RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
Al,

"Can" and "Will" are two different things. Knowing Brett and his, shall we say, feisty nature - anything is possible. :o)

Brett - what's the Xbox game of the week, BTW?

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

My apologies for the demotional insinuation. While there are plenty of ways to shoot my foot off, I'd appreciate reducing that number.

Is this something we should revise in one of the two docs at least for posterity? Do you know who wrote the docs that disagree and can you drop a note?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't cheapen my job, I can close the door too.

I didn't proof read the Running DCs in a Virtual Server 2005 doc. I happen to know that it doesn't insist on turning off the host system's disk cache, so _I_ won't be debugging a confluence of lost flushes or USN rollbacks in that environment. The KB was written earlier than the DCs on VirtServer2005 doc. I personally like the KB as it is, but obviously as you point out they're incongruous.

Keep in mind there are plenty of ways to shoot yourself in the foot with VPCs ... all based off the idea of improper backup/restore/imaging of AD data ... things that come off the top of my head:

- diff disks could very easily be deadly,
- and in the case of VPCs, when a VPC is shut down, even xcopy (on the host system) is then a deadly piece of "imaging" type software,
- the same thing even applies outside of VPCs: just a DC in DSRM has an unprotected DIT and log files, and copying those out, and then back in later, would qualify as something that can cause USN rollback.

Cheers,
-BrettSh [msft]
Building 7 Garage Door Operator ... ostensibly the Garage Door Operator with the most knowledge of the ESE and AD database internals ...

On Wed, 4 May 2005, Al Mulnick wrote:

> Interesting, Mr Garage Door Opener. Perhaps some rewording is needed to make this and these other docs consistent? Or am I reading into this?
>
> "The following operations are not supported:
> ...2. Starting an Active Directory domain controller whose operating system resides in a virtualized hosting environment such as Microsoft Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE"
>
> http://www.support.microsoft.com/kb/897614/
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en
>
> I'm just so confused. ;)
>
> -ajm
>
> "Chief, Cook, and Bottle-Washer"
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 6:30 AM
> To: ActiveDir@mail.activedir.org
> Cc: Joseph L. Casale
> Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
>
> "That is soo not right." (Mean Girls movie reference, at Halloween party)
>
> You should take a look at this:
> http://support.microsoft.com/?kbid=885875
>
> I sincerely hope you don't have USN rollback or divergent replicas, but I think it is likely if you are actually imaging dcpromo'd DCs.
>
> Just curious, for imaging what are you using? Ghost? Are you just restoring images? Are you using the images to build additional DCs for load?
>
> Win2k3 SP1, and a hot fix post Win2k SP4, will in fact stop DCs from replicating if it detects such a condition (but it is not always guaranteed it will be able to detect the condition), to attempt to contain the damage.
>
> Also note, b/c I'm not sure the KB is clear about divergent replicas ... just because things are replicating currently, or there are no apparent current USN rollbacks ... does NOT mean you weren't once in the past afflicted with USN rollback, and now you've gotten past it, and instead are simply afflicted with divergent replicas (worse than USN rollback in ways). You might try to use (_I thinK_) dsastat to run through all the objects on your DCs in a pair-wise fashion to find differences.
>
> Cheers,
> Brett Shirley [msft]
> Building 7 Garage Door Operator, so what do I know ...
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> On Tue, 3 May 2005, Joseph L. Casale wrote:
>
> > Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms built in to get it back up to par...
> > jlc
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Tuesday, May 03, 2005 7:08 PM
> > To
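Brett's two points above (a partner can detect a rolled-back USN only when it has already seen a higher one from the same invocationID, and an undetected rollback leaves divergent replicas that only a pairwise comparison such as dsastat reveals) as a toy model. This is an added example, not Microsoft's code or the DC's real replication logic; the classes `DomainController` and `Partner`, the object names and the USN values are all constructed for illustration.

```python
"""Toy model of USN rollback detection and the divergent-replica failure mode.

Added example for this thread. Not real AD code: a DC is reduced to an
invocationID plus a rising USN, and a partner to a per-invocationID high
watermark, which is the core of the mechanism the thread discusses.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Change:
    usn: int   # originating DC's update sequence number for this write
    obj: str   # object that was written (constructed names below)


class DomainController:
    """A DC with one invocationID and a USN that only ever goes up ... unless restored."""

    def __init__(self, invocation_id: str) -> None:
        self.invocation_id = invocation_id
        self.usn = 0
        self.changes: List[Change] = []

    def write(self, obj: str) -> Change:
        self.usn += 1
        change = Change(self.usn, obj)
        self.changes.append(change)
        return change

    def image(self) -> "DomainController":
        """xcopy / Ghost / VPC diff-disk style copy: same invocationID, frozen USN."""
        return copy.deepcopy(self)


class Partner:
    """A replica that pulls from a source and remembers the highest USN it received."""

    def __init__(self) -> None:
        self.high_watermark: Dict[str, int] = {}  # invocationID -> highest USN seen
        self.objects: Dict[str, int] = {}         # obj -> USN of the replicated write

    def pull(self, src: DomainController) -> Tuple[str, List[str]]:
        seen = self.high_watermark.get(src.invocation_id, 0)
        # Detection (Win2k3 SP1 behaviour described in the thread): the source
        # reports a highest USN *below* what we already got from this invocationID.
        if src.usn < seen:
            return "USN_ROLLBACK_DETECTED", []
        pulled = [ch.obj for ch in src.changes if ch.usn > seen]
        for ch in src.changes:
            if ch.usn > seen:
                self.objects[ch.obj] = ch.usn
        self.high_watermark[src.invocation_id] = src.usn
        return "OK", pulled

    def divergence(self, src: DomainController) -> List[str]:
        """dsastat-style pairwise check: objects present on only one side."""
        return sorted(set(self.objects) ^ {c.obj for c in src.changes})


def scenario(writes_after_restore: int) -> Tuple[str, List[str]]:
    """Image a DC at USN 1, write three more objects, replicate them, restore the
    image, make `writes_after_restore` new writes and replicate again.
    Returns (status of the second pull, objects that differ between the replicas)."""
    dc = DomainController("inv-A")
    dc.write("user1")
    snapshot = dc.image()                    # the dangerous "backup"
    for n in range(3):
        dc.write(f"post-image-{n}")          # USNs 2..4
    partner = Partner()
    partner.pull(dc)                         # partner's watermark for inv-A is now 4

    dc = snapshot                            # restore: USN is back to 1, same invocationID
    for n in range(writes_after_restore):
        dc.write(f"after-restore-{n}")       # USNs 2.. reused for different objects
    status, _ = partner.pull(dc)
    return status, partner.divergence(dc)


if __name__ == "__main__":
    # Few writes after the restore: the source's USN (3) is below the watermark (4).
    print(scenario(2))   # detected, replication stopped
    # Enough writes to climb past the watermark: nothing looks wrong, but the
    # writes that reused USNs 2..4 are never replicated. Divergent replicas.
    print(scenario(5))   # "OK", six objects differ between the two replicas
```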
RE: [ActiveDir] GPO not applied - thinks it is empty
Ok, so what is the version for machine on ServerName1? Also, does machine extensions for server2 really not list any or did you just shorten it for display purposes?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren-

I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda
[ActiveDir] Windows 2003 Std RRAS & Logon Scripts
At my organization, we have a Windows 2003 RRAS box, and when users log in via VPN or dial-up, their logon scripts do not run. If the VPN users click "Log on using dial-up connection" at the CTRL-ALT-DEL screen, the logon scripts work that way, but not when just clicking on the dial-up / VPN shortcuts on their desktops. Does anyone have any suggestions on how to make the logon scripts run whenever anyone connects, regardless of how they do it (via shortcut on desktop or at the CTRL-ALT-DEL screen)?

Thanks--
Charlie Saliba
[EMAIL PROTECTED]
RE: [ActiveDir] using GPO with scripts
Go get 'em tiger! :)

If it doesn't work out that way, drop a note back. It's not something they should reject, but if you feel like building an empire, this might be a first step to taking over the web development...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, May 04, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

We have a web development team. Looks like they are actually trying to pawn this off elsewhere, but I am fighting that now that I know more what they are wanting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yep. To do something like that would require some coding of course. It also relies on the user going to the homepage on a regular basis and that they are able to run apps. Do you have to write this, or do you have web application dev teams?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well, found out some more information. Love how you get the full info when you need it. NOT.

Anyways. Seems the website is just a web interface to a database with their personnel information. They want to ensure the user visits the site every 90 days to make updates if needed. They are requesting a "Runonce" type operation for IE when the user launches IE that will send them to the database every 90 days, but of course not send the entire population there at once. So I am thinking a field within the personnel database that will be a timestamp. Now can I have our homepage run a script in the background that checks this field to see if the timestamp is greater than 90 days? And then if it is, redirect them to the database website? Sounds better than dealing with login scripts and schema changes.

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah, locking the account because they haven't read the doc yet seems a little counter productive, but if it is that important... Go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. Don't have to extend the AD Schema then, but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well, but that seems a bit expensive for this.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements, i.e. EULA agreements, and have the OK navigation button disabled unless and until they click 'I Agree'.

As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :)

As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field.

You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I lik
RE: [ActiveDir] Solaris authentication
I'd be highly interested in that information as well if you can spare it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Yeah, if you could find out, that would be nice. I haven't been able to find the easy, kerberized way that Solaris 10 "supposedly" integrates with AD. I really thought this was one of the big initiatives that MS and Sun were working on.

Thanks everyone for your replies about Ethereal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know I said it earlier, but I'll say it again here..... Solaris 9/10 have (I'm told) a much nicer Kerberos client that is very AD savvy. So if you're using one of them, you might be getting a lot of advice for a well baked scenario that Sun was kind enough to try out for you already. I can find out a bit more if you have no idea what I'm talking about, I just don't remember off hand.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al....... 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for.

In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind, and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial prod
RE: [ActiveDir] Solaris authentication
To get all the information you should be using a spanning (not spamming) port. That will show you all the information going through the switch, not just what ethereal can collect. If there is no spanning port you may want to break into the switch and tell it to send all traffic to your port as well. Assuming the switch is intelligent. If it's a dumb switch you're going to have problems treating it like a hub.

Brent Eads
Employee Technology Solutions, Inc.
RE: [ActiveDir] GPO not applied - thinks it is empty
Add to the methods:

1. Put machine on hub and sniff traffic and watch script come down.
2. Put a password filter in place and have it alert you that the password was changed.

et alii

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

If I could ask what might be the obvious, from a security perspective....

If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

If you didn't consider this at all, I bet the policy is ACLd with AU having read, so I can just read it out with notepad.

If you were clever enough to acl the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do.... perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while impersonating the machine. Or get the machine to do it for me (since I own it, I can make it do my bidding).

And if you haven't taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren-

I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda
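Darren's explanation of the gpt.ini version versus the GPC object's versionNumber (given in both copies of this thread) as a small checker that does offline what gpotool does against live DCs. This is an added example, not gpotool's code; the two gpt.ini texts, the DC names and the versionNumber values are constructed to mirror Brenda's "sysvol mismatch" output, and the 16/16 split of the version DWORD (low word = computer side, high word = user side) is the GPO version layout the check relies on.

```python
"""Decode GPO version numbers and flag the mismatches gpotool reports.

Added example for this thread, not gpotool's code. Inputs are constructed:
gpt.ini contents as they would be read from SYSVOL on each DC, and the
versionNumber each DC holds on the GPC object in AD.
"""
import configparser
from typing import Dict, List, Tuple

# Constructed sample: ServerName1 is consistent, Server2's SYSVOL copy of
# gpt.ini still carries Version=0 (no computer-side changes recorded).
GPT_INI_SERVERNAME1 = """[General]
Version=37
displayName=Startup script policy (constructed)
"""
GPT_INI_SERVER2 = """[General]
Version=0
displayName=Startup script policy (constructed)
"""
SAMPLE_SYSVOL = {"ServerName1": GPT_INI_SERVERNAME1, "Server2": GPT_INI_SERVER2}
SAMPLE_DS = {"ServerName1": 37, "Server2": 37}   # constructed versionNumber values


def split_version(version: int) -> Tuple[int, int]:
    """GPO version DWORD -> (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def join_version(user: int, computer: int) -> int:
    """Inverse of split_version, useful when reasoning about AD's versionNumber."""
    return ((user & 0xFFFF) << 16) | (computer & 0xFFFF)


def parse_gpt_ini(text: str) -> int:
    """Return the Version value from a gpt.ini body."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg.getint("General", "Version")


def check_gpo(sysvol_by_dc: Dict[str, str], ds_by_dc: Dict[str, int]) -> List[str]:
    """Three checks, in the spirit of gpotool:
    1. each DC's gpt.ini version equals that DC's AD versionNumber;
    2. every DC agrees with the first DC (SYSVOL and DS separately);
    3. a computer version of 0 anywhere, which is what makes a client
       report a GPO with only computer settings as 'empty'."""
    problems: List[str] = []
    versions: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {}
    for dc, ini_text in sysvol_by_dc.items():
        sysvol = split_version(parse_gpt_ini(ini_text))
        ds = split_version(ds_by_dc[dc])
        versions[dc] = (ds, sysvol)
        if sysvol != ds:
            problems.append(
                f"{dc}: DS version (user {ds[0]}, computer {ds[1]}) != "
                f"sysvol version (user {sysvol[0]}, computer {sysvol[1]})"
            )
    dcs = list(versions)
    reference = dcs[0]
    for dc in dcs[1:]:
        if versions[reference][1] != versions[dc][1]:
            problems.append(f"{reference} - {dc} sysvol mismatch")
        if versions[reference][0] != versions[dc][0]:
            problems.append(f"{reference} - {dc} DS mismatch")
    for dc, (ds, sysvol) in versions.items():
        if ds[1] == 0 or sysvol[1] == 0:
            problems.append(f"{dc}: computer version is 0, clients treat the computer side as empty")
    return problems


if __name__ == "__main__":
    for line in check_gpo(SAMPLE_SYSVOL, SAMPLE_DS):
        print(line)
```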
RE: [ActiveDir] Solaris authentication
Yeah, if you could find out, that would be nice. I haven't been able to find the easy, kerberized way that Solaris 10 "supposedly" integrates with AD. I really thought this was one of the big initiatives that MS and Sun were working on.

Thanks everyone for your replies about Ethereal.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know I said it earlier, but I'll say it again here..... Solaris 9/10 have (I'm told) a much nicer Kerberos client that is very AD savvy. So if you're using one of them, you might be getting a lot of advice for a well baked scenario that Sun was kind enough to try out for you already. I can find out a bit more if you have no idea what I'm talking about, I just don't remember off hand.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al....... 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for.

In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind, and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activ
RE: [ActiveDir] using GPO with scripts
We have a web development team. Looks like they are actually trying to pawn this off elsewhere, but I am fighting that now that I know more what they are wanting.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yep. To do something like that would require some coding of course. It also relies on the user going to the homepage on a regular basis and that they are able to run apps. Do you have to write this, or do you have web application dev teams?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well, found out some more information. Love how you get the full info when you need it. NOT.

Anyways. Seems the website is just a web interface to a database with their personnel information. They want to ensure the user visits the site every 90 days to make updates if needed. They are requesting a "Runonce" type operation for IE when the user launches IE that will send them to the database every 90 days, but of course not send the entire population there at once. So I am thinking a field within the personnel database that will be a timestamp. Now can I have our homepage run a script in the background that checks this field to see if the timestamp is greater than 90 days? And then if it is, redirect them to the database website? Sounds better than dealing with login scripts and schema changes.

Jeff

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah, locking the account because they haven't read the doc yet seems a little counter productive, but if it is that important... Go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. Don't have to extend the AD Schema then, but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well, but that seems a bit expensive for this.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements, i.e. EULA agreements, and have the OK navigation button disabled unless and until they click 'I Agree'.

As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :)

As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field.

You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or a similar tool to create this Custom Attribute. Once the attribute is there, I would need to configure an ActiveX script or something that will update this attribute when the user authenticates to the website, correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-
RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
My apologies for the demotional insinuation. While there are plenty of ways to shoot my foot off, I'd appreciate reducing that number. Is this something we should revise in one of the two docs at least for posterity? Do you know who wrote the docs that disagree and can you drop a note?

Al

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't cheapen my job, I can close the door too.

I didn't proof read the Running DCs in a Virtual Server 2005 doc. I happen to know that it doesn't insist on turning off the host system's disk cache, so _I_ won't be debugging a confluence of lost flushes or USN rollbacks in that environment. The KB was written earlier than the DCs on VirtServer2005 doc. I personally like the KB as it is, but obviously as you point out they're incongruous.

Keep in mind there are plenty of ways to shoot yourself in the foot, with VPCs ... all based off the idea of improper backup/restore/imaging of AD data ... things that come off the top of my head:
- diff disks could very easily be deadly,
- and in the cases of VPCs, when a VPC is shutdown, even xcopy (on the host system) is then a deadly piece of "imaging" type software.
- the same thing even applies outside of VPCs, just a DC in DSRM, has an unprotected DIT and log files, copying those out, and then back in later, would qualify as something that can cause USN rollback.

Cheers,
-BrettSh [msft]
Building 7 Garage Door Operator ... ostensibly the Garage Door Operator with the most knowledge of the ESE and AD database internals ...

On Wed, 4 May 2005, Al Mulnick wrote:
> Interesting, Mr Garage Door Opener. Perhaps some rewording is needed
> to make this and these other docs consistent? Or am I reading into this?
>
> "The following operations are not supported:
> ...2. Starting an Active Directory domain controller whose operating
> system resides in a virtualized hosting environment such as Microsoft
> Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE "
>
> http://www.support.microsoft.com/kb/897614/
>
> http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en
>
> I'm just so confused. ;)
>
> -ajm
>
> "Chief, Cook, and Bottle-Washer"
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 6:30 AM
> To: ActiveDir@mail.activedir.org
> Cc: Joseph L. Casale
> Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
>
> "That is soo not right." (Mean Girls movie reference, at Halloween
> party)
>
> You should take a look at this:
> http://support.microsoft.com/?kbid=885875
>
> I sincerely hope you don't have USN rollback or divergent replicas,
> but I think it is likely if you are actually imaging dcpromo'd DCs.
>
> Just curious, for imaging what are you using? Ghost? Are you just
> restoring images? Are you using the images to build additional DCs
> for load?
>
> In Win2k3 SP1 and a hot fix post Win2k SP4, will in fact stop DCs from
> replicating if it detects such a condition (but it is not always
> guaranteed it will be able to detect the condition), to attempt to
> contain the damage.
>
> Also note, b/c I'm not sure the KB is clear about divergent replicas ...
> just because things are replicating currently, or there are no
> apparent current USN rollbacks ... does NOT mean you weren't once in
> the past afflicted with USN rollback, and now you've gotten past it,
> and instead are simply afflicted with divergent replicas (worse than
> USN rollback in ways). You might try to use (_I thinK_) dsastat to
> run through all the objects on your DCs in a pair-wise fashion to find differences.
>
> Cheers,
> Brett Shirley [msft]
> Building 7 Garage Door Operator, so what do I know ...
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> On Tue, 3 May 2005, Joseph L. Casale wrote:
> > Errr, I do it always, always, ALWAYS, and it works? AD has
> > mechanisms built in to get it back up to par...
> > jlc
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett
> > Shirley
> > Sent: Tuesday, May 03, 2005 7:08 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> >
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or
> > ADAM server. I don't know about members, just adding knowledge
> > about DCs, as I don't think I've ever mentioned it here before.
> >
> > Cheers,
> > -Brett Shirley [msft]
> >
> > as is, caveat emptor, status quo, etc
> >
> > On Tue, 3 May 2005, Joh
Re: [ActiveDir] Solaris authentication
On 5/4/05, joe <[EMAIL PROTECTED]> wrote: > Switched networks help secure the network a little better, it locks down who > has full access to see all traffic. However if you sniff from the server > side, you tend to get all sorts of goodies because lots of people are > connecting to them. Although it's worth pointing out that being more secure is not the main point of a switched network ;) Trying to get access to mirror ports is another great reason to make sure you have a very good relationship with your network department, but if all else fails the hub thing is easier (if you can afford to unplug your server and plug it into a hub). Phil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO not applied - thinks it is empty
If I could ask what might be the obvious, from a security perspective….

If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

If you didn’t consider this at all, I bet the policy is ACLd with AU having read, so I can just read it out with notepad.

If you were clever enough to ACL the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do….perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while impersonating the machine. Or get the machine to do it for me (since I own it, I can make it do my bidding).

And if you haven’t taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren-

I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda
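The two points made above, as one added offline example that is not code from the thread: Eric's, that a credential embedded in a startup script sits in SYSVOL where any Authenticated User (or a machine account an attacker controls) can read it, and Darren's, that the Version line in gpt.ini must agree with the versionNumber attribute of the GPC object, with a machine-side revision of 0 making clients treat the computer side as empty. The version split used here (user revision in the high 16 bits, machine revision in the low 16 bits, the same two numbers gpotool prints as "0 37") is stated from my own knowledge, not from the thread. The SYSVOL snapshots, DC names, AD version value and the password in the sample script are constructed test data.

```python
"""Offline audit of one GPO as it appears on several DCs (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed snapshot: dc name -> {path relative to the GPO folder -> contents}
SYSVOL = {
    "dc1": {
        "gpt.ini": "[General]\r\nVersion=37\r\n",
        "Machine/Scripts/Startup/setpw.cmd": 'net user administrator "S3cret!"\r\n',
    },
    "dc2": {
        "gpt.ini": "[General]\r\nVersion=0\r\n",  # stale copy: machine side = 0
    },
}
AD_VERSION_NUMBER = 37  # constructed value of the GPC object's versionNumber


def split_version(version: int) -> Tuple[int, int]:
    """(user_revision, machine_revision) from the packed GPO version number."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Return the integer on the Version= line of a gpt.ini."""
    m = re.search(r"^\s*Version\s*=\s*(\d+)\s*$", text, re.M | re.I)
    if not m:
        raise ValueError("gpt.ini has no Version= line")
    return int(m.group(1))


# Patterns that usually mean a password is sitting in a script body
CRED_PATTERNS = [
    re.compile(r"\bnet\s+user\s+\S+\s+\S+", re.I),        # net user <name> <password>
    re.compile(r"\b(password|passwd|pwd)\s*[=:]\s*\S+", re.I),
]


def find_embedded_credentials(files: Dict[str, str]) -> List[str]:
    """Script lines under the Scripts folders that look like they carry a credential."""
    hits = []
    for path, body in files.items():
        if not re.search(r"/Scripts/", path, re.I):
            continue
        for line in body.splitlines():
            if any(p.search(line) for p in CRED_PATTERNS):
                hits.append(f"{path}: {line.strip()}")
    return hits


def audit(sysvol: Dict[str, Dict[str, str]], ad_version: int) -> List[str]:
    """Compare every DC's gpt.ini with AD and look for readable credentials."""
    findings = []
    ad_user, ad_machine = split_version(ad_version)
    for dc, files in sysvol.items():
        user, machine = split_version(parse_gpt_ini(files["gpt.ini"]))
        if (user, machine) != (ad_user, ad_machine):
            findings.append(
                f"{dc}: sysvol version user={user} machine={machine} "
                f"!= AD user={ad_user} machine={ad_machine}"
            )
        if machine == 0:
            findings.append(
                f"{dc}: machine revision is 0; clients reading this DC "
                f"treat the computer side as empty"
            )
        for hit in find_embedded_credentials(files):
            findings.append(
                f"{dc}: plaintext credential readable by Authenticated Users in {hit}"
            )
    return findings


if __name__ == "__main__":
    for line in audit(SYSVOL, AD_VERSION_NUMBER):
        print(line)
```

Against the constructed snapshot the audit reports three things: the password in dc1's startup script, dc2's version mismatch against AD, and dc2's machine revision of 0, which is the symptom Darren describes. Against a real domain you would read the GPO folder from each DC's SYSVOL share and versionNumber from the GPC object in place of the constructed dictionary.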
RE: [ActiveDir] Solaris authentication
I know I said it earlier, but I’ll say it again here…..Solaris 9/10 have (I’m told) a much nicer Kerberos client that is very AD savvy. So if you’re using one of them, you might be getting a lot of advice for a well baked scenario that Sun was kind enough to try out for you already. I can find out a bit more if you have no idea what I’m talking about, I just don’t remember off hand.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it. Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the
RE: [ActiveDir] Account activation and password setting using PHP/LDAPS
More generally, AD doesn't care who the client is, it only cares that the client can play by the rules: LDAPv2/3, for password ops a secure LDAP connection, etc. In fact, there isn't really a good way for AD to know what OS/client side LDAP API/etc. a given LDAP client is running. We just service requests as they come to us. So as long as you can talk LDAPS to us, doing such an operation from a Windows system or a !Windows system should be very much the same.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 04, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account activation and password setting using PHP/LDAPS

Start here http://support.microsoft.com/Default.aspx?kbid=269190

Short form. Yeah it should be possible.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Wednesday, May 04, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account activation and password setting using PHP/LDAPS

Hello everybody

Our windows 2003 server is configured with LDAPS (port 636). I would like to know if it's possible to set an account password and activate the account from another server using PHP (apache/redhat). I read that it's not possible to activate an account on this way. What do you know about this ?

Many thanks
Olivier
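Eric's point that AD only checks that the client plays by the rules, as an added example that is not code from the thread: the two modifications Olivier asks about, built as plain data so they can be checked without a DC. The rules encoded here come from my own knowledge of AD rather than from the thread: unicodePwd is only accepted over an encrypted connection (LDAPS on 636 or LDAP with StartTLS) and its value is the new password wrapped in double quotes and encoded UTF-16LE; enabling the account means clearing the ACCOUNTDISABLE bit (0x2) of userAccountControl while preserving the other bits; and the caller needs Reset Password rights on the object. The LDAP URL, DN and password are placeholders, and nothing here opens a connection. The same values go into PHP's ldap_mod_replace() once the PHP side has an LDAPS connection.

```python
"""Build the unicodePwd and userAccountControl modifications for AD (added example)."""
from typing import List, Tuple
from urllib.parse import urlparse

ACCOUNTDISABLE = 0x0002   # userAccountControl bit that disables the account
NORMAL_ACCOUNT = 0x0200   # the usual base value for a user account


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the password in double quotes, as UTF-16LE, with no BOM."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, used here only to check the encoding."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quoted")
    return text[1:-1]


def enable_uac(current_uac: int) -> int:
    """Clear ACCOUNTDISABLE and keep every other flag the object already has."""
    return current_uac & ~ACCOUNTDISABLE


def assert_secure_url(url: str) -> None:
    """AD refuses unicodePwd on a cleartext LDAP session; refuse to build one."""
    if urlparse(url).scheme.lower() != "ldaps":
        raise ValueError(f"password operations need LDAPS, got {url!r}")


def build_modify(ldap_url: str, current_uac: int, new_password: str) -> List[Tuple[str, str, bytes]]:
    """Return (operation, attribute, value) triples for a Modify request.

    The order matters in practice: set the password first, then enable the
    account, so a policy that requires a password never sees an enabled
    account without one.
    """
    assert_secure_url(ldap_url)
    return [
        ("replace", "unicodePwd", encode_unicode_pwd(new_password)),
        ("replace", "userAccountControl", str(enable_uac(current_uac)).encode("ascii")),
    ]


if __name__ == "__main__":
    # Placeholder URL, DN state and password; nothing is sent anywhere.
    for op, attr, value in build_modify("ldaps://dc1.example.com:636", 514, "Pa$$w0rd"):
        print(op, attr, value)
```

A disabled normal user carries 514 (0x202); after the change it carries 512. If the connection is ldap:// on 389 the builder refuses, which is the failure Olivier would otherwise see from the DC as an "unwilling to perform" result.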
RE: [ActiveDir] Solaris authentication
Did you see Joe's later post about the hub? Switches often will not show you the data of other machines using different ports unless configured otherwise. That's an advantage of a switch. There are ways to configure switches to allow network capture. The Alcatel way was posted earlier in the thread. Other vendors have data about the process for their particular hardware. You'll have to check with that for the blow by blow.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it. Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)? As far
RE: [ActiveDir] Solaris authentication
You have to have them on a simple hub or configure the mirror port(s) on the switch they are connected to.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:05 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it. Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)?

As far as REQs Al……. 1. FREE 2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al MulnickS
RE: [ActiveDir] Solaris authentication
Are you on a switched network? If so, you can't see packets on a switched network like that. That is why someone previously mentioned mirror port on the switch. I say forget the mirror port (the network people tend to not let you have that access for good reason) and just hook up a hub and run both your machines through the hub and then hook to the switch with the uplink.

Switched networks help secure the network a little better, it locks down who has full access to see all traffic. However if you sniff from the server side, you tend to get all sorts of goodies because lots of people are connecting to them.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it. Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing
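What Al's advice to check the destination port comes down to, as one added example serving every copy of this exchange on the page (it is not code from the thread): a decoder for the bytes a sniffer sees when a client does an LDAP simple bind to tcp/389, beside what it sees when the same bind is sent to tcp/636. The simple bind is a BER-encoded BindRequest (RFC 4511: message ID, then [APPLICATION 0] holding version, DN and a [0] simple-authentication octet string), so the DN and password are readable as soon as you have the packet, which is exactly what joe means by "LDAP bind by itself is not authentication". The DN, password and TLS record header below are constructed sample bytes built in the block, not a real capture; Ethereal's "ldap" and "telnet" display filters show the same fields from a live trace.

```python
"""Decode an LDAP simple bind from a captured client->server payload (added example)."""
from typing import Dict, Optional, Tuple


def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode an LDAPv3 BindRequest with simple authentication (constructed sample)."""
    bind = (_tlv(0x02, bytes([3]))          # version 3
            + _tlv(0x04, dn.encode())        # LDAPDN
            + _tlv(0x80, password.encode())) # authentication CHOICE [0] simple
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_payload(payload: bytes) -> Dict[str, Optional[str]]:
    """What a sniffer learns from one payload: the bind credentials, or nothing."""
    if payload[:2] == b"\x16\x03":
        # TLS handshake record (content type 0x16, SSL/TLS version 3.x): this is
        # what the same bind looks like on tcp/636, and the DN is not recoverable.
        return {"kind": "tls", "dn": None, "password": None}
    tag, msg, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        return {"kind": "unknown", "dn": None, "password": None}
    _, _, p = _read_tlv(msg, 0)             # messageID
    op_tag, op, _ = _read_tlv(msg, p)
    if op_tag != 0x60:
        return {"kind": "ldap-other", "dn": None, "password": None}
    _, _, p = _read_tlv(op, 0)              # version
    _, dn, p = _read_tlv(op, p)             # LDAPDN
    auth_tag, auth, _ = _read_tlv(op, p)    # authentication CHOICE
    if auth_tag != 0x80:
        # [3] sasl (0xA3): GSSAPI/Kerberos or DIGEST-MD5, no password on the wire
        return {"kind": "ldap-bind-sasl", "dn": dn.decode(), "password": None}
    return {"kind": "ldap-bind-simple", "dn": dn.decode(), "password": auth.decode()}


if __name__ == "__main__":
    # Constructed placeholders, not a real account.
    pkt = build_simple_bind(1, "cn=svc,dc=example,dc=com", "Secret1")
    print("tcp/389:", parse_payload(pkt))
    print("tcp/636:", parse_payload(b"\x16\x03\x01\x00\x05hello"))
```

The block's own sample bind decodes to the DN and the cleartext password; the TLS record decodes to nothing, which is the difference between a client that found port 636 (or negotiated StartTLS on 389) and one that did not. A SASL bind on 389 also hides the password, but then the client is no longer doing the static-DN simple bind the thread is about.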
RE: [ActiveDir] best practice?
I'm not Brett[1] but wanted to just say something really quick here. Well, a couple of things actually.

1. When it comes to AD database consistency and replication, Brett is someone I would tend to listen to very carefully. I may not understand what he is trying to say, but I will try like heck to understand it. Rough around the edges though he may be, he knows a lot about the guts of the AD DB and replication. Keep in mind he wrote some of the most "brilliant" parts of repadmin[2].

2. When you image and recover the image you are bypassing any and all logic associated with a directory DB recovery. I.e. you aren't restoring the database through the very specific DS Backup/Restore API, so you don't get the cool things that it does, like renaming the database GUID aka invocation ID, which effectively tells all of the other partners there is a "different" database out here that needs to be fully updated. I haven't fully thought out the implications of that, but one thing right off the bat is the thought that all DCs maintain high water vectors for all databases so they know where they are at for replication. This isn't just kept on the DC in question, this is kept all over, so I could see serious possibilities of issues there. Additionally, think of a change that mastered on that database and replicated out. How do you get it back if the DB is rolled back and all of the other DCs already think that DB has that info since it was mastered there? You get ~Eric, Dean, and Brett thinking about it and I expect you could find all sorts of horrible things that this can do to you.

I think the idea that a DC can be restored from an image like that because it is "sort" of like restoring the DB is flawed at the very best. You don't have a full comprehension of what is being done in the backend to support that restore. If it were that simple, why do you need a backup API at all? Mirror the DIT and zip it and there is your backup... It doesn't work that way. As Brett indicated... Bad mojo... Heck, I will go further, positively evil. You could damage your AD in ways that you (and it) have no clue about and only later run into it when you are trying to figure out niggling consistency issues in applications that act odd some of the time.

joe

[1] And I couldn't play him on TV either, Brett stores a good portion of his height in his hair and I store mine in my legs.
[2] His words when I met him in person at an MVP summit. He was quite excited to talk about that portion of the code...

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V Contr NASIC/SCNA
Sent: Wednesday, May 04, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

Brett,

What is your basis for not being able to restore a DC from an image? If the DC has an old copy of the directory data, it will check its USNs and update its copy. What could cause havoc, if anything? We are about to institute this very same concept here to turn DR into a 10 minute process when it comes to operating system recovery. We will image the servers monthly and restore from said image whenever one crashes. What could cause a problem by restoring a DC? It will be timestamped to be old and AD will synchronize it with the rest of the domain. Please elaborate on your basis for comment.

Nathaniel Bahta

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

jlc,

You can't restore a single DC via an image based backup, either. It is not supported, it is not allowed ... it is bad mojo.

Well, it wouldn't cause issues if the forest had ONLY that one DC (seems unlikely the case), or for a multi-DC forest, you'd have to shutdown all the DCs in the forest at the same time, when you took your backup images. And then on restore, restore them all at the same time. Basically a pretty infeasible suggestion.

Cheers,
-Brett Shirley [msft]

This posting is provided "AS IS" with no warranties, and confers no rights.

On Wed, 4 May 2005, Joseph L. Casale wrote:
> Exactly, I do it for DR purposes, the old one dies - I reimage it and
> put it back out there.
> No problem...
> jlc
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Wednesday, May 04, 2005 7:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> > BUT as for DC's. I do "image" dc's using Symantec Livestate
> > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I
> > primarily use for backups. I have not had to recover a server in
> > production ( and hope I do not have to ) but I have in lab 10+ times
> > and servers are as clean as ever.
> > You should take a look.
>
> When Brett mentioned imaging DC
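The following toy model is an added illustration of the replication bookkeeping joe describes above (invocation ID, USN, the per-database high water vector); it is not code from this list or from Microsoft, and it is deliberately simplified (one naming context, two DCs, no transitive replication). It shows the difference between rolling a DC back to a disk image, where the partner still remembers a higher USN for the same invocation ID and the rewound DC's new changes never propagate, and a restore through the backup/restore API, modelled here simply as issuing a fresh invocation ID, after which the partner treats the database as new and both sides catch up.

```python
"""Toy model: why a DC rolled back to a disk image diverges, while a DC
restored through the DS restore API (new invocationID) re-syncs cleanly.
Added illustration for this thread, not code from the list or Microsoft."""
import uuid
from dataclasses import dataclass, field


class UsnRollback(Exception):
    """A partner has recorded a higher USN for this DC's invocationID than the
    DC itself now claims: the database has been rewound."""


@dataclass
class DC:
    name: str
    invocation_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    usn: int = 0                                  # highest USN committed locally
    objects: dict = field(default_factory=dict)   # name -> (value, origin invocationID, origin USN)
    utd: dict = field(default_factory=dict)       # up-to-dateness vector: invocationID -> USN

    def write(self, name, value):
        """Originating write: allocate the next USN and stamp the object with it."""
        self.usn += 1
        self.objects[name] = (value, self.invocation_id, self.usn)
        self.utd[self.invocation_id] = self.usn
        return self.usn

    def disk_image(self):
        """Block-level copy of the database, as an imaging tool would take it."""
        return DC(self.name, self.invocation_id, self.usn,
                  dict(self.objects), dict(self.utd))

    def restore_via_api(self):
        """Simplified effect of a supported restore: a new invocationID, so
        partners see a different database instead of a rewound old one."""
        self.invocation_id = uuid.uuid4().hex
        self.utd[self.invocation_id] = self.usn


def replicate(src, dst, detect_rollback=True):
    """dst pulls from src every change whose (origin invocationID, origin USN)
    is newer than dst's vector. With detect_rollback, either side refuses if
    the other has been rewound below what it already knows about it."""
    if detect_rollback:
        for a, b in ((src, dst), (dst, src)):
            seen = b.utd.get(a.invocation_id, 0)
            if seen > a.usn:
                raise UsnRollback(f"{b.name} already holds USN {seen} from "
                                  f"{a.name}'s invocationID, but {a.name} is at {a.usn}")
    pulled = []
    for name, (value, inv, usn) in src.objects.items():
        if usn > dst.utd.get(inv, 0):
            dst.objects[name] = (value, inv, usn)
            dst.utd[inv] = max(dst.utd.get(inv, 0), usn)
            pulled.append(name)
    return sorted(pulled)


def simulate(restore_properly, detect_rollback=True):
    """Image DC1, change it, replicate, roll DC1 back, then replicate both ways."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    image = dc1.disk_image()             # the "monthly image" is taken here
    dc1.write("cn=user1", "v1")          # USN 1 on DC1
    dc1.write("cn=user2", "v1")          # USN 2 on DC1
    replicate(dc1, dc2)                  # DC2 now records DC1's invocationID at USN 2
    dc1 = image.disk_image()             # DC1 crashes; the image is put back
    if restore_properly:
        dc1.restore_via_api()
    dc1.write("cn=user3", "v1")          # USN 1 again on the rewound database
    try:
        to_dc2 = replicate(dc1, dc2, detect_rollback)
        to_dc1 = replicate(dc2, dc1, detect_rollback)
    except UsnRollback as e:
        return f"replication refused: {e}"
    return {"dc2_got": to_dc2, "dc1_got": to_dc1,
            "dc2_has_user3": "cn=user3" in dc2.objects}


if __name__ == "__main__":
    print("api restore:   ", simulate(True))
    print("image, checked:", simulate(False))
    print("image, blind:  ", simulate(False, detect_rollback=False))
```

With `detect_rollback=False` the model behaves like a DC with no rollback check: user3 never reaches DC2 because DC2 already "knows" that invocation ID past USN 2, while DC1 receives its own pre-crash user2 back from DC2 and will shortly reuse USN 2 for something else. That silent divergence is the "niggling consistency issues" joe warns about; with the check on, the rewound DC is refused instead, which is the detectable failure you want.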
RE: [ActiveDir] best practice?
It sounds like the question is: what is the proper method for adding a new machine (new image, reimage, whatever) to the domain using a NetBIOS name that already exists in the domain?

Reset the machine account and then add the new machine (what Jorge said). In a single site you should have no issues.

-alex

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, May 04, 2005 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

Maybe you should explain a bit more as I still do not understand what you want to achieve!

You have said: "The reason for reimage is for new departmental standards ( look and feel ). " --> this sounds like creating a new configuration and image

You have said: "you want to re-image pc's that are domain members. You want to immediately rejoin domain using same name."

Explain why you want to re-image the EXISTING PCs and rejoin them. How are you thinking to get the new look and feel by doing this?

#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 15:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

You stated:
* When distributing restore the image SYSPREP runs Enter a computername (if it an existing previous computername reset the computer account in AD), join to domain et voila

Computer names will be existing. My original question was do I remove from domain then image and rejoin, or image and reset account. Are you saying to image, reset account then rejoin, and will this work given the site structure?

- Original Message -
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 04, 2005 9:10 AM
Subject: RE: [ActiveDir] best practice?

> OK, let me rephrase that... "don't even think cloning DCs or backing up DCs
> using tools similar to ghost THAT ARE NOT AD AWARE in production
> environments (at least ghost versions 8 and lower are not AD aware... Not
> sure if ghost 9 is AD aware)
>
> New departmental standards... So you want to create a new image to
> "distribute" to the current HW?
>
> * Choose one hardware model to create the image
> * Install the OS and configure accordingly
> * Add drivers for the other HW models you have in your ORG
> * Use the Deployment tools (especially SYSPREP)
> * Create an image of the configuration while it is not joined to the domain
> * When distributing restore the image SYSPREP runs Enter a
> computername (if it an existing previous computername reset the computer
> account in AD), join to domain et voila
>
> The quick and dirty explanation ;-)
>
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Wednesday, May 04, 2005 14:50
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> I was talking about pc's. The reason for reimage is for new departmental
> standards ( look and feel ). I do not have luxury of SMS. Yes, same domain,
> same hardware, same name, just new image. I am having issues with removing,
> pushing new image and rejoining. Some seem to work and others are coming up
> disabled?? Just wanted to ask if anyone is familiar or knows better way.
>
> BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery (
> formerly PowerQuest V2i ). It works wonderfully. I primarily use for
> backups. I have not had to recover a server in production ( and hope I do
> not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.
>
> - Original Message -
> From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
> To:
> Sent: Wednesday, May 04, 2005 2:55 AM
> Subject: RE: [ActiveDir] best practice?
>
> > In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is
> > talking about DCs I agree with Brett -> don't image DCs... Don't even
> > think about it!
> >
> > Concerning imaging DOMAIN MEMBERS and rejoining...
> > I'm not sure what you want to achieve... why do you want to rejoin the
> > computers? Same domain? Other domain? Same HW, Other HW?
> >
> > Cheers,
> > #JORGE#
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Wednesday, May 04, 2005 03:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> >
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> > server. I don't know about members, just adding knowledge about DCs, as I
> > don't think I've ever mentioned it here before.
> >
> > Cheers,
> > -Brett Shirley [msft]
> >
> > as is, caveat emptor, status quo, etc
> >
> > On Tue, 3 May 2005, John Shukovsky Jr wrote:
> >
Re: [ActiveDir] best practice?
That would take considerably longer in my environment. You would have to clean metadata if server was to come back up with same name (that's a minimum 3 hour and maximum 6 hour wait). Build server. Restore data. DC Promo. Reconfigure shares. With

- Original Message -
From: "Phil Renouf" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 04, 2005 10:00 AM
Subject: Re: [ActiveDir] best practice?

On 5/4/05, Joseph L. Casale <[EMAIL PROTECTED]> wrote:
> Exactly, I do it for DR purposes, the old one dies - I reimage it and
> put it back out there.
> No problem...
> jlc

For DR I would prefer to have an Automated Build that would build the server then DCPromo it back up and allow it to replicate. This doesn't take much longer, doesn't require any extra user intervention than a reimaging and is a far better option I think.

Phil

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Solaris authentication
I agree with Al, usually one of the reasons you buy something is so that you can get away from some level of complexity or knowledge of the topic. Building your own setup may seem "Free" but you obviously have all of the people time and your level of support is completely self controlled.

I know of a company that spent over 2 years trying to properly kerberize their *nix clients/hosts and ran into issue after issue after issue due to the multirealm environment alone. Next on the plate was trying to manage all of the different kerb packages for the different platforms and they were simply working with HPUX (multiple revs) and Solaris (multiple revs), they never got to working on the packages for RH, SUSE, AIX, and others they would need.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this.

I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for.

In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things... along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al…….
1. FREE
2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al
RE: [ActiveDir] How to make a user member of Built in Administrat or group
Yep, just be careful, you can get into fun situations since that information has two replication channels, through GPOs and through AD replication. I have seen more than one occasion where an out of sync GPO causes a group membership to bounce back and forth between what the old GPO says and the new GPO says, and in the meanwhile that membership replicating back and forth across the domain.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, May 04, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to make a user member of Built in Administrat or group

You can use Restricted groups on the Built-In Administrator group? I always thought that was intended for the local groups on member servers/desktops, never really thought to see if it applied to DCs as well.

Phil
RE: [ActiveDir] My network sites and GPO
You want to remove shared folders or network drives? I think you want to remove network drives... Put this in the logon script:

net use * /delete /y

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Wednesday, May 04, 2005 3:19 AM
To: Lista ActiveDirectory (ActiveDir@mail.activedir.org)
Subject: [ActiveDir] My network sites and GPO

Hello,

Is it possible to configure "My network sites" for different users? For example, so that in "My network sites" different shared folders appear for different users. Also, could I remove all shared folders at the beginning of a script...? The reason for this is that there aren't enough letters to map network drives to do something with our users. Is this possible with a GPO? We have in the company a W2000 server as a Domain Controller.

Thanks,
Sergio S. T.
RE: [ActiveDir] Solaris authentication
An alternative is to slap the machine you are curious about onto a hub with your sniffing device. In fact my test machines tend to live on hubs specifically so I can do that.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, May 04, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Solaris authentication

Douglas

You have to configure your switch so that the port that your monitoring box is connected to receives all the packets that interest you. In the Alcatel switch we have this is called mirroring. You probably will need to do this before you can start sniffing as otherwise you will only see packets directed towards your NIC. I believe it is no longer necessary to put your NIC in promiscuous mode as Ethereal (or others..) will do this when you set it up.
RE: [ActiveDir] Solaris authentication
Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password.

I will also take a look at netmon

Thanks for your comments all
RE: [ActiveDir] GPO not applied - thinks it is empty
Thanks Darren-

I ran the gpotool as you suggested. As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect?

Thanks,
Brenda
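The check Darren describes, comparing the gpt.ini Version in each DC's SYSVOL against the versionNumber attribute on the GPC object, can be scripted; the example below is an added illustration for this thread (not gpotool and not Microsoft code) that works on constructed gpt.ini contents and a constructed versionNumber. The packing it relies on is the documented one: the user-settings counter lives in the high 16 bits and the computer-settings counter in the low 16 bits, which is why gpotool prints two numbers per version.

```python
"""Compare a GPO's versionNumber in AD with the gpt.ini Version on each DC's
SYSVOL copy, and flag the computer-side-zero case that makes clients treat the
computer half of the GPO as empty. Added example, not gpotool or Microsoft code."""
import configparser


def split_version(version):
    """versionNumber / gpt.ini Version pack two 16-bit change counters:
    user settings in the high word, computer settings in the low word."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text):
    """Return the integer Version from the [General] section of a gpt.ini body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp.getint("General", "Version")


def check_gpo(ad_version_number, gpt_ini_by_dc):
    """Per DC: {"user", "computer", "status", "notes"} comparing SYSVOL to AD."""
    ad_user, ad_computer = split_version(ad_version_number)
    report = {}
    for dc, text in gpt_ini_by_dc.items():
        sysvol_version = parse_gpt_ini(text)
        user, computer = split_version(sysvol_version)
        notes = []
        if sysvol_version == ad_version_number:
            status = "in sync"
        else:
            status = "sysvol mismatch"
            notes.append(f"AD says user={ad_user} computer={ad_computer}, "
                         f"SYSVOL on {dc} says user={user} computer={computer}")
        if computer == 0:
            notes.append("computer-side version is 0: clients reading this DC "
                         "will treat the computer half of the GPO as empty")
        report[dc] = {"user": user, "computer": computer,
                      "status": status, "notes": notes}
    return report


# Constructed sample: AD holds versionNumber 37 (user 0, computer 37). DC1's
# SYSVOL copy is current; DC2 still has the gpt.ini from before any edits.
AD_VERSION_NUMBER = 37
SYSVOL_GPT_INI = {
    "DC1": "[General]\r\nVersion=37\r\ndisplayName=New Group Policy Object\r\n",
    "DC2": "[General]\r\nVersion=0\r\ndisplayName=New Group Policy Object\r\n",
}

if __name__ == "__main__":
    for dc, r in check_gpo(AD_VERSION_NUMBER, SYSVOL_GPT_INI).items():
        print(dc, r["status"], f"user={r['user']} computer={r['computer']}",
              *r["notes"], sep="\n  ")
```

In a real run you would read `\\<dc>\SYSVOL\<domain>\Policies\{<GPO GUID>}\gpt.ini` from every DC and the `versionNumber` attribute from the GPC object under `CN=Policies,CN=System` in the domain partition; a DC whose SYSVOL copy lags (as DC2 does here) is exactly the kind of stale replica that makes a client report the GPO as empty.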
RE: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?
Dell GX-270s have a defective capacitor and are dying all over the world. Replace the system board.

-Z.V.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: Wednesday, May 04, 2005 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

Hello all,

Having spent two days poking this problem I am throwing myself on the group's mercy.

Windows XP SP1 computer joined to domain, much like its 300 brothers and sisters, decides one day that winlogon.exe should take 50%, or rather 100%, of one of the Dell GX270 hyper threading virtual processors; constant high CPU utilization makes the fans ramp up and turns a nice box into a loud evil box. With winlogon using all the processor the box shows symptoms of having broken WINS: no NetBIOS name resolution, can not find file shares etc., which also creates event IDs 1030 and 1058 as the group policy objects can not be found. Example:

Windows cannot access the file gpt.ini for GPO CN={-0**2-4B**-B3F6-7B*8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**. The file must be present at the location <\\ad.***.**.**\SysVol\ad..**.**\Policies\{***-***-***-***-}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted

While in this confused state the box will also not shutdown clean and has to be POPO'd.

The obvious malware lines of investigation have proved fruitless; ad-aware did find some bits but this has not resolved the problem. The winlogon has been verified as being in the right location and has not been switched with another version. The fact that the box is a Dell Gx270 with a Gigabit card also made me think that MS Article 840669 with the group policy not starting due to the race condition might have helped but again zip. Virus protection is installed and maintained and returns no nasties. The Intel 1000 gigabit card has had its drivers updated and still nadda. I even disabled the built in card and installed a 3com 10 Mb NIC and that exhibited the same trouble.

The curious thing, and what is driving me absolutely nuts, is that if the computer is removed from the domain and returned to a workgroup the problem persists until you change the way users logon and use the welcome screen with fast user switching; it has to be both using the welcome screen and fast user switching. This puts the box back on its feet: winlogon behaves and the network drives can once again be accessed.

We have seen this twice before on separate computers but have not paid it too much attention; rebuilds of the computers have fixed the problem. As this is something which keeps raising its ugly head I think I need to try and get a good handle on it. The fact that there are so many other unaffected boxes makes me think that it is a software conflict on the client. What I don't get is why it can be turned on and off with the fast user switching?

If I didn't need the box to be in AD I would leave it as is, fast user switching enabled, and slip into a dark cave and put this down to gremlins, but that's not an option, and I am very nervous that more boxes could start playing up too...

~cheers
Gary
RE: [ActiveDir] Solaris authentication
Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?
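Two things in this thread come down to the same audit question: Al's advice to look at what the Sun hosts send to tcp 389, because an LDAP simple bind that you can read, anyone capturing the segment can read, and Douglas's telnet password showing up in Ethereal. The example below is an added illustration (not code from the list, and not a substitute for Ethereal or Netmon) of what that audit looks like once the capture is in hand: it walks the BER encoding of an LDAP BindRequest far enough to tell a simple bind (password in the clear) from a SASL bind, treats a TLS record header as opaque whatever the port, and flags a telnet session. The packets in `SAMPLE_CAPTURE` are constructed here, as are the host names, DN and password.

```python
"""Audit packet records for credentials that travel in the clear: LDAP simple
binds on tcp/389 and telnet sessions. Added example for this thread; the
records below are constructed, a real run would take them from a capture."""


def ber(tag, content):
    """Encode one BER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _tlv(buf, pos):
    """Decode one BER TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def simple_bind(message_id, dn, password):
    """Construct an LDAPv3 BindRequest with simple (cleartext) authentication."""
    op = ber(0x02, b"\x03") + ber(0x04, dn.encode()) + ber(0x80, password.encode())
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x60, op))


def sasl_bind(message_id, mechanism):
    """Construct a BindRequest using a SASL mechanism (no password field)."""
    op = ber(0x02, b"\x03") + ber(0x04, b"") + ber(0xA3, ber(0x04, mechanism.encode()))
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x60, op))


def parse_bind_request(payload):
    """Decode LDAPMessage{messageID, BindRequest{version, name, auth}};
    return a dict, or None if the payload is not a BindRequest."""
    try:
        tag, msg, _ = _tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, msg_id, p = _tlv(msg, 0)
        op_tag, op, _ = _tlv(msg, p)
        if tag != 0x02 or op_tag != 0x60:          # 0x60 = [APPLICATION 0] BindRequest
            return None
        _, version, p = _tlv(op, 0)
        _, name, p = _tlv(op, p)
        auth_tag, auth, _ = _tlv(op, p)
    except IndexError:
        return None
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"), "name": name.decode()}
    if auth_tag == 0x80:                           # [0] simple: the password itself
        info["auth"], info["credential_bytes"] = "simple", len(auth)
    elif auth_tag == 0xA3:                         # [3] sasl: SaslCredentials
        info["auth"] = "sasl/" + _tlv(auth, 0)[1].decode()
    else:
        info["auth"] = f"tag 0x{auth_tag:02x}"
    return info


def classify(packet):
    """One-line finding for a record {"src", "dport", "payload"}."""
    payload, port = packet["payload"], packet["dport"]
    if payload[:2] == b"\x16\x03":                 # TLS record header
        return "encrypted: TLS record (LDAPS, or StartTLS already negotiated)"
    if port == 23:
        return "CLEARTEXT: telnet session, everything typed is readable"
    bind = parse_bind_request(payload)
    if bind and bind["auth"] == "simple":
        return (f"CLEARTEXT: LDAP simple bind as {bind['name']} on tcp/{port} "
                f"exposes the {bind['credential_bytes']}-byte password")
    if bind:
        return f"ok: LDAP {bind['auth']} bind, password not on the wire"
    return "unclassified"


def audit(capture):
    return [f"{p['src']} -> tcp/{p['dport']}: {classify(p)}" for p in capture]


# Constructed capture covering the four cases an auditor needs to tell apart.
SAMPLE_CAPTURE = [
    {"src": "sun01", "dport": 389,
     "payload": simple_bind(1, "cn=ldapproxy,cn=Users,dc=example,dc=test", "constructed-secret")},
    {"src": "sun01", "dport": 389, "payload": sasl_bind(2, "GSSAPI")},
    {"src": "sun02", "dport": 636, "payload": b"\x16\x03\x01\x00\x2f" + bytes(47)},
    {"src": "ws07", "dport": 23, "payload": b"jdoe\r\n"},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_CAPTURE), sep="\n")
```

The classifier deliberately reports only the DN and the length of the credential, never its bytes; the point of the audit is to show that the password is there, not to collect it. A simple bind on 389 has exactly the remediation Al names (LDAPS, StartTLS or IPsec), which is why a payload starting with a TLS record header is treated as protected regardless of port, while a SASL/GSSAPI bind on 389 is fine because the Kerberos exchange never puts the password on the wire.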
RE: [ActiveDir] Account activation and password setting using PHP/LDAPS
Start here http://support.microsoft.com/Default.aspx?kbid=269190 Short form. Yeah it should be possible.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie Sent: Wednesday, May 04, 2005 10:19 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Account activation and password setting using PHP/LDAPS

Hello everybody Our windows 2003 server is configured with LDAPS (port 636). I would like to know if it's possible to set an account password and activate the account from another server using PHP (apache/redhat). I read that it's not possible to activate an account in this way. What do you know about this ? Many thanks Olivier List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't cheapen my job, I can close the door too. I didn't proof read the Running DCs in a Virtual Server 2005 doc. I happen to know that it doesn't insist on turning off the host systems disk cache, so _I_ won't be debugging a confluence of lost flushes or USN rollbacks in that environment. The KB was written earlier than the DCs on VirtServer2005 doc. I personally like the KB as it is, but obviously as you point out they're incongruous. Keep in mind there are plenty of ways to shoot yourself in the foot, with VPCs ... all based off the idea of improper backup/restore/imaging of AD data ... things that come off the top of my head: - diff disks could very easily be deadly, - and in the cases of VPCs, when a VPC is shutdown, even xcopy (on the host system) is then a deadly piece of "imaging" type software. - the same thing even applies outside of VPCs, just a DC in DSRM, has an unprotected DIT and log files, copying those out, and then back in later, would qualify as something that can cause USN rollback. Cheers, -BrettSh [msft] Building 7 Garage Door Operator ... ostensibly the Garage Door Operator with the most knowledge of the ESE and AD database internals ...

On Wed, 4 May 2005, Al Mulnick wrote: > Interesting, Mr Garage Door Opener. Perhaps some rewording is needed to > make this and these other docs consistent? Or am I reading into this? > > > "The following operations are not supported: > ...2. Starting an Active Directory domain controller whose operating > system resides in a virtualized hosting environment such as Microsoft > Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE " > > http://www.support.microsoft.com/kb/897614/ > > > http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4 > 209-8ed2-e261a117fc6b&displaylang=en > > > I'm just so confused. ;) > > -ajm > > "Chief, Cook, and Bottle-Washer" > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Wednesday, May 04, 2005 6:30 AM > To: ActiveDir@mail.activedir.org > Cc: Joseph L. Casale > Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?) > > "That is soo not right." (Mean Girls movie reference, at Halloween > party) > > You should take a look at this: > http://support.microsoft.com/?kbid=885875 > > I sincerely hope you don't have USN rollback or divergent replicas, but > I think it is likely if you are actually imaging dcpromo'd DCs. > > Just curious, for imaging what are you using? Ghost? Are you just > restoring images? Are you using the images to build additional DCs for > load? > > > In Win2k3 SP1 and a hot fix post Win2k SP4, will in fact stop DCs from > replicating if it detects such a condition (but it is not always > guaranteed it will be able to detect the condition), to attempt to > contain the damage. > > Also note, b/c I'm not sure the KB is clear about divergent replicas ... > just because things are replicating currently, or there are no apparent > current USN rollbacks ... does NOT mean you weren't once in the past > afflicted with USN rollback, and now you've gotten past it, and instead > are simply afflicted with divergent replicas (worse than USN rollback in > ways). You might try to use (_I think_) dsastat to run through all the > objects on your DCs in a pair-wise fashion to find differences. > > Cheers, > Brett Shirley [msft] > Building 7 Garage Door Operator, so what do I know ... > > This posting is provided "AS IS" with no warranties, and confers no > rights. > > > On Tue, 3 May 2005, Joseph L. Casale wrote: > > > Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms > > built in to get it back up to par... > > jlc > > > > -Original Message- > > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > > Sent: Tuesday, May 03, 2005 7:08 PM > > To: ActiveDir@mail.activedir.org > > Subject: Re: [ActiveDir] best practice? > > > > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or > > ADAM server. I don't know about members, just adding knowledge about > > > DCs, as I don't think I've ever mentioned it here before. > > > > Cheers, > > -Brett Shirley [msft] > > > > as is, caveat emptor, status quo, etc > > > > > > > > On Tue, 3 May 2005, John Shukovsky Jr wrote: > > > > > Hello all, > > > > > > Question, you want to re-image pc's that are domain members. You > > > want > > to immediately rejoin domain using same name. Site is single W2k DC/GC > > > on 3 hour replication cycle with fsmo holders. > > > > > > Should you remove from domain, image and rejoin or just image rejoin > > and reset computer account? Would either of these ways work given site > > > setup? > > > > > > Any input appreciated. > > > > > > John Shukovsky Jr > > > Network Administrator > > > NJ Department of Human Services
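The mechanics behind Brett's warning (why an image restore rolls USNs back and why partners then silently stop pulling, why a supported restore does not, and why the SP1-era detection can miss it) are easier to see in a toy model than in prose. The following is an added example written for this page, not Microsoft code or a description of the real replication engine: it models only the interplay of a replica's USN counter, its invocationID and a partner's high-watermark, and it leaves out up-to-dateness vectors and the back-replication of changes the restored DC lost. DC names, the object names and the sequence of writes are constructed.

```python
# Added example, not from the thread: a deliberately simplified model of why
# restoring a DC from a disk image diverges replicas while a supported
# (system-state) restore does not. Real AD keeps far more state; only the
# USN / invocationID / high-watermark interplay is modelled here.
import copy
import itertools

_ids = itertools.count(1)


class DC:
    def __init__(self, name):
        self.name = name
        self.invocation_id = next(_ids)  # identity of this DC's USN sequence
        self.usn = 0                     # highest committed USN on this replica
        self.log = {}                    # usn -> (object, value) originated here
        self.objects = {}
        self.watermark = {}              # partner invocation_id -> highest USN pulled

    def write(self, obj, value):
        self.usn += 1
        self.log[self.usn] = (obj, value)
        self.objects[obj] = value
        return self.usn

    def snapshot(self):
        return copy.deepcopy((self.usn, self.log, self.objects))

    def restore_from_image(self, snap):
        # Ghost/xcopy/VM snapshot: the database goes back in time, nothing
        # else changes, so partners keep their old watermark for this DC.
        self.usn, self.log, self.objects = copy.deepcopy(snap)

    def restore_supported(self, snap):
        # NTBackup system-state restore: same data, but the DSA gets a new
        # invocationID, so partners treat it as a brand-new USN sequence.
        self.restore_from_image(snap)
        self.invocation_id = next(_ids)

    def pull_from(self, src):
        """Request every change from src with USN above our watermark."""
        hw = self.watermark.get(src.invocation_id, 0)
        new = [u for u in sorted(src.log) if u > hw]
        for u in new:
            obj, val = src.log[u]
            self.objects[obj] = val
        if new:
            self.watermark[src.invocation_id] = new[-1]
        return len(new)


def rollback_detected(dc, partner):
    """The Win2k3 SP1-style check: a partner claims to have already seen a
    higher USN from this invocationID than the DC has committed."""
    return partner.watermark.get(dc.invocation_id, 0) > dc.usn


def run(supported_restore):
    a, b = DC("DC-A"), DC("DC-B")
    a.write("user1", "v1")
    b.pull_from(a)
    snap = a.snapshot()                 # image taken at USN 1
    a.write("user1", "v2")
    a.write("user2", "v1")
    b.pull_from(a)                      # B has now pulled A's USNs up to 3
    if supported_restore:
        a.restore_supported(snap)
    else:
        a.restore_from_image(snap)
    detected_at_restore = rollback_detected(a, b)
    a.write("user3", "v1")              # reuses USN 2 under the old invocationID
    a.write("user1", "v3")              # reuses USN 3
    pulled = b.pull_from(a)
    return {
        "detected_at_restore": detected_at_restore,
        "detected_after_writes": rollback_detected(a, b),
        "pulled": pulled,
        "b_has_user3": "user3" in b.objects,
        "user1_on_b": b.objects["user1"],
        "user1_on_a": a.objects["user1"],
    }


if __name__ == "__main__":
    print("image restore:    ", run(False))
    print("supported restore:", run(True))
```

With the image restore, B's watermark for A is 3, A's new writes land on USNs 2 and 3 again, and B never asks for them: user3 never reaches B and user1 differs on the two replicas, which is the "divergent replicas" state Brett describes. The rollback check fires right after the restore (watermark 3 > USN 1) but not once A has written past USN 3 again, which is the window in which the real check can also miss it. With the supported restore the new invocationID resets B's watermark and everything after the restore replicates.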
RE: [ActiveDir] Solaris authentication
An alternative is to slap the machine you are curious about onto a hub with your sniffing device. In fact my test machines tend to live on hubs specifically so I can do that. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop Sent: Wednesday, May 04, 2005 8:43 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Solaris authentication

Douglas You have to configure your switch so that the port that your monitoring box is connected to receives all the packets that interest you. In the Alcatel switch we have this is called mirroring. You probably will need to do this before you can start sniffing as otherwise you will only see packets directed towards your NIC. I believe it is no longer necessary to put your NIC in promiscuous mode as Ethereal (or others..) will do this when you set it up.
RE: [ActiveDir] How to make a user member of Built in Administrator group
Yep, just be careful, you can get into fun situations since that information has two replication channels, through GPOs and through AD replication. I have seen more than one occasion where an out of sync GPO causes a group membership to bounce back and forth between what the old GPO says and the new GPO says and in the meanwhile that membership replicating back and forth across the domain. joe

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf Sent: Wednesday, May 04, 2005 9:31 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] How to make a user member of Built in Administrator group

You can use Restricted groups on the Built-In Administrator group? I always thought that was intended for the local groups on member servers/desktops never really thought to see if it applied to DCs as well. Phil List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] best practice?
Brett, What is your basis for not being able to restore a DC from a image? If the DC has an old copy of the directory data, it will check its USN's and update its copy. What could cause havoc if anything? We are about to institute this very same concept here to turn DR into a 10 minute process when it comes to operating system recovery. We will image the servers monthly and restore from said image whenever one crashes. What could cause a problem by restoring a DC, it will be timestamped to be old and AD will synchronize it with the rest of the domain. Please elaborate on your basis for comment. Nathaniel Bahta

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley Sent: Wednesday, May 04, 2005 11:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] best practice?

jlc, You can't restore a single DC via an image based backup, either. It is not supported, it is not allowed ... it is bad mojo. Well, it wouldn't cause issues if the forest had ONLY that one DC (seems unlikely the case), or for a multi-DC forest, you'd have to shutdown all the DCs in the forest at the same time, when you took your backup images. And then on restore, restore them all at the same time. Basically a pretty infeasible suggestion. Cheers, -Brett Shirley [msft] This posting is provided "AS IS" with no warranties, and confers no rights.

On Wed, 4 May 2005, Joseph L. Casale wrote: > Exactly, I do it for DR purposes, the old one dies - I reimage it and > put it back out there. > No problem... > jlc > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf > Sent: Wednesday, May 04, 2005 7:01 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] best practice? > > On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote: > > BUT as for DC's. I do "image" dc's using Symantec Livestate > > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I > > primarily use for backups.
I have not had to recover a server in > > production ( and hope I do not have to ) but I have in lab 10+ times > and servers are as clean as ever. > > You should take a look. > > When Brett mentioned imaging DCs being a bad idea and to never ever do > it I believe that he was meaning don't Image a DC and try to use that > Image to build other new DCs and just trying to change the SID like > you would for a desktop. Bad idea! > > Phil > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Solaris authentication
I agree with Al, usually one of the reasons you buy something is so that you can get away from some level of complexity or knowledge of the topic. Building your own setup may seem "Free" but you obviously have all of the people time and your level of support is completely self controlled. I know of a company that spent over 2 years trying to properly kerberize their *nix clients/hosts and ran into issue after issue after issue due to the multirealm environment alone. Next on the plate was trying to manage all of the different kerb packages for the different platforms and they were simply working with HPUX (multiple revs) and Solaris (multiple revs), they never got to working on the packages for RH, SUSE, AIX, and others they would need. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, May 04, 2005 9:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

Two things: "As far as REQs Al……. 1. FREE 2. Add little complexity" These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :) As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection. -ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, May 03, 2005 10:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)? As far as REQs Al……. 1. FREE 2. Add little complexity Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, May 03, 2005 7:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL. I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO. Al
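Al's test ("if you can read the traffic, so can others") is decidable from the first few bytes of the bind on tcp/389, because an LDAP simple bind carries the DN and password as plain BER octet strings. The following is an added example written for this page, not code from the thread or from Ethereal/Netmon: a minimal BER decoder for LDAPMessage/BindRequest that reports whether a bind is a simple bind (password visible) or a SASL bind (only the mechanism name is visible; the token itself is a Kerberos/NTLM blob). The packets it parses are constructed by its own encoder, not captured from a Sun host; on port 636 the same bytes sit inside TLS and this decoder would see nothing.

```python
# Added example, not from the thread: decode LDAP BindRequest messages the
# way a sniffer on tcp/389 would see them, and flag the simple binds whose
# DN and password travel in clear. Sample packets are constructed below.


def _ber(tag, body):
    """Encode one BER TLV with a definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(n):
    """BER INTEGER; the extra byte keeps values >= 0x80 positive."""
    return _ber(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_simple_bind(msg_id, dn, password):
    # BindRequest ::= [APPLICATION 0] { version, name, authentication simple [0] }
    op = _int(3) + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _int(msg_id) + _ber(0x60, op))


def encode_sasl_bind(msg_id, mechanism, credentials=b""):
    # authentication sasl [3] SaslCredentials { mechanism, credentials }
    sasl = _ber(0x04, mechanism.encode()) + _ber(0x04, credentials)
    op = _int(3) + _ber(0x04, b"") + _ber(0xA3, sasl)
    return _ber(0x30, _int(msg_id) + _ber(0x60, op))


def parse_bind(packet):
    """Describe a BindRequest; return None for any other LDAP operation."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:
        return None
    _, mid, pos = _tlv(msg, 0)
    tag, op, _ = _tlv(msg, pos)
    if tag != 0x60:                      # [APPLICATION 0] = BindRequest
        return None
    _, ver, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)
    atag, auth, _ = _tlv(op, pos)
    out = {"messageID": int.from_bytes(mid, "big"), "version": ver[-1],
           "name": name.decode("utf-8", "replace")}
    if atag == 0x80:                     # simple [0]: cleartext password
        out["auth"] = "simple"
        out["password"] = auth.decode("utf-8", "replace")
    elif atag == 0xA3:                   # sasl [3]: mechanism + opaque token
        _, mech, _ = _tlv(auth, 0)
        out["auth"] = "sasl"
        out["mechanism"] = mech.decode("ascii", "replace")
    else:
        out["auth"] = "unknown"
    return out


def cleartext_binds(packets):
    """What an observer on the wire learns from a list of LDAP packets."""
    found = []
    for pkt in packets:
        b = parse_bind(pkt)
        if b and b["auth"] == "simple":
            found.append((b["name"], b["password"]))
    return found


if __name__ == "__main__":
    # Constructed sample: one simple bind from a service account, one
    # GSS-SPNEGO bind (token omitted), one UnbindRequest.
    sample = [
        encode_simple_bind(1, "cn=svc-ldap,cn=Users,dc=example,dc=com", "hunter2"),
        encode_sasl_bind(2, "GSS-SPNEGO"),
        b"\x30\x05\x02\x01\x03\x42\x00",
    ]
    for entry in sample:
        print(parse_bind(entry))
    print("exposed:", cleartext_binds(sample))
```

In Ethereal the same information is the `ldap.bindRequest_element` dissection of the first packet after the TCP handshake; the point of decoding it by hand is to see that nothing in the simple bind is encoded beyond BER framing, so "sending to port 389 without TLS/IPSec" and "password on the wire" are the same statement.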
RE: [ActiveDir] My network sites and GPO
You want to remove shared folders or network drives? I think you want to remove network drives... Put this in the logon script net use * /delete /y

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo Sent: Wednesday, May 04, 2005 3:19 AM To: Lista ActiveDirectory (ActiveDir@mail.activedir.org) Subject: [ActiveDir] My network sites and GPO

Hello, is it possible to configure "My network sites" for different users? For example, that in "My network sites" different shared folders appear for different users; also, could I remove all shared folders at the beginning of a script...? The reason for this is that there aren't enough letters to map network drives to do something with our users. Is this possible with a GPO? We have in the company a W2000 server as a Domain Controller. Thanks, Sergio S. T.
[ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?
Hello all, Having spent two days poking this problem I am throwing myself on the groups mercy. Windows XP SP1 computer joined to domain much like its 300 brothers and sisters decides one day that winlogon.exe should take 50% or rather 100 % of one of the Dell GX270 hyper threading virtual processors, constant high cpu utilization makes the fans ramp up and turns a nice box into a loud evil box. With winlogon using all the processor the box shows symptoms of having broken WINS no Netbios name resolution, can not find file shares etc which also creates event id of 1030 and 1058 as the group policy objects can not be found.

Example: Windows cannot access the file gpt.ini for GPO CN={-0**2-4B**-B3F6-7B*8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**. The file must be present at the location <\\ad.***.**.**\SysVol\ad..**.**\Policies\{***-***-***-***-}\gpt.ini>. (The network path was not found. ). Group Policy processing aborted

While in this confused state the box will also not shutdown clean and has to be POPO'd. The obvious malware lines of investigation have proved fruitless ad-aware did find some bits but this has not resolved the problem. The winlogon has been verified as being in the right location and has not been switched with another version. The fact that the box is a Dell Gx270 with a Gigabit card also made me think that MS Article 840669 with the group policy not starting due to the race condition might have helped but again zip. Virus protection is installed and maintained and returns no nasties. The Intel 1000 gigabit card has had its drivers updated and still nada. I even disabled the built in card and installed a 3com 10 Mb NIC and that exhibited the same trouble.

The curious thing and what is driving me absolutely nuts is that if the Computer is removed from the domain and returned to a workgroup the problem persists until you change the way users logon and use the welcome with the fast user switching, it has to be both using the welcome screen and fast user switching, this puts the box back on its feet. Winlogon behaves and the network drives can once again be accessed. We have seen this twice before on separate computers but have not paid it too much attention. Rebuilds of the Computers have fixed the problem, as this is something which keeps raising its ugly head I think I need to try and get a good handle on it, the fact that there are so many other unaffected boxes makes me think that it is a software conflict on the client. What I don't get is why it can be turned on and off with the fast user switching? If I didn't need the box to be in AD I would leave it as is fast user switching enabled and slip into a dark cave and put this down to gremlins but that's not an option, and I am very nervous that more boxes could start playing up too... ~cheers Gary
RE: [ActiveDir] Solaris authentication
I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it. Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password. I will also take a look at netmon Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Wednesday, May 04, 2005 9:21 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

Two things: "As far as REQs Al……. 1. FREE 2. Add little complexity" These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :) As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess. To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection. -ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, May 03, 2005 10:30 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)? As far as REQs Al……. 1. FREE 2. Add little complexity Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Tuesday, May 03, 2005 7:11 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL. I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement. I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO. Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Tuesday, May 03, 2005 3:20 AM To
[ActiveDir] Slightly OT: Preserve folder timestamps on file server restore?
We're doing some DR practice, and have run into an issue that I can't seem to get around. Scenario: W2K departmental file server. Have good backup, BackupExec 9.1. Need to restore all data files to different hdw. Problem: Restore works fine; all files and folders present and accounted for, but folder timestamps all change to current date and time. Need to maintain existing folder timestamps. File timestamps OK, but not folders. This will impact ability to sort folder list by age as needed by some business groups. I have tried BE, NTBackup, xcopy, and robocopy. All of them change the folder timestamp. I have not tried FRS to maintain a mirror, mainly because this one file server has 25gb of data on it, and the goal is to be able to restore, not maintain a duplicate. Any ideas how to preserve the timestamps on the folders? Thanks! ** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 ** List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] best practice?
jlc, You can't restore a single DC via an image based backup, either. It is not supported, it is not allowed ... it is bad mojo. Well, it wouldn't cause issues if the forest had ONLY that one DC (seems unlikely the case), or for a multi-DC forest, you'd have to shutdown all the DCs in the forest at the same time, when you took your backup images. And then on restore, restore them all at the same time. Basically a pretty infeasible suggestion. Cheers, -Brett Shirley [msft] This posting is provided "AS IS" with no warranties, and confers no rights.

On Wed, 4 May 2005, Joseph L. Casale wrote: > Exactly, I do it for DR purposes, the old one dies - I reimage it and > put it back out there. > No problem... > jlc > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf > Sent: Wednesday, May 04, 2005 7:01 AM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] best practice? > > On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote: > > BUT as for DC's. I do "image" dc's using Symantec Livestate > > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I > > primarily use for backups. I have not had to recover a server in > > production ( and hope I do not have to ) but I have in lab 10+ times > and servers are as clean as ever. > > You should take a look. > > When Brett mentioned imaging DCs being a bad idea and to never ever do > it I believe that he was meaning don't Image a DC and try to use that > Image to build other new DCs and just trying to change the SID like you > would for a desktop. Bad idea! > > Phil > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] GPO not applied - thinks it is empty
Brenda- This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you. Darren

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Wednesday, May 04, 2005 7:21 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there. Thanks, Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Tuesday, May 03, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed.
I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect? Thanks, Brenda
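The check Darren describes (gpt.ini Version= on each DC's SYSVOL copy against the versionNumber attribute on the GPC object, with the computer half looked at separately) can be done by hand when gpotool is not to hand. The following is an added example written for this page, not gpotool and not code from the thread: it splits the packed 32-bit version into its user and computer halves and reports which DC is serving a stale or computer-side-zero gpt.ini. The DC names and version values are constructed.

```python
# Added example, not from the thread: the consistency check Darren describes,
# done by hand. versionNumber on the GPC object and Version= in gpt.ini hold
# the same packed 32-bit value: low 16 bits = computer side, high 16 bits =
# user side. Sample inputs are constructed; DC names and values are placeholders.


def split_version(version: int):
    """Return (user_version, computer_version) from the packed 32-bit value."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Pull the Version= value out of a gpt.ini file body."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "version":
            return int(value.strip())
    raise ValueError("gpt.ini has no Version= line")


def check_gpo(gpc_version_number: int, gpt_ini_by_dc: dict) -> list:
    """Compare the AD-side version with each DC's SYSVOL copy and flag the
    cases that make a client treat the computer side as empty."""
    problems = []
    ad_user, ad_computer = split_version(gpc_version_number)
    if ad_computer == 0:
        problems.append("AD: computer-side version is 0")
    for dc, text in gpt_ini_by_dc.items():
        v = parse_gpt_ini(text)
        user, computer = split_version(v)
        if v != gpc_version_number:
            problems.append(
                "%s: gpt.ini Version=%d (user %d, computer %d) differs from "
                "AD versionNumber %d (user %d, computer %d)"
                % (dc, v, user, computer, gpc_version_number, ad_user, ad_computer))
        if computer == 0:
            problems.append("%s: computer-side version is 0" % dc)
    return problems


# Constructed sample: three computer-side changes and one user-side change
# were made in the GPO editor (versionNumber 0x00010003 = 65539); DC2 still
# serves a SYSVOL copy from before the computer-side edits reached it.
SAMPLE_GPC_VERSION = 65539
SAMPLE_GPT_INI = {
    "DC1": "[General]\r\nVersion=65539\r\n",
    "DC2": "[General]\r\nVersion=65536\r\n",
}

if __name__ == "__main__":
    for problem in check_gpo(SAMPLE_GPC_VERSION, SAMPLE_GPT_INI):
        print(problem)
```

A client that happens to hit DC2 for SYSVOL reads a computer-side version of 0 and skips the startup script exactly as gpresult reported, while the AD object and DC1 look fine; that is why the check has to be run per DC rather than once.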
[ActiveDir] GPO not applied - thinks it is empty
I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty. I can manually open the GPO and see my startup script is there. Thanks, Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey Sent: Tuesday, May 03, 2005 3:04 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy. These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately. When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed. I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:. Could 1 out of 30 dc's be causing the problem, or is there something else I am missing? How long should it take, before the policy takes effect? Thanks, Brenda
[ActiveDir] Account activation and password setting using PHP/LDAPS
Hello everybody,

Our Windows 2003 server is configured with LDAPS (port 636). I would like to know if it's possible to set an account password and activate the account from another server using PHP (Apache/Red Hat). I read that it's not possible to activate an account this way. What do you know about this?

Many thanks,
Olivier

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] 2003 Domain Rename Tool
For starters... read the docs on domain rename! I have done this in a test environment and it was fun to see it. It was also one hell of a procedure!!! A domain rename impacts your complete AD forest and for a moment your environment is NOT available!!! Domain rename is not possible in some scenarios, like when you have Exchange 2003 SP0 and lower. Only E2k3 SP1 supports domain rename.

My tip: create a test environment that's a representative model of your production env. and test test test test plan plan plan test plan

Cheers,
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Wednesday, May 04, 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Domain Rename Tool

Has anyone used the Active Directory Domain Rename tool and if so what experiences did you have? I would like to rename our NetBIOS name; we aren’t using NetBIOS at all yet we see it every time we logon.

Thanks
Steven Wood
Network Manager
Oldham Sixth Form College

---
This email is from Oldham Sixth Form College, but expresses the views of the sender and not necessarily the views of the college. The email and any files transmitted with it are confidential to the intended recipient at the e-mail address to which it has been addressed. It may not be disclosed or used by any other than that addressee, nor may it be copied in any way. If received in error, please notify [EMAIL PROTECTED] quoting the name of the sender. This message has been scanned for viruses by F-Secure Anti-Virus. Please note that we cannot accept any responsibility for any transmitted viruses. It is, therefore, your responsibility to scan attachments (if any).

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
RE: [ActiveDir] best practice?
Maybe you should explain a bit more as I still do not understand what you want to achieve!

You have said: "The reason for reimage is for new departmental standards ( look and feel )."
--> this sounds like creating a new configuration and image

You have said: "you want to re-image pc's that are domain members. You want to immediately rejoin domain using same name."

Explain why you want to re-image the EXISTING PCs and rejoin them. How are you thinking to get the new look and feel by doing this?

#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 15:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

You stated:

* When distributing restore the image SYSPREP runs Enter a computername (if it an existing previous computername reset the computer account in AD), join to domain et voila

Computer names will be existing. My original question was do I remove from domain then image and rejoin, or image and reset account. Are you saying to image, reset account then rejoin, and will this work given the site structure?

----- Original Message -----
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
Sent: Wednesday, May 04, 2005 9:10 AM
Subject: RE: [ActiveDir] best practice?

> OK, let me rephrase that... "don't even think cloning DCs or backing up DCs using tools similar to ghost THAT ARE NOT AD AWARE in production environments (at least ghost versions 8 and lower are not AD aware... Not sure if ghost 9 is AD aware)
>
> New departmental standards... So you want to create a new image to "distribute" to the current HW?
>
> * Choose one hardware model to create the image
> * Install the OS and configure accordingly
> * Add drivers for the other HW models you have in your ORG
> * Use the Deployment tools (especially SYSPREP)
> * Create an image of the configuration while it is not joined to the domain
> * When distributing restore the image SYSPREP runs Enter a computername (if it an existing previous computername reset the computer account in AD), join to domain et voila
>
> The quick and dirty explanation ;-)
>
> #JORGE#
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Wednesday, May 04, 2005 14:50
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> I was talking about pc's. The reason for reimage is for new departmental standards ( look and feel ). I do not have luxury of SMS. Yes, same domain, same hardware, same name, just new image. I am having issues with removing, pushing new image and rejoining. Some seem to work and others are coming up disabled?? Just wanted to ask if anyone is familiar or knows better way.
>
> BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery ( formerly PowerQuest V2i ). It works wonderfully. I primarily use for backups. I have not had to recover a server in production ( and hope I do not have to ) but I have in lab 10+ times and servers are as clean as ever. You should take a look.
>
> ----- Original Message -----
> From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
> Sent: Wednesday, May 04, 2005 2:55 AM
> Subject: RE: [ActiveDir] best practice?
>
> > In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is talking about DCs I agree with Brett -> don't image DCs... Don't even think about it!
> >
> > Concerning imaging DOMAIN MEMBERS and rejoining...
> > I'm not sure what you want to achieve... why do you want to rejoin the computers? Same domain? Other domain? Same HW, Other HW?
> >
> > Cheers,
> > #JORGE#
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Wednesday, May 04, 2005 03:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> >
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM server. I don't know about members, just adding knowledge about DCs, as I don't think I've ever mentioned it here before.
> >
> > Cheers,
> > -Brett Shirley [msft]
> >
> > as is, caveat emptor, status quo, etc
> >
> > On Tue, 3 May 2005, John Shukovsky Jr wrote:
> >
> > > Hello all,
> > >
> > > Question, you want to re-image pc's that are domain members. You want to immediately rejoin domain using same name. Site is single W2k DC/GC on 3 hour replication cycle with fsmo holders.
> > >
> > > Should you remove from domain, image and rejoin or just image rejoin and reset computer account? Would either of these ways work given site setup?
> > >
> > > Any input appreciated.
> > >
> > > John Shukovsky Jr
> > > Network Administrator
> > > NJ Department of Human Services
> > > 609-861-6031
> > >
> > > This E-mail, including any attachments, may be intended solely for the personal and confidential use of the sender and recipient(s) named above. This message may include advisory, consultative and/or deliberative material and, as such, would be privileged and confidential and not a public document. Any Information in this e-mail identifying a client of the Department of Human Services is confidential. If you have received this e-mail in error, you must not review, transmit, convert to hard copy, copy, use or disseminate this e-mail or any attachments to it and you must delete this message. You are requested to notify the sender by return e-mail.
Re: [ActiveDir] best practice?
On 5/4/05, Joseph L. Casale <[EMAIL PROTECTED]> wrote:
> Exactly, I do it for DR purposes, the old one dies - I reimage it and put it back out there.
> No problem...
> jlc

For DR I would prefer to have an Automated Build that would build the server, then DCPromo it back up and allow it to replicate. This doesn't take much longer, doesn't require any extra user intervention than a reimaging, and is a far better option I think.

Phil
RE: [ActiveDir] using GPO with scripts
Yep. To do something like that would require some coding of course. It also relies on the user going to the homepage on a regular basis and that they are able to run apps. Do you have to write this, or do you have web application dev teams?

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well, found out some more information. Love how you get the full info when you need it. NOT. Anyways. Seems the website is just a web interface to a database with their personnel information. They want to ensure the user visits the site every 90 days to make updates if needed. They are requesting a "Runonce" type operation for IE when the user launches IE that will send them to the Database every 90 days but of course not send the entire population there at once. So I am thinking a field within the personnel database that will be a timestamp. Now can I have our homepage run a script in the background that checks this field to see if the timestamp is greater than 90 days? And then if it is, redirect them to the database website? Sounds better than dealing with login scripts and schema changes.

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah, locking the account because they haven't read the doc yet seems a little counterproductive, but if it is that important... Go for it. Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert their manager later if they haven't complied. If you want to get fancy you could even have a compliance reporting mechanism to put pressure on the managers. Reports go to the CEO showing compliance in percentages of the whole company at any given time (say monthly) and also percentages by division or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of in AD. Don't have to extend the AD Schema then but can use the AD scripting knowledge you have. Obviously it could go into SQL Server as well but that seems a bit expensive for this.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you set up the attribute (search for extending schema in AD). I wouldn't have the website do this based on authentication. You want to be sure they read it, so you would want to treat it like you do with other agreements, i.e. EULA agreements, and have the OK navigation button disabled unless and until they click 'I Agree'.

As for notification, use email and bug the crud out of them. Or bug their manager if they don't respond in x amount of days. I see the .mil in the addr, which tells me you likely have managers that don't like to be bothered with this kind of piddly stuff. :)

As for whether or not to update in AD, I'm not one to agree so easily that adding a custom attribute or even using an existing one is so worth it. I suppose it depends and there are many pros and cons both directions I'm sure. I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the attribute using the credentials provided. For the sake of tamper-resistance, I would guess that you would want to make this a restricted attribute field.

You may additionally want to lock out or disable their account until they read this if it's that important. Makes me wonder how they'll get to the page if they're locked out, but...

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD. I am assuming that I need to use ADSI or a similar tool to create this Custom Attribute. Once the attribute is there, I would need to configure an ActiveX script or something that will update this attribute when the user authenticates to the website, correct? Do I need the web services account to run this script so that it has privileges to change the attribute within AD?

Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away everyone's right to change their password in the directory and make them go to a website to do it, that website forces
RE: [ActiveDir] best practice?
Exactly, I do it for DR purposes, the old one dies - I reimage it and put it back out there.
No problem...
jlc

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, May 04, 2005 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery ( formerly PowerQuest V2i ). It works wonderfully. I primarily use for backups. I have not had to recover a server in production ( and hope I do not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.

When Brett mentioned imaging DCs being a bad idea and to never ever do it, I believe that he was meaning don't image a DC and try to use that image to build other new DCs and just trying to change the SID like you would for a desktop. Bad idea!

Phil
[ActiveDir] 2003 Domain Rename Tool
Has anyone used the Active Directory Domain Rename tool and if so what experiences did you have? I would like to rename our NetBIOS name; we aren’t using NetBIOS at all yet we see it every time we logon.

Thanks
Steven Wood
Network Manager
Oldham Sixth Form College
Re: [ActiveDir] best practice?
You stated:

* When distributing restore the image SYSPREP runs Enter a computername (if it an existing previous computername reset the computer account in AD), join to domain et voila

Computer names will be existing. My original question was do I remove from domain then image and rejoin, or image and reset account. Are you saying to image, reset account then rejoin, and will this work given the site structure?

----- Original Message -----
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
Sent: Wednesday, May 04, 2005 9:10 AM
Subject: RE: [ActiveDir] best practice?

> OK, let me rephrase that... "don't even think cloning DCs or backing up DCs using tools similar to ghost THAT ARE NOT AD AWARE in production environments (at least ghost versions 8 and lower are not AD aware... Not sure if ghost 9 is AD aware)
>
> New departmental standards... So you want to create a new image to "distribute" to the current HW?
>
> * Choose one hardware model to create the image
> * Install the OS and configure accordingly
> * Add drivers for the other HW models you have in your ORG
> * Use the Deployment tools (especially SYSPREP)
> * Create an image of the configuration while it is not joined to the domain
> * When distributing restore the image SYSPREP runs Enter a computername (if it an existing previous computername reset the computer account in AD), join to domain et voila
>
> The quick and dirty explanation ;-)
>
> #JORGE#
RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
Interesting, Mr Garage Door Opener. Perhaps some rewording is needed to make this and these other docs consistent? Or am I reading into this?

"The following operations are not supported: ...2. Starting an Active Directory domain controller whose operating system resides in a virtualized hosting environment such as Microsoft Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE"

http://www.support.microsoft.com/kb/897614/

http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en

I'm just so confused. ;)

-ajm
"Chief, Cook, and Bottle-Washer"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Cc: Joseph L. Casale
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

"That is soo not right." (Mean Girls movie reference, at Halloween party)

You should take a look at this: http://support.microsoft.com/?kbid=885875

I sincerely hope you don't have USN rollback or divergent replicas, but I think it is likely if you are actually imaging dcpromo'd DCs.

Just curious, for imaging what are you using? Ghost? Are you just restoring images? Are you using the images to build additional DCs for load?

Win2k3 SP1, and a hot fix post Win2k SP4, will in fact stop DCs from replicating if it detects such a condition (but it is not always guaranteed it will be able to detect the condition), to attempt to contain the damage.

Also note, b/c I'm not sure the KB is clear about divergent replicas ... just because things are replicating currently, or there are no apparent current USN rollbacks ... does NOT mean you weren't once in the past afflicted with USN rollback, and now you've gotten past it, and instead are simply afflicted with divergent replicas (worse than USN rollback in ways). You might try to use (_I think_) dsastat to run through all the objects on your DCs in a pair-wise fashion to find differences.

Cheers,
Brett Shirley [msft]
Building 7 Garage Door Operator, so what do I know ...

This posting is provided "AS IS" with no warranties, and confers no rights.

On Tue, 3 May 2005, Joseph L. Casale wrote:
> Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms built in to get it back up to par...
> jlc
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, May 03, 2005 7:08 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM server. I don't know about members, just adding knowledge about DCs, as I don't think I've ever mentioned it here before.
>
> Cheers,
> -Brett Shirley [msft]
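Brett's point that rollback detection is not guaranteed, and that a DC that was once rolled back can leave silently divergent replicas, as an added example that is neither from the thread nor Microsoft code: a toy model of per-partner USN watermarks, run through a detected image restore, an undetected one, and a supported restore that issues a new invocationID. DC names, object names and the starting USN are constructed.

```python
"""Toy model of USN watermarks, USN rollback detection and divergent replicas.

Added example, not from the thread and not Microsoft code. Each DC numbers its
writes with a local USN and carries an invocationID; a partner remembers, per
(DC, invocationID), the highest USN it has already pulled. A supported restore
hands the DC a new invocationID; restoring a disk image does not, so the DC
reuses USNs its partners already acknowledged. Names and USNs are constructed.
"""
from dataclasses import dataclass, field
import itertools

_invocation_ids = itertools.count(1)


@dataclass
class DC:
    name: str
    invocation_id: int = field(default_factory=lambda: next(_invocation_ids))
    usn: int = 100                                 # highest local USN used so far
    objects: dict = field(default_factory=dict)    # name -> originating stamp (dc, invocationID, usn)
    local_usn: dict = field(default_factory=dict)  # name -> USN of this DC's local copy
    watermark: dict = field(default_factory=dict)  # (partner, invocationID) -> highest USN pulled
    replication_disabled: bool = False

    def write(self, obj: str) -> int:
        """Originate a change locally."""
        self.usn += 1
        self.objects[obj] = (self.name, self.invocation_id, self.usn)
        self.local_usn[obj] = self.usn
        return self.usn

    def image(self) -> "DC":
        """Copy the DC's state the way a disk imaging tool would (invocationID kept)."""
        return DC(self.name, self.invocation_id, self.usn, dict(self.objects),
                  dict(self.local_usn), dict(self.watermark))


def restore_supported(img: DC) -> DC:
    """Supported restore (backup API): the DC comes back with a new invocationID."""
    dc = img.image()
    dc.invocation_id = next(_invocation_ids)
    return dc


def replicate(dest: DC, src: DC) -> str:
    """dest pulls src's changes; returns a short status string."""
    if dest.replication_disabled or src.replication_disabled:
        return "disabled"
    key = (src.name, src.invocation_id)
    seen = dest.watermark.get(key, 0)
    if seen > src.usn:
        # dest already acknowledged USNs beyond src's counter under this invocationID:
        # src has been rolled back, so src stops replicating to contain the damage.
        src.replication_disabled = True
        return "usn-rollback-detected"
    pulled = 0
    for obj, stamp in src.objects.items():
        if src.local_usn[obj] > seen and dest.objects.get(obj) != stamp:
            dest.usn += 1                          # a replicated write also consumes a USN
            dest.objects[obj] = stamp
            dest.local_usn[obj] = dest.usn
            pulled += 1
    dest.watermark[key] = src.usn
    return f"pulled {pulled}"


def diverged(a: DC, b: DC) -> set:
    """Objects whose copies differ between two DCs (a pairwise, dsastat-style check)."""
    return {n for n in set(a.objects) | set(b.objects) if a.objects.get(n) != b.objects.get(n)}


def _two_dcs_with_image():
    """Constructed starting point: user1 replicated to DC-B, then DC-A imaged at USN 101."""
    a, b = DC("DC-A"), DC("DC-B")
    a.write("user1")
    replicate(b, a)
    return a, b, a.image()


def scenario_image_restore_detected() -> dict:
    a, b, img = _two_dcs_with_image()
    a.write("user2")
    a.write("user3")
    replicate(b, a)                 # DC-B has acknowledged USN 103
    a = img.image()                 # image restored: USN back to 101, same invocationID
    return {"status": replicate(b, a), "a_disabled": a.replication_disabled}


def scenario_image_restore_undetected() -> dict:
    a, b, img = _two_dcs_with_image()
    a.write("user2")
    replicate(b, a)                 # DC-B has acknowledged USN 102
    a = img.image()                 # image restored: USN back to 101
    a.write("user3")                # reuses USN 102 for a different object
    status = replicate(b, a)        # 102 is not beyond 102: nothing pulled, nothing detected
    replicate(a, b)
    return {"status": status, "diverged": diverged(a, b)}


def scenario_supported_restore() -> dict:
    a, b, img = _two_dcs_with_image()
    a.write("user2")
    replicate(b, a)
    a = restore_supported(img)      # new invocationID, USN back to 101
    a.write("user3")                # USN 102 again, but under the new invocationID
    status = replicate(b, a)        # watermark for the new invocationID starts at 0
    replicate(a, b)
    return {"status": status, "diverged": diverged(a, b)}
```

The undetected case is the one Brett warns about: DC-B keeps replicating happily while it never learns of user3.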
Re: [ActiveDir] How to make a user member of Built in Administrat or group
On 5/3/05, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> FIRST:
> You can use restricted groups in a GPO.
> However if that is in the forest root domain then members of the builtin administrators have control over the enterprise administrators group.

You can use Restricted Groups on the Built-in Administrators group? I always thought that was intended for the local groups on member servers/desktops; never really thought to see if it applied to DCs as well.

Phil
RE: [ActiveDir] Solaris authentication
Two things:

"As far as REQs Al……. 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh. There, I feel better about that. :)

As for the network trace, your servers come with Netmon by default, which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full-featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind, and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things…. along with lessen the load of me asking these questions to you guys :)). I have tried using Ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem). Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)?

As far as REQs Al……. 1. FREE 2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If LDAP bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow Solaris to authenticate via Kerb with AD and allow AD users to login to Solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don’t know how they are populating /etc/passwd but can find out. I’ve never used NIS against AD so couldn’t say what’s going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?

http://docs.sun.com/source/816-6775-10/a_activedirauth.html
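Al's advice to trace the Sun host's bind and check the destination port, as an added example that is not from the thread: a small BER decoder for the LDAP BindRequest that tells a readable simple bind from a SASL/GSSAPI bind or a TLS-wrapped session on tcp/636. The DNs, ports and payload bytes are constructed; only the bind DN and the length of the credential are reported, never the credential itself.

```python
"""Classify captured LDAP bind requests by whether the credentials were readable.

Added example, not from the thread: a minimal BER decoder for the LDAPv3
BindRequest (RFC 4511) run over constructed client->server payloads, the check
Al describes doing by eye in Netmon or Ethereal on traffic to tcp/389.
The DNs, ports and payload bytes below are constructed sample data.
"""
from typing import Optional


def _tlv(tag: int, payload: bytes) -> bytes:
    """BER-encode one tag/length/value (only used to build the sample packets)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _read_tlv(buf: bytes, pos: int):
    """Decode the BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msg_id: int, dn: str, password: Optional[str] = None,
                       sasl_mechanism: Optional[str] = None) -> bytes:
    """Encode an LDAPv3 BindRequest with simple or SASL authentication."""
    if sasl_mechanism is None:
        auth = _tlv(0x80, (password or "").encode())             # [0] simple
    else:
        auth = _tlv(0xA3, _tlv(0x04, sasl_mechanism.encode()))   # [3] sasl
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)


def parse_bind_request(payload: bytes) -> Optional[dict]:
    """Fields of a BindRequest, or None if the payload is not one."""
    try:
        tag, msg, _ = _read_tlv(payload, 0)
        if tag != 0x30:                     # LDAPMessage SEQUENCE
            return None
        _, mid, pos = _read_tlv(msg, 0)     # messageID
        tag, body, _ = _read_tlv(msg, pos)
        if tag != 0x60:                     # [APPLICATION 0] BindRequest
            return None
        _, ver, pos = _read_tlv(body, 0)
        _, name, pos = _read_tlv(body, pos)
        atag, auth, _ = _read_tlv(body, pos)
    except IndexError:
        return None
    info = {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
            "name": name.decode(errors="replace")}
    if atag == 0x80:
        info.update(auth="simple", credential_bytes=len(auth))
    elif atag == 0xA3:
        _, mech, _ = _read_tlv(auth, 0)
        info.update(auth="sasl", mechanism=mech.decode(errors="replace"))
    else:
        info.update(auth="unknown")
    return info


def assess(dst_port: int, payload: bytes) -> dict:
    """Verdict for one captured client->server segment."""
    if payload[:2] == b"\x16\x03":          # TLS record: LDAPS/StartTLS, not readable
        return {"dst_port": dst_port, "verdict": "tls-encrypted"}
    info = parse_bind_request(payload)
    if info is None:
        return {"dst_port": dst_port, "verdict": "not-a-bind-request"}
    if info["auth"] == "sasl":
        verdict = "sasl-bind"               # e.g. GSSAPI: no password on the wire
    elif info["auth"] != "simple":
        verdict = "unknown-auth-choice"
    elif info["credential_bytes"] == 0:
        verdict = "unauthenticated-bind"    # empty password: proves nothing about identity
    else:
        verdict = "cleartext-simple-bind"   # readable here, so readable by anyone on the path
    return {"dst_port": dst_port, "verdict": verdict, **info}


# Constructed capture: a service-account simple bind, an empty-password bind, a
# Kerberos (GSSAPI) SASL bind, and the start of a TLS handshake on tcp/636.
SAMPLE_SEGMENTS = [
    (389, build_bind_request(1, "cn=ldapproxy,ou=svc,dc=example,dc=com", "constructed-secret")),
    (389, build_bind_request(2, "cn=ldapproxy,ou=svc,dc=example,dc=com", "")),
    (389, build_bind_request(3, "", sasl_mechanism="GSSAPI")),
    (636, b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32),
]


def scan(segments=SAMPLE_SEGMENTS) -> list:
    """Run assess() over every captured segment."""
    return [assess(port, data) for port, data in segments]
```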
RE: [ActiveDir] best practice?
OK, let me rephrase that... "don't even think of cloning DCs or backing up DCs using tools similar to Ghost THAT ARE NOT AD AWARE in production environments" (at least Ghost versions 8 and lower are not AD aware... not sure if Ghost 9 is AD aware).

New departmental standards... So you want to create a new image to "distribute" to the current HW?

* Choose one hardware model to create the image
* Install the OS and configure accordingly
* Add drivers for the other HW models you have in your ORG
* Use the Deployment tools (especially SYSPREP)
* Create an image of the configuration while it is not joined to the domain
* When distributing, restore the image; SYSPREP runs; enter a computer name (if it is an existing previous computer name, reset the computer account in AD), join to the domain et voila

The quick and dirty explanation ;-)

#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 14:50
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

I was talking about PCs. The reason for reimage is new departmental standards (look and feel). I do not have the luxury of SMS. Yes, same domain, same hardware, same name, just new image. I am having issues with removing, pushing new image and rejoining. Some seem to work and others are coming up disabled?? Just wanted to ask if anyone is familiar or knows a better way.

BUT as for DCs: I do "image" DCs using Symantec LiveState Recovery (formerly PowerQuest V2i). It works wonderfully. I primarily use it for backups. I have not had to recover a server in production (and hope I do not have to) but I have in lab 10+ times and servers are as clean as ever. You should take a look.

- Original Message -
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 04, 2005 2:55 AM
Subject: RE: [ActiveDir] best practice?

> In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is talking
> about DCs I agree with Brett -> don't image DCs... Don't even think about
> it!
>
> Concerning imaging DOMAIN MEMBERS and rejoining...
> I'm not sure what you want to achieve... why do you want to rejoin the
> computers? Same domain? Other domain? Same HW, other HW?
>
> Cheers,
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 03:08
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> server. I don't know about members, just adding knowledge about DCs, as I
> don't think I've ever mentioned it here before.
>
> Cheers,
> -Brett Shirley [msft]
>
> as is, caveat emptor, status quo, etc
>
> On Tue, 3 May 2005, John Shukovsky Jr wrote:
>
> > Hello all,
> >
> > Question, you want to re-image PCs that are domain members. You want to
> > immediately rejoin domain using same name. Site is single W2k DC/GC on 3
> > hour replication cycle with fsmo holders.
> >
> > Should you remove from domain, image and rejoin or just image, rejoin and
> > reset computer account? Would either of these ways work given site setup?
> >
> > Any input appreciated.
> >
> > John Shukovsky Jr
> > Network Administrator
> > NJ Department of Human Services
> > 609-861-6031
> >
> > This E-mail, including any attachments, may be intended solely for the
> > personal and confidential use of the sender and recipient(s) named
> > above. This message may include advisory, consultative and/or
> > deliberative material and, as such, would be privileged and
> > confidential and not a public document. Any Information in this e-mail
> > identifying a client of the Department of Human Services is
> > confidential. If you have received this e-mail in error, you must not
> > review, transmit, convert to hard copy, copy, use or disseminate this
> > e-mail or any attachments to it and you must delete this message. You are
> > requested to notify the sender by return e-mail.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
Re: [ActiveDir] best practice?
On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> BUT as for DCs. I do "image" DCs using Symantec LiveState Recovery (
> formerly PowerQuest V2i ). It works wonderfully. I primarily use for
> backups. I have not had to recover a server in production ( and hope I do
> not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.

When Brett mentioned imaging DCs being a bad idea and to never ever do it, I believe that he was meaning don't image a DC and try to use that image to build other new DCs and just trying to change the SID like you would for a desktop. Bad idea!

Phil
Re: [ActiveDir] best practice?
John Shukovsky Jr wrote:
> Hello all,
> Question, you want to re-image PCs that are domain members. You want to immediately rejoin domain using same name. Site is single W2k DC/GC on 3 hour replication cycle with fsmo holders. Should you remove from domain, image and rejoin or just image, rejoin and reset computer account? Would either of these ways work given site setup?

In the network I'm working on right now we are using a process like this: imaging -> reset account -> join again. Works perfectly for about 5k workstations.

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl
Re: [ActiveDir] best practice?
I was talking about PCs. The reason for reimage is new departmental standards (look and feel). I do not have the luxury of SMS. Yes, same domain, same hardware, same name, just new image. I am having issues with removing, pushing new image and rejoining. Some seem to work and others are coming up disabled?? Just wanted to ask if anyone is familiar or knows a better way.

BUT as for DCs: I do "image" DCs using Symantec LiveState Recovery (formerly PowerQuest V2i). It works wonderfully. I primarily use it for backups. I have not had to recover a server in production (and hope I do not have to) but I have in lab 10+ times and servers are as clean as ever. You should take a look.

- Original Message -
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 04, 2005 2:55 AM
Subject: RE: [ActiveDir] best practice?

> In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is talking
> about DCs I agree with Brett -> don't image DCs... Don't even think about
> it!
>
> Concerning imaging DOMAIN MEMBERS and rejoining...
> I'm not sure what you want to achieve... why do you want to rejoin the
> computers? Same domain? Other domain? Same HW, other HW?
>
> Cheers,
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 03:08
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> server. I don't know about members, just adding knowledge about DCs, as I
> don't think I've ever mentioned it here before.
>
> Cheers,
> -Brett Shirley [msft]
>
> as is, caveat emptor, status quo, etc
>
> On Tue, 3 May 2005, John Shukovsky Jr wrote:
>
> > Hello all,
> >
> > Question, you want to re-image PCs that are domain members. You want to
> > immediately rejoin domain using same name. Site is single W2k DC/GC on 3
> > hour replication cycle with fsmo holders.
> >
> > Should you remove from domain, image and rejoin or just image, rejoin and
> > reset computer account? Would either of these ways work given site setup?
> >
> > Any input appreciated.
> >
> > John Shukovsky Jr
> > Network Administrator
> > NJ Department of Human Services
> > 609-861-6031
Re: [ActiveDir] Solaris authentication
Douglas

You have to configure your switch so that the port that your monitoring box is connected to receives all the packets that interest you. In the Alcatel switch we have this is called mirroring. You probably will need to do this before you can start sniffing, as otherwise you will only see packets directed towards your NIC. I believe it is no longer necessary to put your NIC in promiscuous mode as Ethereal (or others..) will do this when you set it up.
Re: [ActiveDir] My network sites and GPO
A script to remove all local mappings of network drives is the following:

    On Error Resume Next          ' ignore errors for letters that are not mapped drives
    Dim objNetWork, i, drive
    Set objNetWork = CreateObject("WScript.Network")
    For i = Asc("A") To Asc("Z")
        drive = Chr(i) & ":"
        ' bForce = True disconnects even if the drive is in use,
        ' bUpdateProfile = True also removes a persistent mapping from the profile
        objNetWork.RemoveNetworkDrive drive, True, True
    Next

Regards
Peter Jessop
RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
"That is soo not right." (Mean Girls movie reference, at Halloween party) You should take a look at this: http://support.microsoft.com/?kbid=885875 I sincerely hope you don't have USN rollback or divergent replicas, but I think it is likely if you are actually imaging dcpromo'd DCs. Just curious, for imaging what are you using? Ghost? Are you just restoring images? Are you using the images to build additional DCs for load? In Win2k3 SP1 and a hot fix post Win2k SP4, will in fact stop DCs from replicating if it detects such a condition (but it is not always guaranteed it will be able to detect the condition), to attempt to contain the damage. Also note, b/c I'm not sure the KB is clear about divergent replicas ... just because things are replicating currently, or there are no apparent current USN rollbacks ... does NOT mean you weren't once in the past afflicted with USN rollback, and now you've gotten past it, and instead are simply aflicted with divergent replicas (worse than USN rollback in ways). You might try to use (_I thinK_) dsastat to run through all the objects on your DCs in a pair-wise fashion to find differences. Cheers, Brett Shirley [msft] Building 7 Garage Door Operator, so what do I know ... This posting is provided "AS IS" with no warranties, and confers no rights. On Tue, 3 May 2005, Joseph L. Casale wrote: > Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms > built in to get it back up to par... > jlc > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley > Sent: Tuesday, May 03, 2005 7:08 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] best practice? > > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM > server. I don't know about memebers, just adding knowledge about DCs, > as I don't think I've ever mentioned it here before. 
> > Cheers, > -Brett Shirley [msft] > > as is, caveat emtpor, status quo, etc > > > > On Tue, 3 May 2005, John Shukovsky Jr wrote: > > > Hello all, > > > > Question, you want to re-image pc's that are domain members. You want > to immediately rejoin domain using same name. Site is single W2k DC/GC > on 3 hour replication cycle with fsmo holders. > > > > Should you remove from domain, image and rejoin or just image rejoin > and reset computer account? Would either of these ways work given site > setup? > > > > Any input appreciated. > > > > John Shukovsky Jr > > Network Administrator > > NJ Department of Human Services > > 609-861-6031 > > > > > > This E-mail, including any attachments, may be intended solely for the > > > personal and confidential use of the sender and recipient(s) named > > above. This message may include advisory, consultative and/or > > deliberative material and, as such, would be privileged and > > confidential and not a public document. Any Information in this e-mail > > > identifying a client of the Department of Human Services is > > confidential. If you have received this e-mail in error, you must not > > review, transmit, convert to hard copy, copy, use or disseminate this > > e-mail or any attachments to it and you must delete this message. You > are requested to notify the sender by return e-mail. > > > > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx > List FAQ: http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ > List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
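Brett's point about USN rollback and divergent replicas, as an added example that is not code from the thread: a toy Python model of the per-invocation-ID USN bookkeeping (one-way replication only; DC names, object names and USN values are constructed) showing why an image restore can slip past the rollback check and leave replicas divergent, while an AD-aware restore that changes the invocation ID does not.

```python
import uuid

# Toy model (constructed for this example) of the bookkeeping AD replication relies on:
# per-database invocation ID, increasing USN, and a partner's watermark per invocation ID.
class DC:
    def __init__(self, name):
        self.name, self.invocation_id, self.usn = name, uuid.uuid4(), 0
        self.objects = {}   # object -> (value, USN of the originating write)
        self.utd = {}       # source invocation id -> highest USN already seen from it
    def write(self, obj, value):
        self.usn += 1                      # every originating write burns a USN
        self.objects[obj] = (value, self.usn)
    def snapshot(self):
        """What an imaging tool captures: database state, invocation id included."""
        return (self.usn, dict(self.objects))
    def restore_image(self, snap):
        """Unsupported restore: state rolls back but the invocation id is kept."""
        self.usn, self.objects = snap[0], dict(snap[1])
    def restore_supported(self, snap):
        """AD-aware restore: same data, but the database gets a new invocation id."""
        self.restore_image(snap)
        self.invocation_id = uuid.uuid4()
    def pull_from(self, src):
        """One-way replication: take src's writes above our watermark for its id."""
        watermark = self.utd.get(src.invocation_id, 0)
        if src.usn < watermark:            # the post-hotfix rollback check, modelled here
            raise RuntimeError(f"USN rollback detected on {src.name}")
        for obj, (value, usn) in src.objects.items():
            if usn > watermark:
                self.objects[obj] = (value, usn)
        self.utd[src.invocation_id] = src.usn

def scenario(restore, writes_after_restore):
    """Image DC1, keep working, restore it, write more, replicate to DC2.
    Returns "rollback detected" or the DC1 objects DC2 silently never received."""
    dc1, dc2 = DC("DC1"), DC("DC2")
    dc1.write("user1", "v1")
    snap = dc1.snapshot()                  # image taken at USN 1
    dc1.write("user2", "v1")               # USN 2
    dc1.write("user2", "v2")               # USN 3
    dc2.pull_from(dc1)                     # DC2 now expects USN > 3 from DC1's id
    (dc1.restore_image if restore == "image" else dc1.restore_supported)(snap)
    for n in range(writes_after_restore):  # after an image restore these reuse
        dc1.write(f"new{n}", "v1")         # USNs 2, 3, ... that DC2 has already seen
    try:
        dc2.pull_from(dc1)
    except RuntimeError:
        return "rollback detected"
    return sorted(o for o in dc1.objects if o not in dc2.objects)
```

With one write after the image restore the USN is still below DC2's watermark and the check fires; with three writes the USN has climbed past the watermark, nothing is detected, and the first two writes never replicate, which is the "divergent replicas" case Brett warns is worse than a detected rollback.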
[ActiveDir] My network sites and GPO
Hello, is it possible to configure "My network sites" for different users? For example, that in "My network sites" different shared folders appear for different users; also, could I remove all shared folders at the beginning of a script...? The reason for this is that there aren't enough letters to map network drives to do something with our users. Is this possible with a GPO? We have in the company a W2000 server as a Domain Controller. Thanks, Sergio S. T.