a DC and 
I don't want to
introduce it to my existing domain.  I guess I could DCPROMO it back out and 
then bring it into the
existing domain as a standalone and then do a 

RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thanks for the reply Al.
 
I was also thinking of checking VMware to do this but, of course, my resources 
are very limited at the moment.
 
I know what you mean about the LDIFDE option.  But of course, right after I 
sent out my email, I had an epiphany to those errors I was getting.  I had 
noticed that when it exported the AD data, it didn't export it logically, so the 
problem I was having was trying to import a child OU to an OU that doesn't 
exist yet.  So I got my OUs and then Users back, but I'm still having Schema 
issues.  
 
Doing the restore to another system can be done as I've done it a long time 
ago.  It just takes too much time if you're under the gun.  A simple 
Export/Import of your AD or certain aspects of your AD would be a nice option 
to get running smoothly.  Hopefully, I can get my schema back and running 
before the developers get too worked up ;-)
 
Thanks for the insight, I appreciate it.
 
Phil.
 



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Wed 4/27/2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing AD into a test lab ... 



Should it be easy? 

Option 3: Create a Virtual environment (Vmware or VirtualServer would
work) and introduce a DC into your environment that's only a VM and not
used by clients (sites?)

What you can do then is shutdown the VM in the prod environment, copy
the file to the lab virtual server (could be same server with a separate
segment into lab environment depending on how you decide to do this and
what you have to work with).  Restart the original on the production and
restart the lab on the isolated lab segment.

Variation: You could just restore the production to a Virtual machine
and copy it into the lab (don't restart after restoration). 

Using LDIFDE has not been my favorite method in the past.
Al


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McDougal,
Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ...

Hello,

I have a question concerning getting my existing AD into a test lab.  I
saw some help in the archives but I'd like a fresh look on the topic.  I
am considering 2 options, that I know of:

1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into
the test lab.  I built a box with W2003 Standard and DCPROMO'd it up
with different machine name but same Domain name.  This avenue sounded
pretty good but I keep getting failure errors when I try to import the
ldf files saying that An attempt was made to add an object to the
directory with a name that is already in use or Directory Object not
found.

my other choice was

2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But
since this is a test lab, my library is not available and neither is my
backup server.  Plus, it's a DC and I don't want to introduce it to my
existing domain.  I guess I could DCPROMO it back out and then bring it
into the existing domain as a standalone and then do a directed recover
to it, but this seems like a huge amount of time and effort for
something that should be pretty easy.  Especially for DR purposes.  How
many of us will recover AD to a system that has identical hardware?  but
I digress ;-)

Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil.








Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com



CONFIDENTIALITY WARNING: This email may contain privileged or
confidential information and is for the sole use of the intended
recipient(s). Any unauthorized use or disclosure of this communication
is prohibited. If you believe that you have received this email in
error, please notify the sender immediately and delete it from your
system.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
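
The import failure described in the message above (a child OU or user listed before the OU that contains it) can be avoided by reordering the export before running ldifde -i. The following is an added example, not a script from the thread: it parses an LDIF export, sorts records parent-first, and sets aside records whose parent is in neither the file nor the target. The sample data and all function names are constructed for illustration.

```python
import base64
import re

# Constructed sample (not from the thread): an LDIFDE-style export in which a
# user and a child OU are listed before the OUs that contain them. The second
# record's DN is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Chicago,OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: jdoe

dn: OU=Chicago,OU=Staff,DC=my,
 DC=domain,DC=com
changetype: add
objectClass: organizationalUnit
ou: Chicago

dn: OU=Staff,DC=my,DC=domain,DC=com
changetype: add
objectClass: organizationalUnit
ou: Staff

dn: CN=Lab Contact,OU=Missing,DC=my,DC=domain,DC=com
changetype: add
objectClass: contact
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def entry_dn(record):
    """Read the DN from a record's first line; 'dn::' means base64."""
    m = re.match(r"dn(::?)\s*(.*)$", record[0], re.IGNORECASE)
    if not m:
        raise ValueError("record does not start with a dn line: %r" % record[0])
    if m.group(1) == "::":
        return base64.b64decode(m.group(2)).decode("utf-8")
    return m.group(2)


def parse_entries(text):
    """Return [(dn, record_lines)] in file order, skipping comments/version."""
    entries, current = [], []
    for line in unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append((entry_dn(current), current))
                current = []
        elif line.startswith("#") or (not current and line.lower().startswith("version:")):
            continue
        else:
            current.append(line)
    return entries


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [part.strip() for part in re.split(r"(?<!\\),", dn)]


def norm(dn):
    """Case-insensitive, whitespace-normalised form used for comparisons."""
    return ",".join(split_dn(dn)).lower()


def order_for_import(text, existing):
    """Sort records parent-first.

    existing: DNs already present in the target directory (at least the
    domain root). Returns (ordered, orphans); an orphan's parent is neither
    in the file nor in `existing`, so importing it would fail.
    """
    reachable = {norm(dn) for dn in existing}
    ordered, orphans = [], []
    # sorted() is stable: shallower DNs first, ties keep their file order.
    for dn, record in sorted(parse_entries(text), key=lambda e: len(split_dn(e[0]))):
        parent = ",".join(split_dn(dn)[1:]).lower()
        if parent in reachable:
            ordered.append((dn, record))
            reachable.add(norm(dn))
        else:
            orphans.append((dn, record))
    return ordered, orphans


def to_ldif(entries):
    """Serialise records (unfolded) with a blank line between them."""
    return "\n\n".join("\n".join(record) for _, record in entries) + "\n"


if __name__ == "__main__":
    ordered, orphans = order_for_import(SAMPLE_LDIF, ["DC=my,DC=domain,DC=com"])
    print(to_ldif(ordered))
    for dn, _ in orphans:
        print("# parent missing, not written:", dn)
```

Pass any containers that already exist in the lab (for example the default Users container) in `existing` so their children are not reported as orphans.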


RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread Lou Vega
One way I had done it in the past was using the LDIFDE to export users,
ou's, etc. and then editing the output files to work with the new domain,
(i.e., replace domain1 with domain2) and also manually removing default
entries (such as Administrator accounts, etc.)

Also - take care when exporting in the first place...not all fields are
going to import nicely. For my purposes I just needed essentially a
boatload of users migrated to the test domain and all groups, and OU's. So
I only exported the following attributes on users:
(Command used = 
ldifde -f exportUsers.ldf -d dc=MyDomain,dc=COM  -r (objectClass=user)
-l cn,objectclass,ou,samAccountName )


Groups and OU's had similar limitations. If I can dig up the original BAT
files I used to create those LDIFDE dumps, I'll send them to you if you're
interested.

Hope that helps!

Lou

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab.  I saw
some help in the archives but I'd like a fresh look on the topic.  I am
considering 2 options, that I know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into the
test lab.  I built a box with W2003 Standard and DCPROMO'd it up with
different machine name but same Domain name.  This avenue sounded pretty
good but I keep getting failure errors when I try to import the ldf files
saying that An attempt was made to add an object to the directory with a
name that is already in use or Directory Object not found.
 
my other choice was
 
2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But
since this is a test lab, my library is not available and neither is my
backup server.  Plus, it's a DC and I don't want to introduce it to my
existing domain.  I guess I could DCPROMO it back out and then bring it into
the existing domain as a standalone and then do a directed recover to it,
but this seems like a huge amount of time and effort for something that
should be pretty easy.  Especially for DR purposes.  How many of us will
recover AD to a system that has identical hardware?  but I digress ;-)
 
Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil. 





 


Philip H. McDougal
Application Support Engineer
Jenner & Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 



[ActiveDir] Exporting Local Group Policies

2005-04-27 Thread Devan Pala
Hi all,
Does anyone know how to export local GPO's (in a Non-Domain environment) to 
multiple computers?

Thanks,


RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thanks Mark! 
 
This looks great.  I will start playing with this immediately.
 
Thank you for the script and doc, very much appreciated.!!!  
 
Phil.
 



From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Wed 4/27/2005 9:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing AD into a test lab ... 



Philip, below is a doc I wrote to set up or refresh our lab (using the LDIFDE 
method), with the names
changed to protect the guilty. A couple of batch scripts are included that you 
can modify. Hope it
helps.

***

1. Ldifde is loaded by default on servers but not workstations. If running this
command on a workstation, you must first copy the ldifde.exe file from the
WINNT\System32 folder on a server to a location on your system.
2. Since the command with all of the required attributes is quite long, batch 
files
have been created. The contents of these files are listed in the appendix.
3. The batch files reference specifically the my.domain.com domain, export 
server
SERVER1 (production) and import server SERVER99 (lab). If any of these
components change or if the goal is to export/import a different domain, the
appropriate changes will have to be made to the batch files
4. Including many attributes creates a very large export file. Verify that 
enough disk
space is available before beginning (about 70 MB currently)
5. Other command options are available, see KB237677 at this link:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q237/6/77.ASPNoWebContent=1
6. Passwords are not included in the export. Therefore, when the import is
performed, passwords for each user are blank
7. Administrator is not included in the export, to avoid overwriting the 
existing Administrator


Section 1: Export OUs and Users from the Production Directory
1. Log on to the exporting domain as an administrator
2. Batch files are located on \\SERVER1\C$\SCRIPTS
3. Run the batch file export_OUs.bat (see appendix for command) Note: folder
c:\temp must already exist. File created will be exportOU.ldf
4. Run the batch file export_users.bat (see appendix for command) Note: File
created will be exportUser.ldf
5. Save the two ldf files to a CD since the production and test environments 
are not
networked together
6. Also copy the following scripts from server \\SERVER1\C$\SCRIPTS to the
same CD:
a. Import_ous.bat
b. Import_users.bat

Section 2: Import OUs and Users into the Test Lab Active Directory
1. Copy the files from the CD to C:\Temp on the import domain controller
SERVER99
2. Remove the read-only attribute from the files
3. Open a command prompt and launch c:\temp\import_ous.bat. If any OUs are
missing in the test lab that are present in the production environment, they 
will be
created. Others are ignored
4. From the command prompt, launch c:\temp\import_users.bat. If any users are
missing in the test lab that are present in the production environment, they 
will be
created with their associated attributes. Accounts are created disabled, and the
password set to null. This is because LDIFDE does not support
exporting/importing passwords
5. When the batch files have completed, verify that no errors were reported, and
check for the existence of the new users in ADUC.
6. Close the command prompt window and delete the contents of c:\temp


Appendix

Script Contents

Export_OUs.bat
rem Export every organizationalUnit under the domain root
ldifde -f c:\temp\exportOu.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(objectClass=organizationalUnit)" -l cn,objectclass,ou

Export_Users.bat
rem The filter is quoted so cmd.exe does not treat the & as a command separator
ldifde -f c:\temp\exportusers.ldf -s server1 -d dc=my,dc=domain,dc=com -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l cn,givenName,objectClass,sAMAccountName,sn,employeeType,title,employeeID,middleName,company,physicalDeliveryOfficeName,scriptPath,userAccountControl,unicodePWD,pwdLastSet,displayName,distinguishedName

Import_OUs.bat
rem -i imports; -k continues past "object already exists" errors
ldifde -i -k -f c:\temp\exportou.ldf -s server99

Import_Users.bat
ldifde -i -k -f c:\temp\exportusers.ldf -s server99


*

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
McDougal, Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ...

Hello,

I have a question concerning getting my existing AD into a test lab.  I saw 
some help in the archives
but I'd like a fresh look on the topic.  I am considering 2 options, that I 
know of:

1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into the 
test lab.  I built a box
with W2003 Standard and DCPROMO'd it up with different machine name but same 
Domain name.  This avenue
sounded pretty good but I keep getting failure errors when I try to import the 
ldf files saying that
An attempt was made to add an object to the directory with a name that is 
already in use or
Directory Object not found.

my other choice 

RE: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Dawn E Salvan

Return Receipt

Your document: RE: [ActiveDir] Requesting data from the exchange server
was received by: Dawn E Salvan/IT/TWP
at: 04/27/2005 11:02:03 AM






RE: [ActiveDir] Importing AD into a test lab ...

2005-04-27 Thread McDougal, Philip H
Thank you Lou!

Sounds like I'm on the right track as I've tried to do what you're
explaining here.  The only part I didn't realize was the chaotic order
in which the fields gets exported. And I'd love to see those BAT files
if you still have them.  Any and all help is appreciated!

Thank you!!
Phil.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lou Vega
Sent: Wednesday, April 27, 2005 9:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Importing AD into a test lab ... 

One way I had done it in the past was using the LDIFDE to export users,
ou's, etc. and then editing the output files to work with the new
domain, (i.e., replace domain1 with domain2) and also manually
removing default entries (such as Administrator accounts, etc.)

Also - take care when exporting in the first place...not all fields are
going to import nicely. For my purposes I just needed essentially a
boatload of users migrated to the test domain and all groups, and
OU's. So I only exported the following attributes on users:
(Command used =
ldifde -f exportUsers.ldf -d dc=MyDomain,dc=COM  -r
(objectClass=user)
-l cn,objectclass,ou,samAccountName )


Groups and OU's had similar limitations. If I can dig up the original
BAT
files I used to create those LDIFDE dumps, I'll send them to you if
you're
interested.

Hope that helps!

Lou

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of McDougal,
Philip H
Sent: Wednesday, April 27, 2005 10:24 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Importing AD into a test lab ... 

Hello,
 
I have a question concerning getting my existing AD into a test lab.  I
saw
some help in the archives but I'd like a fresh look on the topic.  I am
considering 2 options, that I know of:
 
1.  Use LDIFDE to export and import the Schema, OUs, Users and GPs into
the
test lab.  I built a box with W2003 Standard and DCPROMO'd it up with
different machine name but same Domain name.  This avenue sounded pretty
good but I keep getting failure errors when I try to import the ldf
files
saying that An attempt was made to add an object to the directory with a
name that is already in use or Directory Object not found.
 
my other choice was
 
2.  http://support.microsoft.com/default.aspx?scid=kb;en-us;263532  But
since this is a test lab, my library is not available and neither is my
backup server.  Plus, it's a DC and I don't want to introduce it to my
existing domain.  I guess I could DCPROMO it back out and then bring it
into
the existing domain as a standalone and then do a directed recover to
it,
but this seems like a huge amount of time and effort for something that
should be pretty easy.  Especially for DR purposes.  How many of us will
recover AD to a system that has identical hardware?  but I digress ;-)
 
Any advice or ideas would be greatly appreciated.

Thanks in advance.
Phil. 





 


Philip H. McDougal
Application Support Engineer
Jenner  Block LLP
One IBM Plaza
Chicago, IL 60611-7603
Tel (312) 222-9350
Fax (312) 840-8879
[EMAIL PROTECTED]
www.jenner.com

 



[ActiveDir] Using the Old profile in new domain ?

2005-04-27 Thread Manjeet Singh
Hi,

I am running 250 users on a Windows 2000 enterprise environment. I have
purchased new hardware and a license for Windows 2003 Server.

Now I need to create a Windows 2003 environment on the new hardware with a
new forest and domain name.

I have successfully created the new forest.

Please suggest the best way of doing the below:

 I want to move all the users from the Windows 2000 domain to the Windows
 2003 domain.

 The users are using local profiles, and I want to preserve the same profile
 settings in the new 2003 domain. As my users are running Java and Outlook
 Express, when I join the user's desktop to the new domain and the user logs
 in, it will create a new profile. So please tell me how I can use the same
 old profile.

Thanks,

Manjeet


Re: [ActiveDir] Requesting data from the exchange server

2005-04-27 Thread Santhosh Sivarajan
What is your AD site configuration?  Do you have enough GC servers?  I
think you have a GC issue.  Go to the properties of the Exchange server
and select the DSAccess tab and make sure all listed GCs are
accessible from exchange and client machines.

HTH
Santhosh


Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX
 


On 4/27/05, Dawn E Salvan [EMAIL PROTECTED] wrote:
 
 Return Receipt

 Your document: RE: [ActiveDir] Requesting data from the exchange server
 was received by: Dawn E Salvan/IT/TWP
 at: 04/27/2005 11:02:03 AM
 
 


[ActiveDir] Clock not syncing. Odd Error Logs

2005-04-27 Thread Jared Taylor






I think I'm having a GP problem but I'm not sure, although I'm experiencing some odd symptoms.

The network layout is as follows:

2 Win2003 DCs  Name=NJDC1, GC server, gateway, backup WINS. The other is NJMAIL1, Exchange 2003, DNS, WINS.

Bunch of XPw/SP2 clients

Monday I noticed 1 pc clock off by an hour and over the past few days my desktop has drifted to almost 1.5mins from the server.

I have a program called Chronograph running on NJDC1 which is set to act as an NTP server and things have been fine until last Friday which is when they probably broke. GP is supposed to tell the clients to sync with NJDC1 but it is not happening and now clients are getting W32Time errors with Event ID 14 and 29.

Event Type: Warning
Event Source: W32Time
Event Category: None
Event ID: 14
Date:  4/27/2005
Time:  9:52:48 AM
User:  N/A
Computer: NJMISJM
Description:
The time provider NtpClient was unable to find a domain controller to use as a time source. NtpClient will try again in 120 minutes.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 29
Date:  4/27/2005
Time:  9:52:48 AM
User:  N/A
Computer: NJMISJM
Description:
The time provider NtpClient is configured to acquire time from one or more time sources, however none of the sources are currently accessible. No attempt to contact a source will be made for 119 minutes. NtpClient has no source of accurate time. 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So now I'm guessing my GP settings are not being processed. Just to make sure that it's not the program Chronograph I enable the Windows Time NTP settings on NJDC1 using gpedit.msc and I still have no luck. Oddly enough there are no FRS and Directory Service errors on either DC.



Thanks for any help,

Jared






Re: [ActiveDir] Exporting Local Group Policies

2005-04-27 Thread mike kline
Devan,

One way I know of is to use full armor's gp anywhere product

http://www.fullarmor.com/product/gpany.htm

We are currently evaluating it and it seems to do the trick.

Thanks
Mike

On 4/27/05, Devan Pala [EMAIL PROTECTED] wrote:
 Hi all,
 
 Does anyone know how to export local GPO's (in a Non-Domain environment) to
 multiple computers?
 
 Thanks,
 


RE: [ActiveDir] Exporting Local Group Policies

2005-04-27 Thread Darren Mar-Elia
There is no out of the box way to do this but depending upon which
policy areas you wish to copy it can be relatively easy or relatively
difficult to automate. For example, if you just need Administrative
Templates policy, then you can create a reference machine that has
those policies set as you want them. Then, you can copy the registry.pol
file found within c:\windows\system32\grouppolicy\machine and
c:\windows\system32\grouppolicy\user to the same location on your target
machines. If you need other policies then it will depend upon which ones
you need as to how easy or hard it is to automate copying. For example,
local security policy is not stored on the file system like Admin.
Template policy is--it is made directly against the local SAM. So, the
best bet for copying local security policy is to use the Security
Templates MMC snap-in to create a template of your desired security
configuration and then use secedit to automate importing it onto your
target machines.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, April 27, 2005 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exporting Local Group Policies

Hi all,

Does anyone know how to export local GPO's (in a Non-Domain environment)
to multiple computers?

Thanks,




Re: [ActiveDir] Using the Old profile in new domain ?

2005-04-27 Thread Santhosh Sivarajan
Move all the users to new Windows 2003 Domain
Answer: Use ADMT to migrate all the users

Migrate computer accounts and keep old Profiles
Answer: Use ADMT to migrate computer accounts and Re-ACL their profiles.

Done!

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX



On 4/27/05, Ben D. Kusa [EMAIL PROTECTED] wrote:
 
 
 http://www.forensit.com/Profwiz/
 
  
 
 
 is a tool I have used to keep local profiles
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of
 Manjeet Singh
 Sent: Wednesday, April 27, 2005 11:19 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Using the Old profile in new domain ?
 
 
  
 
 Hi,
 
  
 
 I am running 250 users on windows 2000 enterprise Environment. I have
 purchased new hardware and license for windows 2003 server.
 
  
 
 Now I need to created windows 2003 environment on the new hardware with new
 forest and domain name.
 
  
 
 I have successfully created the new forest.
 
  
 
 Please suggest the best way of doing below-
 
  
 Want to move all the users from windows 2000 domain to the windows 2003
 domain. 
 The users are using local profile, and want to preserve the same profile
 settings in the new 2003 domain. As my users are running Java and outlook
 express so the when I join the user's desktop to the new domain; when the
 user will log in it will create the new profile. So please tell me how I can
 use the same old profile. 
 
  
 
  
 
 Thanks,
 
 Manjeet
 



RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-27 Thread Brett Shirley
No, the pages will not get loaded into consecutive pages in memory, nor do
we use a linked list scheme* for the index entries ...

* at least we're not using a linked list, like I think you mean it below.

Our indexes are B+ trees ... which is a very standard data structure for
databases (and many file systems as well).  A B+tree is not related to a
binary tree.  Often we drop the +, and just say b-tree, though technically
a B-tree is a very similar precursor to the B+ tree.  A real B-tree is not
a binary tree either.

Hiding a significant amount of details, the data on a page is arranged in
a way that allows us to see a sorted array of node keys (node is kind of
like a record ...).  This way a simple bsearch (in this case the b does
stand for binary) within a page finds the next hop down the b-tree, or if
on a leaf page, the row/index entry we want.

Please read up on B/B+ Trees and re-ask your question ...

Cheers,
-BrettSh [msft]




On Wed, 27 Apr 2005, joe wrote:

 Excellent post Brett. This is good info that generally doesn't seem to make
 it out of the corridors of msft. I appreciate you taking the time to write
 this up.
 
 Initially your explanation bothered me about loading DIT pages as it seems
 it would be more efficient to load the tables and indexes up versus chasing
 from page to page for the info... However, thinking more about it, the
 mechanism I am visualizing wouldn't scale with any memory pressure, you
 could and probably would get into a situation where you couldn't load an
 entire table or index and where would you be then? 
 
 I am probably going to show even more ignorance on how the backend works,
 but say you have an index that is spread across several pages. Let's say
 those pages aren't in consecutive pages on disk, will they get loaded into
 consecutive pages in memory so you can tear through it sort of like a single
 structure or will it rely on some sort of a linked list type of scheme where
 you jump around memory chasing the index rows. I expect the latter and I
 also would expect this issue would be minimized with the successful online
 defrags as you mentioned since the indexes/tables will be collected
 together.
 
 
joe
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, April 26, 2005 7:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
 Joe,
 
 When you say
the actual DIT isn't cached in RAM, the tables, indexes, and such
are cached.
 I'd take issue with that ... that isn't a good way to explain what is really
 happening.
 
 The DIT is most definitely cached in RAM, it is cached directly 1 or more
 pages at a time.  Where a page is an 8k chunk for Active Directory.  We do
 not extrude the tables and indexes from those pages, they stay in the pages,
 and we take a latch on that page's memory when we want to update the page
 ... then later we write that 8k chunk directly from that memory to the
 offset (based on its pgno) of the DIT file it belongs at.
 
 Now, it is true, not all of the DIT may be cached, we'll only cache what we
 need, and it will not pull in free space pages into memory (at least in most
 circumstances ...? I'm thinking of prefetching might ... but let's ignore).
 
 I _think_ _online_ defrag (I know we're talking offline defrag below, but
 mentioning online defrag is important, it is what makes offline defrag
 unnecessary ... online defrag is frequently abbreviated OLD ... which of
 course would be the acronym of offline defrag if it had one, trust me OLD is
 online defrag (at least as far as the ESE devs are concerned) ... poor taste
 for a TLA in my opinion ... that was a long aside), actually logs an event
 on how much free space there is in the database ... I'm 57% sure that the
 DIT size - that free size, is the approximate size of the non-empty data
 pages (i.e. pages with data) in the DIT ... due to underflow of a record
 size on a page, the actual data size is almost assuredly even less than that
 ...  I just made that up w/o looking at the code, so I may take that back
 later ...
 
 You can see exactly how many bytes of the DIT file + Temp DB* are in RAM
 with perfmon, counters, by using perfmon ... first set the Squeaky Lobster
 registry key to get the advanced ESE performance counter, then use the
 Database performance object the Database Cache Size counter.  
 Also look at the Database Cache % Clean, b/c you should multiply those by
 each other to get real data pages currently in memory.
 
 * Temp DB ... so the database cache is global, so any temporary sorts we
 needed to do, during LDAP queries may be taking up some of the database
 cache ... I think it's like tmp.edb next to the ntds.dit file.  There'd be
 no technical way to subtract one from the other, but maybe just subtract the
 whole tmp database size, because that gives you a lower bound on what is
 definitely ntds.dit.
 
  ( watch for 

RE: RE : [ActiveDir] GPO errors on logon

2005-04-27 Thread Bruyere, Michel
Hi, 
Sorry for the time it took to get back, the user was out of the office. 
I have just been able to run it. Here is the result 



Computer Name: Computer
DNS Host Name: Computer.domain
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 6 Model 13 Stepping 8, GenuineIntel
List of installed hotfixes : 
KB834707
KB884018
KB885855
KB889673
Q147222


Netcard queries test . . . . . . . : Passed
GetStats failed for 'Infrared Port'. [ERROR_NOT_SUPPORTED]
[WARNING] The net card 'SMSC IrCC - Fast Infrared Port' may not be working 
because it has not received any packets.



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : Computer
IP Address . . . . . . . . : 192.168.0.211
Subnet Mask. . . . . . . . : 255.255.248.0
Default Gateway. . . . . . : 192.168.0.19
Dns Servers. . . . . . . . : 192.168.0.17
 192.168.0.10


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{4F3C9BDE-FC0A-4FFA-B4E3-B0F4C0864A50}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'DOMAIN' is to '\\DC.Domain'.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
Service status  is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run ipseccmd /? for more detailed information


The command completed successfully



I just recreated the profile and things seem to be a lot better now... I'll 
keep you posted if it really fixed it or if it's just luck. 


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of tvanden
 Sent: Tuesday, April 26, 2005 1:24 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE : [ActiveDir] GPO errors on logon
 
 Hi,
 Could you post an output of netdiag run on your XP ?
 
 Thanks
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
 Sent: Tuesday, April 26, 2005 16:45
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] GPO errors on logon
 
 Hi,
   Sorry for the delay, I've been quite busy lately. Checking the
 DNS was the first thing I did when I got the error. After checking a bit
 further I found 3 other machines that have this error (including my own
 laptop where the error started out of nowhere). I tried some things in
 the GPOs but nothing seemed to work.
 Any other ideas are welcomed! (I may try to call PSS to get that hot
 fix, but as I said, the article talks about XP SP1 only and we are under
 SP2)
 
 
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:ActiveDir-
  [EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
  Sent: Saturday, April 23, 2005 3:21 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] GPO errors on logon
 
  Verify your network settings.  Is the Primary DNS set to the correct DNS
  server?  I found this happening on a system and it was cause it couldn't
  find the Domain Controller properly.  Not sure if that is your problem
  per se but it's definitely worth a look.
 
 
  Jeff
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
  Sent: Friday, April 22, 2005 4:14 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] GPO errors on logon
 
  Hi,
  I have 2 laptops 

RE: [ActiveDir] Exporting Local Group Policies

2005-04-27 Thread Devan Pala
Thanks Darren,
I will try this out. But yeah, all I need is the administrative template 
portion  Windows Update. This way we can utilize our newly deployed WSUS 
servers to push updates out to these non-domain machines. In case you're 
wondering, this is only a handful of infrastructure related pc's.

Thanks,


Original Message Follows
From: Darren Mar-Elia [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Exporting Local Group Policies
Date: Wed, 27 Apr 2005 08:49:12 -0700
There is no out of the box way to do this but depending upon which
policy areas you wish to copy it can be relatively easy or relatively
difficult to automate. For example, if you just need Administrative
Templates policy, then you can create a reference machine that has
those policies set as you want them. Then, you can copy the registry.pol
file found within c:\windows\system32\grouppolicy\machine and
c:\windows\system32\grouppolicy\user to the same location on your target
machines. If you need other policies then it will depend upon which ones
you need as to how easy or hard it is to automate copying. For example,
local security policy is not stored on the file system like Admin.
Template policy is--it is made directly against the local SAM. So, the
best bet for copying local security policy is to use the Security
Templates MMC snap-in to create a template of your desired security
configuration and then use secedit to automate importing it onto your
target machines.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Wednesday, April 27, 2005 7:58 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Exporting Local Group Policies

Hi all,

Does anyone know how to export local GPO's (in a Non-Domain environment)
to multiple computers?

Thanks,
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] Clock not syncing. Odd Error Logs

2005-04-27 Thread Peter Jessop
I might be able to help you with this as I have recently been driven
mental by clock problems. Of course clock problems alone cannot cause a
psychosis but in certain circumstances they can push you over the edge.
I have administered an AD domain since I updated it from NT4 and until about a week ago I had never confronted the clock issue.
I started following the news group recently and it has provoked me to
reexamine certain issues that I had mentally shelved. Recently there
were two threads on this and Jorge provided a fine collection of URLs
dealing with this issue.
Of course many of you reading this are thinking 'what is this person
going on about?'. It's not only fairly simple it doesn't even matter.
Ask Einstein, if all the hosts share the same time, what the hell does
it matter if it's 30 seconds out. Of course you may have your own ideas
but I think the most important reason is that it looks bad when someone
points out that the clock on their computer does not show the right
time. That's right you have to maintain the illusion that you are in
control.
Well why was I driven mad by this seemingly trivial topic. I put a
query here the other day and Gil gave me some good advice. 'Just set
the time source for the PDC role owner DC to point to the member
server, and set the time source for the member server to the outside
time source.' 
Did he think I hadn't tried that. No I guess it was a way of saying,
this is a simple issue just do it. And that's what I did. I stopped
checking the effect on the registry of the net time command. I stopped
breaking my head reading KB articles. I just realised that I had been
trying to sync the server against a ntp server that was not returning
the time.
Jared I'm sorry if I've gone off the track here but I don't think you
need GPs for this and I don't think you need a client program. All you
have to do is follow freddy's advice 'Net time /setsntp:ntpserver', run
this command on the PDC emulator. This will sync the DC with the ntp
server. The other DCs will get the time from this server and the pcs
and member servers will sync with the DCs.
By the way can anyone tell me how you activate w32time logging? Well on second thoughts it's probably better if you don't.

Regards

Peter Jessop

RE: [ActiveDir] Clock not syncing. Odd Error Logs

2005-04-27 Thread Kuhn, Darrell



Here is how to enable W32Time Debugging..

http://support.microsoft.com/kb/816043



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 27, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clock not syncing. Odd Error Logs

I might be able to help you with this as I have recently been driven
mental by clock problems. Of course clock problems alone cannot cause a
psychosis but in certain circumstances they can push you over the edge.
I have administered an AD domain since I updated it from NT4 and until
about a week ago I had never confronted the clock issue.
I started following the news group recently and it has provoked me to
reexamine certain issues that I had mentally shelved. Recently there
were two threads on this and Jorge provided a fine collection of URLs
dealing with this issue.
Of course many of you reading this are thinking 'what is this person
going on about?'. It's not only fairly simple it doesn't even matter.
Ask Einstein, if all the hosts share the same time, what the hell does
it matter if it's 30 seconds out. Of course you may have your own ideas
but I think the most important reason is that it looks bad when someone
points out that the clock on their computer does not show the right
time. That's right you have to maintain the illusion that you are in
control.
Well why was I driven mad by this seemingly trivial topic. I put a
query here the other day and Gil gave me some good advice. 'Just set
the time source for the PDC role owner DC to point to the member
server, and set the time source for the member server to the outside
time source.'
Did he think I hadn't tried that. No I guess it was a way of saying,
this is a simple issue just do it. And that's what I did. I stopped
checking the effect on the registry of the net time command. I stopped
breaking my head reading KB articles. I just realised that I had been
trying to sync the server against a ntp server that was not returning
the time.
Jared I'm sorry if I've gone off the track here but I don't think you
need GPs for this and I don't think you need a client program. All you
have to do is follow freddy's advice 'Net time /setsntp:ntpserver', run
this command on the PDC emulator. This will sync the DC with the ntp
server. The other DCs will get the time from this server and the pcs
and member servers will sync with the DCs.
By the way can anyone tell me how you activate w32time logging? Well on
second thoughts it's probably better if you don't.

Regards

Peter Jessop


RE: [ActiveDir] Clock not syncing. Odd Error Logs

2005-04-27 Thread Jared Taylor








Maybe I missed something but that is what I
have now. The DC syncs with NIST time  My email server syncs with the DC
 my clients are told through Group Policy to sync with the DC via NTP. The
problem is that they're not in sync, which is why I thought GP might be broken.

j

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, April 27, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Clock not syncing. Odd Error Logs

I might be able to help you with this as I have recently been driven
mental by clock problems. Of course clock problems alone cannot cause a psychosis
but in certain circumstances they can push you over the edge.
I have administered an AD domain since I updated it from NT4 and until about a
week ago I had never confronted the clock issue.
I started following the news group recently and it has provoked me to reexamine
certain issues that I had mentally shelved. Recently there were two threads on
this and Jorge provided a fine collection of URLs dealing with this issue.
Of course many of you reading this are thinking 'what is this person going on
about?'. It's not only fairly simple it doesn't even matter. Ask Einstein, if
all the hosts share the same time, what the hell does it matter if it's 30
seconds out. Of course you may have your own ideas but I think the most
important reason is that it looks bad when someone points out that the clock on
their computer does not show the right time. That's right you have to maintain
the illusion that you are in control.
Well why was I driven mad by this seemingly trivial topic. I put a query here
the other day and Gil gave me some good advice. 'Just set the time source for
the PDC role owner DC to point to the member server, and set the time source
for the member server to the outside time source.' 
Did he think I hadn't tried that. No I guess it was a way of saying, this is a
simple issue just do it. And that's what I did. I stopped checking the effect
on the registry of the net time command. I stopped breaking my head reading KB
articles. I just realised that I had been trying to sync the server against a
ntp server that was not returning the time.
Jared I'm sorry if I've gone off the track here but I don't think you need GPs
for this and I don't think you need a client program. All you have to do is
follow freddy's advice 'Net time /setsntp:ntpserver', run this command on the
PDC emulator. This will sync the DC with the ntp server. The other DCs will get
the time from this server and the pcs and member servers will sync with the
DCs.
By the way can anyone tell me how you activate w32time logging? Well on second
thoughts it's probably better if you don't.

Regards

Peter Jessop








[ActiveDir] File Share Access

2005-04-27 Thread Dan DeStefano








I am having a problem with accessing a share on a server. The
problem is that when I am logged onto a PC with a local administrator account
and I connect to a share on a certain server, the contents of the share are
displayed without me being prompted for a username/password to make the
connection. The problem is that since permissions are set on these
files/folders, I cannot access any of them when logged on with the local admin
account. When connecting to other server shares, I am prompted for a
username/pass, which I enter and am subsequently able to access shares.



I have looked into various settings on the server, most
notably the anonymous enumeration of shares, but nothing helps. This share I am
speaking of is a share cluster resource, but I am not sure if this would have
anything to do with it. Also, the everyone group is not in the share or ntfs
permissions anywhere.



I would appreciate any help provided.



Thanks in advance,



_



Daniel DeStefano

PC Support Specialist



IAG Research

345 Park Avenue
  South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300



www.iagr.net

Measuring Ad Effectiveness on Television




Re: [ActiveDir] Clock not syncing. Odd Error Logs

2005-04-27 Thread Peter Jessop
Disconnect the GP. You don't need it as members will sync with the
domain controllers by default. Your GP may be interfering with this
process..

Regards
Peter Jessop

RE: [ActiveDir] Segregating and delegating _msdcs

2005-04-27 Thread Grillenmeier, Guido



technically, this approach is quite feasible - however, 
it's usually done the other way around. Many companies do this so that 
they can safely enable DDNS on the _MSDCS zones (as AD integrated zone) allowing 
automatic service record, DC  Domain GUID registration etc., while putting 
the host records on a (static) Bind DNS.

So it would be good to know your reason behind your 
request...?

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Wednesday, April 27, 2005 09:53
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Segregating and delegating _msdcs

For various reasons we would like to split out _msdcs 
and the other _* domains within one specific DNS zone, into separate zones. 
These new zones will then, eventually, be hosted on non-Windows DNS servers, 
whilst the 'parent' zone will remain hosted on w2k DCs.
Our current environment is w2k DCs [in a 4 
domain forest] so app partitions are not an option just yet. Root domain is 
named test.com and 3 children exist, a.test.com, b.test.com and c.test.com. We 
wish to delegate the _ domains within a.test.com only to non-Windows DNS 
servers, with a.test.com remaining hosted on w2k DCs..
I have found fairly useful technotes etc and have 
started to flesh out a plan but wondered if anyone would be prepared to share 
any real world experiences of such an operation. i.e. how was the change 
performed? Any pitfalls or gotchas? 
Thanks in advance, neil 


RE: [ActiveDir] Scripting DC cleanup?

2005-04-27 Thread Grillenmeier, Guido



yeah right ;-) however, I'm quite happy about 
the additions in SP1 - even though this should have been called R2 and the 
planned R2 would then be R3... ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, March 22, 2005 02:55
To: Send - AD mailing list
Subject: RE: [ActiveDir] Scripting DC cleanup?

... and yet no new (even very small) features will be added within a Service Pack :)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, March 21, 2005 7:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

If you're talking about W2K3 then 
after installing SP1 you don't need to select the site, domain, etc. Just select 
the server and kill it!
QUOTE
The Ntdsutil.exe command-line 
tool for managing the Active Directory database has new commands that make it 
easier to remove domain controller metadata. Preliminary steps, such as 
connecting to a server, domain, and site, are no longer required. You simply 
specify the server to remove. You can also specify the server on which to make 
the deletion.

Cheers
Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, March 18, 2005 18:00
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I would recommend watching your AD to see exactly what 
NTDSUTIL is doing, you can actually just get away from using it and deleting the 
appropriate objects directly (hint look at the objects under the server 
containers of sites...). In fact you can make a solution that is better 
than ntdsutil because last I looked, it didn't get rid of FRS references, etc. I 
recall a tool written by a friend of mine at the widgetfactory I used 
to work at that would do this quite well and quite fast and was called 
Whack-A-DC. It was used to clean up the test environment sucked off of the 
real environment after it was isolated from the "real" 
network.

I have been slow to duplicate anything like this as a 
joeware tool because quite frankly, it is pretty dangerous stuff and would 
prefer to not have my tools used in script kiddies attack tool boxes. oldcmp 
specifically and very purposely avoids DCs.

 joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Friday, March 18, 2005 10:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?

I guess I should have elaborated. NTDSUtil references domains, sites, and servers 
by sequential numbers. In order to write a simple command file for DC cleanup, 
I'd have to know what these numbers would be beforehand, and I'm not at all sure 
they won't change.

What I'd like to do is write a perl script that will figure out what these numbers 
will be and write a script that I can feed into ntdsutil to do the dirty 
work.


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
  Sent: Friday, March 18, 2005 9:40 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Scripting DC cleanup?
  
  You can make ntdsutil work in a script. Just make a batch file. The syntax is to put a 
  space between each command and put them in quotes:
  
  ntdsutil "connect to domain 1" "do something cool" "build an arc"
  
  ntdsutil "connect to domain 2" "do something cool" "build an arc"
  
  etc etc
  
  --
  Brian Desmond
  [EMAIL PROTECTED]
  Payton on the web! www.wpcp.org
  v - 773.534.0034 x135
  f - 773.534.8101
  c - 312.731.3132
  
  
  From: [EMAIL PROTECTED] on behalf of Ken Cornetet
  Sent: Fri 3/18/2005 7:33 AM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Scripting DC cleanup?
  
  It's getting close 
  to time for our annual off-site disaster recovery test, and I'd like to 
  automate a dreaded chore that this testing entails. Our main domain has about 
  two dozen DCs. We only recover one of those during the test. This means I have 
  to perform the ntdsutil dance outlined in KB216498 23 times to remove the 
  phantom DCs.
  
  Is there any way I 
  can script this, or at least script creation of a text file that would be 
  piped into ntdsutil?
  
  I stumbled across 
  a script called "metacleaner.vbs" written by a gentleman at microsoft, but it 
  did not appear to work.


RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread Fugleberg, David A
Does this provide any permissions above and beyond changing group
membership ?  For example, can the person/group that's been named in the
manageBy box do anything else to the group, such as rename it, delete
it, etc. ?

I hope not, 'cause if it ONLY allows management of the membership list
it could be quite useful for a particular need I have at the moment...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, April 27, 2005 2:19 AM
To: 'joe '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?


Hi,

That being said, that tab will not let you specify a
group, it only looks at users and contacts and will only allow you to 
specify one.

In W2K3SP1 this changed. It is possible to specify a group in the
managedBy and allow it to change group membership by checking the checkbox

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/27/2005 1:31 AM
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

The managedBy attribute doesn't bestow any rights upon the owner, it
just is an attribute that links the user and group together for easy
querying.

Later versions of ADUC added functionality by letting you specify that
ADUC should add an ACE for the principal specified for managedBy but
that is two separate operations. That being said, that tab will not let
you specify a group, it only looks at users and contacts and will only
allow you to specify one. 

However all of that being said, you can easily add an ACE to the group
for any other groups or users directly to the group itself, you want to
add (and yes I know this makes no sense) the Add/Remove self as member
permission. 

Sort of like 

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 



RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread Grillenmeier, Guido
nope, all it does (which is quite nice) is to Allow Write Members for
the respective security Principal Object on the Group object.  If the
manager (or manager group) changes, the permissions are adjusted
appropriately - however, as I understand, you have to adjust them via
ADUC again (i.e. it's not a direct function of AD to grant the
permissions to the manager).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Wednesday, April 27, 2005 23:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Does this provide any permissions above and beyond changing group
membership ?  For example, can the person/group that's been named in the
manageBy box do anything else to the group, such as rename it, delete
it, etc. ?

I hope not, 'cause if it ONLY allows management of the membership list
it could be quite useful for a particular need I have at the moment...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, April 27, 2005 2:19 AM
To: 'joe '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?


Hi,

That being said, that tab will not let you specify a
group, it only looks at users and contacts and will only allow you to 
specify one.

In W2K3SP1 this changed. It is possible to specify a group in the
managedBy and allow it to change group membership by checking the checkbox

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/27/2005 1:31 AM
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

The managedBy attribute doesn't bestow any rights upon the owner, it
just is an attribute that links the user and group together for easy
querying.

Later versions of ADUC added functionality by letting you specify that
ADUC should add an ACE for the principal specified for managedBy but
that is two separate operations. That being said, that tab will not let
you specify a group, it only looks at users and contacts and will only
allow you to specify one. 

However all of that being said, you can easily add an ACE to the group
for any other groups or users directly to the group itself, you want to
add (and yes I know this makes no sense) the Add/Remove self as member
permission. 

Sort of like 

dsacls GROUP_DN /I:T /G "domain\secprin:WS;Add/Remove self as member"

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.


RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread Crawford, Scott
Yup.  It simply adds an ACE for the group with the Write Members
permission for just that object.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg,
David A
Sent: Wednesday, April 27, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Does this provide any permissions above and beyond changing group
membership ?  For example, can the person/group that's been named in the
managedBy box do anything else to the group, such as rename it, delete
it, etc. ?

I hope not, 'cause if it ONLY allows management of the membership list
it could be quite useful for a particular need I have at the moment...
Dave

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: Wednesday, April 27, 2005 2:19 AM
To: 'joe '; '[EMAIL PROTECTED] ';
'ActiveDir@mail.activedir.org '
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?


Hi,

That being said, that tab will not let you specify a
group, it only looks at users and contacts and will only allow you to 
specify one.

In W2K3SP1 this changed. It is possible to specify a group in the
managedBy and allow it to change group membership by checking the checkbox

#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 4/27/2005 1:31 AM
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

The managedBy attribute doesn't bestow any rights upon the owner, it
just is an attribute that links the user and group together for easy
querying.

Later versions of ADUC added functionality by letting you specify that
ADUC should add an ACE for the principal specified for managedBy but
that is two separate operations. That being said, that tab will not let
you specify a group, it only looks at users and contacts and will only
allow you to specify one. 

However all of that being said, you can easily add an ACE to the group
for any other groups or users directly to the group itself, you want to
add (and yes I know this makes no sense) the Add/Remove self as member
permission. 

Sort of like 

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 



RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread joe
Ah try this...

dsacls GROUP_DN /I:T /G domain\secprin:WP;member


However, make note that when dsacls outputs it though it will show
Add/Remove self as member, not member.

It has been a while since I did this and determined the command from looking
at the existing ACL. I had to go back to my notes, there are a couple of
property sets that display weird in dsacls. The Add/Remove self as member
and Validated Write to dnsHostName are two that I have previously hit and
had issues with.


   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 1:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi Joe

For some reason the below, doesn't give me access to update member list
- am running in 2003 sp1 test domain.

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Is it different with sp1?

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hey Freddy, I put this in the original post I responded in:


dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi Joe

Thanks for the quick one.

Seems like when I was testing this - the permission that is needed is only
Write Property

The closest I got to is the below - however this will allow the user to
write ALL PROPERTIES - this includes changing group name, description etc. 

While the standard gui method will not allow this.. any ideas what type of
WP should I restrict this to..

dsacls GRPDN /G domain\user:WP

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a group?

The managedBy attribute doesn't bestow any rights upon the owner, it just is
an attribute that links the user and group together for easy querying.

Later versions of ADUC added functionality by letting you specify that ADUC
should add an ACE for the principal specified for managedBy but that is two
separate operations. That being said, that tab will not let you specify a
group, it only looks at users and contacts and will only allow you to
specify one. 

However all of that being said, you can easily add an ACE to the group for
any other groups or users directly to the group itself, you want to add (and
yes I know this makes no sense) the Add/Remove self as member
permission. 

Sort of like 

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

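The three grants discussed in this thread (blanket WP, WP scoped to member, and the Add/Remove self as member validated write) can be told apart when auditing a group's DACL. The following is an added Python example, not code from any poster: the SDDL string and SIDs are constructed, and the GUID is the schema GUID of the member attribute, which the Self-Membership validated write also uses as its rights GUID (consistent with the dsacls display joe describes).

```python
import re

# schemaIDGUID of the `member` attribute. The "Self-Membership" validated
# write ("Add/Remove self as member") is identified by the same GUID; only the
# access-mask bit (WP vs SW) tells the two grants apart.
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"

# SDDL right codes -> directory-service access-mask bits.
RIGHT_BITS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
    "WD": 0x40000, "WO": 0x80000,
    # Generic rights as they map onto directory objects.
    "GR": 0x20094, "GW": 0x20028, "GX": 0x20004, "GA": 0xF01FF,
}
WRITE_PROP, SELF_WRITE = 0x20, 0x8


def rights_to_mask(rights):
    """Convert an SDDL rights field (letter codes or hex) to an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHT_BITS.get(code, 0)
    return mask


def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) part of an SDDL string as dicts."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append({
            "type": ace_type,
            "flags": set(re.findall("..", flags)),
            "mask": rights_to_mask(rights),
            "object": obj_guid.lower(),
            "trustee": trustee,
        })
    return aces


def classify(ace):
    """Name the membership-related grant an allow ACE gives, or None.

    Deny ACEs, ACE ordering and property-set grants are not modelled here.
    """
    if ace["type"] not in ("A", "OA") or "IO" in ace["flags"]:
        return None  # not an allow ACE, or inherit-only (not for this object)
    if ace["mask"] & WRITE_PROP and ace["object"] == "":
        return "ALL_PROPERTIES"   # can also change name, description, ...
    if ace["mask"] & WRITE_PROP and ace["object"] == MEMBER_GUID:
        return "MEMBER_ONLY"      # can edit the member list, nothing else
    if ace["mask"] & SELF_WRITE and ace["object"] in ("", MEMBER_GUID):
        return "SELF_MEMBERSHIP"  # can only add or remove itself
    return None


def audit_group_dacl(sddl):
    """List (trustee, grant, inheritable) for every membership-related ACE."""
    findings = []
    for ace in parse_dacl(sddl):
        grant = classify(ace)
        if grant:
            findings.append((ace["trustee"], grant, "CI" in ace["flags"]))
    return findings


# Constructed sample DACL for one group (SIDs are made up):
#   -1105  write property with no attribute named (every property)
#   -1106  write property limited to `member`
#   -1107  the same grant marked inheritable to child objects (CI)
#   -1108  validated write "Add/Remove self as member"
#   AU     read-only ACE, ignored by the audit
DOMAIN_SID = "S-1-5-21-1000000001-1000000002-1000000003"
SAMPLE_SDDL = (
    "D:"
    f"(A;;RPWP;;;{DOMAIN_SID}-1105)"
    f"(OA;;WP;{MEMBER_GUID};;{DOMAIN_SID}-1106)"
    f"(OA;CI;WP;{MEMBER_GUID};;{DOMAIN_SID}-1107)"
    f"(OA;;SW;{MEMBER_GUID};;{DOMAIN_SID}-1108)"
    "(A;;RPLCRC;;;AU)"
)

if __name__ == "__main__":
    for trustee, grant, inheritable in audit_group_dacl(SAMPLE_SDDL):
        print(f"{trustee:55} {grant:16} inheritable={inheritable}")
```

An ALL_PROPERTIES finding on a security group is the one to review first, since it reaches well beyond the membership list.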

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-27 Thread joe
I waffled on posting that at all. I am not sure I can properly illustrate
why I think it would be good for educational info. Maybe just to see from
the outside the deltas in speeds of the same query when things are in cache
versus not, etc. Overall it is just another stat to help understand how your
directory is performing. 

   joe 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, April 27, 2005 2:14 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Correcting myself inline (full of that today aren't I?).

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 10:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

 I think it would be kind of interesting if the STATS control could 
 tell you what % of the result set came from cache or something like 
 that

Actually, that's not really what you want. If I may, let me change your ask
in to what I think you really would like
What you really want is the % of pages touched to service the query that
were in the cache. It doesn't matter if those pages are returned or not, it
only matters that you needed the pages to effectively service the search. As
that's what defines the amt of time it takes to service it.
[Efleis] - I shouldn't say this, it isn't quite true. What I meant was, this
defines the amt of time that we would spend on I/O, should those pages not
be in memory. Other things might necessitate more time spent on the search.

That said, assuming you got what you really want, I'm not totally sold of
the value. What will you learn?
1) More db cache - inefficient searches are faster
2) Better search filter optimization - better index selection - faster
searches with less cache needed and less I/O needed

Searches that hit infrequently used indexes will have a lower % of pages in
memory, but still be faster than inefficient ones that hit many pages in
memory. And the avg IT admin will wonder why. :)

Inefficient searches are still inefficient, and are still going to require a
large db cache to service them in any sort of timely manner.
How much cache? As much as you have dataset that need be traversed for the
inefficient search in question. Whatever that dataset might be.

Sell me on the learning opportunity here? Sorry, I'm just not seeing it.
I like the idea on paper, and would be more than happy to file the bug.
I'm just not seeing what you think you can do better with this data point
than you can today.

~Eric




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, April 26, 2005 9:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

Thanks ~Eric. I think it would be kind of interesting if the STATS control
could tell you what % of the result set came from cache or something like
that. How feasible would something like that be? Possibly the results of
that would only be for educational reasons but I, at least, would find that
info interesting. 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, April 26, 2005 8:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

You beat me to the reply, thanks Brett.

A better way to think of this Joe is that a subset of the DIT is in RAM, as
much as we can fit, assuming 1) we don't run out of memory to use 2) we
don't have pressure to back off. And we try and pick the best pages to cache
(best definition omitted for now).

The one thing we can't do today is that we can't proactively cache
something. Though I've thought a lot about whether or not it is something
that I should personally be pushing Brett's team to work on.
There's good and bad, but the bottom line today is that you can warm
the cache. In the absence of memory pressure, this warming technique will
help get things in the first time. But there are some things it doesn't do
1) It doesn't let you tell buffer manager to keep something in the cache no
matter what, if you think you're smarter than the buffer manager. I would
point out, almost never are you smarter than buffer manager, even when you
think you are. But that doesn't mean you won't complain that we don't have a
mechanism for it.
2) You can't really guarantee that something is in the cache with these
sorts of warming techniques. You can get close, but you can't (for
example) say please prefetch this index. But warming the cache can do the
big stuff, like walking ancestry and pulling in the mass of the data table.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Tuesday, April 26, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: 

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-27 Thread joe
Thanks Brett, a B+-tree does make sense. I didn't intend to mean linked list
as the actual data structure, but instead as the type of data recovery
scheme, one node points to the next, etc. I.E. It isn't consecutive memory
that can be iterated through with simple memory pointer INCRs, instead
requiring more involved (or complex if you prefer) iterator type functions. 

As for reading up on this, I had my fill of understanding the implementation
and use of B-tree and other advanced data structures 15-18 years ago when I
had to deal with it regularly. I don't think I will go reacquaint myself with
them now to keep this line of questioning going. It was never an area that I
found a huge amount of fun in. :o)  I do appreciate the time you took to
work through the questions. I think I have an overall better grasp of what
is going. 

 Thanks again,

  joe




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, April 27, 2005 2:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?

No, the pages will not get loaded into consecutive pages in memory, nor do
we use a linked list scheme* for the index entries ...

* at least we're not using a linked list, like I think you mean it below.

Our indexes are B+ trees ... which is a very standard data structure for
databases (and many file systems as well).  A B+tree is not related to a
binary tree.  Often we drop the +, and just say b-tree, though technically a
B-tree is a very similar precursor to the B+ tree.  A real B-tree is not a
binary tree either.

Hiding a significant amount of details, the data on a page is arranged in a
way that allows us to see a sorted array of node keys (node is kind of like
a record ...).  This way a simple bsearch (in this case the b does stand
for binary) within a page finds the next hop down the b-tree, or if on a
leaf page, the row/index entry we want.

Please read up on B/B+ Trees and re-ask your question ...

Cheers,
-BrettSh [msft]




On Wed, 27 Apr 2005, joe wrote:

 Excellent post Brett. This is good info that generally doesn't seem to 
 make it out of the corridors of msft. I appreciate you taking the time 
 to write this up.
 
 Initially your explanation bothered me about loading DIT pages as it 
 seems it would be more efficient to load the tables and indexes up 
 versus chasing from page to page for the info... However, thinking 
 more about it, the mechanism I am visualizing wouldn't scale with any 
 memory pressure, you could and probably would get into a situation 
 where you couldn't load an entire table or index and where would you be
then?
 
 I am probably going to show even more ignorance on how the backend 
 works, but say you have an index that is spread across several pages. 
 Lets say those pages aren't in consecutive pages on disk, will they 
 get loaded into consecutive pages in memory so you can tear through it 
 sort of like a single structure or will it rely on some sort of a 
 linked list type of scheme where you jump around memory chasing the 
 index rows. I expect the latter and I also would expect this issue 
 would be minimized with the successful online defrags as you mentioned 
 since the indexes/tables will be collected together.
 
 
joe
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Tuesday, April 26, 2005 7:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
 Joe,
 
 When you say
the actual DIT isn't cached in RAM, the tables, indexes, and such
are cached.
 I'd take issue with that ... that isn't a good way to explain what is 
 really happening.
 
 The DIT is most definitely cached in RAM, it is cached directly 1 or 
 more pages at a time.  Where a page is an 8k chunk for Active 
 Directory.  We do not extrude the tables and indexes from those pages, 
 they stay in the pages, and we take a latch on that page's memory 
 when we want to update the page ... then later we write that 8k chunk 
 directly from that memory to the offset (based on its pgno) of the DIT
file it belongs at.
 
 Now, it is true, not all of the DIT may be cached, we'll only cache 
 what we need, and it will not pull in free space pages into memory (at 
 least in most circumstances ...? I'm thinking of prefetching might ... but
lets ignore).
 
 I _think_ _online_ defrag (I know we're talking offline defrag below, 
 but mentioning online defrag is important, it is what makes offline 
 defrag unnecessary ... online defrag is frequently abbreviated OLD ... 
 which of course would be the acronym of offline defrag if it had one, 
 trust me OLD is online defrag (at least as far as the ESE devs are 
 concerned) ... poor taste for a TLA in my opinion ... that was a long 
 aside), actually logs an event on how much free space there is in the 
 database ... I'm 57% sure that the DIT size 

RE: [ActiveDir] How much of the DIT is cached in RAM ?

2005-04-27 Thread Brett Shirley

From ESE's advanced perf counters exist, that tell you on a non-per-search
basis:
 - Database Pages Transferred/sec
 - Database Page Latches/sec

IIRC, the first is rate of pages being transferred from disk, and the 2nd
is the rate at which you are making a read of something on a page in the
cache (that will include the read right after a page is transferred,
BTW).  It doesn't give you the per query stats you were discussing, but it
does give you an idea of how much disk the DC is requiring ...

If you were to isolate a DC from load, except your query, it could give a
_rough_ idea for a particular query, but remember latches aren't unique
references, so if a single query internally has to read a page several
times, that will be several latch counts.

...

Cheers,
-BrettSh

On Wed, 27 Apr 2005, joe wrote:

 I waffled on posting that at all. I am not sure I can properly illustrate
 why I think it would be good for educational info. Maybe just to see from
 the outside the deltas in speeds of the same query when things are in cache
 versus not, etc. Overall it is just another stat to help understand how your
 directory is performing. 
 
joe 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
 Sent: Wednesday, April 27, 2005 2:14 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
 Correcting myself inline (full of that today aren't I?).
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
 Sent: Tuesday, April 26, 2005 10:41 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
  I think it would be kind of interesting if the STATS control could 
  tell you what % of the result set came from cache or something like 
  that
 
 Actually, that's not really what you want. If I may, let me change your ask
 in to what I think you really would like
 What you really want is the % of pages touched to service the query that
 were in the cache. It doesn't matter if those pages are returned or not, it
 only matters that you needed the pages to effectively service the search. As
 that's what defines the amt of time it takes to service it.
 [Efleis] - I shouldn't say this, it isn't quite true. What I meant was, this
 defines the amt of time that we would spend on I/O, should those pages not
 be in memory. Other things might necessitate more time spent on the search.
 
 That said, assuming you got what you really want, I'm not totally sold of
 the value. What will you learn?
 1) More db cache - inefficient searches are faster
 2) Better search filter optimization - better index selection - faster
 searches with less cache needed and less I/O needed
 
 Searches that hit infrequently used indexes will have a lower % of pages in
 memory, but still be faster than inefficient ones that hit many pages in
 memory. And the avg IT admin will wonder why. :)
 
 Inefficient searches are still inefficient, and are still going to require a
 large db cache to service them in any sort of timely manner.
 How much cache? As much as you have dataset that need be traversed for the
 inefficient search in question. Whatever that dataset might be.
 
 Sell me on the learning opportunity here? Sorry, I'm just not seeing it.
 I like the idea on paper, and would be more than happy to file the bug.
 I'm just not seeing what you think you can do better with this data point
 than you can today.
 
 ~Eric
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Tuesday, April 26, 2005 9:11 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
 Thanks ~Eric. I think it would be kind of interesting if the STATS control
 could tell you what % of the result set came from cache or something like
 that. How feasible would something like that be? Possibly the results of
 that would only be for educational reasons but I, at least, would find that
 info interesting. 
 
 
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
 Sent: Tuesday, April 26, 2005 8:01 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] How much of the DIT is cached in RAM ?
 
 You beat me to the reply, thanks Brett.
 
 A better way to think of this Joe is that a subset of the DIT is in RAM, as
 much as we can fit, assuming 1) we don't run out of memory to use 2) we
 don't have pressure to back off. And we try and pick the best pages to cache
 (best definition omitted for now).
 
 The one thing we can't do today is that we can't proactively cache
 something. Though I've thought a lot about whether or not it is something
 that I should personally be pushing Brett's team to work on.
 There's good and bad, but the bottom line today is that you can warm
 the cache. In the absence of memory 
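A small model of what Brett and Eric describe in this thread: a binary search inside each page picks the next hop down the B+ tree, every page read counts as a latch, and only cache misses count as transfers. This is an added Python example, not ESE code; the page layout, 4-key pages, 8-page cache and plain LRU eviction are assumptions chosen for the illustration, since the thread does not describe the buffer manager's real policy.

```python
from bisect import bisect_left, bisect_right
from collections import OrderedDict


def build(keys, per_page=4):
    """Build a B+ tree bottom-up from sorted keys; return (pages, root pgno)."""
    pages, level, pgno = {}, [], 0
    for i in range(0, len(keys), per_page):          # leaf pages
        chunk = keys[i:i + per_page]
        pages[pgno] = {"leaf": True, "keys": chunk, "next": None}
        level.append((chunk[0], pgno))
        pgno += 1
    for (_, left), (_, right) in zip(level, level[1:]):
        pages[left]["next"] = right                  # leaf chain for scans
    while len(level) > 1:                            # internal pages
        parents = []
        for i in range(0, len(level), per_page):
            group = level[i:i + per_page]
            pages[pgno] = {"leaf": False,
                           "keys": [k for k, _ in group[1:]],  # separators
                           "kids": [p for _, p in group]}
            parents.append((group[0][0], pgno))
            pgno += 1
        level = parents
    return pages, level[0][1]


class PageCache:
    """Page cache with counters modelled on the two perf counters above."""

    def __init__(self, disk, capacity):
        self.disk, self.capacity = disk, capacity
        self.cached = OrderedDict()
        self.latches = 0      # every read of a page, cached or not
        self.transfers = 0    # reads that had to go to "disk"

    def read(self, pgno):
        self.latches += 1
        if pgno in self.cached:
            self.cached.move_to_end(pgno)
        else:
            self.transfers += 1
            self.cached[pgno] = self.disk[pgno]
            if len(self.cached) > self.capacity:
                self.cached.popitem(last=False)      # evict least recent
        return self.cached[pgno]


def seek(cache, root, key):
    """Indexed lookup: binary search in each page picks the next hop."""
    page = cache.read(root)
    while not page["leaf"]:
        page = cache.read(page["kids"][bisect_right(page["keys"], key)])
    i = bisect_left(page["keys"], key)
    return i < len(page["keys"]) and page["keys"][i] == key


def scan(cache, first_leaf, predicate):
    """Unindexed filter: walk every leaf page and test every entry."""
    hits, pgno = 0, first_leaf
    while pgno is not None:
        page = cache.read(pgno)
        hits += sum(1 for k in page["keys"] if predicate(k))
        pgno = page["next"]
    return hits


def measure(cache, fn, *args):
    """Run one query; return (latches, transfers) it added to the counters."""
    l0, t0 = cache.latches, cache.transfers
    fn(cache, *args)
    return cache.latches - l0, cache.transfers - t0


def demo():
    disk, root = build(list(range(64)))   # 16 leaves + 4 internal + 1 root
    cache = PageCache(disk, capacity=8)
    return {
        "cold_seek": measure(cache, seek, root, 37),
        "warm_seek": measure(cache, seek, root, 37),
        "scan": measure(cache, scan, 0, lambda k: k % 2 == 0),
        "seek_after_scan": measure(cache, seek, root, 37),
    }


if __name__ == "__main__":
    for name, (latches, transfers) in demo().items():
        print(f"{name:16} latches={latches:2} transfers={transfers:2}")
```

The warm seek adds latches without transfers, and the full scan pushes the index path out of the small cache so the next seek pays for I/O again.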

RE: [ActiveDir] More than 1 user having 'managed by' for a group?

2005-04-27 Thread freddy_hartono
Hi Joe

Is there any reason why we need to grant the right to include the child
objects? /I:T

I've removed /I:T and it seems to work fine as well, thanks for the
member attribute I think that does the things I wanted :D

dsacls GROUP_DN /G domain\secprin:WP;member

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 28, 2005 6:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Ah try this...

dsacls GROUP_DN /I:T /G domain\secprin:WP;member


However, make note that when dsacls outputs it though it will show
Add/Remove self as member, not member.

It has been a while since I did this and determined the command from
looking at the existing ACL. I had to go back to my notes, there are a
couple of property sets that display weird in dsacls. The Add/Remove self
as member and Validated Write to dnsHostName are two that I have
previously hit and had issues with.


   joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, April 27, 2005 1:37 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Hi Joe

For some reason the below, doesn't give me access to update member list
- am running in 2003 sp1 test domain.

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Is it different with sp1?

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Hey Freddy, I put this in the original post I responded in:


dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 8:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

Hi Joe

Thanks for the quick one.

Seems like when I was testing this - the permission that is needed is
only Write Property

The closest I got to is the below - however this will allow the user to
write ALL PROPERTIES - this includes changing group name, description
etc. 

While the standard gui method will not allow this.. any ideas what type
of WP should I restrict this to..

dsacls GRPDN /G domain\user:WP

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, April 27, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] More than 1 user having 'managed by' for a
group?

The managedBy attribute doesn't bestow any rights upon the owner, it
just is an attribute that links the user and group together for easy
querying.

Later versions of ADUC added functionality by letting you specify that
ADUC should add an ACE for the principal specified for managedBy but
that is two separate operations. That being said, that tab will not let
you specify a group, it only looks at users and contacts and will only
allow you to specify one. 

However all of that being said, you can easily add an ACE to the group
for any other groups or users directly to the group itself, you want to
add (and yes I know this makes no sense) the Add/Remove self as member
permission. 

Sort of like 

dsacls GROUP_DN /I:T /G domain\secprin:WS;Add/Remove self as member

Or through a script.

   joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 26, 2005 7:16 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] More than 1 user having 'managed by' for a group?

Hi all,

Is it possible to get multiple accounts to be able to perform update of
group membership (under the managed by) - both distribution list and
security groups?


Thanks in advance!

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security) Spherion Technology Group,
Singapore For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 
