FW: [ActiveDir] Create Trusted Domain Object permission

2005-05-02 Thread Manjeet Singh

Hi,

I have two Windows 2003 forests, and one of my forests is in a
mixed-mode environment.

I want to create a trust relationship from one domain controller
in one forest to all the domain controllers in the other forest.

I know that a transitive trust will only work when both forests
are in native mode. I cannot raise the level of my second forest.

Now I want to create a user in the second forest with the Create
Trusted Domain Object permission so that I can create the trust between the two
forests using that user.

My problem is that that permission is not working in
Windows 2003.

I tested this permission in Windows 2000 some time
back, and it was working.

Does anybody have an idea? Has Microsoft changed something with
this permission?

Or is there any other way, so that I can give the minimum rights to
a user just for creation of the trust...

Thanks,

Manjeet

[ActiveDir] Solaris authentication

2005-05-02 Thread Douglas M. Long
Anyone know if this is passed in plain text? If so, I don't see any advantage to 
this versus the NIS server in SFU. Seems that the *nix community is making no 
progress in the secure authentication arena if this is the case. Any ideas or 
thoughts?

http://docs.sun.com/source/816-6775-10/a_activedirauth.html

RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread Al Mulnick
Depends how you set up the attribute (search for extending schema in AD).


I wouldn't have the website do this based on authentication.  You want
to be sure they read it, so you would want to treat it like you do with
other agreements i.e. EULA agreements and have the OK navigation button
disabled unless and until they click 'I Agree' 


As for notification, use email and bug the crud out of them.  Or bug
their manager if they don't respond in x amount of days. I see the .mil
in the addr, which tells me you likely have managers that don't like to
be bothered with this kind of piddly stuff.  :)

As for whether or not to update in AD, I'm not one to agree so easily
that adding a custom attribute or even using an existing one is so worth
it. I suppose it depends and there are many pros and cons both
directions I'm sure.  I'd favor some other recording method in many
instances myself. 

As for permissions, you would have to have permissions to modify the
attribute using the credentials provided.  For the sake of
tamper-resistance, I would guess that you would want to make this a
restricted attribute field.  You may additionally want to lock out or
disable their account until they read this if it's that important.
Makes me wonder how they'll get to the page if they're locked out,
but


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD.  I am assuming
that I need to use ADSI or similar tool to create this Custom Attribute.


Once the attribute is there, I would need to configure an ActiveX script
or something that will update this attribute when the user authenticates
to the website, correct?   Do I need the web services account to run this
script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first." 

and if they don't agree to what's listed on the HR site you can go ahead
and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last
time they've checked the HR website => you can then send out e-mails to
the user (and their manager) that it's time to re-confirm their HR data.
We use this mechanism for many things (the place where you store the
"last confirmation date" naturally depends on your environment - if AD
is your main central directory, there's nothing bad in using it for
this).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to
acknowledge reading it every 90 days?

I expect the latter in case there are some sort of legal implications.  

Have the website be authenticated and have it update a custom created
field in AD for each user as they acknowledge the page. 

Have a logon script that reads that attribute from AD and pops the IE
window based on it. You could also have something else sending emails as
the time approaches as well for people who don't log off and on or
otherwise don't see the logon script (such as someone who logs in via
VPN or logs into their workstation instead of the domain - like me). 

You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first. Not that I would really recommend this strongly, but it is a
mechanism that could be used.





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script some how or is there a way thru AD
to accomplish this easier or perhaps a combination. 

Jeff


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

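
As an added example, not code from any of the posters, the following PowerShell puts the pieces joe, Guido and Al describe above into one place: a custom attribute holding the last acknowledgement date, a logon-side check that opens the HR page when that date is older than 90 days, a write performed only by the site's service account, and a dsacls delegation that grants that account write access to the single attribute and nothing else. The attribute name hrLastConfirmed, the URL, the OU, the account EXAMPLE\svc-hrweb and the dsacls invocation are assumptions; nothing in the thread names them.

```powershell
# Added example, not code from the thread. Demonstrates the design joe, Guido
# and Al discuss: the HR site records the last acknowledgement in a custom AD
# attribute, a logon script reads it, and only a dedicated service account may
# write it. Assumptions (none of these names come from the thread):
#   - a single-valued Unicode string attribute named hrLastConfirmed has been
#     added to the schema and linked to the user class;
#   - the HR site lives at https://hr.example.com/confirm and runs as
#     EXAMPLE\svc-hrweb; users live under the OU below;
#   - the ActiveDirectory module (RSAT) is present where the script runs.
Import-Module ActiveDirectory

$AttributeName = 'hrLastConfirmed'                   # assumed custom attribute
$HrSiteUrl     = 'https://hr.example.com/confirm'    # assumed
$UsersOU       = 'OU=Users,DC=example,DC=com'        # assumed
$MaxAgeDays    = 90

# Pure decision logic, kept separate so it can be exercised without a domain.
# Dates are stored as yyyy-MM-dd strings; an empty or unparsable value is
# treated as "never confirmed" rather than silently passing the user.
function Test-HrConfirmationDue {
    param(
        [AllowNull()][AllowEmptyString()][string]$LastConfirmed,
        [int]$MaxAgeDays = 90,
        [datetime]$Now = (Get-Date)
    )
    if ([string]::IsNullOrWhiteSpace($LastConfirmed)) { return $true }
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact(
        $LastConfirmed, 'yyyy-MM-dd',
        [System.Globalization.CultureInfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { return $true }
    return (($Now - $parsed).TotalDays -ge $MaxAgeDays)
}

# Logon-script side: runs as the user, needs only read access to the attribute.
function Invoke-HrLogonCheck {
    $me = Get-ADUser -Identity $env:USERNAME -Properties $AttributeName
    if (Test-HrConfirmationDue -LastConfirmed $me.$AttributeName -MaxAgeDays $MaxAgeDays) {
        Start-Process $HrSiteUrl        # opens the default browser on the HR page
    }
}

# Web-site side: runs as the service account after the user has acknowledged.
# Write with the service account's identity, never the user's: if users could
# write the attribute themselves they could forge the acknowledgement, which
# defeats the tamper-resistance Al asks for.
function Set-HrConfirmed {
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -Replace @{
        $AttributeName = (Get-Date).ToString('yyyy-MM-dd')
    }
}

# One-time delegation, run as a domain admin: write property on this single
# attribute of user objects under the OU, inherited to sub-OUs. Users keep the
# default read access the logon script relies on. The dsacls form below is
# assumed from the tool's documented "/G trustee:perm;attribute;objectClass"
# syntax; verify it in a lab before relying on it.
# dsacls $UsersOU /I:S /G "EXAMPLE\svc-hrweb:WP;$AttributeName;user"
```

Because the website writes under its own account, a user who reaches the attribute through another path (an LDAP client, for instance) still has only the default self read access, so the date cannot be set forward by the person it is about.
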

RE: [ActiveDir] ACTIVE DIRECTORY AND WEBSITE CONFLICTS

2005-05-02 Thread Marcus.Oh
Hmmm.  That's a good point.  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Monday, May 02, 2005 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ACTIVE DIRECTORY AND WEBSITE CONFLICTS

On 4/30/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Yep, to illustrate this point, run nslookup xyz.com.  You'll get a
> return of all the IP addresses (hopefully) of your DNS servers.  If
you
> start adding empty A record names pointing to your web servers,
they'll
> get listed in the return.  This is problematic if your clients are
> looking for DNS servers of xyz.com zone and get returned a web server
IP
> address as the first in the list.

Anyone looking for a DNS server for xyz.com should be looking for NS
records so having an A record for xyz.com is perfectly fine. However
if you have the same DNS domain internally as you do externally then
you might have an issue with this as Deji pointed out previously.

Phil


RE: [ActiveDir] GPO Item: Accounts: Rename administrator account

2005-05-02 Thread David Adner
When you disable the GPO, it doesn't revert any renames back to their
original names.  Rename it back yourself. 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Charlie Saliba
> Sent: Monday, May 02, 2005 18:32
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] GPO Item: Accounts: Rename administrator account
> 
> Greetings
> 
> I recently created and linked a GPO where the only setting 
> was Accounts: Rename the administrator account to (for 
> illustrative purposes) CharlieAdmin. I linked it to the 
> domain.  It was under my impression that this would only 
> rename the local administrator accounts... was I wrong?  I've 
> already disabled this GPO and unlinked it from the domain.
> The kicker is my domain administrator userid is still 
> CharlieAdmin and it will not revert to what it was.  I have 
> done gpupdate and that hasn't worked.. I checked gpresult and 
> it does not show anything about the GPO that I created.  Does 
> anyone have a clue where I could go next?
> 
> Thanks!
> 
> Charlie Saliba
> [EMAIL PROTECTED]
> 
> 



RE: [ActiveDir] GPO Item: Accounts: Rename administrator account

2005-05-02 Thread freddy_hartono

Modify CharlieAdmin GPO – settings to newadminusername and re-link it?

Thank you and have a splendid day!

Kind Regards,

Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Saliba
Sent: Tuesday, May 03, 2005 7:32 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO Item: Accounts: Rename administrator account

Greetings

I recently created and linked a GPO where the only setting was Accounts: Rename
the administrator account to (for illustrative purposes) CharlieAdmin.
I linked it to the domain.  It was under my impression that this would
only rename the local administrator accounts... was I wrong?  I've already
disabled this GPO and unlinked it from the domain.
The kicker is my domain administrator userid is still CharlieAdmin and it will
not revert to what it was.  I have done gpupdate and that hasn't worked..
I checked gpresult and it does not show anything about the GPO that I
created.  Does anyone have a clue where I could go next?

Thanks!

Charlie Saliba
[EMAIL PROTECTED]

[ActiveDir] GPO Item: Accounts: Rename administrator account

2005-05-02 Thread Charlie Saliba
Greetings

I recently created and linked a GPO where the only setting was
Accounts: Rename the administrator account to (for illustrative
purposes) CharlieAdmin.
I linked it to the domain.  It was under my impression that this
would only rename the local administrator accounts... was I
wrong?  I've already disabled this GPO and unlinked it from the
domain.
The kicker is my domain administrator userid is still CharlieAdmin and
it will not revert to what it was.  I have done gpupdate and that
hasn't worked.. I checked gpresult and it does not show anything about
the GPO that I created.  Does anyone have a clue where I could go
next?

Thanks!

Charlie Saliba
[EMAIL PROTECTED]



RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread Cothern Jeff D. Team EITC
I like this idea of using the custom attribute in AD.  I am assuming
that I need to use ADSI or similar tool to create this Custom Attribute.


Once the attribute is there, I would need to configure an ActiveX script
or something that will update this attribute when the user authenticates
to the website, correct?   Do I need the web services account to run this
script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first." 

and if they don't agree to what's listed on the HR site you can go ahead
and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last
time they've checked the HR website => you can then send out e-mails to
the user (and their manager) that it's time to re-confirm their HR data.
We use this mechanism for many things (the place where you store the
"last confirmation date" naturally depends on your environment - if AD
is your main central directory, there's nothing bad in using it for
this).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to
acknowledge reading it every 90 days?

I expect the latter in case there are some sort of legal implications.  

Have the website be authenticated and have it update a custom created
field in AD for each user as they acknowledge the page. 

Have a logon script that reads that attribute from AD and pops the IE
window based on it. You could also have something else sending emails as
the time approaches as well for people who don't log off and on or
otherwise don't see the logon script (such as someone who logs in via
VPN or logs into their workstation instead of the domain - like me). 

You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first. Not that I would really recommend this strongly, but it is a
mechanism that could be used. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script somehow or is there a way through AD
to accomplish this easier or perhaps a combination. 

Jeff




RE: [ActiveDir] Scripting DC cleanup?

2005-05-02 Thread Ken Cornetet
Why? Because a DC won't become a DC if it cannot replicate with other DCs. In 
our disaster recovery testing, we only recover one DC from each domain. I have 
to remove the other DCs from AD, or the one DC will not start acting as a DC.

As a side note, I found a fairly easy solution to my problem. I remembered that 
NTDSUtil prompts before actually removing the DC from AD. I simply wrote a text 
file with all the required incantations for deleting server number 1 from site 
number 1, and duplicated for the other 20 sites. I just answered "no" to the 
prompt for the one DC I wanted to keep. 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Saturday, April 30, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting DC cleanup?



Thoughts on metadata cleanup, from many points on this thread, in importance 
order ...


from Ken Cornetet:

> recover one of those during the test. This means I have to perform the 
> ntdsutil dance outlined in KB216498 23 times to remove the phantom

Why?!?

This made me suspicious ... BTW ... and this is probably the most important 
thing I'll say all day ... so I'll indent it:

  I hope it is clear you should NOT NOT NOT be cleaning up metadata of
  DCs for live DCs.  Demote the DC.  Try not to use force removal
  ... you'll just get it wrong.

When you delete meta-data for a live DC (obviously on some 2nd DC, b/c a DC 
will not voluntarily commit seppuku), the live DC actually decides you didn't 
really know what you're doing, and when it replicates in the delete of its own 
DSA object, it resurrects it.  I wonder if this is what you're experiencing?  
This was a dubious design choice back pre-Win2k RTM, when some beta customer 
hosed their environment by cleaning up meta-data for DCs.  I hope we retract 
this behavior at some future point, myself.



from Marcus:

> Hmm... 2003 dsa seems to remove the metadata when you delete the 
> domain controller reference from the domain controller container.
> Anyone else notice this?

Not sure what you mean by this ... what _exactly_ are you doing?  "2003 dsa" 
isn't an action.  Also are you talking 2k3 or 2k3 SP1?



from joe:

> I would recommend watching your AD to see exactly what NTDSUTIL is 
> doing, you can actually just get away from using it and deleting the 
> appropriate objects directly (hint look at the objects under the 
> server containers of sites...) . In fact you can make a solution that

I wouldn't do this, this is bad layering, the logic here is complicated, and 
the checks that we're making may not be obvious, this kind of logic should be 
pushed into one logical mechanism, and that mechanism should be usable (it 
wasn't usable in Win2k/Win2k3-RTM, but we tried to make it usable in SP1) ... 
further I wouldn't do this, b/c IIRC, we actually changed ntdsutil in SP1 to do 
more ...

> is better than ntdsutil because last I looked, it didn't get rid of 
> FRS references, etc. I recall a tool written by a friend of mine at 
> the widget factory I used to work at that would do this quite well and 
> quite fast and was called Whack-A-DC. It was used to clean up the test 
> environment sucked off of the real environment after it was isolated 
> from the "real" network.

... in fact I think we fixed it to do something very like that.  In addition to 
several other things.



from Dean Wells:

> ... and yet no new (even very small) features will be added within a 
> Service Pack :)

Please stop talking.
(see MG again, it's when they go to Regina's house)



Cheers,
BrettSh [msft]

Posting "as is", confers no rights. 


On Sat, 30 Apr 2005 [EMAIL PROTECTED] wrote:

> Hmm... 2003 dsa seems to remove the metadata when you delete the 
> domain controller reference from the domain controller container.
> Anyone else notice this?
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
> Sent: Wednesday, April 27, 2005 5:01 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
>  
> 
> yeah right ;-)  however, I'm quite happy about the additions in SP1 - 
> even though this should have been called R2 and the planned R2 would 
> then be R3... ;-)
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
> Sent: Tuesday, 22 March 2005 02:55
> To: Send - AD mailing list
> Subject: RE: [ActiveDir] Scripting DC cleanup?
> 
> ... and yet no new (even very small) features will be added within a 
> Service Pack :)
> 
> --
> Dean Wells
> MSEtechnology
> * Email: [EMAIL PROTECTED]
> http://msetechnology.com 
> 
>  
> 
>  
> 
> 
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
> Sent: Monday, March 21, 2005 7:46 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [Acti

RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Fuller, Stuart
Looking back at your original question - Have you 
considered using a tiered WINS server set up?

This scenario divides up your WINS infrastructure into 
levels with the top tier pushing down to the lower tier.  The top tier 
is where you have the DCs and "important Enterprise servers" registered while 
the lower tier(s) are where you register the clients and the "organizationally 
distinct" servers.  The top tier servers do a push-only replication to 
the lower tier servers instead of a push-pull.

It looks something like this:

Tier 1 ->          Enterprise WINS
                     /          \
                    /            \
Tier 2 ->  Company A WINS     Company B WINS

The advantage of using this setup is that Company A clients 
see all of the Enterprise WINS records and the Company A records but not 
any of the Company B records.

The disadvantage is that this is more complex, more 
servers/services, and you are relying on WINS replication to get the 
critical WINS DC records down to the Tier 2 servers.

_Stuart Fuller
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 02, 2005 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

 
Consider the methodology of a large organization, a step 
which is manual in nature could be overlooked by a single support person which 
is what is to be avoided.  But again, in the header of my mail, I did not 
want to go into all of the reasons but rather if it could be 
done.
 
-Jon
 
 

  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 2:41 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Certainly good feedback, but how often are you removing 
  and updating records?  This amounts to a filtered sync in my mind.  
  I understand why you want to do it now, but I'm not sure I agree with the 
  approach to make it semi-automatic.  At least, I don't think I understand 
  the amount of updates and number of possible records.  I'm asking if it's 
  worth it to even automate it vs. just manually doing this due to infrequent 
  changes (this is just for dc and servers). 
   
  And the conversation is academic.  I'm just trying 
  to figure out where to file this type of usage later.
   
  Al
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Monday, May 02, 2005 12:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  If you have a large WINS architecture you are pushing the 
  records into I would prefer the dynamic insert than the static insert myself. 
  Static records can be a pain to remove from a large WINS architecture or at 
  least they were in the past the few times I tried to clean some up. 
  
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 11:54 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Hmm I see what you're after, but that's a funky place 
  to be to say the least.  
   
  I would *think* that your DCs and servers would be 
  static enough that you *could* manually enter those records into the WINS 
  systems on the respective sites.  I would also *hope* that WINS is not 
  required for that, but if it is, you would have to either script that manual 
  version as Joe described (you could build a list of servers and DCs since 
  it's not highly volatile, right?) and run this on a regular basis, or you could 
  read the db in the target domain and push that to others.  There are 
  permissions issues as Joe mentioned, but shouldn't be too terribly difficult 
  to work around that. 
   
  Thanks for assuaging my curiosity and good luck with 
  that :)
   
  Al
  
  
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Monday, May 02, 2005 10:43 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
   
  If you had two distinct organizations and did not want to 
  replicate each other's WINS database information, that would be the first 
  reason.  However, what if both organizations wanted to use a 'shared 
  domain' model?  You can accomplish this by having one set of DCs and 
  servers register to one set of WINS via normal processes and then create a 
  static entry on the second set of WINS servers.  The problem with this 
  model is it isn't autonomous to changes.  So if I decided to add a new 
  server or DC, one side will automatically get the updates, but the other has 
  to be manually changed.  What would be nice is if I could run a command on 
  all servers to refresh the entries at a timed interval against the disjointed 
  WINS server(s).
  


From: [EMAIL PROTECTED] 
   

RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread Grillenmeier, Guido
"You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first." 

and if they don't agree to what's listed on the HR site you can go ahead
and lock their account ;-)

I'd likely vote for a custom attribute in AD where you store the last
time they've checked the HR website => you can then send out e-mails to
the user (and their manager) that it's time to re-confirm their HR data.
We use this mechanism for many things (the place where you store the
"last confirmation date" naturally depends on your environment - if AD
is your main central directory, there's nothing bad in using it for
this).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, 2 May 2005 22:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Does it have to be displayed every 90 days or do they have to
acknowledge reading it every 90 days?

I expect the latter in case there are some sort of legal implications.  

Have the website be authenticated and have it update a custom created
field in AD for each user as they acknowledge the page. 

Have a logon script that reads that attribute from AD and pops the IE
window based on it. You could also have something else sending emails as
the time approaches as well for people who don't log off and on or
otherwise don't see the logon script (such as someone who logs in via
VPN or logs into their workstation instead of the domain - like me). 

You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces them to read that page
first. Not that I would really recommend this strongly, but it is a
mechanism that could be used. 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script somehow or is there a way through AD
to accomplish this easier or perhaps a combination. 

Jeff




RE: [ActiveDir] Checking if security principal is used in an ACL on the FS

2005-05-02 Thread Grillenmeier, Guido

hey Jorge - when you prepare for no. (2), don't forget the 
groups that are nested into other groups - they could be nested into other AD 
groups or into local server groups on the target resource.  This won't make 
your analysis any easier, I know.

And who says you can't do this by name?  You'll find a 
few tools that report on ACLs by listing the names of the 
respective security principals (I know that Quest's Reporting tool 
does this - but I'm sure there are others as well) => might be a more 
reasonable approach, esp. if you want to check the results against the existing 
ACLs on the FS.

Also, before you delete any security group, I'd suggest to 
"disable" the group simply by changing its scope from security to distribution 
=> this way the group is no longer added to anyone's security token at logon 
and you'll quickly hear from the users if they're missing some 
access...

/Guido


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, 2 May 2005 17:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Checking if security principal is used in an ACL on the FS

Hi, 

After a migration we did we want to clean up some security principals (mostly groups).

Situation: 
* File server with data that uses AD groups for the ACLs
* AD OU structure with groups where most of them are used on the file system to protect in some manner (the groups are not used for anything else!)

What I want to do:
* Clean up ALL unused groups

Possible unused groups that can be removed:
(1) groups with no members but used on the file system
(2) groups with members but not used anywhere on the file system

Solution for (1)
* Query AD for all empty groups from the OU structure and delete them
* Force AD replication
* Use SUBINACL to remove deleted SIDs with the option /CLEANDELETEDSIDSFROM

Solution for (2)
* Get all used SIDs used on the file system
* Get all GROUP SIDs from AD
* "Extract" the file system SIDs from the GROUP SIDs in AD and remove the groups that are left

Anyone got any other ideas or a tool that can do this for (2)?

PS.: It would be nice if the file system was integrated with AD like in the NDS.

Cheers,
#JORGE#

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may 
contain proprietary material, confidential information and/or be subject to 
legal privilege. It should not be copied, disclosed to, retained or used by, any 
other party. If you are not an intended recipient then please promptly delete 
this e-mail and any attachment and all copies and inform the sender. Thank 
you.
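
As an added example that is not part of either post, the PowerShell below works through Jorge's case (2) with Guido's caveats applied: it gathers the SIDs referenced in the file system ACLs, follows AD group nesting so that a group which only appears inside another group is still counted as used, reports the groups in the OU that are left over, and stages them as distribution groups rather than deleting them. The share path, the OU and the use of the ActiveDirectory module are assumptions; neither post names them.

```powershell
# Added example, not code from the thread. Implements Jorge's case (2) with
# Guido's two caveats: follow group nesting before declaring a group unused,
# and "disable" candidates by switching them to distribution rather than
# deleting them. Assumed names: the share root and OU below, and the
# ActiveDirectory module (RSAT) being available. Local groups on the file
# server itself are not visible from AD; their membership must be checked on
# the server (for example with net localgroup), which this script does not do.
Import-Module ActiveDirectory

$ShareRoot = '\\fileserver\data'                  # assumed
$GroupOU   = 'OU=FS Groups,DC=example,DC=com'     # assumed

# Step 1: every SID that appears directly in an ACE under the share root.
# Unresolvable (deleted) SIDs are kept in raw S-1-5-... form.
function Get-AclSids {
    param([Parameter(Mandatory)][string]$Root)
    $sids  = New-Object 'System.Collections.Generic.HashSet[string]'
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $id = $ace.IdentityReference
            try   { $sid = $id.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { $sid = $id.Value }
            [void]$sids.Add($sid)
        }
    }
    return $sids
}

# Step 2: a group that is only nested inside another group still grants access,
# so walk the membership graph from every SID found on the ACLs and collect
# every AD group reached. Get-ADGroup -Identity accepts a SID string; anything
# that is not an AD group (users, local groups, deleted SIDs) is skipped.
function Get-NestedGroupSids {
    param([string[]]$StartSids)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    foreach ($s in $StartSids) { $queue.Enqueue($s) }
    while ($queue.Count -gt 0) {
        $sid = $queue.Dequeue()
        if (-not $seen.Add($sid)) { continue }          # already visited
        try   { $g = Get-ADGroup -Identity $sid -Properties member -ErrorAction Stop }
        catch { continue }                              # not an AD group
        foreach ($dn in $g.member) {
            try   { $m = Get-ADObject -Identity $dn -Properties objectClass, objectSid -ErrorAction Stop }
            catch { continue }
            if ($m.objectClass -eq 'group') { $queue.Enqueue($m.objectSid.Value) }
        }
    }
    return $seen
}

# Step 3: groups in the OU whose SID is neither on an ACL nor reachable by nesting.
function Get-UnusedFsGroups {
    $used = Get-AclSids -Root $ShareRoot
    $used.UnionWith((Get-NestedGroupSids -StartSids @($used)))
    Get-ADGroup -SearchBase $GroupOU -Filter * -Properties member |
        Where-Object { -not $used.Contains($_.SID.Value) }
}

# Step 4: stage rather than delete. A distribution group is no longer added to
# anyone's token at logon, so a missed dependency shows up as a complaint, not
# as data loss. -WhatIf keeps the first run read-only; drop it once the list
# has been reviewed, and delete only after a quiet period.
Get-UnusedFsGroups | ForEach-Object {
    Set-ADGroup -Identity $_ -GroupCategory Distribution -WhatIf
}
```

The same walk also covers Jorge's case (1): a group with no members that is on an ACL shows up in the ACL SID set and is therefore kept, which is the safe default until the empty-group pass has run and replicated.
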


RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread Cothern Jeff D. Team EITC
There is an internal website with each person's personal information like
contact numbers, addresses etc.  Right now they can go to that website
and update their info.  But the management side of things wants them to
automatically go to this site every 90 days when they log in.  I am not
sure what the best method would be to make this happen.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 4:21 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Can you give more information about what you want to do and what you
have to work with?  

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script somehow or is there a way through AD
to accomplish this easier or perhaps a combination. 

Jeff


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread joe
Does it have to be displayed every 90 days or do they have to acknowledge
reading it every 90 days?

I expect the latter in case there are some sort of legal implications.  

Have the website be authenticated and have it update a custom created field
in AD for each user as they acknowledge the page. 

Have a logon script that reads that attribute from AD and pops the IE window
based on it. You could also have something else sending emails as the time
approaches as well for people who don't log off and on or otherwise don't
see the logon script (such as someone who logs in via VPN or logs into their
workstation instead of the domain - like me). 

You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them go
to a website to do it, that website forces them to read that page first. Not
that I would really recommend this strongly, but it is a mechanism that
could be used. 





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 3:47 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] using GPO with scripts

I am looking for some help scripting or a way to have a GPO apply only at
certain times.  Basically I need to have users go to a website once every 90
days.  Some HR requirement to keep their information up to date.  Should I
do this with a script some how or is there a way thru AD to accomplish this
easier or perhaps a combination. 

Jeff


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
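Added example, not joe's own code: a PowerShell logon script for the approach he describes, assuming a custom attribute named hrInfoAckDate (placeholder) that the website writes as yyyy-MM-dd, and a placeholder intranet URL.

```powershell
# Added example, not from joe's post. Logon script that reads a custom AD
# attribute and opens the HR page when the acknowledgement is older than
# 90 days. Assumptions: attribute name and URL below are placeholders; the
# website (not the user) writes the date into the attribute.
$AttributeName = 'hrInfoAckDate'                         # placeholder
$UpdateUrl     = 'https://intranet.example/hr/update'   # placeholder
$MaxAgeDays    = 90

function Test-AckExpired {
    # $true when the stored date is missing, unparseable, or at least
    # $MaxAgeDays old. An empty value means the user never acknowledged.
    param([string]$AckDate, [int]$MaxAgeDays = 90, [datetime]$Now = (Get-Date))
    if ([string]::IsNullOrWhiteSpace($AckDate)) { return $true }
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($AckDate, 'yyyy-MM-dd',
              [cultureinfo]::InvariantCulture,
              [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if (-not $ok) { return $true }      # garbage in the attribute: treat as expired
    return ($Now.Date - $parsed.Date).Days -ge $MaxAgeDays
}

# Look up the logged-on user's own object. DirectorySearcher binds to the
# logon DC with the user's own token, so reading one attribute needs no
# extra rights. Write access to the attribute should be granted only to the
# web application's account, never to SELF, or users could self-certify.
$key = $AttributeName.ToLowerInvariant()    # result property names are lowercase
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$($env:USERNAME)))"
[void]$searcher.PropertiesToLoad.Add($key)
$result = $searcher.FindOne()

$ackDate = $null
if ($result -and $result.Properties.Contains($key)) {
    $ackDate = [string]$result.Properties[$key][0]
}

if (Test-AckExpired -AckDate $ackDate -MaxAgeDays $MaxAgeDays) {
    # The site must authenticate the user and write the new date back;
    # otherwise this window would appear on every logon.
    Start-Process $UpdateUrl
}
```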


RE: [ActiveDir] using GPO with scripts

2005-05-02 Thread Al Mulnick
Can you give more information about what you want to do and what you
have to work with?  

Al 



RE: [ActiveDir] seize schema master question

2005-05-02 Thread deji
From the way I am reading this, it appears that you are yanking out (a copy
of) a child domain and expecting to be able to transfer the Schema (which
existed in the root) to a DC in the child domain. For all intents and purposes,
you now want your newly-minted (DR'ed) Domain to appear as if it never had a
parent before. You want to do this because you just found out that the DR'ed
domain is headless and Exchange won't install.

If that understanding is correct, I think you are SOL. You can't just prune
and graft domains like that. I vaguely remember the "Guido trick" that Jorge
alluded to, but I didn't understand the concept he was describing, so I can't
tell you if that might work for you in this case. Six-pack says it won't.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Pelle, Joe
Sent: Mon 5/2/2005 9:18 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question



> Why would you want to resurrect the root domain if it's working?

The child domain was working fine - but I need Exchange installed - which
meant I needed the schema role

> What do you mean with "But since the schema master would in theory never have
> been online - ever - the seizure would be the appropriate step "

For the DR test ONLY - the schema master server was not scheduled to be
restored - therefore we would never bring that online - allowing the seizure
of the schema role (assuming that you can seize the role from a parent
domain)

> Isn't it true that your forest root domain is OK and up and that you were
> restoring only the child domain?

No - the root was never restored.  The original question was whether we would
need to restore the root to get Exchange installed.  The plans were only to
restore the child domain

> Trying to understand this one here..

Me too!

 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/





From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 02, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

 

Why would you want to resurrect the root domain if it's working?

What do you mean with "But since the schema master would in theory never have
been online - ever - the seizure would be the appropriate step "

Isn't it true that your forest root domain is OK and up and that you were
restoring only the child domain?

Trying to understand this one here..

Cheers

#JORGE#




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: maandag 2 mei 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

Thanks for the feedback everyone

 

In retrospect resurrecting the root domain would have been the smart thing to
do for many reasons (dependencies).   But since the schema master would in
theory never have been online - ever - the seizure would be the appropriate
step - I just didn't know if moving the schema master to a child domain would
have any ill effects on the rest of the infrastructure...

 

Thanks again to all who responded! 

 




From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 02, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

 

oops, I forgot..

only seize a FSMO role when really needed. in this case you don't need to
seize the schema role

why restore a domain if it's working? check only dependencies between the
domains

#JORGE#





RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto
ohh, for a disaster recovery take a look at MS recovery scenario. It does
not cover everything, but it is a good start. At DEC one of the MS guys
mentioned MS will be releasing their DR plan for W2K3.

The basic DR plan can be found at
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=3EDA5A79-C99B-4DF9-823C-933FEBA08CFE

#JORGE#


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de
Almeida Pinto
Sent: maandag 2 mei 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

* Ping the Schema master from a child domain DC

* Check the trust between the parent domain and the child domain with
NETDOM or with Active Directory Domains and Trusts (this should be one
of the checks after restoring the child domain)

* Ask for the FSMO role owners with NETDOM QUERY FSMO

* Run DCDIAG /V on the child DC

By the way: did the complete child domain go back in time?

HINT: think about what happens with objects that were created after the
backups you used

TIP: when doing a DR of a certain domain or the complete forest you MUST
in both situations take the complete forest and its owners into account.
There are dependencies and you cannot work alone

Cheers,

#JORGE#


PS.: not so l

RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto
 As I said before... for a disaster recovery plan, you NEED to take
everything into account within an AD forest. There are too many dependencies
to restore only a child domain without having a forest root domain in place.

What I'm still trying to understand is why you want to install exchange
during a disaster recovery scenario. Can you explain that one?

In my opinion when doing a disaster recovery, no new implementations (or
serious changes)(and installing an exchange org in a forest is a serious
change to me) would occur before the forest was working more than OK!

#JORGE#


[ActiveDir] using GPO with scripts

2005-05-02 Thread Cothern Jeff D. Team EITC
I am looking for some help scripting or a way to have a GPO apply only
at certain times.  Basically I need to have users go to a website once
every 90 days.  Some HR requirement to keep their information up to
date.  Should I do this with a script somehow or is there a way thru AD
to accomplish this easier or perhaps a combination. 

Jeff




Re: [ActiveDir] [exchangelist] RE: Password protecting OST

2005-05-02 Thread Danny
On 5/2/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
[...]
> I don't see a purpose for a password on OST's (although you could have a
> password prompt for the profile if you want).
> 
> Is there something I'm missing?

I don't think you are missing anything per se;  I was able to find
the answer between the lines.  I also don't want to argue about its
value (or lack of value), either.

To all other members of the list, if you are curious about the
possibility of password protecting your OST - similar to a PST, then
the answer is no - it is not possible and has no benefit. :)

Cheers,

...D


RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Al Mulnick
Fair enough.  I appreciate you taking the time to 
explain it.  I was just curious about the situations and thinking that 
would lead to this type of solution and the considerations that go into 
it. 
 
 
-ajm



RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread jon.gimpel
 
Consider the methodology of a large organization, a step 
which is manual in nature could be overlooked by a single support person which 
is what is to be avoided.  But again, in the header of my mail, I did not 
want to go into all of the reasons but rather if it could be 
done.
 
-Jon
 
 

  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 2:41 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Certainly good feedback, but how often are you removing 
  and updating records?  This amounts to a filtered sync in my mind.  
  I understand why you want to do it now, but I'm not sure I agree with the 
  approach to make it semi-automatic.  At least, I don't think I understand 
  the amount of updates and number of possible records.  I'm asking if it's 
  worth it to even automate it vs. just manually doing this due to infrequent 
  changes (this is just for dc and servers). 
   
  And the conversation is academic.  I'm just trying 
  to figure out where to file this type of usage later.
   
  Al
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 02, 2005 12:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination
  
  If you have a large WINS architecture you are pushing the 
  records into I would prefer the dynamic insert than the static insert myself. 
  Static records can be a pain to remove from a large WINS architecture or at 
  least they were in the past the few times I tried to clean some up. 
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 11:54 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Hmm I see what you're after, but that's a funky place 
  to be to say the least.  
   
  I would *think* that your DC's and servers would be 
  static enough that you *could* manually enter those records into the WINS 
  systems on the respective sites.  I would also *hope* that WINS is not 
  required for that, but if it is, you would have to either script that manual 
  version as Joe described (you could build a list of servers and DC's since 
  it's not highly volatile right?) and run this on a regular basis, or you could 
  read the db in the target domain and push that to others.  There are 
  permissions issues as Joe mentioned, but shouldn't be too terribly difficult 
  to work around that. 
   
  Thanks for assuaging my curiosity and good luck with 
  that :)
   
  Al
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 02, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination
  
   
  If you had two distinct organizations and did not want to 
  replicate each other's WINS database information that would be first 
  reason.  However, what if both organizations wanted to use a 'shared 
  domain' model.  You can accomplish this by having one set of DC's and 
  Servers register to one set of WINS via normal processes and then create a 
  static entry on the second set of WINS servers.  The problem with this 
  model is it isn't autonomous to changes.  So if I decided to add a new 
  server or DC, one side will automatically get the updates, but the other has 
  to manually be changed.  What would be nice if I could run a command on 
  all servers to refresh a entries at a timed interval against the disjointed 
  WINS server(s).
  


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

Just for fun, why would you want to do that?? I know 
you didn't want to get into specifics,  but I'm trying to rationalize 
or otherwise apply that concept in a real-world situation and I am having 
some troubles thinking of reasons why I would want to do such a 
thing.
 
Just curious mostly.
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 29, 2005 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

You would most likely do this netsh using the wins 
portion and doing an add name specifying a rectype=1.
 
That will require admin rights. 
 
An alternate method would be to write an app that does 
NBN registrations and you could make this a service that runs on any 
machines you need to do this from and it wouldn't require any special 
permissions at all, in fact, you don't even need to be authenticated. 
Everything you need to do that you can find in the SAMBA source or by 
following the RFCs for NBN. 
 
  joe


 

RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread joe
If you use dynamic records you will need to keep readding 
the records or they will expire so best to script it. As for how often they are 
removed, probably depends on the implementation and the exact reasons as to why 
they want to do it at all. 
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: Monday, May 02, 2005 2:41 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Cross WINS 
Pollination

Certainly good feedback, but how often are you removing and 
updating records?  This amounts to a filtered sync in my mind.  I 
understand why you want to do it now, but I'm not sure I agree with the approach 
to make it semi-automatic.  At least, I don't think I understand the amount 
of updates and number of possible records.  I'm asking if it's worth it to 
even automate it vs. just manually doing this due to infrequent changes (this is 
just for dc and servers). 
 
And the conversation is academic.  I'm just trying to 
figure out where to file this type of usage later.
 
Al


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of 
joeSent: Monday, May 02, 2005 12:43 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Cross WINS 
Pollination

If you have a large WINS architecture you are pushing the 
records into I would prefer the dynamic insert than the static insert myself. 
Static records can be a pain to remove from a large WINS architecture or at 
least they were in the past the few times I tried to clean some up. 



From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Al 
MulnickSent: Monday, May 02, 2005 11:54 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Cross WINS 
Pollination

Hmm I see what you're after, but that's a funky place 
to be to say the least.  
 
I would *think* that your DC's and servers would be static 
enough that you *could* manually enter those records into the WINS systems on 
the respective sites.  I would also *hope* that WINS is not required for 
that, but if it is, you would have to either script that manual version as Joe 
described (you could build a list of serrvers and DC's since it's not highly 
volatile right?) and run this on a regular basis, or you could read the db in 
the target domain and push that to others.  There are permissions issues as 
Joe mentioned, but shouldn't be too terribly difficult to workaround that. 

 
Thanks for assuaging my curiosity and good luck with that 
:)
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 02, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

 
If you had two distinct organizations and did not want to 
replicate each other's WINS database information, that would be the first 
reason.  However, what if both organizations wanted to use a 'shared 
domain' model?  You can accomplish this by having one set of DC's and 
Servers register to one set of WINS via normal processes and then create a 
static entry on the second set of WINS servers.  The problem with this 
model is it isn't autonomous to changes.  So if I decided to add a new 
server or DC, one side will automatically get the updates, but the other has to 
manually be changed.  What would be nice is if I could run a command on all 
servers to refresh entries at a timed interval against the disjointed WINS 
server(s).

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 10:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Just for fun, why would you want to do that?? I know you 
  didn't want to get into specifics,  but I'm trying to rationalize or 
  otherwise apply that concept in a real-world situation and I am having some 
  troubles thinking of reasons why I would want to do such a 
  thing.
   
  Just curious mostly.
   
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, April 29, 2005 1:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  You would most likely do this with netsh, using the wins 
  portion and doing an add name specifying a rectype=1.
   
  That will require admin rights. 
   
  An alternate method would be to write an app that does 
  NBN registrations and you could make this a service that runs on any machines 
  you need to do this from and it wouldn't require any special permissions at 
  all, in fact, you don't even need to be authenticated. Everything you need to 
  do that you can find in the SAMBA source or by following the RFCs for NBN. 
  
   
    joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, April 29, 2005 12:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Cross WINS Pollination
  
  Without getting to the specifics we have a need to 
  register WINS e

RE: [ActiveDir] [exchangelist] RE: Password protecting OST

2005-05-02 Thread Al Mulnick
Maybe now would be a good time to mention that OST is a mirrored copy of
your mail store.  The password that protects that data is the password
that protects your mailstore.  AD in this case. 

In other words, you can't just grab a different OST and attach it to a
profile last I checked.  PST is different as you can attach it to any
profile at will.  

Would that stop you from trying with some other software?  I doubt it.
Would it be readily available?  Nope.  


I don't see a purpose for a password on OST's (although you could have a
password prompt for the profile if you want). 

Is there something I'm missing?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Danny
Sent: Monday, May 02, 2005 12:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [exchangelist] RE: Password protecting OST

On 5/2/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
> Agreed that there is little benefit to locking an OST (mirror of your 
> mailbox and is protected by domain credentials inherently).

Yes, there is little benefit if one relies on a password protected PST
(or OST) as the one and only layer of defence.

However, there are casual and undetermined attempts to access other
people's data, and by password protecting the OST as one of many other
layers of defence, you make it that much more difficult; but of course
- never impossible.

[...]

> Curious why you ask though.  What's the high-level goal?

I simply wanted to know if someone had found a way to password protect
an OST like a PST - separate from domain credentials.  I am not looking
for an elaborate solution or undermining a higher-level goal.  I do
appreciate all of your thoughts.


...D
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Al Mulnick



Certainly good feedback, but how often are you removing and 
updating records?  This amounts to a filtered sync in my mind.  I 
understand why you want to do it now, but I'm not sure I agree with the approach 
to make it semi-automatic.  At least, I don't think I understand the amount 
of updates and number of possible records.  I'm asking if it's worth it to 
even automate it vs. just manually doing this due to infrequent changes (this is 
just for dc and servers). 
 
And the conversation is academic.  I'm just trying to 
figure out where to file this type of usage later.
 
Al



RE: [ActiveDir] seize schema master question

2005-05-02 Thread Carerros, Charles



So in 
the end, you have to restore the root domain?  (If so, I have a whole bunch 
of political arguments to start drafting.)
 
I'm 
going to run into this problem in about two months and I would like to save 
myself some headaches.
 
 

  -----Original Message-----
  From: Bahta Nathaniel V Contr NASIC/SCNA [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 02, 2005 12:29 PM
  To: ActiveDir@mail.activedir.org
  Cc: Pelle, Joe
  Subject: RE: [ActiveDir] seize schema master question
  Joe,
   
  DR testing is always a time for learning some important 
  lessons.  It's good to learn them then, rather than in a production 
  environment.
   
  OT:
   
  How about those Pistons!  Tuesday's game and 
  then we can 86 the 76'ers!  I am originally from Ann 
  Arbor.
   
  Later,
   
  Nathaniel Bahta
  General Dynamics
  Network Systems
  Senior Field Engineer
   
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
  Sent: Monday, May 02, 2005 12:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] seize schema master question
  
  
  > Why would you want to resurrect the root domain if it's working?

  The child domain was working fine - but I need Exchange installed - which meant I 
  needed the schema role.
   
  > What do you mean with "But since the schema master would in theory never have 
  > been online - ever - the seizure would be the appropriate step"

  For the DR test ONLY - the schema master server was not scheduled to be restored - 
  therefore we would never bring that online - allowing the seizure of the 
  schema role (assuming that you can seize the role from a parent domain).
   
  > Isn't it true that your forest root domain is OK and up and that you were 
  > restoring only the child domain?

  No - the root was never restored.  The original question was whether we would 
  need to restore the root to get Exchange installed.  The plans were only to 
  restore the child domain.

  > Trying to understand this one here..

  Me too!
   
  
  Joe 
  Pelle
  Senior 
  Infrastructure Architect
  Information 
  Technology
  Valassis / 
  IT
  19975 
  Victor Parkway 
  Livonia, MI 
  48152
  Tel 
  734.591.7324  Fax 734.632.6151
  [EMAIL PROTECTED]
  http://www.valassis.com/
   
  This message may 
  include proprietary or protected information. If you are not the intended 
  recipient, please notify me, delete this message, and do not further 
  communicate the information contained herein without my express written 
  consent.
   
  
  
  
  
  From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 02, 2005 11:13 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] seize schema master question
   
  Why 
  would you want to resurrect the root domain if it's 
  working?
   
  What 
  do you mean with "But since the schema 
  master would in theory never have been online - ever - the seizure would be 
  the appropriate step "
   
  Isn't 
  it true that your forest root domain is OK and up and that you were restoring 
  only the child domain?
   
  Trying 
  to understand this one here..
   
  Cheers
  #JORGE#
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
  Sent: Monday, 2 May 2005 16:04
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] seize schema master question
  Thanks for the 
  feedback everyone
   
  In retrospect 
  resurrecting the root domain would have been the smart thing to do for many 
  reasons (dependencies).   But since the schema master would in 
  theory never have been online - ever - the seizure would be the appropriate 
  step - I just didn't know if moving the schema master to a child domain would 
  have any ill effects on the rest of the 
  infrastructure...
   
  Thanks again to all 
  who responded! 
   
  
  Joe 
  Pelle
  Senior 
  Infrastructure Architect
  Information 
  Technology
  Valassis / 
  IT
  19975 
  Victor Parkway 
  Livonia, MI 
  48152
  Tel 
  734.591.7324  Fax 734.632.6151
  [EMAIL PROTECTED]
  http://www.valassis.com/
   
  This message may 
  include proprietary or protected information. If you are not the intended 
  recipient, please notify me, delete this message, and do not further 
  communicate the information contained herein without my express written 
  consent.
   
  
  
  
  
  From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
  Sent: Monday, May 02, 2005 9:30 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] seize schema master question
   
  oops, 
  I forgot..
   
  only 
  seize a FSMO role when really needed. in this case you don't need to seize the 
  schema role
  why 
  restore a domain if it's working? check only dependencies between the 
  domains
   
  #JORGE#
   
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
  Sent: Monday, 2 May 2005 15:11
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] s

RE: [ActiveDir] seize schema master question

2005-05-02 Thread Bahta Nathaniel V Contr NASIC/SCNA



Joe,
 
DR testing is always a time for learning some important 
lessons.  It's good to learn them then, rather than in a production 
environment.
 
OT:
 
How about those Pistons!  Tuesday's game and then 
we can 86 the 76'ers!  I am originally from Ann Arbor.
 
Later,
 
Nathaniel Bahta
General Dynamics
Network Systems
Senior Field Engineer
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, 2 May 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question
* Ping the Schema master from a child domain DC
* Check 
the trust between the parent domain and the child domain with NETDOM or with 
Active Directory Domains and Trusts (this should be one of the checks after 
restoring the child domain)
* Ask 
for the FSMO role owners with NETDOM QUERY FSMO
* Run 
DCDIAG /V on the child DC
 
By the 
way: did the complete child domain go back in time?
 
HINT: think about what happens with objects that were created after the backups 
that were used
 
TIP: 
when doing a DR of a certain domain or the complete forest you MUST in both 
situations take the complete forest and its owners into account. There are 
dependencies and you cannot work alone
 
Cheers,
#JORGE#
 
PS.: 
not so long ago there was a similar thread where I and I think Guido made some 
suggestions.
 



From: 
[EMAIL PROTECTE

RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread joe



If you have a large WINS architecture you are pushing the 
records into, I would prefer the dynamic insert to the static insert myself. 
Static records can be a pain to remove from a large WINS architecture, or at 
least they were in the past the few times I tried to clean some up. 



  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, April 29, 2005 12:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Cross WINS Pollination
  
  Without getting to the specifics we have a need to 
  register WINS entries to a non listed WINS server. 
  For example, if I have Domain Controller or Server 
  A with the following IP stack info: 
      168.120.2.10 - Host 
      168.140.140.30 - WINS1 
      168.140.140.31 - WINS2 
      140.110.12.20 - DNS1 
      140.110.12.21 - DNS2 
  By performing an NBTSTAT -RR, I will trigger a 
  registration to the two WINS servers above. 
  What if I wanted to register to an alternate WINS 
  server? Let's say I need to create x00,x03,x20 host info to a different WINS 
  server called WINS3, which is not listed in the above NIC bindings - 
  e.g.  220.166.121.2.
  How can I recreate a 00, 03, 20 and a 1b, 1c record 
  (domain) if I: 
      A- DO NOT want to use this WINS3 server in the replication topology of WINS1 and 2 
      B- DO NOT use it for lookups on that hosting server 
      C- DO NOT want static addresses in WINS3 
  This would effectively allow another group of 
  clients to find information in a disjoined structure. 
  Many thanks, Jon 


Re: [ActiveDir] [exchangelist] RE: Password protecting OST

2005-05-02 Thread Danny
On 5/2/05, Al Mulnick <[EMAIL PROTECTED]> wrote:
> Agreed that there is little benefit to locking an OST (mirror of your
> mailbox and is protected by domain credentials inherently).

Yes, there is little benefit if one relies on a password protected PST
(or OST) as the one and only layer of defence.

However, there are casual and undetermined attempts to access other
people's data, and by password protecting the OST as one of many other
layers of defence, you make it that much more difficult; but of course
- never impossible.

[...]

> Curious why you ask though.  What's the high-level goal?

I simply wanted to know if someone had found a way to password
protect an OST like a PST - separate from domain credentials.  I am
not looking for an elaborate solution or undermining a higher-level
goal.  I do appreciate all of your thoughts.


...D


RE: [ActiveDir] seize schema master question

2005-05-02 Thread Pelle, Joe








> Why would you want to resurrect the root domain if it's working?

The child domain was working fine – but I need Exchange installed – which meant
I needed the schema role.

> What do you mean with "But since the schema master would in theory never have
> been online – ever – the seizure would be the appropriate step"

For the DR test ONLY – the schema master server was not scheduled to be restored –
therefore we would never bring that online – allowing the seizure of the
schema role (assuming that you can seize the role from a parent domain).

> Isn't it true that your forest root domain is OK and up and that you were
> restoring only the child domain?

No – the root was never restored.  The original question was whether we would
need to restore the root to get Exchange installed.  The plans were only to
restore the child domain.

> Trying to understand this one here..

Me too!

 



Joe
Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975 Victor Parkway Livonia, MI
 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may include proprietary or
protected information. If you are not the intended recipient, please notify me,
delete this message, and do not further communicate the information contained
herein without my express written consent.



 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: maandag 2 mei 2005 14:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize
schema master question

W2K3 Domain and E2k3 – 

 

Error related to: unable to contact the
active directory

 



Joe
Pelle

Senior Infrastructure Architect

Information Technology

Valassis / IT

19975
  Victor Parkway Livonia,
 MI 48152

Tel 734.591.7324  Fax 734.632.6151

[EMAIL PROTECTED]

http://www.valassis.com/

 

This message may include proprietary o

RE: [ActiveDir] Compaq raid controllers(OT)

2005-05-02 Thread Medeiros, Jose
Hi Tom, 

What model controller do you have? I expanded our RAID 5 array on a Compaq 
Proliant 1500 using a Smart 2DH RAID controller with NT 3.51 back in 1998 when 
I supported the servers at LSI Logic, and it worked without having to recreate 
the array. Glenn is right that lower-end Proliant controllers did not support 
this option. 

As for expanding the C: partition, PowerQuest has a product called Server Magic 
(they are now owned by Symantec and changed the name to Volume Manager).

If you're only expanding the data partitions you can do so with Dynamic Volumes 
in 2000 / 2003 Server and then add the additional space once you have added it 
to the drive array in the controller RAID utility.

Regards, 

Jose Medeiros
MCP+I, MCSE, NT4 MCT
http://www.ntea.net
http://www.sfntug.org


--

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Glenn Corbett
Sent: Saturday, April 30, 2005 4:04 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Compaq raid controllers(OT)


Tom,

First Question.  Some of the older Compaq RAID Controllers didn't allow 
raid expansion, but all of the new models (52xx, 5i, 64xx, 6i) should 
allow this.  Check the firmware levels on the card, and also check the 
version of the PSP (ProLiant Support Pack) you're running on the server. 
From within Windows, you should be able to expand the array no 
problems.  There will be a performance hit while it does it (since it's 
shuffling data around), but the machine should be reasonably happy.

Second Question.  You *might* be able to extend the C: partition, but 
the requirements outlined in the Microsoft Support Article: 
http://support.microsoft.com/default.aspx?scid=kb;en-us;325590, are 
fairly stringent:

- For Basic volumes, the unallocated space for the extension must be the 
next contiguous space on the same disk (this wouldn't be do-able, unless 
you deleted the second partition before attempting the resize).
- Only the extension of data volumes is supported. System or boot 
volumes may be blocked from being extended. (well, seeing as you're trying 
to extend the C: drive, this could be a problem)

Last Question, A Single Channel (scsi bus) within a controller can have 
any number of arrays consisting of anywhere from a single drive, up to a 
full bus.  It's purely a logical distinction.

Glenn

Kern, Tom wrote:

>Hi, I have a server with a 70gig raid 5 array (3 physical drives). Is there any 
>way to add more drives to extend the array to more length. Like adding a 30gig 
>drive to the existing raid array and making a 100gig C: drive or is this 
>impossible.
>Every time I add a new drive to the controller, Compaq sees 2 arrays - 
>arrayA being the 70gig (3 drives) and arrayB being the new drive. It doesn't 
>give me an option of adding the 30gig drive to arrayA. So I have 2 partitions 
>in Windows - a 70gig C: volume and a 30gig E: volume.
>So, I have 2 questions - is it not possible on the hardware level to add a new 
>drive to an already existing array?
>
>And, is there any way to extend the C: partition? (this is Win2k and I assume 
>it's not because the drive was originally a basic disk, but I just want to make 
>sure). I assume if you format any drive as basic and later upgrade to dynamic, 
>extending a non-contiguous volume won't work...
>
>Ok, I have one more question as well :) -
>when a raid controller shows 2 arrays, does that mean the drives are on 2 diff 
>scsi channels or is that just a logical distinction?
>
>Thanks a lot. Sorry for the OT, I know this isn't a Compaq list...
>List info   : http://www.activedir.org/List.aspx
>List FAQ: http://www.activedir.org/ListFAQ.aspx
>List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Al Mulnick



Hmm I see what you're after, but that's a funky place 
to be to say the least.  
 
I would *think* that your DC's and servers would be static 
enough that you *could* manually enter those records into the WINS systems on 
the respective sites.  I would also *hope* that WINS is not required for 
that, but if it is, you would have to either script that manual version as Joe 
described (you could build a list of servers and DC's since it's not highly 
volatile right?) and run this on a regular basis, or you could read the db in 
the target domain and push that to others.  There are permissions issues as 
Joe mentioned, but shouldn't be too terribly difficult to workaround that. 

 
Thanks for assuaging my curiosity and good luck with that :)
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, May 02, 2005 10:43 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

 
If you had two distinct organizations and did not want to 
replicate each other's WINS database information that would be the first 
reason.  However, what if both organizations wanted to use a 'shared 
domain' model.  You can accomplish this by having one set of DC's and 
Servers register to one set of WINS via normal processes and then create a 
static entry on the second set of WINS servers.  The problem with this 
model is it isn't autonomous to changes.  So if I decided to add a new 
server or DC, one side will automatically get the updates, but the other has to 
manually be changed.  What would be nice is if I could run a command on all 
servers to refresh entries at a timed interval against the disjointed WINS 
server(s).

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 10:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Just for fun, why would you want to do that?? I know you 
  didn't want to get into specifics,  but I'm trying to rationalize or 
  otherwise apply that concept in a real-world situation and I am having some 
  troubles thinking of reasons why I would want to do such a 
  thing.
   
  Just curious mostly.
   
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, April 29, 2005 1:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  You would most likely do this with netsh using the wins 
  portion and doing an add name specifying a rectype=1.
   
  That will require admin rights. 
   
  An alternate method would be to write an app that does 
  NBN registrations and you could make this a service that runs on any machines 
  you need to do this from and it wouldn't require any special permissions at 
  all, in fact, you don't even need to be authenticated. Everything you need to 
  do that you can find in the SAMBA source or by following the RFCs for NBN. 
  
   
    joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, April 29, 2005 12:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Cross WINS Pollination
  
  Without getting into the specifics we have a need to register WINS entries to a non-listed WINS server.
  For example, if I have Domain Controller or Server A with the following IP stack info:
      168.120.2.10 - Host
      168.140.140.30 - WINS1
      168.140.140.31 - WINS2
      140.110.12.20 - DNS1
      140.110.12.21 - DNS2
  By performing an NBTSTAT -RR, I will trigger a registration to the two WINS servers above.
  What if I wanted to register to an alternate WINS server? Let's say I need to create x00, x03, x20 host info to a different WINS server called WINS3, which is not listed in the above NIC bindings - e.g. 220.166.121.2.
  How can I recreate a 00, 03, 20 and a 1b, 1c record (domain) if I:
      A- DO NOT want to use this WINS3 server in the replication topology of WINS1 and 2
      B- DO NOT use it for lookups on that hosting server
      C- DO NOT want static addresses in WINS3
  This would effectively allow another group of clients to find information in a disjoined structure.
  Many thanks, Jon


RE: [ActiveDir] [exchangelist] RE: Password protecting OST

2005-05-02 Thread Al Mulnick
Agreed that there is little benefit to locking an OST (mirror of your
mailbox and is protected by domain credentials inherently).  A PST can
have a password, but it is pretty easy to crack with available scripts
and software.  Using PKI might be useful, but you have to figure that if
somebody steals the laptop (I'm assuming it's a laptop here we're
talking about but could be anything with a mail client right?) that
cracking the local accounts would be pretty trivial again (since it
needs to be a domain account for access to the OST/Mailbox, read on).
It's the domain accounts that can be useful since somebody would have to
have access to the dc's to gain access as the authorized user.  However,
they *could* have access to the physical file which could be a problem
in any event.  That's where PKI that is domain based or otherwise based
could be useful (you would have to revoke that ID pretty quick if not on
the domain). 

As Jose mentions, it's the phys access that's problematic and is also
why you'd want to use domain credentials (with DC's properly physically
secured) to protect sensitive data.  Using encryption on the file system
of course. 


Curious why you ask though.  What's the high-level goal?
-ajm 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Friday, April 29, 2005 11:27 AM
Subject: RE: [ActiveDir] [exchangelist] RE: Password protecting OST

Hi Danny, 

I really don't think that having a password on an OST would be that
secure and for that matter having one on a PST is easily cracked in a
matter of minutes. Your best solution is to use NT / 2000 / XP and have
your users lock their desktop when they are away. Keep in mind any
Operating System, including Linux, Mac OS and even Solaris can be broken
into if you have physical access to the system.

Sincerely, 

Jose Medeiros
MCP+I, MCSE, NT4 MCT
www.ntea.net
www.tvnug.org
www.sfntug.org

-

-Original Message-
From: Danny [mailto:[EMAIL PROTECTED]
Sent: Friday, April 29, 2005 6:08 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Password protecting OST


On 4/27/05, Steve Moffat <[EMAIL PROTECTED]> wrote:
> Why ever would you want to do that??? 

To *help* prevent unauthorized access to the email stored on the local
file system.  For the same reasons that you would password protect a
PST.

...D


http://www.MSExchange.org/

Have you found a way to password protect an
Outlook 2003 OST when used in (Exchange) Cached Mode?  Similar to the
way you can password protect a PST.

Thank you,

...D
--



RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto



Why would you want to resurrect the root domain if it's working?

What do you mean with "But since the schema master would in theory never have been online – ever – the seizure would be the appropriate step"?

Isn't it true that your forest root domain is OK and up and that you were restoring only the child domain?

Trying to understand this one here..

Cheers
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question


Thanks for the feedback everyone….

In retrospect resurrecting the root domain would have been the smart thing to do for many reasons (dependencies). But since the schema master would in theory never have been online – ever – the seizure would be the appropriate step – I just didn’t know if moving the schema master to a child domain would have any ill effects on the rest of the infrastructure…

Thanks again to all who responded!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question
 
oops, I forgot..

only seize a FSMO role when really needed. in this case you don't need to seize the schema role
why restore a domain if it's working? check only dependencies between the domains

#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 02, 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

* Ping the Schema master from a child domain DC
* Check the trust between the parent domain and the child domain with NETDOM or with Active Directory Domains and Trusts (this should be one of the checks after restoring the child domain)
* Ask for the FSMO role owners with NETDOM QUERY FSMO
* Run DCDIAG /V on the child DC

By the way: did the complete child domain go back in time?

HINT: think about what happens with objects that were created after the backups you used were taken.

TIP: when doing a DR of a certain domain or the complete forest you MUST in both situations take the complete forest and its owners into account. There are dependencies and you cannot work alone.

Cheers,
#JORGE#

PS.: not so long ago there was a similar thread where I and I think Guido made some suggestions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 14:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question
W2K3 Domain and E2k3 –

Error related to: unable to contact the active directory

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 




From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question
 
A DR test... interesting. I have created such a procedure once for one of my customers...damn what a rush! ;-)

Is this W2K or W2K3 AD?
What are the errors or notifications you have experienced when trying to install exchange?

Cheers,
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 13:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] seize schema master question

Hello!

Our company recently went through a DR test and had some interesting results.  One in particular is that we couldn’t get Exchange installed because it couldn’t write to the Schema (schema master was not restored).  Here is my question:  we have an empty root (where the schema master lives) that we did NOT restore… and we have our primary domain where users and Exchange lives (this is the domain that we restored).  Could I have seized the Schema master role and moved it to the restored (child domain) or should we have restored the root?

I am going to try this in the lab this week but I wanted some feedback – past experiences, how some of you would recommend doing this, etc.
As always, Thanks!

Joe 
Pel

Re: [ActiveDir] ACTIVE DIRECTORY AND WEBSITE CONFLICTS

2005-05-02 Thread Phil Renouf
On 4/30/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Yep, to illustrate this point, run nslookup xyz.com.  You'll get a
> return of all the IP addresses (hopefully) of your DNS servers.  If you
> start adding empty A record names pointing to your web servers, they'll
> get listed in the return.  This is problematic if your clients are
> looking for DNS servers of xyz.com zone and get returned a web server IP
> address as the first in the list.

Anyone looking for a DNS server for xyz.com should be looking for NS
records so having an A record for xyz.com is perfectly fine. However
if you have the same DNS domain internally as you do externally then
you might have an issue with this as Deji pointed out previously.

Phil


[ActiveDir] Checking if security principal is used in an ACL on the FS

2005-05-02 Thread Jorge de Almeida Pinto





Hi,


After a migration we did we want to cleanup some security principals (mostly groups)


Situation:
* File server with data that uses AD groups for the ACLs
* AD OU structure with groups where most of them are used on the file system to protect in some manner. (the groups are not used for anything else!)

What I want to do:
* Cleanup ALL unused groups


Possible unused groups that can be removed:
(1) groups with no members but used on the file system
(2) groups with members but not used anywhere on the file system


Solution for (1)
* Query AD for all empty groups from the OU structure and delete them
* Force AD replication
* Use SUBINACL to remove deleted SIDs with the option /CLEANDELETEDSIDSFROM


Solution for (2)
* Get all used SIDs used on the file system
* Get all GROUP SIDs from AD
* Extract the file system SIDs from the GROUP SIDs in AD and remove the groups that are left



Anyone got any other ideas or a tool that can do this for (2)


PS.: It would be nice if the file system was integrated with AD like in the NDS


Cheers,
#JORGE#




This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
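Jorge's cases (1) and (2) worked through offline, as an added example that is not the list's or Jorge's own tooling. It assumes an ACL export in the two-line shape `icacls /save` writes (a path line followed by that path's DACL in SDDL) and a dictionary of the OU's groups with their member counts, which in practice would come from an LDAP query; the domain SID, group names, paths and ACL lines are constructed samples. Case (1) yields the empty groups that are still on ACLs (delete them, then run the SUBINACL clean-up of deleted SIDs mentioned above), case (2) the groups nothing on the file system references. The last bucket, domain SIDs on the file system that no longer map to any group, is what /CLEANDELETEDSIDSFROM exists for and is worth reporting before the deletions rather than after.

```python
import re

# Well-known SDDL trustee abbreviations. Domain-relative ones (DA, DU, ...)
# need the domain SID and are left as written here.
WELL_KNOWN = {
    "WD": "S-1-1-0",       # Everyone
    "CO": "S-1-3-0",       # Creator Owner
    "SY": "S-1-5-18",      # Local System
    "AU": "S-1-5-11",      # Authenticated Users
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
}

ACE_RE = re.compile(r"\(([^)]*)\)")


def trustees_in_dacl(sddl):
    """Return the trustee SIDs of every ACE in the DACL part of an SDDL string.
    ACE fields are type;flags;rights;object_guid;inherit_guid;trustee."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop a trailing SACL if present
    sids = set()
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:                # malformed ACE: skip it
            continue
        sids.add(WELL_KNOWN.get(fields[5], fields[5]))
    return sids


def parse_acl_export(text):
    """Parse path/SDDL line pairs (the icacls /save shape, assumed here)
    into {path: sddl}."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return dict(zip(lines[0::2], lines[1::2]))


def sids_used_on_fs(export_text):
    """Union of all trustee SIDs over every exported path."""
    used = set()
    for sddl in parse_acl_export(export_text).values():
        used |= trustees_in_dacl(sddl)
    return used


def classify_groups(ad_groups, used_sids, domain_sid):
    """ad_groups: {sid: (name, member_count)} for the groups in the OU.
    Returns the sets the two cases call for, plus orphaned SIDs."""
    empty = {s for s, (_, members) in ad_groups.items() if members == 0}
    referenced = set(ad_groups) & used_sids
    return {
        # case (1): empty but still on ACLs -> delete, then clean deleted SIDs
        "empty_and_used": empty & referenced,
        # case (2): nothing on the file system references them -> delete
        "unreferenced": set(ad_groups) - referenced,
        "keep": referenced - empty,
        # SIDs of this domain on the file system that resolve to no group
        "orphaned_on_fs": {s for s in used_sids
                           if s.startswith(domain_sid + "-") and s not in ad_groups},
    }


# ---- constructed sample data (not real SIDs, groups or paths) ----
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
AD_GROUPS = {
    f"{DOMAIN}-1101": ("FS-Finance-RW", 12),
    f"{DOMAIN}-1102": ("FS-Finance-RO", 0),     # empty, but on an ACL
    f"{DOMAIN}-1103": ("FS-Legacy-Projects", 5),  # has members, unused
    f"{DOMAIN}-1104": ("FS-HR-RW", 3),
}
ACL_EXPORT = f"""
data
D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
data\\finance
D:AI(A;OICIID;FA;;;BA)(A;OICI;0x1301bf;;;{DOMAIN}-1101)(A;OICI;0x1200a9;;;{DOMAIN}-1102)
data\\hr
D:AI(A;OICIID;FA;;;BA)(A;OICI;0x1301bf;;;{DOMAIN}-1104)(A;OICI;0x1200a9;;;{DOMAIN}-1199)
"""


def cleanup_plan():
    """Run the classification over the sample export and group list."""
    return classify_groups(AD_GROUPS, sids_used_on_fs(ACL_EXPORT), DOMAIN)


if __name__ == "__main__":
    for bucket, sids in cleanup_plan().items():
        names = sorted(f"{AD_GROUPS.get(s, ('<no group>',))[0]} {s}" for s in sids)
        print(f"{bucket}: {names}")
```

Rights masks in the sample (FA, 0x1301bf, 0x1200a9) are ignored on purpose: for this clean-up only the trustee matters, not what it was granted.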



RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread jon.gimpel



 
If you had two distinct organizations and did not want to 
replicate each other's WINS database information that would be the first 
reason.  However, what if both organizations wanted to use a 'shared 
domain' model.  You can accomplish this by having one set of DC's and 
Servers register to one set of WINS via normal processes and then create a 
static entry on the second set of WINS servers.  The problem with this 
model is it isn't autonomous to changes.  So if I decided to add a new 
server or DC, one side will automatically get the updates, but the other has to 
manually be changed.  What would be nice is if I could run a command on all 
servers to refresh entries at a timed interval against the disjointed WINS 
server(s).

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
  Sent: Monday, May 02, 2005 10:08 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  Just for fun, why would you want to do that?? I know you 
  didn't want to get into specifics,  but I'm trying to rationalize or 
  otherwise apply that concept in a real-world situation and I am having some 
  troubles thinking of reasons why I would want to do such a 
  thing.
   
  Just curious mostly.
   
  Al
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
  Sent: Friday, April 29, 2005 1:26 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Cross WINS Pollination
  
  You would most likely do this with netsh using the wins 
  portion and doing an add name specifying a rectype=1.
   
  That will require admin rights. 
   
  An alternate method would be to write an app that does 
  NBN registrations and you could make this a service that runs on any machines 
  you need to do this from and it wouldn't require any special permissions at 
  all, in fact, you don't even need to be authenticated. Everything you need to 
  do that you can find in the SAMBA source or by following the RFCs for NBN. 
  
   
    joe
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
  Sent: Friday, April 29, 2005 12:18 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Cross WINS Pollination
  
  Without getting into the specifics we have a need to register WINS entries to a non-listed WINS server.
  For example, if I have Domain Controller or Server A with the following IP stack info:
      168.120.2.10 - Host
      168.140.140.30 - WINS1
      168.140.140.31 - WINS2
      140.110.12.20 - DNS1
      140.110.12.21 - DNS2
  By performing an NBTSTAT -RR, I will trigger a registration to the two WINS servers above.
  What if I wanted to register to an alternate WINS server? Let's say I need to create x00, x03, x20 host info to a different WINS server called WINS3, which is not listed in the above NIC bindings - e.g. 220.166.121.2.
  How can I recreate a 00, 03, 20 and a 1b, 1c record (domain) if I:
      A- DO NOT want to use this WINS3 server in the replication topology of WINS1 and 2
      B- DO NOT use it for lookups on that hosting server
      C- DO NOT want static addresses in WINS3
  This would effectively allow another group of clients to find information in a disjoined structure.
  Many thanks, Jon

Visit our website at http://www.ubs.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.


RE: [ActiveDir] seize schema master question

2005-05-02 Thread Pelle, Joe








Thanks for the feedback everyone….

In retrospect resurrecting the root domain would have been the smart thing to do for many reasons (dependencies). But since the schema master would in theory never have been online – ever – the seizure would be the appropriate step – I just didn’t know if moving the schema master to a child domain would have any ill effects on the rest of the infrastructure…

Thanks again to all who responded!

 



Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

 




 









From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 9:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question



 

oops, I forgot..

only seize a FSMO role when really needed. in this case you don't need to seize the schema role

why restore a domain if it's working? check only dependencies between the domains

 

#JORGE#

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 02, 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

* Ping the Schema master from a child domain DC

* Check the trust between the parent domain and the child domain with NETDOM or with Active Directory Domains and Trusts (this should be one of the checks after restoring the child domain)

* Ask for the FSMO role owners with NETDOM QUERY FSMO

* Run DCDIAG /V on the child DC

By the way: did the complete child domain go back in time?

HINT: think about what happens with objects that were created after the backups you used were taken.

TIP: when doing a DR of a certain domain or the complete forest you MUST in both situations take the complete forest and its owners into account. There are dependencies and you cannot work alone.

Cheers,

#JORGE#

PS.: not so long ago there was a similar thread where I and I think Guido made some suggestions.

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 14:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

W2K3 Domain and E2k3 –

Error related to: unable to contact the active directory

 



Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

 




 









From: Jorge de Almeida Pinto [mailto:[EMAIL PROTECTED]
Sent: Monday, May 02, 2005 7:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question



 

A DR test... interesting. I have created such a procedure once for one of my customers...damn what a rush! ;-)

Is this W2K or W2K3 AD?

What are the errors or notifications you have experienced when trying to install exchange?

 

Cheers,

#JORGE#

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 13:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] seize schema master question

Hello! 

 

Our company recently went through a DR test and had some interesting results.  One in particular is that we couldn’t get Exchange installed because it couldn’t write to the Schema (schema master was not restored).  Here is my question:  we have an empty root (where the schema master lives) that we did NOT restore… and we have our primary domain where users and Exchange lives (this is the domain that we restored).  Could I have seized the Schema master role and moved it to the restored (child domain) or should we have restored the root?

I am going to try this in the lab this week but I wanted some feedback – past experiences, how some of you would recommend doing this, etc.

As always, Thanks!

 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

 


 



RE: [ActiveDir] Cross WINS Pollination

2005-05-02 Thread Al Mulnick



Just for fun, why would you want to do that?? I know you 
didn't want to get into specifics,  but I'm trying to rationalize or 
otherwise apply that concept in a real-world situation and I am having some 
troubles thinking of reasons why I would want to do such a 
thing.
 
Just curious mostly.
 
Al


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, April 29, 2005 1:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Cross WINS Pollination

You would most likely do this with netsh using the wins portion 
and doing an add name specifying a rectype=1.
 
That will require admin rights. 
 
An alternate method would be to write an app that does NBN 
registrations and you could make this a service that runs on any machines you 
need to do this from and it wouldn't require any special permissions at all, in 
fact, you don't even need to be authenticated. Everything you need to do that 
you can find in the SAMBA source or by following the RFCs for NBN. 

 
  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 29, 2005 12:18 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Cross WINS Pollination

Without getting into the specifics we have a need to register WINS entries to a non-listed WINS server.
For example, if I have Domain Controller or Server A with the following IP stack info:
    168.120.2.10 - Host
    168.140.140.30 - WINS1
    168.140.140.31 - WINS2
    140.110.12.20 - DNS1
    140.110.12.21 - DNS2
By performing an NBTSTAT -RR, I will trigger a registration to the two WINS servers above.
What if I wanted to register to an alternate WINS server? Let's say I need to create x00, x03, x20 host info to a different WINS server called WINS3, which is not listed in the above NIC bindings - e.g. 220.166.121.2.
How can I recreate a 00, 03, 20 and a 1b, 1c record (domain) if I:
    A- DO NOT want to use this WINS3 server in the replication topology of WINS1 and 2
    B- DO NOT use it for lookups on that hosting server
    C- DO NOT want static addresses in WINS3
This would effectively allow another group of clients to find information in a disjoined structure.
Many thanks, Jon
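The 00, 03, 20, 1B and 1C records this thread keeps referring to are the suffix byte of a 16-byte NetBIOS name, and in NBNS/WINS traffic and packet captures the whole name travels in the RFC 1001/1002 "first-level" encoding (32 letters A to P). The Python below, an added example that is not code from the thread or from any of the posters, encodes and decodes that form and lists the records a DC is expected to register, so that what a host actually sends after NBTSTAT -RR (or what sits in a WINS database dump) can be compared with what it should be. DC01 and CORP are constructed sample names; the note that the 1B record is registered only by the PDC emulator is general knowledge, not something the thread states. Nothing here touches the network.

```python
# Added example: NetBIOS name <-> first-level (RFC 1001/1002) encoding for the
# record suffixes discussed above. Host and domain names are constructed samples.

# Suffix byte of the 16-byte NetBIOS name and the service it stands for.
SUFFIX_MEANING = {
    0x00: "workstation service (unique) / domain name (group)",
    0x03: "messenger service",
    0x20: "file server service",
    0x1B: "domain master browser (unique, registered by the PDC emulator)",
    0x1C: "domain controllers (group)",
}

ENCODED_ALPHABET = "ABCDEFGHIJKLMNOP"   # one letter per nibble, 'A' == 0


def netbios_name(name, suffix):
    """Build the 16-byte NetBIOS name: the name upper-cased and space padded
    to 15 bytes, followed by the suffix byte."""
    base = name.upper().encode("ascii")
    if not 1 <= len(base) <= 15:
        raise ValueError("NetBIOS names are 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must be a single byte")
    return base.ljust(15, b" ") + bytes([suffix])


def first_level_encode(name, suffix):
    """Return the 32-character on-the-wire form: every byte becomes two
    letters, high nibble first, each letter being 'A' plus the nibble value."""
    return "".join(ENCODED_ALPHABET[b >> 4] + ENCODED_ALPHABET[b & 0x0F]
                   for b in netbios_name(name, suffix))


def first_level_decode(encoded):
    """Inverse of first_level_encode: returns (name, suffix)."""
    if len(encoded) != 32 or any(c not in ENCODED_ALPHABET for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes((ENCODED_ALPHABET.index(encoded[i]) << 4)
                | ENCODED_ALPHABET.index(encoded[i + 1])
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def describe(encoded):
    """Human-readable form of an encoded name, e.g. NAME<20> file server service."""
    name, suffix = first_level_decode(encoded)
    return f"{name}<{suffix:02X}> {SUFFIX_MEANING.get(suffix, 'other')}"


def expected_registrations(hostname, domain, is_pdc_emulator):
    """Encoded records a domain controller is expected to register: 00/03/20
    for the host and 1C for the domain, plus 1B only from the PDC emulator."""
    records = [(hostname, 0x00), (hostname, 0x03), (hostname, 0x20), (domain, 0x1C)]
    if is_pdc_emulator:
        records.append((domain, 0x1B))
    return [first_level_encode(n, s) for n, s in records]


if __name__ == "__main__":
    for rec in expected_registrations("DC01", "CORP", is_pdc_emulator=True):
        print(rec, "->", describe(rec))
```

The wildcard name `*` with suffix 00 encodes to `CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`, which is the query NBTSTAT -A sends for a node status request; seeing that string in a capture is the quickest sanity check that the decoder is reading the right bytes.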


RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto



oops, I forgot..

only seize a FSMO role when really needed. in this case you don't need to seize the schema role
why restore a domain if it's working? check only dependencies between the domains

#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Monday, May 02, 2005 15:11
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question

* Ping the Schema master from a child domain DC
* Check the trust between the parent domain and the child domain with NETDOM or with Active Directory Domains and Trusts (this should be one of the checks after restoring the child domain)
* Ask for the FSMO role owners with NETDOM QUERY FSMO
* Run DCDIAG /V on the child DC

By the way: did the complete child domain go back in time?

HINT: think about what happens with objects that were created after the backups you used were taken.

TIP: when doing a DR of a certain domain or the complete forest you MUST in both situations take the complete forest and its owners into account. There are dependencies and you cannot work alone.

Cheers,
#JORGE#

PS.: not so long ago there was a similar thread where I and I think Guido made some suggestions.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pelle, Joe
Sent: Monday, May 02, 2005 14:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] seize schema master question


W2K3 Domain and E2k3 –

Error related to: unable to contact the active directory
 

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway, Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 
This message may include 
proprietary or protected information. If you are not the intended recipient, 
please notify me, delete this message, and do not further communicate the 
information contained herein without my express written 
consent.
 




From: Jorge de 
Almeida Pinto [mailto:[EMAIL PROTECTED] Sent: Monday, May 02, 2005 7:57 
AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] seize schema 
master question
 
A DR 
test... interesting. I have created such a procedure once for one of my 
customers...damn what a rush! ;-)
 
Is this 
W2K or W2K3 AD?
What 
are the errors or notifications you have experienced when trying to install 
exchange?
 
Cheers,
#JORGE#
 
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Pelle, 
JoeSent: maandag 2 mei 2005 
13:25To: ActiveDir@mail.activedir.orgSubject: [ActiveDir] seize schema master 
question
Hello! 
 
Our company recently went through a 
DR test and had some interesting results.  One in particular is that we 
couldn’t get Exchange installed because it couldn’t write to the Schema (schema 
master was not restored).  Here is my question:  we have an empty root 
(where the schema master lives) that we did NOT restore… and we have our primary 
domain where users and Exchange lives (this is the domain that we 
restored).  Could I have seized the Schema master role and moved it to the 
restored (child domain) or should we have restore the root? 

 
I am going to try this in the lab 
this week but I wanted some feedback – past experiences, how some of you would 
recommend doing this, etc. 
As always, Thanks! 

 
Joe 
Pelle
Senior Infrastructure 
Architect
Information 
Technology
Valassis / 
IT
19975 
Victor Parkway 
Livonia, MI 
48152
Tel 734.591.7324  
Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/
 
This message may include proprietary 
or protected information. If you are not the intended recipient, please notify 
me, delete this message, and do not further communicate the information 
contained herein without my express written 
consent.
 
This e-mail and any attachment is for authorised use 
by the intended recipient(s) only. It may contain proprietary material, 
confidential information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained or used by, any other party. If you are not an 
intended recipient then please promptly delete this e-mail and any attachment 
and all copies and inform the sender. Thank 
you.This e-mail and any attachment is for 
authorised use by the intended recipient(s) only. It may contain proprietary 
material, confidential information and/or be subject to legal privilege. It 
should not be copied, disclosed to, retained or used by, any other party. If you 
are not an intended recipient then please promptly delete this e-mail and any 
attachment and all copies and inform the sender. Thank you.

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sen

RE: [ActiveDir] Ocra

2005-05-02 Thread Michael Wassell
http://www.winisp.net/astebner/bin/orca.msi 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Sunday, May 01, 2005 4:34 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Ocra

Hi,

I need Orca to edit an MSI file; the only way it seems I can get it is
by downloading the whole SDK (400 megabytes). It's not even on TechNet.
Does anyone know of a way to get only the Orca file?

Thanks
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] seize schema master question

2005-05-02 Thread meubank




You could try to transfer the Schema Role before you seize it:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/d4301a14-dd18-4b3c-a3cc-ec9a773f7ffb.mspx

  "Do not seize the schema master role if you can transfer it instead.
   Seizing the schema master role is a drastic step that should be considered
   only if the current operations master will never be available again. For
   more information about transferring operations master roles, see Related
   Topics."

Michael Eubank
Parker Hannifin



   

RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto



* Ping the schema master from a child domain DC
* Check the trust between the parent domain and the child domain with NETDOM or with Active Directory Domains and Trusts (this should be one of the checks after restoring the child domain)
* Ask for the FSMO role owners with NETDOM QUERY FSMO
* Run DCDIAG /V on the child DC

By the way: did the complete child domain go back in time?

HINT: think about what happens with objects that were created after the backups that were used.

TIP: when doing a DR of a certain domain or the complete forest you MUST in both situations take the complete forest and its owners into account. There are dependencies and you cannot work alone.

Cheers,
#JORGE#

PS.: not so long ago there was a similar thread where I and I think Guido made some suggestions.


This e-mail and any attachment is for authorised use 
by the intended recipient(s) only. It may contain proprietary material, 
confidential information and/or be subject to legal privilege. It should not be 
copied, disclosed to, retained or used by, any other party. If you are not an 
intended recipient then please promptly delete this e-mail and any attachment 
and all copies and inform the sender. Thank 
you.
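The checklist Jorge gives above (ping the schema master, verify the parent/child trust with NETDOM, ask NETDOM QUERY FSMO who owns the roles, run DCDIAG /V on the child DC) and the transfer-before-seize advice in Michael Eubank's reply fit naturally into one script. The following is an added example written for this page, not code posted by anyone in the thread. It assumes a management host with the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later, so newer than the 2003-era tools the thread names) plus netdom.exe and dcdiag.exe on the PATH, run by a member of Schema Admins; the DC and domain names in the param block are hypothetical placeholders to replace with your own. It never seizes unless you pass -AllowSeize explicitly.

```powershell
<#
 Added example for this thread, not code from any poster. Assumes the ActiveDirectory
 module, netdom.exe and dcdiag.exe are available and the caller is a Schema Admin.
 All host and domain names below are hypothetical.
#>
param(
    [string]$ChildDc      = 'dc1.corp.example.com',  # restored child-domain DC (hypothetical)
    [string]$ParentDomain = 'root.example.com',      # empty forest root that was NOT restored (hypothetical)
    [string]$ChildDomain  = 'corp.example.com',      # restored child domain (hypothetical)
    [switch]$AllowSeize                               # off by default: seizing is the last resort
)
Import-Module ActiveDirectory -ErrorAction Stop

function Invoke-Check([string]$Name, [scriptblock]$Body) {
    # Runs one check, reports OK/FAIL on the console and returns the boolean so callers can gate on it.
    $ok = $false
    try { $ok = [bool](& $Body) } catch { Write-Warning ("{0}: {1}" -f $Name, $_.Exception.Message) }
    Write-Host ('{0,-45} {1}' -f $Name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return $ok
}

# 1. Role owners as the directory currently records them (what NETDOM QUERY FSMO prints).
$fsmoLines = netdom query fsmo 2>&1
$m = $fsmoLines | Select-String -Pattern '^Schema master\s+(\S+)'
if (-not $m) { throw 'netdom query fsmo did not report a schema master; stop here and investigate.' }
$schemaMaster = $m.Matches[0].Groups[1].Value
Write-Host "Schema master currently recorded as: $schemaMaster"

# 2. The post-restore checks from the thread, run from the child side.
$reachable = Invoke-Check 'Schema master answers ping' {
    Test-Connection -ComputerName $schemaMaster -Count 2 -Quiet
}
$trustOk = Invoke-Check 'Trust child <-> parent verifies' {
    netdom trust $ChildDomain "/domain:$ParentDomain" /verify 2>&1 | Out-Null
    $LASTEXITCODE -eq 0
}
$dcdiagOk = Invoke-Check "dcdiag /v on $ChildDc reports no failed test" {
    $out = dcdiag "/s:$ChildDc" /v 2>&1
    -not ($out -match 'failed test')
}

# 3. Decide. A reachable schema master means there is nothing to seize.
if ($reachable) {
    Write-Host 'Schema master is online: leave the role where it is and fix the remaining failures.'
    return
}
if (-not ($trustOk -and $dcdiagOk)) {
    throw 'Child domain is not healthy yet; do not touch FSMO roles until it is.'
}

# 4. Transfer first. A transfer needs the current owner online, so with the root not
#    restored it fails, which is exactly the signal that you would be seizing, not moving.
try {
    Move-ADDirectoryServerOperationMasterRole -Identity $ChildDc -OperationMasterRole SchemaMaster -Confirm:$false -ErrorAction Stop
    Write-Host "Transferred schema master to $ChildDc."
}
catch {
    Write-Warning "Transfer failed: $($_.Exception.Message)"
    if (-not $AllowSeize) {
        throw 'Refusing to seize without -AllowSeize. Restore the forest root instead if you can.'
    }
    # -Force seizes. The old holder must never come back online afterwards; rebuild it.
    Move-ADDirectoryServerOperationMasterRole -Identity $ChildDc -OperationMasterRole SchemaMaster -Force -Confirm:$false -ErrorAction Stop
    Write-Host "Seized schema master onto $ChildDc. Decommission the old holder ($schemaMaster) before it ever reconnects."
}
(Get-ADForest).SchemaMaster
```

The split between step 3 and step 4 is the point: in Joe's DR scenario the root was simply not restored, so the script stops at the transfer failure and tells you to restore the root, which is also what Nathaniel and Jorge recommend. Only an operator who has decided the root is gone for good passes -AllowSeize, and then the original schema master has to be rebuilt rather than reconnected.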


RE: [ActiveDir] seize schema master question

2005-05-02 Thread Bahta Nathaniel V Contr NASIC/SCNA



Joe,

It seems that the root should be stabilized before you begin resurrecting any child objects. The schema master must be online before any Exchange installation/resurrection takes place. Seizing the role of the schema master and collapsing the root domain is probably not the preferred method of DR.

Just a thought,

Nathaniel Bahta
General Dynamics
Network Systems




RE: [ActiveDir] seize schema master question

2005-05-02 Thread Pelle, Joe








W2K3 Domain and E2k3 –

Error related to: unable to contact the active directory

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/



 

















RE: [ActiveDir] seize schema master question

2005-05-02 Thread Jorge de Almeida Pinto



A DR test... interesting. I have created such a procedure once for one of my customers...damn what a rush! ;-)

Is this W2K or W2K3 AD?
What are the errors or notifications you have experienced when trying to install Exchange?

Cheers,
#JORGE#
 






Re: [ActiveDir] GP question

2005-05-02 Thread rubix cube
Thank you Darren,
I am trying to install Symantec; the MSI file comes on the CD with a
transform file to reboot the machine too. I couldn't get Orca to
edit the MSI file. Can't you email me the Orca exe file?




[ActiveDir] seize schema master question

2005-05-02 Thread Pelle, Joe








Hello!

Our company recently went through a DR test and had some interesting results. One in particular is that we couldn't get Exchange installed because it couldn't write to the Schema (schema master was not restored). Here is my question: we have an empty root (where the schema master lives) that we did NOT restore… and we have our primary domain where users and Exchange lives (this is the domain that we restored). Could I have seized the Schema master role and moved it to the restored (child) domain, or should we have restored the root?

I am going to try this in the lab this week but I wanted some feedback – past experiences, how some of you would recommend doing this, etc.

As always, Thanks!

Joe Pelle
Senior Infrastructure Architect
Information Technology
Valassis / IT
19975 Victor Parkway Livonia, MI 48152
Tel 734.591.7324  Fax 734.632.6151
[EMAIL PROTECTED]
http://www.valassis.com/

This message may include proprietary or protected information. If you are not the intended recipient, please notify me, delete this message, and do not further communicate the information contained herein without my express written consent.

 








RE: [ActiveDir] GP question

2005-05-02 Thread Darren Mar-Elia
I suspect it's doing a repair rather than a reinstall. Usually this means
that some temporary files that get deleted when the user logs off or
quits the app are key files on a component within the package. Did you
use a snapshotting utility to make the package? That is usually the
cause of this. Some temp files get caught up in the snapshot that
shouldn't be. If you remove those temporary files I suspect you'll see
the behavior go away.

Darren

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Sunday, May 01, 2005 11:34 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GP question

Hi
I have an OU with a GP to install a specific piece of software. Every time the
user restarts his computer the group policy installs the software again,
even though I do not do Redeploy Application; the users still get
the software re-deployed at every restart. What could be the reason?
Thank you
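Darren's diagnosis above (a component whose key path is a file that later disappears, so Windows Installer schedules a repair at every start) can be checked against the package itself instead of guessed at. The script below is an added example written for this page, not code from any poster or from Symantec. It reads the Component, File and Directory tables of an MSI through the Windows Installer COM automation object and lists file key paths that sit in temp-style locations. It assumes a Windows host with Windows Installer; C:\packages\app.msi is a placeholder path, and the directory and file-name patterns it flags are a heuristic of mine, not an Installer rule.

```powershell
<#
 Added example for this thread, not code from any poster or vendor. Lists MSI components
 whose key path is a file and flags the ones in temp-style locations. $MsiPath is hypothetical.
#>
param([string]$MsiPath = 'C:\packages\app.msi')   # hypothetical path; pass your own

function Invoke-MsiMethod($Object, [string]$Name, [object[]]$ArgList) {
    # WindowsInstaller.Installer is late-bound, so every call goes through IDispatch.
    $Object.GetType().InvokeMember($Name, 'InvokeMethod', $null, $Object, $ArgList)
}
function Get-MsiProperty($Object, [string]$Name, [object[]]$ArgList) {
    $Object.GetType().InvokeMember($Name, 'GetProperty', $null, $Object, $ArgList)
}
function Get-MsiRows($Db, [string]$Sql) {
    # Runs one query against the MSI database and yields each row as a string array.
    $view = Invoke-MsiMethod $Db 'OpenView' @($Sql)
    Invoke-MsiMethod $view 'Execute' $null | Out-Null
    while ($rec = Invoke-MsiMethod $view 'Fetch' $null) {
        $n = Get-MsiProperty $rec 'FieldCount' $null
        ,@(1..$n | ForEach-Object { Get-MsiProperty $rec 'StringData' @($_) })
    }
    Invoke-MsiMethod $view 'Close' $null | Out-Null
}

$installer = New-Object -ComObject WindowsInstaller.Installer
$db = Invoke-MsiMethod $installer 'OpenDatabase' @($MsiPath, 0)   # 0 = msiOpenDatabaseModeReadOnly

# Index the File and Directory tables so key paths and install locations can be resolved.
$files = @{}; $dirs = @{}
foreach ($r in Get-MsiRows $db 'SELECT File, FileName, Component_ FROM File') { $files[$r[0]] = $r }
foreach ($r in Get-MsiRows $db 'SELECT Directory, Directory_Parent, DefaultDir FROM Directory') { $dirs[$r[0]] = $r }

function Get-DirPath([string]$Key) {
    # Walks Directory_Parent up to the root. DefaultDir is "target:source" and "short|long".
    $parts = @()
    while ($Key -and $dirs.ContainsKey($Key)) {
        $long = (($dirs[$Key][2] -split ':')[0] -split '\|')[-1]
        $parts = @("$Key($long)") + $parts
        $Key = $dirs[$Key][1]
    }
    $parts -join '\'
}

# Component.KeyPath that names a File row means "this file decides whether the component is
# present"; if that file is gone at the next advertise/launch, Installer repairs the product.
$suspects = foreach ($r in Get-MsiRows $db 'SELECT Component, Directory_, KeyPath FROM Component') {
    $comp, $dir, $key = $r
    if (-not $files.ContainsKey($key)) { continue }    # registry key path or no key path: not a file
    $fileName = ($files[$key][1] -split '\|')[-1]
    $dirPath  = Get-DirPath $dir
    $reason = @()
    if ($dirPath -match '(?i)TempFolder|\btemp\b|\btmp\b') { $reason += 'temp directory' }   # heuristic
    if ($fileName -match '(?i)^~|\.(tmp|log|lock)$')       { $reason += 'temp-style file name' } # heuristic
    if ($reason) {
        [pscustomobject]@{ Component = $comp; KeyFile = $fileName; Directory = $dirPath; Reason = ($reason -join ', ') }
    }
}
if ($suspects) { $suspects | Format-Table -AutoSize }
else { "No file key paths in temp-style locations found in $MsiPath" }
```

Run it against the vendor MSI and, separately, against the MSI with the transform applied, since a transform can change key paths. On a machine that shows the symptom, the Application event log confirms which component is at fault: MsiInstaller event 1004 ("Detection of product ..., component ... failed. The resource ... does not exist.") names the missing key file, and that component is the one to fix in Orca.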