RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

2005-05-04 Thread Rick Kingslan
Al,

"Can" and "Will" are two different things.  Knowing Brett and his, shall we
say, feisty nature - anything is possible.  :o)

Brett - what's the Xbox game of the week, BTW?

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

My apologies for the demotional insinuation.

While there are plenty of ways to shoot my foot off, I'd appreciate
reducing that number.  Is this something we should revise in one of the
two docs at least for posterity?  Do you know who wrote the docs that
disagree and can you drop a note? 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't
cheapen my job, I can close the door too.

I didn't proofread the Running DCs in a Virtual Server 2005 doc.  I
happen to know that it doesn't insist on turning off the host system's
disk cache, so _I_ won't be debugging a confluence of lost flushes or
USN rollbacks in that environment.

The KB was written earlier than the DCs on VirtServer2005 doc.  I
personally like the KB as it is, but obviously as you point out they're
incongruous.

Keep in mind there are plenty of ways to shoot yourself in the foot,
with VPCs ... all based off the idea of improper backup/restore/imaging
of AD data ... things that come off the top of my head:

 - diff disks could very easily be deadly,
 - and in the cases of VPCs, when a VPC is shutdown, even xcopy (on the
   host system) is then a deadly piece of "imaging" type software.
 - the same thing even applies outside of VPCs: just a DC in DSRM has an
   unprotected DIT and log files; copying those out, and then back in
   later, would qualify as something that can cause USN rollback.

Cheers,
-BrettSh [msft] 

Building 7 Garage Door Operator ... ostensibly the Garage Door Operator
with the most knowledge of the ESE and AD database internals ...


On Wed, 4 May 2005, Al Mulnick wrote:

> Interesting, Mr Garage Door Opener.  Perhaps some rewording is needed
> to make this and these other docs consistent?  Or am I reading into
> this?
> 
> 
> "The following operations are not supported: 
> ...2. Starting an Active Directory domain controller whose operating 
> system resides in a virtualized hosting environment such as Microsoft 
> Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE "
> 
> http://www.support.microsoft.com/kb/897614/
> 
> 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en
> 
> 
> I'm just so confused.  ;)
> 
> -ajm
> 
> "Chief, Cook, and Bottle-Washer"
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 6:30 AM
> To: ActiveDir@mail.activedir.org
> Cc: Joseph L. Casale
> Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
> 
> "That is soo not right." (Mean Girls movie reference, at Halloween
> party)
> 
> You should take a look at this:
> http://support.microsoft.com/?kbid=885875
> 
> I sincerely hope you don't have USN rollback or divergent replicas, 
> but I think it is likely if you are actually imaging dcpromo'd DCs.
> 
> Just curious, for imaging what are you using?  Ghost?  Are you just 
> restoring images?  Are you using the images to build additional DCs 
> for load?
> 
> 
> Win2k3 SP1, and a hotfix post Win2k SP4, will in fact stop DCs from
> replicating if it detects such a condition (but it is not always
> guaranteed it will be able to detect the condition), to attempt to
> contain the damage.
> 
> Also note, b/c I'm not sure the KB is clear about divergent replicas ...
> just because things are replicating currently, or there are no
> apparent current USN rollbacks ... does NOT mean you weren't once in
> the past afflicted with USN rollback, and now you've gotten past it,
> and instead are simply afflicted with divergent replicas (worse than
> USN rollback in ways).  You might try to use (_I thinK_) dsastat to
> run through all the objects on your DCs in a pair-wise fashion to find
> differences.
> 
> Cheers,
> Brett Shirley [msft]
> Building 7 Garage Door Operator, so what do I know ...
> 
> This posting is provided "AS IS" with no warranties, and confers no 
> rights.
> 
> 
> On Tue, 3 May 2005, Joseph L. Casale wrote:
> 
> > Errr, I do it always, always, ALWAYS, and it works? AD has 
> > mechanisms built in to get it back up to par...
> > jlc
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett 
> > Shirley
> > Sent: Tuesday, May 03, 2005 7:08 PM
> > To

RE: [ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread Darren Mar-Elia

Ok, so what is the version for machine on ServerName1?
Also, does machine extensions for server2 really not list
any or did you just shorten it for display purposes?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren-
I ran the gpotool as you suggested.  As part of the output I am told:
Error:  ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-
This usually means that the client is looking at the GPO's 
version number and it is showing up as 0 for computer revisions (in other words, 
it doesn't think any computer policy has been set in that GPO). Run gpotool.exe 
(from Win2K reskit or part of XP and 2003) against your DCs and see if any of 
them show a revision number of 0 for the computer side of the GPO containing 
your script. This could still mean that you have some issues with sysvol 
replication. Essentially, there is a file called gpt.ini that is stored with the 
GPO in sysvol on each DC. This file contains a version number that lists how 
many changes were made to the computer and user sides of a GPO. That version 
should be the same as the version of that GPO held on the versionNumber 
attribute of the GPC object in AD. If there are discrepancies, then gpotool will 
tell you. 
 
Darren

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any 
servers, however, now when I run gpresult I am told that my gpo was not applied 
because it is empty.  I can manually open the GPO and see my startup script 
is there.
 

Thanks,
Brenda

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator 
password on specific machines as part of my group policy.  These computers 
are part of a group, I have applied the policy to this group, and set the 
security permissions appropriately.  When I run gpupdate on the pc, I get 
no error in the Event log, but when I restart the machine, the administrator 
account password has not been changed.
I have run replmon.exe and have found that 1 dc (out of 30) is not
replicating, as it is out of hard drive space on c:.  Could 1 out of 30
dc's be causing the problem, or is there something else I am missing?  How
long should it take before the policy takes effect?
 

Thanks,
Brenda

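Darren's explanation above of the gpt.ini version in SYSVOL versus the versionNumber attribute on the GPC object, as an added example that is not code from the list or from gpotool: a stand-alone Python re-implementation of that comparison, which decodes the combined 32-bit version (low 16 bits = computer side, high 16 bits = user side), checks each DC's copy of gpt.ini against the AD value, and flags a computer-side version of 0. The gpt.ini texts, DC names and AD value are constructed; reading them from \\DC\SYSVOL and from LDAP is left to the caller.

```python
"""Cross-check a GPO's version in SYSVOL (gpt.ini) against AD (versionNumber).

A GPO version is a 32-bit value: the low 16 bits count computer-side
edits, the high 16 bits count user-side edits. gpotool compares the AD
value with each DC's gpt.ini; this is a stand-alone re-implementation of
that comparison over constructed input (it does not talk to AD or SYSVOL).
"""
import configparser

# Constructed gpt.ini contents, as they would be read from
# \\<DC>\SYSVOL\<domain>\Policies\{GUID}\gpt.ini on each DC.
GPT_INI_CURRENT = "[General]\nVersion=37\ndisplayName=Admin password startup script\n"
# A stale copy: user side bumped once (1 << 16), computer side never written.
GPT_INI_STALE = "[General]\nVersion=65536\ndisplayName=Admin password startup script\n"

# Constructed value of the versionNumber attribute on the GPC object in AD.
AD_VERSION_NUMBER = 37


def split_version(version):
    """Return (user_version, computer_version) from a combined version DWORD."""
    version &= 0xFFFFFFFF
    return version >> 16, version & 0xFFFF


def parse_gpt_ini(text):
    """Return the integer Version value from gpt.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def check_gpo(ad_version, sysvol_inis):
    """Compare AD's versionNumber with each DC's gpt.ini.

    ad_version: versionNumber attribute of the GPC object.
    sysvol_inis: mapping DC name -> gpt.ini text read from that DC's SYSVOL.
    Returns a list of findings; an empty list means everything agrees.
    """
    findings = []
    ad_user, ad_computer = split_version(ad_version)
    if ad_computer == 0:
        # The state Darren describes: clients see no computer policy at all.
        findings.append("AD: computer-side version is 0, clients will treat "
                        "the computer half of this GPO as empty")
    seen = {}
    for dc, text in sysvol_inis.items():
        v = parse_gpt_ini(text)
        seen[dc] = v
        if v != ad_version:
            u, c = split_version(v)
            findings.append(f"{dc}: sysvol user={u} computer={c} does not match "
                            f"AD user={ad_user} computer={ad_computer}")
    if len(set(seen.values())) > 1:
        # Two DCs disagree with each other: gpotool's "sysvol mismatch".
        findings.append("sysvol mismatch between DCs: " +
                        ", ".join(f"{dc}={v}" for dc, v in sorted(seen.items())))
    return findings


def demo():
    """Run the check over the constructed scenario (one DC holds a stale copy)."""
    return check_gpo(AD_VERSION_NUMBER,
                     {"ServerName1": GPT_INI_CURRENT, "Servername2": GPT_INI_STALE})


if __name__ == "__main__":
    for line in demo() or ["GPO version consistent on all DCs"]:
        print(line)
```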

[ActiveDir] Windows 2003 Std RRAS & Logon Scripts

2005-05-04 Thread Charlie Saliba
At my organization, we have a Windows 2003 RRAS box and when users login via VPN or Dialup, their logon scripts do not run.
If the VPN users click Login using dial-up connection at the CTRL-ALT-DEL screen, the logon scripts work that way but not when
just clicking on the dial-up / vpn shortcuts on their desktops...

Does anyone have any suggestions on how to make the logon scripts run
whenever anyone connects, regardless of how they do it (via shortcut on
desktop or at the CTRL-ALT-DEL screen)?

Thanks-- Charlie Saliba [EMAIL PROTECTED]



RE: [ActiveDir] using GPO with scripts

2005-05-04 Thread Al Mulnick
Go get 'em tiger!   :)

If it doesn't work out that way, drop a note back.  It's not something
they should reject, but if you feel like building an empire, this might
be a first step to taking over the web development... 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Wednesday, May 04, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

We have a web development team.  Looks like they are actually trying to
pawn this off elsewhere but I am fighting that now that I know more what
they are wanting. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yep.  To do something like that would require some coding of course.  It
also relies on the user going to the homepage on a regular basis and
that they are able to run apps.

Do you have to write this, or do you have web application dev teams?  

Al 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well found out some more information.  Love how you get the full info
when you need it.  NOT

Anyways.  Seems the website is just a web interface to a database with
their personnel information.  They want to ensure the user visits the
site every 90 days to make updates if needed.  They are requesting a
"Runonce" type operation for IE when the user launches IE that will
send them to the Database every 90 days but of course not send the
entire population there at once.  So I am thinking a field within the
personnel database that will be a timestamp.  Now can I have our
homepage run a script in the background that checks this field to see if
the timestamp is greater than 90 days?  And then if it is, redirect them
to the database website?

Sounds better than dealing with login scripts and schema changes.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah locking the account because they haven't read the doc yet seems a
little counter productive but if it is that important... Go for it.
Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert
their manager later if they haven't complied. If you want to get fancy
you could even have a compliance reporting mechanism to put pressure on
the managers.
Reports go to the CEO showing compliance in percentages of the whole
company at any given time (say monthly) and also percentages by division
or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of
in AD. Don't have to extend the AD Schema then but can use the AD
scripting knowledge you have. Obviously it could go into SQL Server as
well but that seems a bit expensive for this. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you setup the attribute (search for extending schema in AD).


I wouldn't have the website do this based on authentication.  You want
to be sure they read it, so you would want to treat it like you do with
other agreements i.e. EULA agreements and have the OK navigation button
disabled unless and until they click 'I Agree' 


As for notification, use email and bug the crud out of them.  Or bug
their manager if they don't respond in x amount of days. I see the .mil
in the addr, which tells me you likely have managers that don't like to
be bothered with this kind of piddly stuff.  :)

As for whether or not to update in AD, I'm not one to agree so easily
that adding a custom attribute or even using an existing one is so worth
it.  I suppose it depends and there are many pros and cons both directions I'm
sure.  I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the
attribute using the credentials provided.  For the sake of
tamper-resistance, I would guess that you would want to make this a
restricted attribute field.
You may additionally want to lock out or disable their account until they
read this if it's that important.
Makes me wonder how they'll get to the page if they're locked out,
but


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I lik

RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Al Mulnick
I'd be highly interested in that information as well if you
can spare it.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 4:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication


Yeah, if you could find out, that would be nice. I haven’t been able to find the easy, kerberized way
that Solaris 10 “supposedly” integrates with AD. I really thought this was one
of the big initiatives that MS and Sun were working on.

Thanks everyone for your replies about Ethereal.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
I know I said it earlier, but I’ll say it again here…..Solaris 9/10 have (I’m told) a much nicer
Kerberos client that is very AD savvy. So if you’re using one of them, you might
be getting a lot of advice for a well baked scenario that Sun was kind enough to
try out for you already.
I can find out a bit more if you have no idea what I’m talking about, I just don’t remember off
hand.

~Eric

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___
Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now
I am trying to figure out why I can’t sniff the packets of another machine on
the same subnet as me (I thought that was the point of promiscuous mode). I have
it set to promiscuous mode, and it still sees nothing. I am just trying to get
some ammo to persuade management that we really need to get a tool that uses
ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
I totally agree with the time cost of the issue, and am at least looking into the cost before I throw
the idea out the window. And I also agree with the ldap bind scenario. I just
don’t like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to
customize the view (filters) to show me that more easily. If I didn’t know that
it was the password (since it was my telnet connection), I would have never
known that those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
Two things:

"As far as REQs Al……. 1. FREE    2. Add little complexity"

These two are sometimes [1] not complementary to one another.  Consider the cost of your time and
troubleshooting efforts when you say this. I read Joe's response later in the
thread and he's absolutely correct that a) this idea of using a static DN to
bind sux rocks and b) LDAP bind by itself is not authentication!
Agghhh.

 

There, I feel better about that. :)


As for the network trace, your servers come with netmon by default which you can use to capture
network traces in a limited fashion.  In other words, you can capture
traffic to and from the server itself and that's about it.  SMS comes with
a more full featured network trace utility. There's also Ethereal and a
host of other products that are free and downloadable, but Ethereal and Netmon
tend to be my preferred.  Critter of habit I guess.


To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will
give some information about the product and what it's for.  In your case,
you'd want to look at the traffic coming from the other hosts (Sun) that is
using an LDAP bind and basically if you can read the traffic, so can
others.  You do want to also check the destination port that the client is
sending traffic to.  That may indicate if it's even trying to use some sort
of secure traffic mechanism.  If its destination is tcp 389, then the data
protection would need to be handled at a different layer such as TLS or IPSec
type of protection.

-ajm


[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often would be a better
term here. Kerberos is not simple when you get beyond one or two machines.
Even then, it takes a bit of work.  That work typically has a cost
associated with it.  That cost/benefit analysis might make it worth it to
use a commercial prod

RE: [ActiveDir] Solaris authentication

2005-05-04 Thread beads

To get all the information you should
be using a spanning (not spamming) port. That will show you all the information
going through the switch, not just what ethereal can collect. If there
is no spanning port you may want to break into the switch and tell it to
send all traffic to your port as well. Assuming the switch is intelligent.
If it's a dumb switch you're going to have problems treating it like a hub.



Brent Eads
Employee Technology Solutions, Inc.




RE: [ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread joe

Add to the methods

1. Put machine on hub and sniff traffic and watch script come down.

2. Put a password filter in place and have it alert you that the password was changed.

et alii


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty


If I could ask what might be the obvious, from a security perspective….

If you have a policy out there resetting the local admin password, how are you storing the new
password in the script? Hopefully you have something very clever in place, else
I can get the local admin password out of your policy in so many ways:

 - If you didn’t consider this at all, I bet the policy is ACLd with AU having read, so I can
   just read it out with notepad.
 - If you were clever enough to acl the policy so that only the machine accounts can read it, I
   could own a machine (perhaps I already do….perhaps I am in the local admins
   group on one of the boxes, because it is _my machine_) and just open the policy
   while impersonating the machine. Or get the machine to do it for me (since I
   own it, I can make it do my bidding).

 
And if you haven’t taken precautions, you should assume local admin on any machine with this
password is local admin on them all. For it only takes one bad apple to spoil
the whole bushel.
 
~Eric
 
 




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty
 
Thanks Darren-
I ran the gpotool as you suggested.  As part of the output I am told:
Error:  ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,
Brenda
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-
This usually means that 
the client is looking at the GPO's version number and it is showing up as 0 for 
computer revisions (in other words, it doesn't think any computer policy has 
been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 
2003) against your DCs and see if any of them show a revision number of 0 for 
the computer side of the GPO containing your script. This could still mean that 
you have some issues with sysvol replication. Essentially, there is a file 
called gpt.ini that is stored with the GPO in sysvol on each DC. This file 
contains a version number that lists how many changes were made to the computer 
and user sides of a GPO. That version should be the same as the version of that 
GPO held on the versionNumber attribute of the GPC object in AD. If there are 
discrepancies, then gpotool will tell you. 
 
Darren
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having 
replication issues on any servers, however, now when I run gpresult I am told 
that my gpo was not applied because it is empty.  I can manually open the 
GPO and see my startup script is there.

 
Thanks,
Brenda
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a 
startup script to change my administrator password on specific machines as part 
of my group policy.  These computers are part of a group, I have applied 
the policy to this group, and set the security permissions appropriately.  
When I run gpupdate on the pc, I get no error in the Event log, but when I 
restart the machine, the administrator account password has not been 
changed.

I have run 
replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is 
out of hard drive space on c:.  Could 1 out of 30 dc's be causing the 
problem, or is there something else I am missing?  How long should it take, 
before the policy takes effect?

 
Thanks,
Brenda


RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Douglas M. Long
Yeah, if you could find out, that would be nice. I haven’t been able to find the easy, kerberized way that Solaris
10 “supposedly” integrates with AD. I really thought this was one
of the big initiatives that MS and Sun were working on.

Thanks everyone for your replies about Ethereal.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Wednesday, May 04, 2005 3:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I know I said it earlier, but I’ll say it again here…..Solaris 9/10 have (I’m told) a much nicer
Kerberos client that is very AD savvy. So if you’re using one of them,
you might be getting a lot of advice for a well baked scenario that Sun was
kind enough to try out for you already.

I can find out a bit more if you have no idea what I’m talking about, I just don’t remember off hand.

~Eric

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to
figure out why I can’t sniff the packets of another machine on the same
subnet as me (I thought that was the point of promiscuous mode). I have it set
to promiscuous mode, and it still sees nothing. I am just trying to get some
ammo to persuade management that we really need to get a tool that uses ssh
instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the
window. And I also agree with the ldap bind scenario. I just don’t like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view
(filters) to show me that more easily. If I didn’t know that it was the
password (since it was my telnet connection), I would have never known that
those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE    2. Add little complexity"

These two are sometimes [1] not complementary to one another.  Consider the cost of your time and
troubleshooting efforts when you say this. I read Joe's response later in the
thread and he's absolutely correct that a) this idea of using a static DN to
bind sux rocks and b) LDAP bind by itself is not authentication!
Agghhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a
limited fashion.  In other words, you can capture traffic to and from the
server itself and that's about it.  SMS comes with a more full featured
network trace utility. There's also Ethereal and a host of other products
that are free and downloadable, but Ethereal and Netmon tend to be my
preferred.  Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will
give some information about the product and what it's for.  In your case,
you'd want to look at the traffic coming from the other hosts (Sun) that is
using an LDAP bind and basically if you can read the traffic, so can
others.  You do want to also check the destination port that the client is
sending traffic to.  That may indicate if it's even trying to use some
sort of secure traffic mechanism.  If its destination is tcp 389, then
the data protection would need to be handled at a different layer such as TLS
or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often would be a better term here. Kerberos
is not simple when you get beyond one or two machines.  Even then, it
takes a bit of work.  That work typically has a cost associated with
it.  That cost/benefit analysis might make it worth it to use a commercial
product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activ

RE: [ActiveDir] using GPO with scripts

2005-05-04 Thread Cothern Jeff D. Team EITC
We have a web development team.  Looks like they are actually trying to
pawn this off elsewhere but I am fighting that now that I know more what
they are wanting. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yep.  To do something like that would require some coding of course.  It
also relies on the user going to the homepage on a regular basis and
that they are able to run apps.

Do you have to write this, or do you have web application dev teams?  

Al 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well found out some more information.  Love how you get the full info
when you need it.  NOT

Anyways.  Seems the website is just a web interface to a database with
their personnel information.  They want to ensure the user visits the
site every 90 days to make updates if needed.  They are requesting a
"Runonce" type operation for IE when the user launches IE that will
send them to the Database every 90 days but of course not send the
entire population there at once.  So I am thinking a field within the
personnel database that will be a timestamp.  Now can I have our
homepage run a script in the background that checks this field to see if
the timestamp is greater than 90 days?  And then if it is, redirect them
to the database website?

Sounds better than dealing with login scripts and schema changes.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah locking the account because they haven't read the doc yet seems a
little counter productive but if it is that important... Go for it.
Just warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert
their manager later if they haven't complied. If you want to get fancy
you could even have a compliance reporting mechanism to put pressure on
the managers.
Reports go to the CEO showing compliance in percentages of the whole
company at any given time (say monthly) and also percentages by division
or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of
in AD. Don't have to extend the AD Schema then but can use the AD
scripting knowledge you have. Obviously it could go into SQL Server as
well but that seems a bit expensive for this. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you setup the attribute (search for extending schema in AD).


I wouldn't have the website do this based on authentication.  You want
to be sure they read it, so you would want to treat it like you do with
other agreements i.e. EULA agreements and have the OK navigation button
disabled unless and until they click 'I Agree' 


As for notification, use email and bug the crud out of them.  Or bug
their manager if they don't respond in x amount of days. I see the .mil
in the addr, which tells me you likely have managers that don't like to
be bothered with this kind of piddly stuff.  :)

As for whether or not to update in AD, I'm not one to agree so easily
that adding a custom attribute or even using an existing one is so worth
it. I suppose it depends and there are many pros and cons both directions
I'm sure.  I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the
attribute using the credentials provided.  For the sake of
tamper-resistance, I would guess that you would want to make this a
restricted attribute field. You may additionally want to lock out or
disable their account until they read this if it's that important.
Makes me wonder how they'll get to the page if they're locked out, but


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD.  I am assuming
that I need to use ADSI or similar tool to create this Custom Attribute.


Once the attribute is there, I would need to configure Active X script
or something that will update this attribute when the user authenticates
to the website correct?   Do I need the web services account to run this
script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-

RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

2005-05-04 Thread Al Mulnick
My apologies for the demotional insinuation.

While there are plenty of ways to shoot my foot off, I'd appreciate
reducing that number.  Is this something we should revise in one of the
two docs at least for posterity?  Do you know who wrote the docs that
disagree and can you drop a note? 

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 12:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't
cheapen my job, I can close the door too.

I didn't proofread the Running DCs in a Virtual Server 2005 doc.  I
happen to know that it doesn't insist on turning off the host system's
disk cache, so _I_ won't be debugging a confluence of lost flushes or
USN rollbacks in that environment.

The KB was written earlier than the DCs on VirtServer2005 doc.  I
personally like the KB as it is, but obviously as you point out they're
incongruous.

Keep in mind there are plenty of ways to shoot yourself in the foot,
with VPCs ... all based off the idea of improper backup/restore/imaging
of AD data ... things that come off the top of my head:

 - diff disks could very easily be deadly,
 - and in the cases of VPCs, when a VPC is shutdown, even xcopy (on the
host system) is then a deadly piece of "imaging" type software.
 - the same thing even applies outside of VPCs, just a DC in DSRM, has
an unprotected DIT and log files, copying those out, and then back
in later, would qualify as something that can cause USN rollback.

Cheers,
-BrettSh [msft] 

Building 7 Garage Door Operator ... ostensibly the Garage Door Operator
with the most knowledge of the ESE and AD database internals ...


On Wed, 4 May 2005, Al Mulnick wrote:

> Interesting, Mr Garage Door Opener.  Perhaps some rewording is needed 
> to make this and these other docs consistent?  Or am I reading into this?
> 
> 
> "The following operations are not supported: 
> ...2. Starting an Active Directory domain controller whose operating 
> system resides in a virtualized hosting environment such as Microsoft 
> Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE "
> 
> http://www.support.microsoft.com/kb/897614/
> 
> 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en
> 
> 
> I'm just so confused.  ;)
> 
> -ajm
> 
> "Chief, Cook, and Bottle-Washer"
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 6:30 AM
> To: ActiveDir@mail.activedir.org
> Cc: Joseph L. Casale
> Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
> 
> "That is soo not right." (Mean Girls movie reference, at Halloween
> party)
> 
> You should take a look at this:
> http://support.microsoft.com/?kbid=885875
> 
> I sincerely hope you don't have USN rollback or divergent replicas, 
> but I think it is likely if you are actually imaging dcpromo'd DCs.
> 
> Just curious, for imaging what are you using?  Ghost?  Are you just 
> restoring images?  Are you using the images to build additional DCs 
> for load?
> 
> 
> Win2k3 SP1 and a hot fix post Win2k SP4 will in fact stop DCs from
> replicating if it detects such a condition (but it is not always 
> guaranteed it will be able to detect the condition), to attempt to 
> contain the damage.
> 
> Also note, b/c I'm not sure the KB is clear about divergent replicas ...
> just because things are replicating currently, or there are no 
> apparent current USN rollbacks ... does NOT mean you weren't once in 
> the past afflicted with USN rollback, and now you've gotten past it, 
> and instead are simply afflicted with divergent replicas (worse than 
> USN rollback in ways).  You might try to use (_I think_) dsastat to 
> run through all the objects on your DCs in a pair-wise fashion to find
> differences.
> 
> Cheers,
> Brett Shirley [msft]
> Building 7 Garage Door Operator, so what do I know ...
> 
> This posting is provided "AS IS" with no warranties, and confers no 
> rights.
> 
> 
> On Tue, 3 May 2005, Joseph L. Casale wrote:
> 
> > Errr, I do it always, always, ALWAYS, and it works? AD has 
> > mechanisms built in to get it back up to par...
> > jlc
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett 
> > Shirley
> > Sent: Tuesday, May 03, 2005 7:08 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> > 
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or 
> > ADAM server.  I don't know about members, just adding knowledge 
> > about DCs, as I don't think I've ever mentioned it here before.
> > 
> > Cheers,
> > -Brett Shirley [msft]
> > 
> > as is, caveat emptor, status quo, etc
> > 
> > 
> > 
> > On Tue, 3 May 2005, Joh

Re: [ActiveDir] Solaris authentication

2005-05-04 Thread Phil Renouf
On 5/4/05, joe <[EMAIL PROTECTED]> wrote: 
> Switched networks help secure the network a little better, it locks down who
> has full access to see all traffic. However if you sniff from the server
> side, you tend to get all sorts of goodies because lots of people are
> connecting to them. 

Although it's worth pointing out that being more secure is not the
main point of a switched network ;) Trying to get access to mirror
ports is another great reason to make sure you have a very good
relationship with your network department, but if all else fails the
hub thing is easier (if you can afford to unplug your server and plug
it into a hub).

Phil
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread Eric Fleischman
If I could ask what might be the obvious, from a security perspective….

If you have a policy out there resetting the local admin password, how are you storing the new password in the script? Hopefully you have something very clever in place, else I can get the local admin password out of your policy in so many ways:

1. If you didn’t consider this at all, I bet the policy is ACLd with AU having read, so I can just read it out with notepad.
2. If you were clever enough to acl the policy so that only the machine accounts can read it, I could own a machine (perhaps I already do….perhaps I am in the local admins group on one of the boxes, because it is _my machine_) and just open the policy while impersonating the machine. Or get the machine to do it for me (since I own it, I can make it do my bidding).

And if you haven’t taken precautions, you should assume local admin on any machine with this password is local admin on them all. For it only takes one bad apple to spoil the whole bushel.

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 11:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Thanks Darren-

I ran the gpotool as you suggested.  As part of the output I am told:

Error: ServerName1 - Servername2 sysvol mismatch

AND

DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2

All of the functionality versions are 2.

Thanks,

Brenda


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-

This usually means that the client is looking at the GPO's version number and it is showing up as 0 for computer revisions (in other words, it doesn't think any computer policy has been set in that GPO). Run gpotool.exe (from Win2K reskit or part of XP and 2003) against your DCs and see if any of them show a revision number of 0 for the computer side of the GPO containing your script. This could still mean that you have some issues with sysvol replication. Essentially, there is a file called gpt.ini that is stored with the GPO in sysvol on each DC. This file contains a version number that lists how many changes were made to the computer and user sides of a GPO. That version should be the same as the version of that GPO held on the versionNumber attribute of the GPC object in AD. If there are discrepancies, then gpotool will tell you.

Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any servers, however, now when I run gpresult I am told that my gpo was not applied because it is empty.  I can manually open the GPO and see my startup script is there.

Thanks,

Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator password on specific machines as part of my group policy.  These computers are part of a group, I have applied the policy to this group, and set the security permissions appropriately.  When I run gpupdate on the pc, I get no error in the Event log, but when I restart the machine, the administrator account password has not been changed.

I have run replmon.exe and have found that 1 dc (out of 30) is not replicating, as it is out of hard drive space on c:.  Could 1 out of 30 dc's be causing the problem, or is there something else I am missing?  How long should it take, before the policy takes effect?

Thanks,

Brenda
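
Darren's explanation of gpt.ini versus the GPC versionNumber, applied to the kind of gpotool output Brenda posted, as an added Python example that is not from the thread and is not gpotool's own code: it splits the 32-bit version into its user (high word) and computer (low word) counters and reports the same kinds of mismatch gpotool flags (DS vs. SYSVOL, and DC vs. DC). The DC names and gpt.ini bodies below are constructed.

```python
from __future__ import annotations

import configparser
from dataclasses import dataclass


@dataclass(frozen=True)
class GpoVersion:
    """The two change counters packed into one 32-bit GPO version."""
    user: int
    computer: int

    @classmethod
    def from_int(cls, value: int) -> GpoVersion:
        # Low word = computer-side revision, high word = user-side revision.
        if not 0 <= value <= 0xFFFFFFFF:
            raise ValueError(f"version out of range: {value}")
        return cls(user=value >> 16, computer=value & 0xFFFF)

    def to_int(self) -> int:
        return (self.user << 16) | self.computer

    def __str__(self) -> str:
        return f"{self.user}(user) {self.computer}(machine)"


def parse_gpt_ini(text: str) -> GpoVersion:
    """Parse the Version= value from the body of a gpt.ini file."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return GpoVersion.from_int(cp.getint("General", "Version"))


def check_gpo(ds_version: int, sysvol_gpt_ini: dict[str, str]) -> list[str]:
    """Compare the AD versionNumber with gpt.ini on every DC.

    ds_version:      versionNumber attribute of the GPC object in AD.
    sysvol_gpt_ini:  DC name -> gpt.ini body as replicated to that DC's SYSVOL.
    Returns a list of findings; an empty list means everything is consistent.
    """
    findings: list[str] = []
    ds = GpoVersion.from_int(ds_version)
    # A computer counter of 0 is exactly the "GPO is empty" symptom in the thread.
    if ds.computer == 0:
        findings.append("DS computer version is 0: clients treat the computer side as empty")

    per_dc = {dc: parse_gpt_ini(body) for dc, body in sysvol_gpt_ini.items()}
    for dc in sorted(per_dc):
        if per_dc[dc] != ds:
            findings.append(f"{dc}: sysvol version {per_dc[dc]} != DS version {ds}")

    # Every DC must also agree with every other DC (SYSVOL replication lag).
    dcs = sorted(per_dc)
    for i, a in enumerate(dcs):
        for b in dcs[i + 1:]:
            if per_dc[a] != per_dc[b]:
                findings.append(f"{a} - {b} sysvol mismatch")
    return findings


# Constructed sample: AD and Server1 agree (37 computer-side changes, no
# user-side changes); Server2's SYSVOL copy lags one change behind.
SAMPLE_DS_VERSION = 37
SAMPLE_GPT_INI = {
    "Server1": "[General]\r\nVersion=37\r\n",
    "Server2": "[General]\r\nVersion=36\r\n",
}


def demo() -> list[str]:
    return check_gpo(SAMPLE_DS_VERSION, SAMPLE_GPT_INI)


if __name__ == "__main__":
    for line in demo() or ["all DCs consistent with AD"]:
        print(line)
```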

RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Eric Fleischman
I know I said it earlier, but I’ll say it again here…..Solaris 9/10 have (I’m told) a much nicer Kerberos client that is very AD savvy. So if you’re using one of them, you might be getting a lot of advice for a well baked scenario that Sun was kind enough to try out for you already.

I can find out a bit more if you have no idea what I’m talking about, I just don’t remember off hand.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Ignore this. I just did a little FAQ reading, and it looks like this is by design on a switched network.

___

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can’t sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don’t like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn’t know that it was the password (since it was my telnet connection), I would have never known that those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al……. 1. FREE    2. Add little complexity"

These two are sometimes [1] not complementary to one another.  Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication!  Agghhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion.  In other words, you can capture traffic to and from the server itself and that's about it.  SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred.  Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for.  In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others.  You do want to also check the destination port that the client is sending traffic to.  That may indicate if it's even trying to use some sort of secure traffic mechanism.  If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often would be a better term here. Kerberos is not simple when you get beyond one or two machines.  Even then, it takes a bit of work.  That work typically has a cost associated with it.  That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the
RE: [ActiveDir] Account activation and password setting using PHP/LDAPS

2005-05-04 Thread Eric Fleischman
More generally, AD doesn't care who the client is, it only cares that
the client can play by the rules... LDAPv2/3, for password ops a secure
LDAP connection, etc. In fact, there isn't really a good way for AD to
know what OS/client side LDAP API/etc. a given LDAP client is running.
We just service requests as they come to us.

So as long as you can talk LDAPS to us, doing such an operation from a
Windows system or a !Windows system should be very much the same.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, May 04, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Account activation and password setting using
PHP/LDAPS

Start here

http://support.microsoft.com/Default.aspx?kbid=269190


Short form. Yeah it should be possible. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Wednesday, May 04, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account activation and password setting using
PHP/LDAPS

Hello everybody

Our windows 2003 server is configured with LDAPS (port 636).
I would like to know if it's possible to set an account password and
activate the account from another server using PHP (apache/redhat).

I read that it's not possible to activate an account in this way.

What do you know about this?
Many thanks

Olivier



RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Al Mulnick
Did you see Joe's later post about the hub?  Switches often will not show you the data of other machines using different ports unless configured otherwise. That's an advantage of a switch.

There are ways to configure switches to allow network capture.  The alcatel way was posted earlier in the thread.  Other vendors have data about the process for their particular hardware.  You'll have to check with that for the blow by blow.

Al



RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Free, Bob

You have to have them on a simple hub or configure the mirror port(s) on the switch they are connected to.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things….along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn’t do it, or I just don’t know how to use the thing (which I am about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can’t seem to find)?

As far as REQs Al……. 1. FREE    2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.
 
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Al 
MulnickS

RE: [ActiveDir] Solaris authentication

2005-05-04 Thread joe

Are you on a switched network?

If so, you can see packets on a switched network like that. That is why someone previously mentioned mirror port on the switch. I say forget the mirror port (the network people tend to not let you have that access for good reason) and just hook up a hub and run both your machines through the hub and then hook to the switch with the uplink.

Switched networks help secure the network a little better, it locks down who has full access to see all traffic. However if you sniff from the server side, you tend to get all sorts of goodies because lots of people are connecting to them.

  joe


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. 
LongSent: Wednesday, May 04, 2005 2:05 PMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Solaris 
authentication


Getting more used to 
this Ethereal thing now. Found a cool little article that helped out a bit. Now 
I am trying to figure out why I can’t sniff the packets of another machine on 
the same subnet as me (I thought that was the point of promiscuous mode). I have 
it set to promiscuous mode, and it still sees nothing. I am just trying to get 
some ammo for persuade management that we really need to get a tool that uses 
ssh instead of telnet for one of our applications. Any 
ideas?
 
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Douglas M. 
LongSent: Wednesday, May 04, 
2005 11:20 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Solaris 
authentication
 
I totally agree with 
the time cost of the issue, and am at least looking into the cost before I throw 
the idea out the window. And I also agree with the ldap bind scenario. I just 
don’t like it. 
 
Just saw my first 
password in ethereal (over a telnet connection), but am now reading up on how to 
customize the view (filters) to show me that more easily. If I didn’t know that 
it was the password (since it was my telnet connection), I would have never 
known that those letters where my password. I will also take a look at 
netmon
 
Thanks for your 
comments all
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of Al 
MulnickSent: Wednesday, May 
04, 2005 9:21 AMTo: 
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Solaris 
authentication
 
Two things:
 
"As far as REQs Al……. 1. FREE    2. Add little complexity"

 

These two are sometimes [1] not complementary to one another.  Consider the cost 
of your time and troubleshooting efforts when you say this. I read Joe's 
response later in the thread and he's absolutely correct that a) this idea of 
using a static DN to bind sux rocks and b) LDAP bind by itself is not 
authentication!  Agghhh.
 
There, I feel better about that. :)
 
As for the network trace, your servers come with netmon by default which you 
can use to capture network traces in a limited fashion.  In other words, you 
can capture traffic to and from the server itself and that's about it.  SMS 
comes with a more full featured network trace utility. There's also Ethereal 
and a host of other products that are free and downloadable, but Ethereal and 
Netmon tend to be my preferred.  Critter of habit I guess.
 
To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 
will give some information about the product and what it's for.  In your case, 
you'd want to look at the traffic coming from the other hosts (Sun) that is 
using an LDAP bind and basically if you can read the traffic, so can others.  
You do want to also check the destination port that the client is sending 
traffic to.  That may indicate if it's even trying to use some sort of secure 
traffic mechanism.  If its destination is tcp 389, then the data protection 
would need to be handled at a different layer such as TLS or IPSec type of 
protection. 

 

-ajm
 
[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often 
would be a better term here. Kerberos is not simple when you get beyond one or 
two machines.  Even then, it takes a bit of work.  That work typically has a 
cost associated with it.  That cost/benefit analysis might make it worth it to 
use a commercial product aimed at this problem vs. rolling your own solution.

 

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
I may sound like an idiot, but you guys are always talking about tracing stuff 
on the network to see if it is in plain text, and I have no clue how to do it. 
This is something I would really like to know how to do (as I think it would 
really help me understand some things….along with lessen the load of me asking 
these questions to you guys :)). I have tried using ethereal to do this, but 
either it doesn’t do it, or I just don’t know how to use the thing 
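Al's point above, that an LDAP simple bind to tcp/389 without TLS or IPsec puts the credential on the wire for anyone who can read the traffic, is easy to see in the protocol itself. The following is an added example, not code from the list post or from any of the products mentioned: it encodes a BindRequest (RFC 4511 section 4.2) for a constructed service-account DN and password, decodes it the way a trace tool would, and classifies the bind as exposed or protected. The decoder deliberately reports only the length of the credential, not its value, which is all a detection rule needs.

```python
"""Inspect an LDAP BindRequest taken from a TCP payload and report whether the
credential travelled unprotected.  Added example (not from the list post); the
DN and password used for the sample message are constructed."""
from typing import Optional


def ber_len(n: int) -> bytes:
    """BER definite-form length: one byte below 128, else 0x8N + N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } };
    used here only to construct the sample payload."""
    bind = tlv(0x02, bytes([3]))            # version INTEGER 3
    bind += tlv(0x04, dn.encode())          # name LDAPDN (OCTET STRING)
    bind += tlv(0x80, password.encode())    # authentication: simple [0]
    body = tlv(0x02, bytes([msg_id])) + tlv(0x60, bind)   # [APPLICATION 0]
    return tlv(0x30, body)                  # outer SEQUENCE


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long form: N following length bytes
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_bind(payload: bytes) -> Optional[dict]:
    """Decode a BindRequest; returns None for any other LDAP operation.
    The credential bytes are not returned, only their length."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        return None
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x60:                         # not [APPLICATION 0] BindRequest
        return None
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": version[0],
        "dn": name.decode(),
        "auth": "simple" if auth_tag == 0x80 else "sasl",
        "credential_len": len(cred),
    }


def assess(dst_port: int, transport_protected: bool, payload: bytes) -> str:
    """transport_protected means LDAPS, a negotiated StartTLS, or IPsec on the path."""
    info = parse_bind(payload)
    if info is None:
        return "not a bind request"
    if info["auth"] == "simple" and not transport_protected:
        return (f"EXPOSED: simple bind for {info['dn']} on tcp/{dst_port} "
                f"carries a {info['credential_len']}-byte cleartext credential")
    return f"OK: {info['auth']} bind for {info['dn']} on tcp/{dst_port}"


# Constructed sample: a service account binding with a fixed DN and password.
SAMPLE_BIND = build_simple_bind(1, "cn=svc-ldap,ou=service,dc=example,dc=com", "Passw0rd!")

if __name__ == "__main__":
    print(assess(389, False, SAMPLE_BIND))
    print(assess(636, True, SAMPLE_BIND))
```

The same classification applies to the static-DN bind Joe objected to: a bind that succeeds only proves the DN and password matched, and if it ran over plain tcp/389 the proof went past every host on the path.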

RE: [ActiveDir] best practice?

2005-05-04 Thread joe
I'm not Brett[1] but wanted to just say something really quick here. 

Well a couple of things actually.

1. When it comes to AD Database consistency and replication. Brett is
someone I would tend to listen to very carefully. I may not understand what
he is trying to say but I will try like heck to understand it. Rough around
the edges though he may be, he knows a lot about the guts of the AD DB and
Replication. Keep in mind he wrote some of the most "brilliant" parts of
repadmin[2]. 

2. When you image and recover the image you are bypassing any and all logic
associated with a directory DB recovery, i.e. you aren't restoring the
database through the very specific DS Backup/Restore API so you don't get
the cool things that it does like renaming the Database GUID aka invocation
ID which effectively tells all of the other partners there is a "different"
database out here that needs to be fully updated. 

I haven't fully thought out the implications of that but one thing right off
the bat is the thought that all DCs maintain high water vectors for all
databases so they know where they are at for replication. This isn't just
kept on the DC in question, this is kept all over so I could see serious
possibilities of issues there. Additionally think of a change that mastered
on that database and replicated out. How do you get it back if the DB is
rolled back and all of the other DCs already think that DB has that info
since it was mastered there?

You get ~Eric, Dean, and Brett thinking about it and I expect you could find
all sorts of horrible things that this can do to you. 

I think the idea that a DC can be restored from an image like that because
it is "sort" of like restoring the DB is flawed at the very best. You don't
have a full comprehension of what is being done in the backend to support
that restore. If it were that simple, why do you need a backup api at all?
Mirror the DIT and zip it and there is your backup... It doesn't work that
way.

As Brett indicated... Bad mojo... Heck I will go further, positively evil.
You could damage your AD in ways that you (and it) have no clue about and
only later run into it when you are trying to figure out niggling
consistency issues in applications that act odd some of the time. 


   joe



[1] And I couldn't play him on TV either, Brett stores a good portion of his
height in his hair and I store mine in my legs. 

[2] His words when I met him in person at an MVP summit. He was quite
excited to talk about that portion of the code...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Bahta Nathaniel V
Contr NASIC/SCNA
Sent: Wednesday, May 04, 2005 1:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

Brett,

What is your basis for not being able to restore a DC from an image?  If the
DC has an old copy of the directory data, it will check its USNs and update
its copy.  What could cause havoc, if anything?  We are about to institute
this very same concept here to turn DR into a 10 minute process when it
comes to operating system recovery.  We will image the servers monthly and
restore from said image whenever one crashes.  What could cause a problem by
restoring a DC?  It will be timestamped to be old and AD will synchronize it
with the rest of the domain.  

Please elaborate on your basis for comment.

Nathaniel Bahta

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

jlc,

You can't restore a single DC via an image based backup, either.  It is not
supported, it is not allowed ... it is bad mojo.

Well, it wouldn't cause issues if the forest had ONLY that one DC (seems
unlikely the case), or for a multi-DC forest, you'd have to shut down all the
DCs in the forest at the same time, when you took your backup images.  
And then on restore, restore them all at the same time.  Basically a pretty
infeasible suggestion.

Cheers,
-Brett Shirley [msft]

This posting is provided "AS IS" with no warranties, and confers no rights. 


On Wed, 4 May 2005, Joseph L. Casale wrote:

> Exactly, I do it for DR purposes, the old one dies - I reimage it and 
> put it back out there.
> No problem...
> jlc
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Wednesday, May 04, 2005 7:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> > BUT as for DC's. I do "image" dc's using Symantec Livestate 
> > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I 
> > primarily use for backups. I have not had to recover a server in 
> > production ( and hope I do not have to ) but I have in lab 10+ times
> > and servers are as clean as ever.
> > You should take a look.
> 
> When Brett mentioned imaging DC
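The mechanism joe describes in his point 2 and the following paragraph, that partners keep a watermark per database and that a restore which keeps the old invocation ID leaves those watermarks in place, can be seen in a few dozen lines. The following is an added example, not code from the post and not Microsoft's replication engine: it reduces replication to one originating invocation ID plus USN per change and one high-watermark per originating database on each partner, with constructed DC names and attribute values. Everything else about AD replication (up-to-dateness vectors, version numbers, conflict resolution) is left out, so the only conclusion to draw is the one joe draws: after an image restore the partner's watermark already exceeds the USNs the restored DC will reuse, and its new writes are never requested.

```python
"""Why image-restoring a DC hides its later changes from replication partners.
Added example: a simplified model of invocation-ID/USN watermarks, not the
real replication engine.  DC names and values are constructed."""
import uuid
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Change:
    originating_invocation: str   # identity of the database that mastered the change
    originating_usn: int          # that database's USN when the change was made
    attribute: str
    value: str


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.invocation_id = str(uuid.uuid4())
        self.usn = 0
        self.changes: List[Change] = []
        # Highest USN already received, keyed by originating invocation ID.
        self.watermarks: Dict[str, int] = {}

    def write(self, attribute: str, value: str) -> Change:
        self.usn += 1
        change = Change(self.invocation_id, self.usn, attribute, value)
        self.changes.append(change)
        return change

    def snapshot(self):
        """What a disk image captures: database identity, USN counter, contents."""
        return (self.invocation_id, self.usn, list(self.changes))

    def restore_from_image(self, snap) -> None:
        """Bypasses the DS restore API: same invocation ID, USN counter rewound."""
        self.invocation_id = snap[0]
        self.usn = snap[1]
        self.changes = list(snap[2])

    def restore_supported(self, snap) -> None:
        """Supported restore: the restored database gets a new invocation ID, so
        partners hold no watermark for it and request its writes from USN 1."""
        self.usn = snap[1]
        self.changes = list(snap[2])
        self.invocation_id = str(uuid.uuid4())

    def pull_from(self, source: "DomainController") -> int:
        """Ask the source for every change above our watermark for its origin."""
        received = 0
        for change in source.changes:
            if change.originating_invocation == self.invocation_id:
                continue                       # we mastered it ourselves
            seen = self.watermarks.get(change.originating_invocation, 0)
            if change.originating_usn > seen:
                self.changes.append(change)
                self.watermarks[change.originating_invocation] = max(seen, change.originating_usn)
                received += 1
        return received


def simulate(restore_via_image: bool) -> dict:
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("description", "v1")
    image = dc1.snapshot()                 # image taken while DC1 sits at USN 1
    dc1.write("description", "v2")
    dc1.write("description", "v3")
    dc2.pull_from(dc1)                     # DC2's watermark for DC1's database is now 3
    if restore_via_image:
        dc1.restore_from_image(image)
    else:
        dc1.restore_supported(image)
    dc1.write("description", "after-restore")   # DC1 hands out USN 2 a second time
    received = dc2.pull_from(dc1)
    return {
        "received_after_restore": received,
        "partner_has_post_restore_change": any(c.value == "after-restore" for c in dc2.changes),
        "partner_watermark_for_dc1": dc2.watermarks.get(dc1.invocation_id, 0),
    }


if __name__ == "__main__":
    print("image restore:    ", simulate(True))
    print("supported restore:", simulate(False))
```

In the image case the post-restore write is USN 2 under the old invocation ID, DC2 believes it already has everything up to USN 3 from that database, and nothing is requested. In the supported case the same write arrives under a fresh invocation ID and replicates normally.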

RE: [ActiveDir] best practice?

2005-05-04 Thread Alex Fontana








It sounds like the question is:

What is the proper method for adding a new machine (new image, reimage, whatever) 
to the domain using a NetBIOS name that already exists in the domain?

Reset the machine account and then add the new machine (what Jorge said).  In a 
single site you should have no issues.

-alex









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, May 04, 2005 7:07 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?



 

Maybe you should explain a bit more as I still do not understand what you want 
to achieve!

You have said: "The reason for reimage is for new departmental standards ( look 
and feel ). " --> this sounds like creating a new configuration and image

You have said: "you want to re-image pc's that are domain members. You want to 
immediately rejoin domain using same name."

Explain why you want to re-image the EXISTING PCs and rejoin them. How are you 
thinking to get the new look and feel by doing this?

#JORGE#

 

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 15:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?



You stated:

* When distributing restore the image SYSPREP runs Enter a computername (if it 
is an existing previous computername reset the computer account in AD), join 
to domain et voila

Computer names will be existing. My original question was do I remove from 
domain then image and rejoin, or image and reset account. 

Are you saying to image, reset account then rejoin, and will this work given 
the site structure?





- Original Message - 
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 9:10 AM
Subject: RE: [ActiveDir] best practice?







 



> OK, let me rephrase that... "don't even think cloning DCs or backing up DCs
> using tools similar to ghost THAT ARE NOT AD AWARE in production
> environments (at least ghost versions 8 and lower are not AD aware... Not
> sure if ghost 9 is AD aware)
> 
> New departmental standards... So you want to create a new image to
> "distribute" to the current HW?
> 
> * Choose one hardware model to create the image
> * Install the OS and configure accordingly
> * Add drivers for the other HW models you have in your ORG
> * Use the Deployment tools (especially SYSPREP)
> * Create an image of the configuration while it is not joined to the domain
> * When distributing restore the image SYSPREP runs Enter a
> computername (if it is an existing previous computername reset the computer
> account in AD), join to domain et voila
> 
> The quick and dirty explanation ;-)
> 
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Wednesday, May 04, 2005 14:50
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> I was talking about pc's. The reason for reimage is for new departmental
> standards ( look and feel ). I do not have luxury of SMS. Yes, same domain,
> same hardware, same name, just new image. I am having issues with removing,
> pushing new image and rejoining. Some seem to work and others are coming up
> disabled?? Just wanted to ask if anyone is familiar or knows better way.
> 
> BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery (
> formerly PowerQuest V2i ). It works wonderfully. I primarily use for
> backups. I have not had to recover a server in production ( and hope I do
> not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.
> 
> - Original Message -
> From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, May 04, 2005 2:55 AM
> Subject: RE: [ActiveDir] best practice?
> 
> 
> > In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is
> > talking about DCs I agree with Brett -> don't image DCs... Don't even
> > think about it!
> >
> > Concerning imaging DOMAIN MEMBERS and rejoining...
> > I'm not sure what you want to achieve...why do you want to rejoin the
> > computers? Same domain? Other domain? Same HW, Other HW?
> >
> > Cheers,
> > #JORGE#
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Wednesday, May 04, 2005 03:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> >
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> > server.  I don't know about members, just adding knowledge about DCs, as I
> > don't think I've ever mentioned it here before.
> >
> > Cheers,
> > -Brett Shirley [msft]
> >
> > as is, caveat emptor, status quo, etc
> >
> >
> >
> > On Tue, 3 May 2005, John Shukovsky Jr wrote:
> >

Re: [ActiveDir] best practice?

2005-05-04 Thread John Shukovsky Jr
That would take considerably longer in my environment. You would have to
clean metadata if the server was to come back up with the same name (that's a
minimum 3 hour and maximum 6 hour wait ). Build server. Restore data. DCPromo.
Reconfigure shares.

With
- Original Message - 
From: "Phil Renouf" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 10:00 AM
Subject: Re: [ActiveDir] best practice?


On 5/4/05, Joseph L. Casale <[EMAIL PROTECTED]> wrote:
> Exactly, I do it for DR purposes, the old one dies - I reimage it and
> put it back out there.
> No poblem...
> jlc

For DR I would prefer to have an Automated Build that would build the
server then DCPromo it back up and allow it to replicate. This doesn't
take much longer, doesn't require any extra user intervention than a
reimaging and is a far better option I think.

Phil
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/





RE: [ActiveDir] Solaris authentication

2005-05-04 Thread joe
I agree with Al, usually one of the reasons you buy 
something is so that you can get away from some level of complexity or knowledge 
of the topic. 
 
Building your own setup may seem "Free" but you obviously have all of the 
people time, and your level of support is completely self controlled. 
 
I know of a company that spent over 2 years trying to properly kerberize their 
*nix clients/hosts and ran into issue after issue after issue due to the 
multi-realm environment alone. Next on the plate was trying to manage all of 
the different kerb packages for the different platforms, and they were simply 
working with HPUX (multiple revs) and Solaris (multiple revs); they never got 
to working on the packages for RH, SUSE, AIX, and others they would need. 
 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:
 
"As far as REQs Al……. 1. FREE    2. Add little complexity"
 
These two are sometimes [1] not complementary to one another.  Consider the cost 
of your time and troubleshooting efforts when you say this. I read Joe's 
response later in the thread and he's absolutely correct that a) this idea of 
using a static DN to bind sux rocks and b) LDAP bind by itself is not 
authentication!  Agghhh.
 
There, I feel better about that. :)
 
As for the network trace, your servers come with netmon by default which you 
can use to capture network traces in a limited fashion.  In other words, you 
can capture traffic to and from the server itself and that's about it.  SMS 
comes with a more full featured network trace utility. There's also Ethereal 
and a host of other products that are free and downloadable, but Ethereal and 
Netmon tend to be my preferred.  Critter of habit I guess.
 
To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 
will give some information about the product and what it's for.  In your case, 
you'd want to look at the traffic coming from the other hosts (Sun) that is 
using an LDAP bind and basically if you can read the traffic, so can others.  
You do want to also check the destination port that the client is sending 
traffic to.  That may indicate if it's even trying to use some sort of secure 
traffic mechanism.  If its destination is tcp 389, then the data protection 
would need to be handled at a different layer such as TLS or IPSec type of 
protection. 
 
-ajm
 
[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often 
would be a better term here. Kerberos is not simple when you get beyond one or 
two machines.  Even then, it takes a bit of work.  That work typically has a 
cost associated with it.  That cost/benefit analysis might make it worth it to 
use a commercial product aimed at this problem vs. rolling your own solution.
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication


I may sound like an idiot, but you guys are always talking about tracing stuff 
on the network to see if it is in plain text, and I have no clue how to do it. 
This is something I would really like to know how to do (as I think it would 
really help me understand some things….along with lessen the load of me asking 
these questions to you guys :)). I have tried using ethereal to do this, but 
either it doesn’t do it, or I just don’t know how to use the thing (which I am 
about 99% positive is the problem). 
 
Do any of you have the quick and dirty steps to do this? Or a link to a good 
tutorial (which I can’t seem to find)?
 
As far as REQs Al……. 1. FREE    2. Add little complexity
 
Looks like I will either just use SFU, or keep the user repositories separate. 
I was just hoping that something free had come along since the last time that 
I looked that was worth doing. 
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
The directions you 
reference on the sunone site make it look to me like it's an LDAP bind.  
Best way to know for sure would be to trace it on the network to see what is 
passed.  If ldap bind, be sure to use some sort of encryption such as SSL. 

 
I'm curious what the 
requirement here is?  If just to allow solaris to authenticate via kerb 
with AD and allow AD users to login to solaris workstations, have you considered 
a product such as Centrify?  www.centrify.com
 
Far cry better and 
easier to implement. 
 
I'm interested in 
hearing what the requirements are though. The docs you referenced indicate a 
configuration that would be a PITA to manage in terms of reliability and effort 
IMHO. 
 
Al
 

RE: [ActiveDir] How to make a user member of Built in Administrat or group

2005-05-04 Thread joe
Yep, just be careful, you can get into fun situations since that information
has two replication channels, through GPOs and through AD replication. I
have seen more than one occasion where an out of sync GPO causes a group
membership to bounce back and forth between what the old GPO says and the
new GPO says and in the meanwhile that membership replicating back and forth
across the domain.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, May 04, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to make a user member of Built in Administrat
or group


You can use Restricted groups on the Built-In Administrator group? I always
thought that was intended for the local groups on member servers/desktops
never really thought to see if it applied to DCs as well.

Phil



RE: [ActiveDir] My network sites and GPO

2005-05-04 Thread joe



You want to remove shared folders or network drives? I 
think you want to remove network drives...
 
Put this in the logon script
 
 
net use * /delete /y
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Wednesday, May 04, 2005 3:19 AM
To: Lista ActiveDirectory (ActiveDir@mail.activedir.org)
Subject: [ActiveDir] My network sites and GPO


Hello, is it possible to configure "My network sites" for different users? For 
example, that in "My network sites" different shared folders appear for 
different users; also, could I remove all shared folders at the beginning of a 
script...? The reason for this is that there aren't enough letters to map 
network drives to do something with our users. Is this possible with a GPO? 
We have in the company a W2000 server as a Domain Controller. 
Thanks, 
Sergio S. T.
 


RE: [ActiveDir] Solaris authentication

2005-05-04 Thread joe



An alternative is to slap the machine you are curious about 
onto a hub with your sniffing device. In fact my test machines tend to live on 
hubs specifically so I can do that. 
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, May 04, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Solaris authentication

Douglas
 
You have to configure your switch so that the port that your monitoring box is 
connected to receives all the packets that interest you. In the Alcatel switch 
we have this is called mirroring. You probably will need to do this before you 
can start sniffing as otherwise you will only see packets directed towards 
your NIC. I believe it is no longer necessary to put your NIC in promiscuous 
mode as Ethereal (or others..) will do this when you set it up. 
 


RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Douglas M. Long
Ignore this. I just did a little FAQ
reading, and it looks like this is by design on a switched network. 

 




___

Getting more used to this Ethereal thing now. Found a cool little article that
helped out a bit. Now I am trying to figure out why I can’t sniff the packets
of another machine on the same subnet as me (I thought that was the point of
promiscuous mode). I have it set to promiscuous mode, and it still sees
nothing. I am just trying to get some ammo to persuade management that we
really need to get a tool that uses ssh instead of telnet for one of our
applications. Any ideas?

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication



 

I totally agree with the time cost of the issue, and am at least looking into
the cost before I throw the idea out the window. And I also agree with the
ldap bind scenario. I just don’t like it. 

Just saw my first password in ethereal (over a telnet connection), but am now
reading up on how to customize the view (filters) to show me that more easily.
If I didn’t know that it was the password (since it was my telnet connection),
I would have never known that those letters were my password. I will also
take a look at netmon.

 

Thanks for your comments all

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication



 

Two things:

"As far as REQs Al……. 1. FREE    2. Add little complexity"



 





These two are sometimes [1] not complementary to one another.  Consider the
cost of your time and troubleshooting efforts when you say this. I read Joe's
response later in the thread and he's absolutely correct that a) this idea of
using a static DN to bind sux rocks and b) LDAP bind by itself is not
authentication!  Agghhh.





 





There, I feel better about that. :)





 





 





As for the network trace, your servers
come with netmon by default which you can use to capture network traces in a
limited fashion.  In other words, you can capture traffic to and from the
server itself and that's about it.  SMS comes with a more full featured
network trace utility. There's also Ethereal and a host of other products
that are free and downloadable, but Ethereal and Netmon tend to be my
preferred.  Critter of habit I guess.





 





To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will
give some information about the product and what it's for.  In your case,
you'd want to look at the traffic coming from the other hosts (Sun) that is
using an LDAP bind and basically if you can read the traffic, so can
others.  You do want to also check the destination port that the client is
sending traffic to.  That may indicate if it's even trying to use some
sort of secure traffic mechanism.  If its destination is tcp 389, then
the data protection would need to be handled at a different layer such as TLS
or IPSec type of protection. 





 





-ajm





 





[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.  Often
would be a better term here. Kerberos is not simple when you get beyond one or
two machines.  Even then, it takes a bit of work.  That work typically has a
cost associated with it.  That cost/benefit analysis might make it worth it
to use a commercial product aimed at this problem vs. rolling your own
solution.





 





 





 





 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff
on the network to see if it is in plain text, and I have no clue how to do it.
This is something I would really like to know how to do (as I think it would
really help me understand some things….along with lessen the load of me asking
these questions to you guys :)). I have tried using ethereal to do this, but
either it doesn’t do it, or I just don’t know how to use the thing (which I
am about 99% positive is the problem). 

 

Do any of you have the quick and dirty
steps to do this? Or a link to a good tutorial (which I can’t seem to
find)?

 

 

 

As far as REQs Al……. 1.
FREE    2. Add
little complexity

 

 

Looks like I will either just use SFU, or
keep the user repositories separate. I was just hoping that something free had
come along since the last time that I looked that was worth doing. 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE:

RE: [ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread Brenda Casey



Thanks Darren-
I ran the gpotool as you suggested.  As part of the output I am told:

Error:  ServerName1 - Servername2 sysvol mismatch
 
AND
 
DC: Server2
Friendly name: server2
Created: 10/7/2004
Changed: 5-4-2005 5:34 pm
DS Version: 0 37
Sysvol: 0 37
Flags: 0
User extensions: not found
Machine extensions: .
Functionality version: 2
 
All of the functionality versions are 2.  

 
 

Thanks,
Brenda


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Wednesday, May 04, 2005 9:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] GPO not applied - thinks it is empty

Brenda-
This usually means that the client is looking at the GPO's 
version number and it is showing up as 0 for computer revisions (in other words, 
it doesn't think any computer policy has been set in that GPO). Run gpotool.exe 
(from Win2K reskit or part of XP and 2003) against your DCs and see if any of 
them show a revision number of 0 for the computer side of the GPO containing 
your script. This could still mean that you have some issues with sysvol 
replication. Essentially, there is a file called gpt.ini that is stored with the 
GPO in sysvol on each DC. This file contains a version number that lists how 
many changes were made to the computer and user sides of a GPO. That version 
should be the same as the version of that GPO held on the versionNumber 
attribute of the GPC object in AD. If there are discrepancies, then gpotool will 
tell you. 
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any 
servers, however, now when I run gpresult I am told that my gpo was not applied 
because it is empty.  I can manually open the GPO and see my startup script 
is there.
 

Thanks,
Brenda
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator 
password on specific machines as part of my group policy.  These computers 
are part of a group, I have applied the policy to this group, and set the 
security permissions appropriately.  When I run gpupdate on the pc, I get 
no error in the Event log, but when I restart the machine, the administrator 
account password has not been changed.
I have run replmon.exe and have found that 1 dc (out of 30) is not 
replicating, as it is out of hard drive space on c:.  Could 1 out of 30 
dc's be causing the problem, or is there something else I am missing?  How 
long should it take, before the policy takes 
effect?
 

Thanks,
Brenda
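Darren's explanation above (gpt.ini carries a version that must match the versionNumber attribute on the GPC object in AD, with separate counts for the computer and user sides) is the check gpotool performs, and Brenda's output shows what it looks like when one DC's sysvol copy disagrees. The following is an added example, not gpotool's code and not from the thread: it splits a GPO version into its two halves, reads the Version= line of a gpt.ini, and reports the two things gpotool reported here, a DS/sysvol disagreement per DC and a "sysvol mismatch" between DCs. The server names and version values are constructed to resemble Brenda's output; the 16-bit split (low word = computer side, high word = user side) is the documented GPO version layout.

```python
"""Compare a GPO's versionNumber in AD with the Version= value in gpt.ini on
each DC's sysvol.  Added example, not gpotool's code; server names and the
sample gpt.ini contents are constructed."""
import configparser
from typing import Dict, List, Tuple


def split_version(version: int) -> Tuple[int, int]:
    """A GPO version packs two 16-bit counters: low word = computer side,
    high word = user side.  Returns (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def parse_gpt_ini(text: str) -> int:
    """Read the Version= value from a gpt.ini body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])


def check_gpo(gpc_version: int, sysvol_ini: Dict[str, str]) -> List[str]:
    """gpc_version: versionNumber from the GPC object in AD.
    sysvol_ini: gpt.ini text as read from each DC's sysvol, keyed by DC name."""
    findings: List[str] = []
    ds_user, ds_machine = split_version(gpc_version)
    if ds_machine == 0:
        findings.append("computer side version is 0 in AD: clients will treat the "
                        "computer policy as empty")
    sysvol_versions = {dc: parse_gpt_ini(text) for dc, text in sysvol_ini.items()}
    for dc, version in sysvol_versions.items():
        sv_user, sv_machine = split_version(version)
        if (sv_user, sv_machine) != (ds_user, ds_machine):
            findings.append(f"{dc}: sysvol {sv_user}(user) {sv_machine}(machine) "
                            f"!= DS {ds_user}(user) {ds_machine}(machine)")
    # Disagreement between DCs' sysvol copies, which gpotool calls a sysvol mismatch.
    if len(set(sysvol_versions.values())) > 1:
        findings.append("sysvol mismatch: " + ", ".join(
            f"{dc}={v}" for dc, v in sorted(sysvol_versions.items())))
    return findings


# Constructed sample: one DC has replicated the change, the other still holds
# a gpt.ini with version 0 (no computer-side changes recorded).
SAMPLE_INI_DC1 = "[General]\nVersion=37\ndisplayName=Admin password startup script\n"
SAMPLE_INI_DC2 = "[General]\nVersion=0\ndisplayName=Admin password startup script\n"
SAMPLE_GPC_VERSION = 37

if __name__ == "__main__":
    for line in check_gpo(SAMPLE_GPC_VERSION,
                          {"ServerName1": SAMPLE_INI_DC1, "Servername2": SAMPLE_INI_DC2}):
        print(line)
```

A version of 37 reads as user 0, computer 37, which is why a gpotool line of "0 37" is consistent with a GPO that only carries a computer startup script. A DC whose gpt.ini still says 0 will hand clients a GPO they consider empty, which matches the gpresult symptom in the original question.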


RE: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

2005-05-04 Thread Za Vue








Dell GX-270’s have a defective capacitor and are dying all over the world. 
Replace the system board.

-Z.V.

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Clark
Sent: Wednesday, May 04, 2005 12:46 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?



 

Hello all,

Having spent two days poking this problem I am throwing myself on the group's
mercy.  A Windows XP SP1 computer joined to the domain much like its 300
brothers and sisters decides one day that winlogon.exe should take 50%, or
rather 100%, of one of the Dell GX270 hyper-threading virtual processors;
constant high CPU utilization makes the fans ramp up and turns a nice box into
a loud evil box.

With winlogon using all the processor the box shows symptoms of having broken
WINS: no NetBIOS name resolution, cannot find file shares etc., which also
creates event IDs 1030 and 1058 as the group policy objects cannot be found.

Example

Windows cannot access the file gpt.ini for GPO
CN={-0**2-4B**-B3F6-7B*8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**.
The file must be present at the location
<\\ad.***.**.**\SysVol\ad..**.**\Policies\{***-***-***-***-}\gpt.ini>.
(The network path was not found. ). Group Policy processing aborted

While in this confused state the box will also not shut down cleanly and has to
be POPO'd.

The obvious malware lines of investigation have proved fruitless; ad-aware did
find some bits but this has not resolved the problem. The winlogon has been
verified as being in the right location and has not been switched with another
version. The fact that the box is a Dell GX270 with a Gigabit card also made me
think that MS Article 840669, with the group policy not starting due to the
race condition, might have helped, but again zip. Virus protection is installed
and maintained and returns no nasties.

The Intel 1000 gigabit card has had its drivers updated and still nada. I even
disabled the built-in card and installed a 3Com 10 Mb NIC and that exhibited
the same trouble.

The curious thing, and what is driving me absolutely nuts, is that if the
computer is removed from the domain and returned to a workgroup the problem
persists until you change the way users log on and use the welcome screen with
fast user switching; it has to be both using the welcome screen and fast user
switching. This puts the box back on its feet: winlogon behaves and the network
drives can once again be accessed.

We have seen this twice before on separate computers but have not paid it
too much attention; rebuilds of the computers have fixed the problem. As this
is something which keeps raising its ugly head I think I need to try and get a
good handle on it. The fact that there are so many other unaffected boxes makes
me think that it is a software conflict on the client.  What I don't get is why
it can be turned on and off with the fast user switching? If I didn't need the
box to be in AD I would leave it as is with fast user switching enabled and
slip into a dark cave and put this down to gremlins, but that's not an option,
and I am very nervous that more boxes could start playing up too... 

~cheers 

Gary

 








RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Douglas M. Long

Getting more used to this Ethereal thing now. Found a cool little article that helped out a bit. Now I am trying to figure out why I can't sniff the packets of another machine on the same subnet as me (I thought that was the point of promiscuous mode). I have it set to promiscuous mode, and it still sees nothing. I am just trying to get some ammo to persuade management that we really need to get a tool that uses ssh instead of telnet for one of our applications. Any ideas?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Wednesday, May 04, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I totally agree with the time cost of the issue, and am at least looking into the cost before I throw the idea out the window. And I also agree with the ldap bind scenario. I just don't like it.

Just saw my first password in ethereal (over a telnet connection), but am now reading up on how to customize the view (filters) to show me that more easily. If I didn't know that it was the password (since it was my telnet connection), I would have never known that those letters were my password. I will also take a look at netmon.

Thanks for your comments all

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al... 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things... along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al... 1. FREE 2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on
RE: [ActiveDir] Account activation and password setting using PHP/LDAPS

2005-05-04 Thread joe
Start here

http://support.microsoft.com/Default.aspx?kbid=269190


Short form. Yeah it should be possible. 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Olivier Marie
Sent: Wednesday, May 04, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Account activation and password setting using PHP/LDAPS

Hello everybody

Our windows 2003 server is configurated with LDAPS (port 636).
I would like to know if it's possible to set an account password and
activate the account from another server using PHP (apache/redhat).

I read that it's not possible to activate an account on this way.

What do you know about this ?
Many thanks

Olivier

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

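For Olivier's question, here is the shape of the two writes the KB joe points at describes, as an added example rather than code from the thread or from the KB. The domain controller only accepts a write to unicodePwd over an encrypted session (LDAPS on tcp/636 in his setup, or after StartTLS), the value has to be the new password wrapped in double quotes and encoded as UTF-16LE, and enabling the account is a second write that clears the ACCOUNTDISABLE bit in userAccountControl. The functions are pure, so they run offline; the password is made up.

```python
"""Prepare the LDAP modifications that set an AD password and enable the account
(added example, not code from the thread or from Microsoft)."""

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """unicodePwd wants "password" (quotes included) as UTF-16LE bytes without a BOM."""
    return ('"%s"' % password).encode("utf-16-le")


def decode_unicode_pwd(value):
    """Inverse of encode_unicode_pwd, handy when checking what a script actually sent."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted unicodePwd")
    return text[1:-1]


def enabled_uac(current):
    """Clear the disable bit and the 'password not required' bit that an account
    created without a password carries (546 = 0x222); keep every other flag."""
    return (current & ~ACCOUNTDISABLE & ~PASSWD_NOTREQD) | NORMAL_ACCOUNT


def build_modifications(current_uac, new_password, port=636, tls=False):
    """Return (attribute, operation, values) tuples in the order they must be sent.
    Refuses to prepare a password write for a session that is not encrypted."""
    if port != 636 and not tls:
        raise ValueError("unicodePwd is only writable over LDAPS or after StartTLS")
    return [
        ("unicodePwd", "replace", [encode_unicode_pwd(new_password)]),
        ("userAccountControl", "replace", [str(enabled_uac(current_uac)).encode("ascii")]),
    ]


if __name__ == "__main__":
    for attr, op, values in build_modifications(546, "Pa55w0rd!"):
        print(attr, op, values)
```

Each tuple maps directly onto PHP's ldap_mod_replace($link, $dn, ['attr' => value]) over a connection opened with ldap_connect("ldaps://..."); the password write goes first, because the account cannot be enabled while it still has no password that meets policy.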


RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

2005-05-04 Thread Brett Shirley
I'm not a Garage Door Opener, I'm a Garage Door _Operator_, please don't
cheapen my job, I can close the door too.

I didn't proof read the Running DCs in a Virtual Server 2005 doc.  I
happen to know that it doesn't insist on turning off the host systems disk
cache, so _I_ won't be debugging a confluence of lost flushes or USN
rollbacks in that environment.  

The KB was written earlier than the DCs on VirtServer2005 doc.  I
personally like the KB as it is, but obviously as you point out they're
incongruous.

Keep in mind there are plenty of ways to shoot yourself in the foot, with
VPCs ... all based off the idea of improper backup/restore/imaging of AD
data ... things that come off the top of my head:

 - diff disks could very easily be deadly, 
 - and in the cases of VPCs, when a VPC is shutdown, even xcopy (on the
host system) is then a deadly piece of "imaging" type software.
 - the same thing even applies outside of VPCs, just a DC in DSRM, has an
unprotected DIT and log files, copying those out, and then back
in later, would qualify as something that can cause USN rollback.

Cheers, 
-BrettSh [msft] 

Building 7 Garage Door Operator ... ostensibly the Garage Door Operator
with the most knowledge of the ESE and AD database internals ...


On Wed, 4 May 2005, Al Mulnick wrote:

> Interesting, Mr Garage Door Opener.  Perhaps some rewording is needed to
> make this and these other docs consistent?  Or am I reading into this? 
> 
> 
> "The following operations are not supported: 
> ...2. Starting an Active Directory domain controller whose operating
> system resides in a virtualized hosting environment such as Microsoft
> Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE " 
> 
> http://www.support.microsoft.com/kb/897614/
> 
> 
> http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4
> 209-8ed2-e261a117fc6b&displaylang=en
> 
> 
> I'm just so confused.  ;)
> 
> -ajm
> 
> "Chief, Cook, and Bottle-Washer"
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 6:30 AM
> To: ActiveDir@mail.activedir.org
> Cc: Joseph L. Casale
> Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)
> 
> "That is soo not right." (Mean Girls movie reference, at Halloween
> party)
> 
> You should take a look at this:
> http://support.microsoft.com/?kbid=885875
> 
> I sincerely hope you don't have USN rollback or divergent replicas, but
> I think it is likely if you are actually imaging dcpromo'd DCs.
> 
> Just curious, for imaging what are you using?  Ghost?  Are you just
> restoring images?  Are you using the images to build additional DCs for
> load?
> 
> 
> In Win2k3 SP1 and a hot fix post Win2k SP4, will in fact stop DCs from
> replicating if it detects such a condition (but it is not always
> guaranteed it will be able to detect the condition), to attempt to
> contain the damage.
> 
> Also note, b/c I'm not sure the KB is clear about divergent replicas ...
> just because things are replicating currently, or there are no apparent
> current USN rollbacks ... does NOT mean you weren't once in the past
> afflicted with USN rollback, and now you've gotten past it, and instead
> are simply afflicted with divergent replicas (worse than USN rollback in
> ways).  You might try to use (_I thinK_) dsastat to run through all the
> objects on your DCs in a pair-wise fashion to find differences.
> 
> Cheers,
> Brett Shirley [msft]
> Building 7 Garage Door Operator, so what do I know ...
> 
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> 
> 
> On Tue, 3 May 2005, Joseph L. Casale wrote:
> 
> > Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms 
> > built in to get it back up to par...
> > jlc
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Tuesday, May 03, 2005 7:08 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> > 
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or 
> > ADAM server.  I don't know about members, just adding knowledge about
> > DCs, as I don't think I've ever mentioned it here before.
> > 
> > Cheers,
> > -Brett Shirley [msft]
> > 
> > as is, caveat emptor, status quo, etc
> > 
> > 
> > 
> > On Tue, 3 May 2005, John Shukovsky Jr wrote:
> > 
> > > Hello all,
> > > 
> > > Question, you want to re-image pc's that are domain members. You want
> > > to immediately rejoin domain using same name. Site is single W2k DC/GC
> > > on 3 hour replication cycle with fsmo holders.
> > > 
> > > Should you remove from domain, image and rejoin or just image rejoin
> > > and reset computer account? Would either of these ways work given site
> > > setup?
> > > 
> > > Any input appreciated.
> > >  
> > > John Shukovsky Jr
> > > Network Administrator
> > > NJ Department of Human Services

RE: [ActiveDir] Solaris authentication

2005-05-04 Thread joe



An alternative is to slap the machine you are curious about 
onto a hub with your sniffing device. In fact my test machines tend to live on 
hubs specifically so I can do that. 
 
   joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Jessop
Sent: Wednesday, May 04, 2005 8:43 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Solaris authentication

Douglas
 
You have to configure your switch so that the port that your monitoring box is connected to receives all the packets that interest you. In the Alcatel switch we have this is called mirroring. You probably will need to do this before you can start sniffing as otherwise you will only see packets directed towards your NIC. I believe it is no longer necessary to put your NIC in promiscuous mode as Ethereal (or others..) will do this when you set it up.
 


RE: [ActiveDir] How to make a user member of Built in Administrat or group

2005-05-04 Thread joe
Yep, just be careful, you can get into fun situations since that information
has two replication channels, through GPOs and through AD replication. I
have seen more than one occasion where an out of sync GPO causes a group
membership to bounce back and forth between what the old GPO says and the
new GPO says and in the meanwhile that membership replicating back and forth
across the domain.

   joe

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, May 04, 2005 9:31 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] How to make a user member of Built in Administrat
or group


You can use Restricted groups on the Built-In Administrator group? I always
thought that was intended for the local groups on member servers/desktops
never really thought to see if it applied to DCs as well.

Phil

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] best practice?

2005-05-04 Thread Bahta Nathaniel V Contr NASIC/SCNA
Brett,

What is your basis for not being able to restore a DC from an image?  If the
DC has an old copy of the directory data, it will check its USNs and update
its copy.  What could cause havoc, if anything?  We are about to institute
this very same concept here to turn DR into a 10 minute process when it
comes to operating system recovery.  We will image the servers monthly and
restore from said image whenever one crashes.  What could cause a problem by
restoring a DC? It will be timestamped to be old and AD will synchronize it
with the rest of the domain.  

Please elaborate on your basis for comment.

Nathaniel Bahta

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] best practice?

jlc,

You can't restore a single DC via an image based backup, either.  It is not
supported, it is not allowed ... it is bad mojo.

Well, it wouldn't cause issues if the forest had ONLY that one DC (seems
unlikely the case), or for a multi-DC forest, you'd have to shutdown all the
DCs in the forest at the same time, when you took your backup images.  
And then on restore, restore them all at the same time.  Basically a pretty
infeasible suggestion.

Cheers,
-Brett Shirley [msft]

This posting is provided "AS IS" with no warranties, and confers no rights. 


On Wed, 4 May 2005, Joseph L. Casale wrote:

> Exactly, I do it for DR purposes, the old one dies - I reimage it and 
> put it back out there.
> No problem...
> jlc
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Wednesday, May 04, 2005 7:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> > BUTas for DC's. I do "image" dc's using Symantec Livestate 
> > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I 
> > primarily use for backups. I have not had to recover a server in 
> > production ( and hope I do not have to ) but I have in lab 10+ times
> and servers are as clean as ever.
> > You should take a look.
> 
> When Brett mentioned imaging DCs being a bad idea and to never ever do 
> it I believe that he was meaning don't Image a DC and try to use that 
> Image to build other new DCs and just trying to change the SID like 
> you would for a desktop. Bad idea!
> 
> Phil
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
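Nathaniel's question ("it will be timestamped to be old and AD will synchronize it") and Brett's USN rollback warning turn on one mechanism, so here is a toy model of it as an added example; this is not AD code and the check it performs is a simplification of the post-SP1 detection Brett mentions. Each replica numbers its own writes with a per-replica USN, and each partner remembers, per invocation ID, the highest USN it has already received (the up-to-dateness vector). A disk image put back keeps the old invocation ID but rewinds the counter, so new writes reuse USNs the partner believes it already has; a supported system-state restore takes a new invocation ID instead. The DC names and attribute values are made up.

```python
"""Toy model of why an imaged DC causes USN rollback (added example, not AD code)."""
import copy
import itertools

_next_id = itertools.count(1)


class USNRollback(Exception):
    """Raised by a partner that notices the source's USN went backwards."""


class Replica:
    """One DC's copy of a naming context, reduced to what the USN mechanism needs."""

    def __init__(self, name):
        self.name = name
        self.invocation_id = "inv-%d" % next(_next_id)
        self.usn = 0          # highest USN this replica has assigned to its own writes
        self.objects = {}     # attr -> (value, originating invocation ID, originating USN)
        self.utd = {}         # up-to-dateness vector: invocation ID -> highest USN received

    def write(self, attr, value):
        self.usn += 1
        self.objects[attr] = (value, self.invocation_id, self.usn)

    def known(self, inv):
        """Highest originating USN from `inv` that this replica already holds."""
        return self.usn if inv == self.invocation_id else self.utd.get(inv, 0)

    def pull(self, src):
        """Replicate from src: take every write newer than what we know from its originator."""
        watermark = self.utd.get(src.invocation_id, 0)
        if src.usn < watermark:   # simplified rollback check: the source went backwards
            raise USNRollback("%s is at USN %d but %s already received %d from it"
                              % (src.name, src.usn, self.name, watermark))
        for attr, (value, inv, usn) in src.objects.items():
            if usn > self.known(inv):
                self.objects[attr] = (value, inv, usn)
        for inv, hi in src.utd.items():
            self.utd[inv] = max(self.utd.get(inv, 0), hi)
        self.utd[src.invocation_id] = src.usn

    def image(self):
        return copy.deepcopy(self)

    def restore_from_image(self, img):
        """Put the disk image back: database, USN counter and vector rewind,
        but the invocation ID is unchanged. This is what Ghost-style imaging does."""
        self.usn = img.usn
        self.objects = copy.deepcopy(img.objects)
        self.utd = dict(img.utd)

    def restore_supported(self, img):
        """System-state restore: same rewind, but the DC takes a new invocation ID and
        records its old one in its vector, so partners treat it as a brand-new source."""
        old = self.invocation_id
        self.restore_from_image(img)
        self.invocation_id = "inv-%d" % next(_next_id)
        self.utd[old] = self.usn


def scenario(writes_after_restore, supported):
    """Image DC1, make changes, restore it, write again, replicate both ways, compare."""
    dc1, dc2 = Replica("DC1"), Replica("DC2")
    dc1.write("alice.title", "engineer")
    dc2.pull(dc1)
    img = dc1.image()                      # monthly image taken here (DC1 at USN 1)
    dc1.write("alice.title", "manager")    # USNs 2..4 happen after the image
    dc1.write("bob.title", "analyst")
    dc1.write("carol.title", "lead")
    dc2.pull(dc1)                          # DC2 now knows DC1's invocation ID up to USN 4
    if supported:
        dc1.restore_supported(img)
    else:
        dc1.restore_from_image(img)
    for i in range(writes_after_restore):  # DC1 hands out USNs 2.. again for new writes
        dc1.write("user%d.title" % i, "new")
    try:
        dc2.pull(dc1)
    except USNRollback:
        return {"detected": True, "diverged": []}
    dc1.pull(dc2)
    attrs = set(dc1.objects) | set(dc2.objects)
    diverged = sorted(a for a in attrs if dc1.objects.get(a) != dc2.objects.get(a))
    return {"detected": False, "diverged": diverged}


if __name__ == "__main__":
    print("image restore, 2 writes  :", scenario(2, supported=False))
    print("image restore, 5 writes  :", scenario(5, supported=False))
    print("supported restore, 5 writes:", scenario(5, supported=True))
```

Two writes after the image restore leave DC1 below the USN DC2 last saw, so the partner can notice and stop replicating; five writes push DC1 past that watermark, nothing is detected, and the first three new writes never reach DC2 while DC2's copies of alice, bob and carol never come back to DC1. That quiet state is the divergent-replica case Brett calls worse than the rollback itself. With the invocation ID reset, the same restore replicates cleanly in both directions, which is the behaviour Nathaniel expected, but only a supported restore produces it.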


RE: [ActiveDir] Solaris authentication

2005-05-04 Thread joe
I agree with Al, usually one of the reasons you buy something is so that you can get away from some level of complexity or knowledge of the topic.

Building your own setup may seem "Free" but you obviously have all of the people time and your level of support is completely self controlled.

I know of a company that spent over 2 years trying to properly kerberize their *nix clients/hosts and ran into issue after issue after issue due to the multirealm environment alone. Next on the plate was trying to manage all of the different kerb packages for the different platforms and they were simply working with HPUX (multiple revs) and Solaris (multiple revs); they never got to working on the packages for RH, SUSE, AIX, and others they would need.

   joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al... 1. FREE 2. Add little complexity"

These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication! Agghhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself and that's about it. SMS comes with a more full featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading. Sometimes doesn't do it justice. Often would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things... along with lessen the load of me asking these questions to you guys :)). I have tried using ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al... 1. FREE 2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If ldap bind, be sure to use some sort of encryption such as SSL.

I'm curious what the requirement here is? If just to allow solaris to authenticate via kerb with AD and allow AD users to login to solaris workstations, have you considered a product such as Centrify? www.centrify.com

Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al


RE: [ActiveDir] My network sites and GPO

2005-05-04 Thread joe



You want to remove shared folders or network drives? I think you want to remove network drives...

Put this in the logon script:

net use * /delete /y

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Sánchez Trujillo
Sent: Wednesday, May 04, 2005 3:19 AM
To: Lista ActiveDirectory (ActiveDir@mail.activedir.org)
Subject: [ActiveDir] My network sites and GPO

Hello, is it possible to configure "My network sites" for different users? For example, so that different shared folders appear in "My network sites" for different users. Also, could I remove all shared folders at the beginning of a script...? The reason for this is that there aren't enough letters to map network drives to do something with our users. Is this possible with a GPO? We have a W2000 server in the company as a Domain Controller.

Thanks,
Sergio S. T.



[ActiveDir] Winlogon 100% CPU and Fast user Switching as a Fix?

2005-05-04 Thread Gary Clark



Hello all,

Having spent two days poking this problem I am throwing myself on the group's mercy. Windows XP SP1 computer joined to domain much like its 300 brothers and sisters decides one day that winlogon.exe should take 50%, or rather 100% of one of the Dell GX270 hyper-threading virtual processors; constant high CPU utilization makes the fans ramp up and turns a nice box into a loud evil box.

With winlogon using all the processor the box shows symptoms of having broken WINS: no NetBIOS name resolution, cannot find file shares etc., which also creates event IDs 1030 and 1058 as the group policy objects cannot be found.

Example:

Windows cannot access the file gpt.ini for GPO CN={-0**2-4B**-B3F6-7B*8B878},CN=Policies,CN=System,DC=**,DC=***,DC=**,DC=**. The file must be present at the location <\\ad.***.**.**\SysVol\ad..**.**\Policies\{***-***-***-***-}\gpt.ini>. (The network path was not found.). Group Policy processing aborted

While in this confused state the box will also not shut down cleanly and has to be POPO'd.

The obvious malware lines of investigation have proved fruitless; ad-aware did find some bits but this has not resolved the problem. The winlogon has been verified as being in the right location and has not been switched with another version. The fact that the box is a Dell GX270 with a Gigabit card also made me think that MS Article 840669 with the group policy not starting due to the race condition might have helped but again zip. Virus protection is installed and maintained and returns no nasties.

The Intel 1000 gigabit card has had its drivers updated and still nada. I even disabled the built-in card and installed a 3com 10 Mb NIC and that exhibited the same trouble.

The curious thing, and what is driving me absolutely nuts, is that if the computer is removed from the domain and returned to a workgroup the problem persists until you change the way users log on and use the welcome screen with fast user switching; it has to be both using the welcome screen and fast user switching. This puts the box back on its feet: winlogon behaves and the network drives can once again be accessed.

We have seen this twice before on separate computers but have not paid it too much attention; rebuilds of the computers have fixed the problem. As this is something which keeps raising its ugly head I think I need to try and get a good handle on it. The fact that there are so many other unaffected boxes makes me think that it is a software conflict on the client. What I don't get is why it can be turned on and off with the fast user switching? If I didn't need the box to be in AD I would leave it as is, fast user switching enabled, and slip into a dark cave and put this down to gremlins, but that's not an option, and I am very nervous that more boxes could start playing up too...

~cheers 
Gary



RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Douglas M. Long
Title: RE: [ActiveDir] Ocra








I totally agree with the time cost of the
issue, and am at least looking into the cost before I throw the idea out the
window. And I also agree with the ldap bind scenario. I just don’t like
it. 

 

Just saw my first password in ethereal
(over a telnet connection), but am now reading up on how to customize the view
(filters) to show me that more easily. If I didn’t know that it was the
password (since it was my telnet connection), I would have never known that
those letters where my password. I will also take a look at netmon

 

Thanks for your comments all

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris
authentication



 

Two things:

 

"As far as REQs Al……. 1.
FREE    2. Add
little complexity"



 





These two are sometimes [1] not
complimentary to one another.  Consider the cost of your time and troubleshooting
efforts when you say this. I read Joe's response later in the thread and he's
absolutely correct that a) this idea of using a static DN to bind sux rocks and
b) LDAP bind by itself is not authentication!  Agghhh.





 





There, I feel better about that. :)





 





 





As for the network trace, your servers
come with netmon by default which you can use to capture network traces in a
limited fashion.  In other words, you can capture traffic to and from the
server itself and that's about it.  SMS comes with a more full featured
network trace utility. There's also Ethereal and a host of other products
that are free and downloadable, but Ethereal and Netmon tend to be my
preferred.  Critter of habit I guess.





 





To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will
give some information about the product and what it's for.  In your case, you'd
want to look at the traffic coming from the other hosts (Sun) that is using an
LDAP bind and basically if you can read the traffic, so can others.  You
do want to also check the destination port that the client is sending traffic
to.  That may indicate if it's even trying to use some sort of secure
traffic mechanism.  If it's destination is tcp 389, then the data
protection would need to be handled at a different layer such as TLS or IPSec
type of protection. 





 





-ajm





 





[1] Ok, that's a litlte misleading. 
Sometimes doesn't do it justice.  Often would be a better term here.
Kerberos is not simple when you get beyond one or two machines.  Even
then, it takes a bit of work.  That work typically has a cost associated
with it.  That cost/benefit analysis might make it worth it to use a
commercial product aimed at this problem vs. rolling your own solution.





 





 





 





 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris
authentication

I may sound like an idiot, but you guys are always talking about tracing stuff
on the network to see if it is in plain text, and I have no clue how to do it.
This is something I would really like to know how to do (as I think it would
really help me understand some things... along with lessen the load of me asking
these questions to you guys :)). I have tried using ethereal to do this, but
either it doesn't do it, or I just don't know how to use the thing (which I am
about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a good
tutorial (which I can't seem to find)?

As far as REQs Al... 1. FREE  2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate.
I was just hoping that something free had come along since the last time that
I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication

The directions you reference on the sunone site make it look to me like it's
an LDAP bind.  Best way to know for sure would be to trace it on the network
to see what is passed.  If ldap bind, be sure to use some sort of encryption
such as SSL.

I'm curious what the requirement here is?  If just to allow solaris to
authenticate via kerb with AD and allow AD users to login to solaris
workstations, have you considered a product such as Centrify?  www.centrify.com

Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you
referenced indicate a configuration that would be a PITA to manage in terms
of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To
[ActiveDir] Slightly OT: Preserve folder timestamps on file server restore?

2005-05-04 Thread Charlie Kaiser
We're doing some DR practice, and have run into an issue that I can't
seem to get around.
Scenario:
W2K departmental file server. Have good backup, BackupExec 9.1. Need to
restore all data files to different hdw.
Problem:
Restore works fine; all files and folders present and accounted for, but
folder timestamps all change to current date and time. Need to maintain
existing folder timestamps. File timestamps OK, but not folders. This
will impact ability to sort folder list by age as needed by some
business groups.

I have tried BE, NTBackup, xcopy, and robocopy. All of them change the
folder timestamp. I have not tried FRS to maintain a mirror, mainly
because this one file server has 25gb of data on it, and the goal is to
be able to restore, not maintain a duplicate.

Any ideas how to preserve the timestamps on the folders?

Thanks!

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
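
The reason the folder dates come back as "now" is mechanical rather than tool-specific: creating a file or subfolder inside a directory updates that directory's modification time, so any restore that stamps a folder before filling it loses the stamp again. The Python below is an added example, not anything from the thread and not the behaviour of BackupExec, NTBackup or robocopy: it copies a tree, then re-applies each directory's timestamps in a second, bottom-up pass, and shows the single-pass variant failing. The sample tree and its dates are constructed in a temp directory.

```python
"""Copy a directory tree and keep the folders' own timestamps.  Added example:
the tree it copies is constructed in a temp directory, not real data."""
import os
import shutil
import tempfile
import time


def _target(src, dst, root):
    rel = os.path.relpath(root, src)
    return dst if rel == "." else os.path.join(dst, rel)


def copy_tree_keep_dir_times(src, dst):
    """First pass: directories and files (copy2 keeps file times).  Second pass,
    deepest directories first: re-apply each directory's atime/mtime, because
    creating entries inside a directory has just bumped its mtime to 'now'."""
    for root, _dirs, files in os.walk(src):
        target = _target(src, dst, root)
        os.makedirs(target, exist_ok=True)
        for name in files:
            shutil.copy2(os.path.join(root, name), os.path.join(target, name))
    for root, _dirs, _files in os.walk(src, topdown=False):
        st = os.stat(root)
        os.utime(_target(src, dst, root), ns=(st.st_atime_ns, st.st_mtime_ns))
    return dst


def copy_tree_naive(src, dst):
    """Single pass: stamp each directory as it is created, then fill it.  The
    file writes that follow bump the directory mtime again, which is what the
    post above observes."""
    for root, _dirs, files in os.walk(src):
        target = _target(src, dst, root)
        os.makedirs(target, exist_ok=True)
        st = os.stat(root)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        for name in files:
            shutil.copy2(os.path.join(root, name), os.path.join(target, name))
    return dst


def dir_times_match(src, dst, tolerance=1.0):
    """True when every directory under src has the same mtime in dst (within
    tolerance, for filesystems with coarser timestamp resolution)."""
    for root, _dirs, _files in os.walk(src):
        delta = os.stat(root).st_mtime - os.stat(_target(src, dst, root)).st_mtime
        if abs(delta) > tolerance:
            return False
    return True


def demo(keep_times=True):
    """Build two dated folders, copy them with or without the second pass,
    and report whether the folder dates survived."""
    base = tempfile.mkdtemp()
    src, dst = os.path.join(base, "src"), os.path.join(base, "dst")
    stamp = int(time.mktime((2004, 11, 15, 9, 0, 0, 0, 0, -1)))   # constructed date
    for name in ("2004-Q4", "2005-Q1"):
        folder = os.path.join(src, name)
        os.makedirs(folder)
        with open(os.path.join(folder, "report.txt"), "w") as fh:
            fh.write("constructed sample file\n")
        os.utime(folder, (stamp, stamp))        # date the folder after filling it
        stamp += 90 * 86400
    (copy_tree_keep_dir_times if keep_times else copy_tree_naive)(src, dst)
    try:
        return dir_times_match(src, dst)
    finally:
        shutil.rmtree(base)
```

Whatever tool does the restore, the check is the same: compare folder mtimes between backup and restore target after the restore has completed, not while it is running.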


RE: [ActiveDir] best practice?

2005-05-04 Thread Brett Shirley
jlc,

You can't restore a single DC via an image based backup, either.  It is
not supported, it is not allowed ... it is bad mojo.

Well, it wouldn't cause issues if the forest had ONLY that one DC (seems
unlikely the case), or for a multi-DC forest, you'd have to shutdown all
the DCs in the forest at the same time, when you took your backup images.  
And then on restore, restore them all at the same time.  Basically a
pretty infeasible suggestion.

Cheers,
-Brett Shirley [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights. 


On Wed, 4 May 2005, Joseph L. Casale wrote:

> Exactly, I do it for DR purposes, the old one dies - I reimage it and
> put it back out there.
> No problem...
> jlc 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
> Sent: Wednesday, May 04, 2005 7:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> > BUTas for DC's. I do "image" dc's using Symantec Livestate 
> > Recovery ( formerly PowerQuest V2i ). It works wonderfully. I 
> > primarily use for backups. I have not had to recover a server in 
> > production ( and hope I do not have to ) but I have in lab 10+ times
> and servers are as clean as ever.
> > You should take a look.
> 
> When Brett mentioned imaging DCs being a bad idea and to never ever do
> it I believe that he was meaning don't Image a DC and try to use that
> Image to build other new DCs and just trying to change the SID like you
> would for a desktop. Bad idea!
> 
> Phil


RE: [ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread Darren Mar-Elia

Brenda-
This usually means that the client is looking at the GPO's 
version number and it is showing up as 0 for computer revisions (in other words, 
it doesn't think any computer policy has been set in that GPO). Run gpotool.exe 
(from Win2K reskit or part of XP and 2003) against your DCs and see if any of 
them show a revision number of 0 for the computer side of the GPO containing 
your script. This could still mean that you have some issues with sysvol 
replication. Essentially, there is a file called gpt.ini that is stored with the 
GPO in sysvol on each DC. This file contains a version number that lists how 
many changes were made to the computer and user sides of a GPO. That version 
should be the same as the version of that GPO held on the versionNumber 
attribute of the GPC object in AD. If there are discrepancies, then gpotool will 
tell you. 
 
Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Wednesday, May 04, 2005 7:21 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] GPO not applied - thinks it is empty

I am no longer having replication issues on any 
servers, however, now when I run gpresult I am told that my gpo was not applied 
because it is empty.  I can manually open the GPO and see my startup script 
is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator 
password on specific machines as part of my group policy.  These computers 
are part of a group, I have applied the policy to this group, and set the 
security permissions appropriately.  When I run gpupdate on the pc, I get 
no error in the Event log, but when I restart the machine, the administrator 
account password has not been changed.
I have run replmon.exe and have found that 1 dc (out of 30) is not 
replicating, as it is out of hard drive space on c:.  Could 1 out of 30 
dc's be causing the problem, or is there something else I am missing?  How 
long should it take, before the policy takes 
effect?
 

Thanks,
Brenda
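
Darren's check, as an added Python example rather than anything from the thread or from gpotool itself: versionNumber on the GPC object and Version in gpt.ini both pack the user-side counter into the high 16 bits and the computer-side counter into the low 16 bits. A GPO whose computer half decodes to 0 is exactly one that a client reports as empty on the computer side, and a gpt.ini on one DC that decodes differently from the AD value points at sysvol replication. The gpt.ini bodies and DC names below are constructed.

```python
"""Decode GPO version numbers and compare AD's versionNumber against the
gpt.ini on each DC.  Added example; the gpt.ini texts and DC names are
constructed, not read from a live sysvol."""
import configparser


def split_version(version):
    """High 16 bits: user-side version; low 16 bits: computer-side version."""
    return {"user": (version >> 16) & 0xFFFF, "computer": version & 0xFFFF}


def parse_gpt_ini(text):
    """Return the integer Version from a gpt.ini body."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return int(cp["General"]["Version"])       # option names are case-insensitive


def check_gpo(ad_version, sysvol_copies, expects_computer_settings=True):
    """ad_version: versionNumber from the GPC object in AD.
    sysvol_copies: {dc_name: gpt.ini text} as read from each DC's sysvol.
    Returns a list of findings; an empty list means everything is consistent."""
    findings = []
    ad = split_version(ad_version)
    if expects_computer_settings and ad["computer"] == 0:
        findings.append("AD: computer-side version is 0, so clients treat the "
                        "computer half of this GPO as empty")
    for dc, text in sorted(sysvol_copies.items()):
        try:
            local = split_version(parse_gpt_ini(text))
        except (KeyError, ValueError, configparser.Error) as exc:
            findings.append("%s: gpt.ini unreadable (%s)" % (dc, exc))
            continue
        if local != ad:
            findings.append("%s: gpt.ini user=%d computer=%d but AD has user=%d "
                            "computer=%d (sysvol replication behind?)"
                            % (dc, local["user"], local["computer"],
                               ad["user"], ad["computer"]))
    return findings


# Constructed sample gpt.ini bodies: 196611 = (3 << 16) | 3, 196608 = (3 << 16) | 0.
GPT_CURRENT = "[General]\nVersion=196611\ndisplayName=New Group Policy Object\n"
GPT_STALE = "[General]\nVersion=196608\ndisplayName=New Group Policy Object\n"

if __name__ == "__main__":
    for line in check_gpo(196611, {"DC01": GPT_CURRENT, "DC17": GPT_STALE}):
        print(line)
```

With thirty DCs, the DC that was out of disk is the one to feed into sysvol_copies first: a stale gpt.ini there, or one that cannot be read at all, is the finding the gpresult message is describing.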


[ActiveDir] GPO not applied - thinks it is empty

2005-05-04 Thread Brenda Casey

I am no longer having replication issues on any 
servers, however, now when I run gpresult I am told that my gpo was not applied 
because it is empty.  I can manually open the GPO and see my startup script 
is there.

Thanks,
Brenda

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brenda Casey
Sent: Tuesday, May 03, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] administrator password change in Startup script in GPO

I have created a startup script to change my administrator 
password on specific machines as part of my group policy.  These computers 
are part of a group, I have applied the policy to this group, and set the 
security permissions appropriately.  When I run gpupdate on the pc, I get 
no error in the Event log, but when I restart the machine, the administrator 
account password has not been changed.
I have run replmon.exe and have found that 1 dc (out of 30) is not 
replicating, as it is out of hard drive space on c:.  Could 1 out of 30 
dc's be causing the problem, or is there something else I am missing?  How 
long should it take, before the policy takes 
effect?
 

Thanks,
Brenda


[ActiveDir] Account activation and password setting using PHP/LDAPS

2005-05-04 Thread Olivier Marie
Hello everybody

Our windows 2003 server is configured with LDAPS (port 636).
I would like to know if it's possible to set an account password and
activate the account from another server using PHP (apache/redhat).

I read that it's not possible to activate an account this way.

What do you know about this ?
Many thanks

Olivier

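
As an added Python example (not from the thread, and not PHP), the two LDAP modifications involved, with the values encoded the way AD requires: unicodePwd is replaced with the new password wrapped in double quotes and encoded as UTF-16LE, and the account is enabled by clearing the ACCOUNTDISABLE bit (0x2) of userAccountControl. AD only accepts the unicodePwd write over an encrypted session, which is why the builder refuses a plain ldap:// URI. No connection is made; the URI, DN, flags and password are made-up values, and the output is the list of modify operations an LDAP client library would send.

```python
"""Build the LDAP modify operations that set an AD password and enable the
account.  Added example: no connection is made; URI, DN and password are
made-up values."""
from urllib.parse import urlsplit

ACCOUNTDISABLE = 0x0002          # userAccountControl bit
NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """AD expects the password in double quotes, encoded UTF-16LE, no BOM."""
    return ('"%s"' % password).encode("utf-16-le")


def enable_account(user_account_control):
    """Clear the disabled bit, leave every other flag as it was."""
    return user_account_control & ~ACCOUNTDISABLE


def is_encrypted_uri(uri):
    """unicodePwd writes are rejected unless the session is encrypted.  An
    ldaps:// URI (normally port 636) qualifies; a bare ldap:// URI cannot
    express StartTLS or SASL sealing, so it is treated as cleartext here."""
    return urlsplit(uri).scheme == "ldaps"


def build_modifies(uri, dn, password, current_uac):
    """Return [(op, attribute, [values])] in the order to send them: password
    first, then enable, so the account is never enabled while it still has
    no password that satisfies policy."""
    if not is_encrypted_uri(uri):
        raise ValueError("refusing to send unicodePwd over %s" % uri)
    return [
        ("replace", "unicodePwd", [encode_unicode_pwd(password)]),
        ("replace", "userAccountControl", [str(enable_account(current_uac)).encode()]),
    ]


if __name__ == "__main__":
    for op in build_modifies("ldaps://dc01.example.com:636",
                             "CN=New User,OU=Staff,DC=example,DC=com",
                             "Correct-Horse-9", NORMAL_ACCOUNT | ACCOUNTDISABLE):
        print(op)
```

The binding account needs Reset Password on the target object for the first modify and Write userAccountControl for the second; a web server account holding those rights over an OU is a credential worth isolating, so bind with a purpose-built account rather than reusing an administrator's.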


RE: [ActiveDir] 2003 Domain Rename Tool

2005-05-04 Thread Jorge de Almeida Pinto

For starters... read the docs on domain rename!

I have done this in a test environment and it was fun to see it. It was also
one hell of a procedure!!! A domain rename impacts your complete AD forest and
for a moment your environment is NOT available!!!

Domain rename is not possible in some scenarios like when you have exchange
2003 SP0 and lower. Only E2k3Sp1 supports domain rename.

My tip: create a test environment that's a representative model of your
production env. and test test test test plan plan plan test plan

Cheers,
#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven Wood
Sent: Wednesday, May 04, 2005 15:47
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Domain Rename Tool


Has anyone used the Active Directory Domain Rename tool and if so what
experiences did you have?
I would like to rename our NetBios name; we aren't using NetBios at all yet we
see it every time we logon.

Thanks

Steven Wood
Network Manager
Oldham Sixth Form College

---This email is from Oldham Sixth Form College, but expresses the views of the
sender and not necessarily the views of the college. The email and any files
transmitted with it are confidential to the intended recipient at the e-mail
address to which it has been addressed. It may not be disclosed or used by any
other than that addressee, nor may it be copied in any way. If received in
error, please notify [EMAIL PROTECTED] quoting the name of the sender. This
message has been scanned for viruses by F-Secure Anti-Virus. Please note that
we cannot accept any responsibility for any transmitted viruses. It is,
therefore, your responsibility to scan attachments (if any).

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.




RE: [ActiveDir] best practice?

2005-05-04 Thread Jorge de Almeida Pinto

Maybe you should explain a bit more as I still do not understand what you want
to achieve!

You have said: "The reason for reimage is for new departmental standards ( look
and feel ). " --> this sounds like creating a new configuration and image

You have said: "you want to re-image pc's  that are domain members. You want to
immediately rejoin domain using same name."

Explain why you want to re-image the EXISTING PCs and rejoin them. How are you
thinking to get the new look and feel by doing this?

#JORGE#

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
Sent: Wednesday, May 04, 2005 15:38
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

You stated:
* When distributing restore the image SYSPREP runs Enter a computername (if it
an existing previous computername reset the computer account in AD), join to
domain et voila

Computer names will be existing. My original question was do I remove from
domain then image and rejoin or image and reset account.

Are you saying to image, reset account then rejoin, and will this work given
the site structure?

Re: [ActiveDir] best practice?

2005-05-04 Thread Phil Renouf
On 5/4/05, Joseph L. Casale <[EMAIL PROTECTED]> wrote:
> Exactly, I do it for DR purposes, the old one dies - I reimage it and
> put it back out there.
> No poblem...
> jlc

For DR I would prefer to have an Automated Build that would build the
server then DCPromo it back up and allow it to replicate. This doesn't
take much longer, doesn't require any extra user intervention than a
reimaging and is a far better option I think.

Phil


RE: [ActiveDir] using GPO with scripts

2005-05-04 Thread Al Mulnick
Yep.  To do something like that would require some coding of course.  It
also relies on the user going to the homepage on a regular basis and
that they are able to run apps.

Do you have to write this, or do you have web application dev teams?  

Al 

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Tuesday, May 03, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Well found out some more information.  Love how you get the full info
when you need it.  NOT

Anyways.  Seems the website is just a web interface to a database with
their personnel information.  They want to ensure the user visits the
site every 90 days to make updates if needed.  They are requesting a
"Runonce"  type operation for IE when the user launches IE that will
send them to the Database every 90 days but of course not send the
entire population there at once.  So I am thinking a field within the
personnel database that will be a timestamp.  Now can I have our
homepage run a script in the background that checks this field to see if
the timestamp is greater than 90 days?  And then if it is redirect them
to the database website?

Sounds better than dealing with login scripts and schema changes.

Jeff


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, May 03, 2005 10:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Yeah locking the account because they haven't read the doc yet seems a
little counter productive but if it is that important... Go for it.
Just
warn the help desk staff ahead of time. :o)

I agree with the staggered mechanism of alert the user and then alert
their manager later if they haven't complied. If you want to get fancy
you could even have a compliance reporting mechanism to put pressure on
the managers.
Reports go to the CEO showing compliance in percentages of the whole
company at any given time (say monthly) and also percentages by division
or group or whatever (depends on your size).

A quickie alternative would be to store the info in an AD/AM instead of
in AD. Don't have to extend the AD Schema then but can use the AD
scripting knowledge you have. Obviously it could go into SQL Server as
well but that seems a bit expensive for this. 


  joe



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Monday, May 02, 2005 10:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

Depends how you setup the attribute (search for extending schema in AD).

I wouldn't have the website do this based on authentication.  You want
to be sure they read it, so you would want to treat it like you do with
other agreements i.e. EULA agreements and have the OK navigation button
disabled unless and until they click 'I Agree' 


As for notification, use email and bug the crud out of them.  Or bug
their manager if they don't respond in x amount of days. I see the .mil
in the addr, which tells me you likely have managers that don't like to
be bothered with this kind of piddly stuff.  :)

As for whether or not to update in AD, I'm not one to agree so easily
that adding a custom attribute or even using an existing one is so worth
it.  I suppose it depends and there are many pros and cons both directions
I'm sure.  I'd favor some other recording method in many instances myself.

As for permissions, you would have to have permissions to modify the
attribute using the credentials provided.  For the sake of
tamper-resistance, I would guess that you would want to make this a
restricted attribute field.  You may additionally want to lock out or
disable their account until they read this if it's that important.
Makes me wonder how they'll get to the page if they're locked out, but


Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, May 02, 2005 7:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

I like this idea of using the custom attribute in AD.  I am assuming
that I need to use ADSI or similar tool to create this Custom Attribute.

Once the attribute is there.  I would need to configure Active X script
or something that will update this attribute when the user authenticates
to the website correct?   Do I need the web services account to run this
script so that it has privileges to change the attribute within AD?

Jeff

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Monday, May 02, 2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] using GPO with scripts

"You could even tie into the change password functionality. Take away
everyone's right to change their password in the directory and make them
go to a website to do it, that website forces

RE: [ActiveDir] best practice?

2005-05-04 Thread Joseph L. Casale
Exactly, I do it for DR purposes, the old one dies - I reimage it and
put it back out there.
No problem...
jlc 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Wednesday, May 04, 2005 7:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] best practice?

On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> BUTas for DC's. I do "image" dc's using Symantec Livestate 
> Recovery ( formerly PowerQuest V2i ). It works wonderfully. I 
> primarily use for backups. I have not had to recover a server in 
> production ( and hope I do not have to ) but I have in lab 10+ times
and servers are as clean as ever.
> You should take a look.

When Brett mentioned imaging DCs being a bad idea and to never ever do
it I believe that he was meaning don't Image a DC and try to use that
Image to build other new DCs and just trying to change the SID like you
would for a desktop. Bad idea!

Phil


[ActiveDir] 2003 Domain Rename Tool

2005-05-04 Thread Steven Wood

Has anyone used the Active Directory Domain Rename tool and if so what
experiences did you have?

I would like to rename our NetBios name; we aren't using NetBios at all yet we
see it every time we logon.

Thanks

Steven Wood
Network Manager
Oldham Sixth Form College




Re: [ActiveDir] best practice?

2005-05-04 Thread John Shukovsky Jr

You stated:
* When distributing restore the image SYSPREP runs Enter a computername (if it
an existing previous computername reset the computer account in AD), join to
domain et voila

Computer names will be existing. My original question was do I remove from
domain then image and rejoin or image and reset account.

Are you saying to image, reset account then rejoin, and will this work given
the site structure?
- Original Message -
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 9:10 AM
Subject: RE: [ActiveDir] best practice?

> OK, let me rephrase that... "don't even think cloning DCs or backing up DCs
> using tools similar to ghost THAT ARE NOT AD AWARE in production
> environments (at least ghost versions 8 and lower are not AD aware... Not
> sure if ghost 9 is AD aware)
>
> New departmental standards... So you want to create a new image to
> "distribute" to the current HW?
>
> * Choose one hardware model to create the image
> * Install the OS and configure accordingly
> * Add drivers for the other HW models you have in your ORG
> * Use the Deployment tools (especially SYSPREP)
> * Create an image of the configuration while it is not joined to the domain
> * When distributing restore the image SYSPREP runs Enter a computername (if
> it an existing previous computername reset the computer account in AD), join
> to domain et voila
>
> The quick and dirty explanation ;-)
>
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Shukovsky Jr
> Sent: Wednesday, May 04, 2005 14:50
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> I was talking about pc's. The reason for reimage is for new departmental
> standards ( look and feel ). I do not have luxury of SMS. Yes, same domain,
> same hardware, same name, just new image. I am having issues with removing,
> pushing new image and rejoining. Some seem to work and others are coming up
> disabled?? Just wanted to ask if anyone is familiar or knows better way.
>
> BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery (
> formerly PowerQuest V2i ). It works wonderfully. I primarily use for
> backups. I have not had to recover a server in production ( and hope I do
> not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.
>
> - Original Message -
> From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, May 04, 2005 2:55 AM
> Subject: RE: [ActiveDir] best practice?
>
> > In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is
> > talking about DCs I agree with Brett -> don't image DCs... Don't even
> > think about it!
> >
> > Concerning imaging DOMAIN MEMBERS and rejoining...
> > I'm not sure what you want to achieve...why do you want to rejoin the
> > computers? Same domain? Other domain? Same HW, Other HW?
> >
> > Cheers,
> > #JORGE#
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> > Sent: Wednesday, May 04, 2005 03:08
> > To: ActiveDir@mail.activedir.org
> > Subject: Re: [ActiveDir] best practice?
> >
> > Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> > server.  I don't know about members, just adding knowledge about DCs, as I
> > don't think I've ever mentioned it here before.
> >
> > Cheers,
> > -Brett Shirley [msft]
> >
> > as is, caveat emptor, status quo, etc
> >
> >
> >
> > On Tue, 3 May 2005, John Shukovsky Jr wrote:
> >
> > > Hello all,
> > >
> > > Question, you want to re-image pc's  that are domain members. You want
> > > to immediately rejoin domain using same name. Site is single W2k DC/GC
> > > on 3 hour replication cycle with fsmo holders.
> > >
> > > Should you remove from domain, image and rejoin or just image rejoin
> > > and reset computer account? Would either of these ways work given site
> > > setup?
> > >
> > > Any input appreciated.
> > >
> > > John Shukovsky Jr
> > > Network Administrator
> > > NJ Department of Human Services
> > > 609-861-6031
> > >
> > >
> > > This E-mail, including any attachments, may be intended solely for the
> > > personal and confidential use of the sender and recipient(s) named
> > > above. This message may include advisory, consultative and/or
> > > deliberative material and, as such, would be privileged and
> > > confidential and not a public document. Any Information in this e-mail
> > > identifying a client of the Department of Human Services is
> > > confidential. If you have received this e-mail in error, you must not
> > > review, transmit, convert to hard copy, copy, use or disseminate this
> > > e-mail or any attachments to it and you must delete this message. You
> > > are requested to notify the sender by return e-mail.
> > >
> >

RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

2005-05-04 Thread Al Mulnick
Interesting, Mr Garage Door Opener.  Perhaps some rewording is needed to
make this and these other docs consistent?  Or am I reading into this? 


"The following operations are not supported: 
...2. Starting an Active Directory domain controller whose operating
system resides in a virtualized hosting environment such as Microsoft
Virtual PC, Microsoft Virtual Server 2005, or EMC VMWARE " 

http://www.support.microsoft.com/kb/897614/


http://www.microsoft.com/downloads/details.aspx?FamilyID=64db845d-f7a3-4209-8ed2-e261a117fc6b&displaylang=en


I'm just so confused.  ;)

-ajm

"Chief, Cook, and Bottle-Washer"


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Wednesday, May 04, 2005 6:30 AM
To: ActiveDir@mail.activedir.org
Cc: Joseph L. Casale
Subject: RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

"That is soo not right." (Mean Girls movie reference, at Halloween
party)

You should take a look at this:
http://support.microsoft.com/?kbid=885875

I sincerely hope you don't have USN rollback or divergent replicas, but
I think it is likely if you are actually imaging dcpromo'd DCs.

Just curious, for imaging what are you using?  Ghost?  Are you just
restoring images?  Are you using the images to build additional DCs for
load?


Win2k3 SP1, and a hotfix post Win2k SP4, will in fact stop DCs from
replicating if it detects such a condition (but it is not always
guaranteed it will be able to detect the condition), to attempt to
contain the damage.

Also note, b/c I'm not sure the KB is clear about divergent replicas ...
just because things are replicating currently, or there are no apparent
current USN rollbacks ... does NOT mean you weren't once in the past
afflicted with USN rollback, and now you've gotten past it, and instead
are simply afflicted with divergent replicas (worse than USN rollback in
ways).  You might try to use (_I think_) dsastat to run through all the
objects on your DCs in a pair-wise fashion to find differences.

Cheers,
Brett Shirley [msft]
Building 7 Garage Door Operator, so what do I know ...

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Tue, 3 May 2005, Joseph L. Casale wrote:

> Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms 
> built in to get it back up to par...
> jlc
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, May 03, 2005 7:08 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or 
> ADAM server.  I don't know about members, just adding knowledge about
> DCs, as I don't think I've ever mentioned it here before.
> 
> Cheers,
> -Brett Shirley [msft]
> 
> as is, caveat emptor, status quo, etc
> 
> 
> 
> On Tue, 3 May 2005, John Shukovsky Jr wrote:
> 
> > Hello all,
> > 
> > Question, you want to re-image pc's  that are domain members. You 
> > want
> to immediately rejoin domain using same name. Site is single W2k DC/GC

> on 3 hour replication cycle with fsmo holders.
> > 
> > Should you remove from domain, image and rejoin or just image rejoin
> and reset computer account? Would either of these ways work given site

> setup?
> > 
> > Any input appreciated.
> >  
> > John Shukovsky Jr
> > Network Administrator
> > NJ Department of Human Services
> > 609-861-6031
> > 
> > 
> > This E-mail, including any attachments, may be intended solely for 
> > the
> 
> > personal and confidential use of the sender and recipient(s) named 
> > above. This message may include advisory, consultative and/or 
> > deliberative material and, as such, would be privileged and 
> > confidential and not a public document. Any Information in this 
> > e-mail
> 
> > identifying a client of the Department of Human Services is 
> > confidential. If you have received this e-mail in error, you must 
> > not review, transmit, convert to hard copy, copy, use or disseminate

> > this e-mail or any attachments to it and you must delete this 
> > message. You
> are requested to notify the sender by return e-mail.
> > 
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] How to make a user member of Built in Administrat or group

2005-05-04 Thread Phil Renouf
On 5/3/05, Jorge de Almeida Pinto <[EMAIL PROTECTED]> wrote:
> FIRST:
> You can use restricted groups in a GPO.
> However, if that is in the forest root domain then members of the builtin
> administrators have control over the enterprise administrators group.

You can use Restricted groups on the Built-In Administrator group? I
always thought that was intended for the local groups on member
servers/desktops never really thought to see if it applied to DCs as
well.

Phil
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Solaris authentication

2005-05-04 Thread Al Mulnick
Two things:

"As far as REQs Al……. 1. FREE    2. Add little complexity"

These two are sometimes [1] not complementary to one another.  Consider the
cost of your time and troubleshooting efforts when you say this. I read
Joe's response later in the thread and he's absolutely correct that a) this
idea of using a static DN to bind sux rocks and b) LDAP bind by itself is
not authentication!  Agghhh.

There, I feel better about that. :)

As for the network trace, your servers come with netmon by default which
you can use to capture network traces in a limited fashion.  In other
words, you can capture traffic to and from the server itself and that's
about it.  SMS comes with a more full featured network trace utility.
There's also Ethereal and a host of other products that are free and
downloadable, but Ethereal and Netmon tend to be my preferred.  Critter of
habit I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953
will give some information about the product and what it's for.  In your
case, you'd want to look at the traffic coming from the other hosts (Sun)
that is using an LDAP bind and basically if you can read the traffic, so
can others.  You do want to also check the destination port that the
client is sending traffic to.  That may indicate if it's even trying to use
some sort of secure traffic mechanism.  If its destination is tcp 389, then
the data protection would need to be handled at a different layer such as
TLS or IPSec type of protection.

-ajm

[1] Ok, that's a little misleading.  Sometimes doesn't do it justice.
Often would be a better term here. Kerberos is not simple when you get
beyond one or two machines.  Even then, it takes a bit of work.  That work
typically has a cost associated with it.  That cost/benefit analysis might
make it worth it to use a commercial product aimed at this problem vs.
rolling your own solution.
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication


I may sound like an idiot, but you guys are always talking about tracing
stuff on the network to see if it is in plain text, and I have no clue how
to do it. This is something I would really like to know how to do (as I
think it would really help me understand some things….along with lessen the
load of me asking these questions to you guys :)). I have tried using
ethereal to do this, but either it doesn't do it, or I just don't know how
to use the thing (which I am about 99% positive is the problem).

Do any of you have the quick and dirty steps to do this? Or a link to a
good tutorial (which I can't seem to find)?

As far as REQs Al……. 1. FREE    2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories
separate. I was just hoping that something free had come along since the
last time that I looked that was worth doing.
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, May 03, 2005 7:11 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
 
The directions you reference on the sunone site make it look to me like
it's an LDAP bind.  Best way to know for sure would be to trace it on the
network to see what is passed.  If ldap bind, be sure to use some sort of
encryption such as SSL.

I'm curious what the requirement here is?  If just to allow solaris to
authenticate via kerb with AD and allow AD users to login to solaris
workstations, have you considered a product such as Centrify?
www.centrify.com

Far cry better and easier to implement.

I'm interested in hearing what the requirements are though. The docs you
referenced indicate a configuration that would be a PITA to manage in
terms of reliability and effort IMHO.

Al
 
 
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, May 03, 2005 3:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Solaris authentication
I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in
production. I don't know how they are populating /etc/passwd but can find
out.

I've never used NIS against AD so couldn't say what's going on here.
 
~Eric
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, May 02, 2005 7:26 PM
To: ActiveDir@mail.activedir.org
Subject: Solaris authentication
 


Anyone know if this is passed in plain text? If so, I don't see any
advantage to this versus the NIS server in SFU. Seems that the *nix
community is making no progress in the secure authentication arena if this
is the case. Any ideas or thoughts?

 

http://docs.sun.com/source/816-6775-10/a_activedirauth.html

 


RE: [ActiveDir] best practice?

2005-05-04 Thread Jorge de Almeida Pinto
OK, let me rephrase that... "don't even think of cloning DCs or backing up
DCs using tools similar to ghost THAT ARE NOT AD AWARE in production
environments" (at least ghost versions 8 and lower are not AD aware... Not
sure if ghost 9 is AD aware)

New departmental standards... So you want to create a new image to
"distribute" to the current HW?

* Choose one hardware model to create the image
* Install the OS and configure accordingly
* Add drivers for the other HW models you have in your ORG
* Use the Deployment tools (especially SYSPREP)
* Create an image of the configuration while it is not joined to the domain
* When distributing, restore the image; SYSPREP runs, enter a computer name
(if it is an existing previous computer name, reset the computer account in
AD), join to the domain, et voila

The quick and dirty explanation ;-)

#JORGE#


Re: [ActiveDir] best practice?

2005-05-04 Thread Phil Renouf
On 5/4/05, John Shukovsky Jr <[EMAIL PROTECTED]> wrote:
> BUTas for DC's. I do "image" dc's using Symantec Livestate Recovery (
> formerly PowerQuest V2i ). It works wonderfully. I primarily use for
> backups. I have not had to recover a server in production ( and hope I do
> not have to ) but I have in lab 10+ times and servers are as clean as ever.
> You should take a look.

When Brett mentioned imaging DCs being a bad idea and to never ever do
it I believe that he was meaning don't Image a DC and try to use that
Image to build other new DCs and just trying to change the SID like
you would for a desktop. Bad idea!

Phil


Re: [ActiveDir] best practice?

2005-05-04 Thread Tomasz Onyszko
John Shukovsky Jr wrote:
> Hello all,
>
> Question, you want to re-image pc's that are domain members. You want
> to immediately rejoin domain using same name. Site is single W2k
> DC/GC on 3 hour replication cycle with fsmo holders.
>
> Should you remove from domain, image and rejoin or just image rejoin and
> reset computer account? Would either of these ways work given site setup?

In the network I'm working in right now we are using a process like this:
imaging -> reset account -> join again. Works perfectly for about 5k
workstations.

--
Tomasz Onyszko [MVP]
[EMAIL PROTECTED]
http://www.w2k.pl


Re: [ActiveDir] best practice?

2005-05-04 Thread John Shukovsky Jr
I was talking about pc's. The reason for reimage is for new departmental
standards ( look and feel ). I do not have luxury of SMS. Yes, same domain,
same hardware, same name, just new image. I am having issues with removing,
pushing new image and rejoining. Some seem to work and others are coming up
disabled?? Just wanted to ask if anyone is familiar or knows better way.

BUT as for DC's. I do "image" dc's using Symantec Livestate Recovery (
formerly PowerQuest V2i ). It works wonderfully. I primarily use for
backups. I have not had to recover a server in production ( and hope I do
not have to ) but I have in lab 10+ times and servers are as clean as ever.
You should take a look.

- Original Message - 
From: "Jorge de Almeida Pinto" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, May 04, 2005 2:55 AM
Subject: RE: [ActiveDir] best practice?


> In his mail he is talking about DOMAIN MEMBERS and not DCs. If he is
talking
> about DCs I agree with Brett -> don't image DCs... Don't even think about
> it!
>
> Concerning imaging DOMAIN MEMBERS and rejoining...
> I'm not sure what you want to achieve...why do you want to rejoin the
> computers? Same domain? Other domain? Same HW, Other HW?
>
> Cheers,
> #JORGE#
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Wednesday, May 04, 2005 03:08
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
>
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> server.  I don't know about members, just adding knowledge about DCs, as
I
> don't think I've ever mentioned it here before.
>
> Cheers,
> -Brett Shirley [msft]
>
> as is, caveat emptor, status quo, etc
>
>
>
> On Tue, 3 May 2005, John Shukovsky Jr wrote:
>
> > Hello all,
> >
> > Question, you want to re-image pc's  that are domain members. You want
to
> immediately rejoin domain using same name. Site is single W2k DC/GC on 3
> hour replication cycle with fsmo holders.
> >
> > Should you remove from domain, image and rejoin or just image rejoin and
> reset computer account? Would either of these ways work given site setup?
> >
> > Any input appreciated.
> >
> > John Shukovsky Jr
> > Network Administrator
> > NJ Department of Human Services
> > 609-861-6031
> >
> >
> > This E-mail, including any attachments, may be intended solely for the
> > personal and confidential use of the sender and recipient(s) named
> > above. This message may include advisory, consultative and/or
> > deliberative material and, as such, would be privileged and
> > confidential and not a public document. Any Information in this e-mail
> > identifying a client of the Department of Human Services is
> > confidential. If you have received this e-mail in error, you must not
> > review, transmit, convert to hard copy, copy, use or disseminate this
> > e-mail or any attachments to it and you must delete this message. You
are
> requested to notify the sender by return e-mail.
> >
>
>
> This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment and all copies and inform the sender. Thank you.
>





Re: [ActiveDir] Solaris authentication

2005-05-04 Thread Peter Jessop
Douglas

You have to configure your switch so that the port that your monitoring box
is connected to receives all the packets that interest you. In the Alcatel
switch we have this is called mirroring. You probably will need to do this
before you can start sniffing as otherwise you will only see packets
directed towards your NIC. I believe it is no longer necessary to put your
NIC in promiscuous mode as Ethereal (or others..) will do this when you set
it up.

 

Re: [ActiveDir] My network sites and GPO

2005-05-04 Thread Peter Jessop
A script to remove all local mappings of network drives is the following:

    ' Letters that are not mapped network drives raise an error; skip them
    On Error Resume Next
    Dim objNetWork, i, drive
    Set objNetWork = CreateObject("WScript.Network")
    ' Try every letter A: to Z:; True, True = force removal and drop the
    ' persistent mapping from the profile
    For i = Asc("A") To Asc("Z")
        drive = Chr(i) & ":"
        objNetWork.RemoveNetworkDrive drive, True, True
    Next

Regards

Peter Jessop

RE: [ActiveDir] Imaging NT5+ DCs == Bad (was: best practice?)

2005-05-04 Thread Brett Shirley
"That is soo not right." (Mean Girls movie reference, at Halloween party)

You should take a look at this:
http://support.microsoft.com/?kbid=885875

I sincerely hope you don't have USN rollback or divergent replicas, but I
think it is likely if you are actually imaging dcpromo'd DCs.

Just curious, for imaging what are you using?  Ghost?  Are you just
restoring images?  Are you using the images to build additional DCs for
load?


Win2k3 SP1, and a hot fix post Win2k SP4, will in fact stop DCs from
replicating if it detects such a condition (but it is not always
guaranteed it will be able to detect the condition), to attempt to contain
the damage.

Also note, b/c I'm not sure the KB is clear about divergent replicas ...
just because things are replicating currently, or there are no apparent
current USN rollbacks ... does NOT mean you weren't once in the past
afflicted with USN rollback, and now you've gotten past it, and instead
are simply afflicted with divergent replicas (worse than USN rollback in
ways).  You might try to use (_I think_) dsastat to run through all the
objects on your DCs in a pair-wise fashion to find differences.

Cheers, 
Brett Shirley [msft]
Building 7 Garage Door Operator, so what do I know ...

This posting is provided "AS IS" with no warranties, and confers no
rights.


On Tue, 3 May 2005, Joseph L. Casale wrote:

> Errr, I do it always, always, ALWAYS, and it works? AD has mechanisms
> built in to get it back up to par...
> jlc 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
> Sent: Tuesday, May 03, 2005 7:08 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] best practice?
> 
> Never, ever, EVER image a Win2k or Win2k3 Domain Controller ... or ADAM
> server.  I don't know about members, just adding knowledge about DCs,
> as I don't think I've ever mentioned it here before.
> 
> Cheers,
> -Brett Shirley [msft]
> 
> as is, caveat emptor, status quo, etc
> 
> 
> 
> On Tue, 3 May 2005, John Shukovsky Jr wrote:
> 
> > Hello all,
> > 
> > Question, you want to re-image pc's  that are domain members. You want
> to immediately rejoin domain using same name. Site is single W2k DC/GC
> on 3 hour replication cycle with fsmo holders. 
> > 
> > Should you remove from domain, image and rejoin or just image rejoin
> and reset computer account? Would either of these ways work given site
> setup?
> > 
> > Any input appreciated.
> >  
> > John Shukovsky Jr
> > Network Administrator
> > NJ Department of Human Services
> > 609-861-6031
> > 
> > 
> > 
> 
> 

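As an added illustration, not Brett's or Microsoft's code, this Python model shows the two conditions his post distinguishes: the USN rollback a replication partner can notice (a DC restored from an image reports a lower USN than the partner already consumed from the same invocation ID) and the quieter divergent-replica state that follows once the restored DC keeps writing, which replication never reports and only a pairwise object comparison like the dsastat suggestion reveals. DC names, the naming context and the objects are constructed, and the high-water-mark logic is a simplification of real AD replication.

```python
"""Simplified model of USN rollback and divergent replicas.

Constructed teaching example, not the Windows implementation: two DCs
replicate by USN high-water mark; one is restored from a disk image.
"""
from dataclasses import dataclass, field
import copy


@dataclass
class DC:
    name: str
    invocation_id: str               # identity of this DC's database instance
    highest_usn: int = 0             # local update sequence number counter
    objects: dict = field(default_factory=dict)     # DN -> attributes
    watermarks: dict = field(default_factory=dict)  # invocationId -> USN seen

    def write(self, dn: str, **attrs) -> None:
        """Originating write: bump the USN and stamp the object with it."""
        self.highest_usn += 1
        obj = self.objects.setdefault(dn, {})
        obj.update(attrs)
        obj["uSNChanged"] = self.highest_usn


def detect_rollback(dest: DC, source: DC) -> bool:
    """Partner-side check: the source now reports a highest USN *below* what
    this partner already consumed from the same invocationId, which can only
    happen if the source's database went back in time."""
    return source.highest_usn < dest.watermarks.get(source.invocation_id, 0)


def replicate(dest: DC, source: DC) -> int:
    """Pull changes stamped above dest's watermark for source; return count."""
    seen = dest.watermarks.get(source.invocation_id, 0)
    pulled = 0
    for dn, obj in source.objects.items():
        if obj["uSNChanged"] > seen:
            dest.objects[dn] = copy.deepcopy(obj)
            pulled += 1
    dest.watermarks[source.invocation_id] = max(seen, source.highest_usn)
    return pulled


def compare_replicas(a: DC, b: DC) -> list:
    """Pairwise diff in the spirit of the dsastat suggestion: DNs whose
    attributes differ, ignoring the per-replica uSNChanged stamp."""
    def strip(o):
        return {k: v for k, v in o.items() if k != "uSNChanged"}
    return [dn for dn in sorted(set(a.objects) | set(b.objects))
            if strip(a.objects.get(dn, {})) != strip(b.objects.get(dn, {}))]


def scenario() -> dict:
    """Image a DC, keep working, restore the image, keep working again."""
    base = "OU=Users,DC=example,DC=test"          # constructed naming context
    dc1, dc2 = DC("DC1", "inv-dc1"), DC("DC2", "inv-dc2")
    dc1.write(f"CN=alice,{base}", title="Analyst")           # USN 1
    replicate(dc2, dc1)                                       # watermark 1
    image = copy.deepcopy(dc1)                                # disk image taken
    dc1.write(f"CN=bob,{base}", title="Engineer")             # USN 2
    replicate(dc2, dc1)                                       # watermark 2
    dc1 = copy.deepcopy(image)        # image restored: same invocationId, USN 1
    seen_at_restore = detect_rollback(dc2, dc1)               # 1 < 2 -> True
    dc1.write(f"CN=carol,{base}", title="Manager")            # re-uses USN 2
    seen_later = detect_rollback(dc2, dc1)                    # 2 < 2 -> False
    pulled = replicate(dc2, dc1)      # nothing above watermark: carol never goes
    # An AD-aware restore instead gives the restored DC a new invocationId,
    # so partners start a fresh watermark and pull everything it holds.
    proper = copy.deepcopy(image)
    proper.invocation_id = "inv-dc1-restored"
    pulled_after_proper_restore = replicate(DC("DC3", "inv-dc3"), proper)
    return {"rollback_flagged_at_restore": seen_at_restore,
            "rollback_flagged_after_new_writes": seen_later,
            "changes_pulled_after_rollback": pulled,
            "divergent_objects": compare_replicas(dc1, dc2),
            "pulled_after_proper_restore": pulled_after_proper_restore}
```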


[ActiveDir] My network sites and GPO

2005-05-04 Thread Sergio Sánchez Trujillo
Hello,

Is it possible to configure "My network sites" for different users? For
example, that in "My network sites" different shared folders appear for
different users; also, could I remove all shared folders at the beginning
of a script...?

The reason for this is that there aren't enough letters to map network
drives to do something with our users.

Is this possible with a GPO?

We have in the company a W2000 server as a Domain Controller.

Thanks,

Sergio S. T.