RE: [ActiveDir] LDAP performance

2005-06-13 Thread Darren Mar-Elia
You might also want to fire up Server Performance Advisor on the box and 
collect some perf stats on the queries. You should be able to see where time is 
being spent and what kinds of resources are being consumed.

Darren 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, June 13, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

It's hard to really give any sort of analysis with the data provided.
Do you have any network traces of entering "failure" state that we could see? 
With that hopefully we can provide more guidance.

~Eric



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Something similar came up for discussion last week. My response was to increase 
the maxreceivebuffer size.
 
See Q315071 and Q834317
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? 
 -anon



From: [EMAIL PROTECTED] on behalf of Isenhour, Joseph
Sent: Mon 6/13/2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance


Oops one correction:
 
100 binds per second is the upper limit that I've found.  Average of 10 binds 
per second.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance



We're running into what appears to be some performance issues.  We have several 
AD servers that we dedicate to doing LDAP authentications for various 
applications.  We recently added a new application that performs a large number 
of binds.  The day we cut the application over to AD LDAP the application 
owners began complaining that an average of 1 to 2 LDAP requests are being 
dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50 queries 
per second using filter "(samaccountname=X)" and requesting the DN as the 
return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM with 
the 3GB switch set. 

I ran this through ADSizer and it recommended one server with about half the 
capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that they 
are barely breaking a sweat in terms of available resources.  I've tweaked our 
default LDAP policies to add additional queries per proc and allowed larger 
buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on the 
servers.  They suspect this because they are seeing a few syns that never get 
acked.  I'm not familiar with how to do this in Windows and am not sure if that 
is really something I should be concerned with.  Can anyone out there vouch for 
this theory?  Or perhaps offer another theory as to why the DCs seem to not 
keep up with the load?

Thanks 

One other thing,  I set the LDAP diags to two and found the following warning 
popping up from time to time: 

*
* 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:   6/13/2005 
Time:   6:34:37 PM 
User:   N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 
  
Client ID: 
427107 
  
Additional Data
Error value: 
995 The I/O operation has been aborted because of either a thread exit or an 
application request. 
Internal ID: 
c0602ec 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*
* 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] LDAP performance

2005-06-13 Thread joe
Hey Deji, I am trying to figure out how increasing the size of LDAP messages
above 10MB could help with this. It sounds like a problem with a ton of
little auth requests, not an issue with single huge requests. Little help?

   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Something similar came up for discussion last week. My response was to
increase the maxreceivebuffer size.
 
See Q315071 and Q834317
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Isenhour, Joseph
Sent: Mon 6/13/2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance


Oops one correction:
 
100 binds per second is the upper limit that I've found.  Average of 10
binds per second.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance



We're running into what appears to be some performance issues.  We have
several AD servers that we dedicate to doing LDAP authentications for
various applications.  We recently added a new application that performs a
large number of binds.  The day we cut the application over to AD LDAP the
application owners began complaining that an average of 1 to 2 LDAP requests
are being dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50
queries per second using filter "(samaccountname=X)" and requesting the DN
as the return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM
with the 3GB switch set. 

I ran this through ADSizer and it recommended one server with about half the
capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that
they are barely breaking a sweat in terms of available resources.  I've
tweaked our default LDAP policies to add additional queries per proc and
allowed larger buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on
the servers.  They suspect this because they are seeing a few syns that
never get acked.  I'm not familiar with how to do this in Windows and am not
sure if that is really something I should be concerned with.  Can anyone out
there vouch for this theory?  Or perhaps offer another theory as to why the
DCs seem to not keep up with the load?

Thanks 

One other thing,  I set the LDAP diags to two and found the following
warning popping up from time to time: 


*
* 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:   6/13/2005 
Time:   6:34:37 PM 
User:   N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 
  
Client ID: 
427107 
  
Additional Data
Error value: 
995 The I/O operation has been aborted because of either a thread exit or an
application request. 
Internal ID: 
c0602ec 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


*
* 



RE: [ActiveDir] LDAP performance

2005-06-13 Thread joe



What errors specifically are the clients seeing? Is the 
server returning any extended information or are the connections just dying on 
the vine? And if so are you sure? As Eric indicated, running through a trace 
would probably be mucho helpful. 
 
What type of client? If Windows, this KB may seem 
odd, but check out http://support.microsoft.com/?id=836429
 
What you are describing sounds like something I heard from 
another friend of mine doing some auth testing and the KB above ended up being 
what the issue was related to. 
 
 
I am assuming they are most likely doing simple 
binds? If so, possibly the app developers may want to look at 
LDAP_OPT_FAST_CONCURRENT_BIND available in Windows Server 2003 AD which allows 
multiple binds over a single connection and should be faster overall. Read more 
here
 
http://msdn.microsoft.com/library/default.asp?url="">
 
 
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance

We're running into what appears to be some 
performance issues.  We have several AD servers that we dedicate to doing 
LDAP authentications for various applications.  We recently added a new 
application that performs a large number of binds.  The day we cut the 
application over to AD LDAP the application owners began complaining that an 
average of 1 to 2 LDAP requests are being dropped every minute.  Here are 
the details:
Application:  Issues an average of 100 binds per 
second.  Average of 50 queries per second using filter "(samaccountname=X)" 
and requesting the DN as the return.
HW:  2 Domain Controllers.  Each is quad 
proc 2.4GHZ.  Each has 4GB of RAM with the 3GB switch set. 
I ran this through ADSizer and it recommended one 
server with about half the capacity that is built into each of these 
servers.
I've run several performance checks on these machines 
and it appears that they are barely breaking a sweat in terms of available 
resources.  I've tweaked our default LDAP policies to add additional 
queries per proc and allowed larger buffers.  But the app owner is still 
complaining.
The network team has recommended that I increase the 
TCP listening queue on the servers.  They suspect this because they are 
seeing a few syns that never get acked.  I'm not familiar with how to do 
this in Windows and am not sure if that is really something I should be 
concerned with.  Can anyone out there vouch for this theory?  Or 
perhaps offer another theory as to why the DCs seem to not keep up with the 
load?
Thanks 
One other thing,  I set the LDAP diags to two and found the following warning popping up from time to time: 
** 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:       6/13/2005 
Time:       6:34:37 PM 
User:       N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 

Client ID: 427107 

Additional Data 
Error value: 995 The I/O operation has been aborted because of either a thread exit or an application request. 
Internal ID: c0602ec 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. 
** 



Re: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Steve Patrick

Curious. What kind of pruning are you talking about?

steve
- Original Message - 
From: "Dean Wells" <[EMAIL PROTECTED]>

To: "Send - AD mailing list" <[EMAIL PROTECTED]>
Sent: Monday, June 13, 2005 12:11 PM
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line



The pruning is undocumented (AFAIK) and takes an awful lot of trial and
error in order to produce a successful (pruned) file-set.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 12:59 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I might be getting a bit confused here.  The instructions from MS indicate
that once you drop the system state restore on the machine you run the
dcpromo but a few of you have indicated pruning the sys-state.

Do I have to do any additional post-install configurations after I run
DCPROMO with the /ADV flag?

The advantage that I'm looking for is to bandwidth throttle the
promotion.

With the natural promotion I don't have this option so the promotion will
kill my line during production hours.  If I can just copy a system state
backup out, I can do so with bandwidth throttling so it doesn't cripple my
site and then do the promotion with the ADV flag and then allow the natural
cleaning up of whatever was missed between the system state and the actual
promotion time.

After the initial sync I will have enough bandwidth to keep things running,
it's just getting it out there that is my current challenge.

I would like to thank everyone for the great responses.

Charlie

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 11:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line


As Brett says, it's difficult to be sure since the Directory content will
impact the result.  I can say only this with certainty; I tested a similar
scenario in W2K3 beta-something and found it to be significantly quicker to
prune, dump and zip the restored sys-state than perform a natural promotion
across the wire (I don't remember the exact numbers involved but I'd guess
my testing semantics then would be similar to those that I'd use now;
something along the lines of a couple of hundred thousand objects in a
single domain forest [app. NCs discarded for obvious reasons pre-SP1]).

NOTE - SYSVOL proved to be an irritation regardless of the replication
mechanism used.

Basing much of my decision on the results of the original test and since I
have the procedure in place to prune & compress the restored sys-state, I'd
tend to opt for the approach I originally offered but it's a difficult
choice to justify since each scenario will differ.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I'm not so sure, when trying to optimize for total bandwidth usage ...

If you're in the scenario Neil suggests (without compressing the data), it
will definitely be less total data transferred by doing normal dcpromo
replication over copying the DIT over the wire ... various things don't go
through the normal replication protocol, but take up space in the DIT: AD's
non-replicated attributes, ESE database page overhead, indexes, ESE catalog,
to name a few.

The ultimate question: will compression be enough to make up for the mentioned
non-replicated things?  I don't know.

And you'd be fighting AD's intersite per replication packet (which is
usually like 1000* objects or 1MB* or something like that at a time)
compression.  * Those aren't real numbers, just numbers I'm making up that
are w/in an order of magnitude of the real numbers.  At least I assume we do
compression during dcpromo's initial replication!?

Careful testing would have to be done, to prove which would yield lower
total bandwidth usage.  If you change to optimize for speed, given fast
bandwidth, I'm sure Dean's method is faster.  Dean might be right, it might
even yield less total bandwidth usage his way, but I'm not sure.  I should
say, Dean has far more deployment experience than me ... so I'd side with
him.  But I myself wouldn't be sure until I tested it myself.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no 
rights.



On Mon, 13 Jun 2005, Dean Wells wrote:


As an aside, it's still preferable to use IFM (assuming it's a recent
backup) since replication is designed to propagate very discrete changes.
Pruning & compressing the back media and copying via CIFS or FTP will
still provide a significant benefit.
--
Dean Wells
MSEtechnology
* Email: dwell

RE: [ActiveDir] LDAP performance

2005-06-13 Thread Eric Fleischman
It's hard to really give any sort of analysis with the data provided.
Do you have any network traces of entering "failure" state that we could see? 
With that hopefully we can provide more guidance.

~Eric



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

Something similar came up for discussion last week. My response was to
increase the maxreceivebuffer size.
 
See Q315071 and Q834317
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Isenhour, Joseph
Sent: Mon 6/13/2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance


Oops one correction:
 
100 binds per second is the upper limit that I've found.  Average of 10 binds
per second.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance



We're running into what appears to be some performance issues.  We have
several AD servers that we dedicate to doing LDAP authentications for various
applications.  We recently added a new application that performs a large
number of binds.  The day we cut the application over to AD LDAP the
application owners began complaining that an average of 1 to 2 LDAP requests
are being dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50
queries per second using filter "(samaccountname=X)" and requesting the DN as
the return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM
with the 3GB switch set. 

I ran this through ADSizer and it recommended one server with about half the
capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that
they are barely breaking a sweat in terms of available resources.  I've
tweaked our default LDAP policies to add additional queries per proc and
allowed larger buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on
the servers.  They suspect this because they are seeing a few syns that never
get acked.  I'm not familiar with how to do this in Windows and am not sure
if that is really something I should be concerned with.  Can anyone out there
vouch for this theory?  Or perhaps offer another theory as to why the DCs
seem to not keep up with the load?

Thanks 

One other thing,  I set the LDAP diags to two and found the following warning
popping up from time to time: 

*
* 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:   6/13/2005 
Time:   6:34:37 PM 
User:   N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 
  
Client ID: 
427107 
  
Additional Data 
Error value: 
995 The I/O operation has been aborted because of either a thread exit or an
application request. 
Internal ID: 
c0602ec 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*
* 



Re: [ActiveDir] Windows 2000 DC Hardening

2005-06-13 Thread mike kline
What documents are you using? The guides and templates released by the
NSA are always a good place to start.

You can download them here:

http://www.nsa.gov/snac/downloads_win2000.cfm?MenuID=scg10.3.1.1

DISA also has a lot of guidance that I have used and that can be found here

http://csrc.nist.gov/pcig/cig.html

Thanks
Mike


On 6/13/05, Ravi Dogra <[EMAIL PROTECTED]> wrote:
> Hi List,
> 
> I have been doing my part of the job without hardening my servers till now
> (I know that's very bad). But I realise that server hardening is a must
> and will definitely enhance my profile.
> 
> I just need a quick help on it, if someone can guide me on the same. I
> have some documentation also but I need expert comments on this
> topic.
> 
> --
> DR


[ActiveDir] Windows 2000 DC Hardening

2005-06-13 Thread Ravi Dogra
Hi List,

I have been doing my part of the job without hardening my servers till now
(I know that's very bad). But I realise that server hardening is a must
and will definitely enhance my profile.

I just need a quick help on it, if someone can guide me on the same. I
have some documentation also but I need expert comments on this
topic.
 
-- 
DR


RE: [ActiveDir] LDAP performance

2005-06-13 Thread deji
Something similar came up for discussion last week. My response was to
increase the maxreceivebuffer size.
 
See Q315071 and Q834317
 
HTH
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Isenhour, Joseph
Sent: Mon 6/13/2005 5:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance


Oops one correction:
 
100 binds per second is the upper limit that I've found.  Average of 10 binds
per second.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance



We're running into what appears to be some performance issues.  We have
several AD servers that we dedicate to doing LDAP authentications for various
applications.  We recently added a new application that performs a large
number of binds.  The day we cut the application over to AD LDAP the
application owners began complaining that an average of 1 to 2 LDAP requests
are being dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50
queries per second using filter "(samaccountname=X)" and requesting the DN as
the return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM
with the 3GB switch set. 

I ran this through ADSizer and it recommended one server with about half the
capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that
they are barely breaking a sweat in terms of available resources.  I've
tweaked our default LDAP policies to add additional queries per proc and
allowed larger buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on
the servers.  They suspect this because they are seeing a few syns that never
get acked.  I'm not familiar with how to do this in Windows and am not sure
if that is really something I should be concerned with.  Can anyone out there
vouch for this theory?  Or perhaps offer another theory as to why the DCs
seem to not keep up with the load?

Thanks 

One other thing,  I set the LDAP diags to two and found the following warning
popping up from time to time: 

*
* 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:   6/13/2005 
Time:   6:34:37 PM 
User:   N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 
  
Client ID: 
427107 
  
Additional Data 
Error value: 
995 The I/O operation has been aborted because of either a thread exit or an
application request. 
Internal ID: 
c0602ec 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

*
* 



RE: [ActiveDir] LDAP performance

2005-06-13 Thread Isenhour, Joseph



Oops one correction:
 
100 binds per second is the upper limit that I've 
found.  Average of 10 binds per second.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Monday, June 13, 2005 4:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LDAP performance

We're running into what appears to be some 
performance issues.  We have several AD servers that we dedicate to doing 
LDAP authentications for various applications.  We recently added a new 
application that performs a large number of binds.  The day we cut the 
application over to AD LDAP the application owners began complaining that an 
average of 1 to 2 LDAP requests are being dropped every minute.  Here are 
the details:
Application:  Issues an average of 100 binds per 
second.  Average of 50 queries per second using filter "(samaccountname=X)" 
and requesting the DN as the return.
HW:  2 Domain Controllers.  Each is quad 
proc 2.4GHZ.  Each has 4GB of RAM with the 3GB switch set. 
I ran this through ADSizer and it recommended one 
server with about half the capacity that is built into each of these 
servers.
I've run several performance checks on these machines 
and it appears that they are barely breaking a sweat in terms of available 
resources.  I've tweaked our default LDAP policies to add additional 
queries per proc and allowed larger buffers.  But the app owner is still 
complaining.
The network team has recommended that I increase the 
TCP listening queue on the servers.  They suspect this because they are 
seeing a few syns that never get acked.  I'm not familiar with how to do 
this in Windows and am not sure if that is really something I should be 
concerned with.  Can anyone out there vouch for this theory?  Or 
perhaps offer another theory as to why the DCs seem to not keep up with the 
load?
Thanks 
One other thing,  I set the LDAP diags to two and found the following warning popping up from time to time: 
** 
Event Type: Warning 
Event Source:   NTDS LDAP 
Event Category: LDAP Interface 
Event ID:   1216 
Date:       6/13/2005 
Time:       6:34:37 PM 
User:       N/A 
Computer:   ** 
Description: 
Internal event: An LDAP client connection was closed because of an error. 

Client ID: 427107 

Additional Data 
Error value: 995 The I/O operation has been aborted because of either a thread exit or an application request. 
Internal ID: c0602ec 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. 
** 



[ActiveDir] LDAP performance

2005-06-13 Thread Isenhour, Joseph






We're running into what appears to be some performance issues.  We have several AD servers that we dedicate to doing LDAP authentications for various applications.  We recently added a new application that performs a large number of binds.  The day we cut the application over to AD LDAP the application owners began complaining that an average of 1 to 2 LDAP requests are being dropped every minute.  Here are the details:

Application:  Issues an average of 100 binds per second.  Average of 50 queries per second using filter "(samaccountname=X)" and requesting the DN as the return.

HW:  2 Domain Controllers.  Each is quad proc 2.4GHZ.  Each has 4GB of RAM with the 3GB switch set.


I ran this through ADSizer and it recommended one server with about half the capacity that is built into each of these servers.

I've run several performance checks on these machines and it appears that they are barely breaking a sweat in terms of available resources.  I've tweaked our default LDAP policies to add additional queries per proc and allowed larger buffers.  But the app owner is still complaining.

The network team has recommended that I increase the TCP listening queue on the servers.  They suspect this because they are seeing a few syns that never get acked.  I'm not familiar with how to do this in Windows and am not sure if that is really something I should be concerned with.  Can anyone out there vouch for this theory?  Or perhaps offer another theory as to why the DCs seem to not keep up with the load?

Thanks


One other thing,  I set the LDAP diags to two and found the following warning popping up from time to time:


**

Event Type: Warning

Event Source:   NTDS LDAP

Event Category: LDAP Interface 

Event ID:   1216

Date:       6/13/2005

Time:       6:34:37 PM

User:       N/A

Computer:   **

Description:

Internal event: An LDAP client connection was closed because of an error. 

 

Client ID:

427107 

 

Additional Data 

Error value:

995 The I/O operation has been aborted because of either a thread exit or an application request. 

Internal ID:

c0602ec


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


**
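As an added example (not from the thread or from Microsoft), here is a small parser for Event ID 1216 records in the layout quoted above, so that a day's worth of them can be counted per error value and per DC and turned into a closure rate to compare against the "1 to 2 dropped requests per minute" the application owners report. The record wording is the one quoted in the post; the computer names, client IDs and times in the sample are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: three Event ID 1216 records in the layout the "NTDS LDAP"
# source writes once the LDAP Interface diagnostic level is raised to 2.
# Computer names, client IDs and times are made up; the wording is the
# standard event text quoted in the thread.
EVENT_TEMPLATE = """\
Event Type: Warning
Event Source:   NTDS LDAP
Event Category: LDAP Interface
Event ID:   1216
Date:       6/13/2005
Time:       {time}
User:       N/A
Computer:   {computer}
Description:
Internal event: An LDAP client connection was closed because of an error.

Client ID:
{client_id}

Additional Data
Error value:
995 The I/O operation has been aborted because of either a thread exit or an application request.
Internal ID:
c0602ec
"""

SAMPLE_EVENTS = "\n".join(
    EVENT_TEMPLATE.format(time=t, computer=c, client_id=i)
    for t, c, i in [
        ("6:34:37 PM", "DC-EXAMPLE-01", 427107),
        ("6:35:10 PM", "DC-EXAMPLE-01", 427230),
        ("6:36:37 PM", "DC-EXAMPLE-02", 427418),
    ]
)


@dataclass
class LdapCloseEvent:
    when: datetime
    computer: str
    client_id: int
    error_code: int
    error_text: str
    internal_id: str


# One regex per field, each anchored to a line start so a value is never
# picked up from the free-text description.
FIELDS = {
    "event_id": re.compile(r"^Event ID:\s*(\d+)\s*$", re.M),
    "date": re.compile(r"^Date:\s*(\S+)", re.M),
    "time": re.compile(r"^Time:\s*(.+?)\s*$", re.M),
    "computer": re.compile(r"^Computer:\s*(\S+)", re.M),
    "client_id": re.compile(r"^Client ID:\s*\n\s*(\d+)", re.M),
    "error": re.compile(r"^Error value:\s*\n\s*(\d+)\s+(.+?)\s*$", re.M),
    "internal_id": re.compile(r"^Internal ID:\s*\n\s*([0-9a-fA-F]+)", re.M),
}


def parse_events(text: str) -> List[LdapCloseEvent]:
    """Parse every complete Event ID 1216 record out of an event log text export."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text):
        found = {name: rx.search(chunk) for name, rx in FIELDS.items()}
        if not all(found.values()) or found["event_id"].group(1) != "1216":
            continue  # another event ID, or a record truncated by the export
        when = datetime.strptime(
            f"{found['date'].group(1)} {found['time'].group(1)}", "%m/%d/%Y %I:%M:%S %p"
        )
        events.append(LdapCloseEvent(
            when=when,
            computer=found["computer"].group(1),
            client_id=int(found["client_id"].group(1)),
            error_code=int(found["error"].group(1)),
            error_text=found["error"].group(2),
            internal_id=found["internal_id"].group(1),
        ))
    return sorted(events, key=lambda e: e.when)


def summarize(events: List[LdapCloseEvent]) -> Dict[str, object]:
    """Closures per error value and per DC, plus the closure rate over the window spanned."""
    minutes = 0.0
    if len(events) >= 2:
        minutes = (events[-1].when - events[0].when).total_seconds() / 60
    per_minute: Optional[float] = round(len(events) / minutes, 2) if minutes > 0 else None
    return {
        "total": len(events),
        "by_error": dict(Counter(e.error_code for e in events)),
        "by_dc": dict(Counter(e.computer for e in events)),
        "closures_per_minute": per_minute,
    }


if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE_EVENTS)))
```

Point it at a text export of the Directory Service log and the closure rate per DC is a number that can be set directly against the application's own error count, which is the correlation the thread is asking for before anyone turns a TCP or LDAP policy knob.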





[ActiveDir] OT AUTOBACKUPLOGFILE

2005-06-13 Thread Cothern Jeff D. Team EITC



Does anyone use the registry key AutoBackupLogFile for the eventlogs?  And if so 
what method do you use to move or backup the archived files that 
are created?
 
Jeff
   


RE: [ActiveDir] Using AD Sizer

2005-06-13 Thread Rick Kingslan










See inline below…..





Rick







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Monday, June 13, 2005 12:11 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Using AD Sizer



 

I’m trying to run through the Microsoft-provided free Active
Directory Sizer tool to approximate what new hardware should look like so we
can replace some older DCs. I haven’t used this thing before, and a
couple of things are unclear to me:

1. It asks “How many additional attributes will you have per
user?” – Are they talking about schema changes we may have
made for user accounts?

[RTK] Yep, that’s exactly what they are after.  5
added attributes per user times, say 10,000 – that’s a fair bit of
an added replication need.

2. It asks for Avg logon rate per second in Interactive, Batch, and
Network logons. How can I approximate something like that?

[RTK]  We’re talking about DCs here, yes? 
So, you can assume that your Interactive and Batch logon rate is going to be
pretty low. These simply mean how many times per second will someone/something
logon at the console or logging on as a batch process.  If these are
either negligible or not happening, then ignore.

Network logons are likely quite different.  This is
likely to be the biggest impact item.  Now, you can either input a median
of the logon traffic over a period of time or the peak of the traffic. 
How are you going to get that figure?  Me, I’d use the Performance
Monitor and gather the data over a 24 hr. period as a baseline of
traffic.  Once you have this (granularity is up to you….  I’ve
collected as frequently as every second), export to a CSV and import into
Access, Excel, SQL, whatever your choice to analyze.

Then, input your peak or average network logons to get the
sizing for your DCs.  My opinion – the ADSizer works just as well as
alsomst anything elese you’ll find.

Alternatively,
has anyone seen a better tool to get this information? We are still Windows
2000 AD – no 2003 DCs yet.

Thanks

Mark Creamer
Systems Engineer
Cintas Corporation


This e-mail transmission contains information that is intended to be
confidential and privileged. If you receive this e-mail and you are not a named
addressee you are hereby notified that you are not authorized to read, print,
retain, copy or disseminate this communication without the consent of the
sender and that doing so is prohibited and may be unlawful. Please reply to the
message immediately by informing the sender that the message was misdirected.
After replying, please delete and otherwise erase it and any attachments from
your computer system. Your assistance in correcting this error is appreciated.








RE: [ActiveDir] mstsc /console switch for non admins

2005-06-13 Thread Rick Kingslan










Guido,

Thanks for the kind words.  Very much appreciated.

As to qualifying the customer - ~50k staff and production, multi-national company.  And, as many companies tend to be – they value the opinion of Consultants and outsiders rather than their own employees to some degree.  Many times, I think, management has a tendency to believe that someone from the outside has a more “worldly” opinion or viewpoint, while the employee is too narrowly focused and too close to the problem.

It has been my observation as a Consultant that I had a much easier time conveying ideas to Management than when I was the employee conveying the ideas in a quite similar manner.  In fact, I’ve garnered the respect and trust of many of the folks that I worked with on projects as the outside consultant by gathering some of their ideas and getting those implemented along with the project – even though they had been trying to simply get an ear for 6 mos. or more.

It’s politics – and the bigger the company, the bigger the disconnect from the worker to the decision makers.

Rick











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, June 13, 2005 2:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



 

Hey Rick - sorry to hear - but from how I know you, this has simply made it easier for you to move on to a new company, something you'll have wanted to do for a while now and never did due to the complications involved.  I am very positive that you won't need to worry about finding anything.

As to this discussion, I find too often that mid-size companies are not willing to take that last step which would ensure a better security model - and many have good reasons to do so and accept the risks involved. But then again, they've never had a real issue and if they would, that thought would likely be different.  It's different with large corporations - I can usually convince them to do the right thing.  So I guess we must differentiate the type of customer when discussing these sorts of things.  This would make the discussion more "real world" like.

/Guido

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, 11 June 2005 05:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



joe,

Yeah, you had to know it was coming – Rick’s $.02 worth.

Remember what we both were relieved of our positions for?  Oh, that’s right – I didn’t tell you about me!  Suffice it to say I took one for my team because upper management was trying to get things done that were wrong, technically, tactically and strategically.  They, in fact, are on the verge of violating, IMHO, Sox 40x controls.  I complained, I argued, I provided information that they were on the precipice of something really bad.  Apparently, I finally hit a nerve and my rubbing of folks the wrong way (from their viewpoint) caused my layoff via ‘Elimination of my position’.

Whatever.  I got fired for saying what I believed was right.  You and I see eye to eye as it is with DC permissions and access controls.  You and I see eye to eye on security as a whole.

However, our view is not really a well accepted PRACTICE in Corporate environments.  Our beliefs are actually radical when compared to the norm in practice.

Does this mean that we’re wrong?  No.  It DOES mean that our Secure Conscious viewpoint can still get one fired.  It’s not a popular stance to say “Of my 10 Systems Admins, only these two can log on to a DC.”  The common rebuttal is “Everyone needs to be able to do these functions when on call” or “when the help desk calls, we need everyone capable of dealing with the problem at hand”.

I still believe that we are correct, but – most folks don’t live in “Rick and joe-land”.  They live in the screwed up Corporate world where the only endgame is money, and the generation of it [1].  With IT being a cost center, and Security viewed as an even bigger inhibitor to Production, most companies need to have a *Serious* computer security event to be convinced that they have their priorities in the wrong places.

Money generated doesn’t matter if you can’t guarantee that you can SECURE your customer’s money / data / private information.

Rick

[1] Case in point.  One of the guys that I used to work with was told that one thing management was really pissed about was the time it would take me to lock down a server.  For estimation purposes, I told folks to plan for (and published a timeline for planning purposes) 2 days for initial lockdown, 2 days for final lockdown and application of IPSec filters, and 3 days for InfoSec to certify the system (The time for InfoSec is THEIR guideline from their VP – not my timeline at all).  Typically, I would have a server back to the application team the same day to apply their apps, and would take one day to do the final lockdown, apply IPSec, and s

RE: [ActiveDir] Change password web interface

2005-06-13 Thread deji
iisadmpwd VD is one of the VDs that is ALWAYS neutered on any IIS server I touch - as part of my "server hardening" procedure. htr is one of the extensions that gets unmapped in any IIS installation I do. I have been doing this since before IISLOCKDOWN and, luckily, before CodeRed I and II.

Your experience may be different. I am just pointing out that this is not a secure way to do what you are doing. Roll your own solution. IISADMPWD and htr have been proven to be, shall we say, full of issues.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Douglas M. Long
Sent: Mon 6/13/2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Change password web interface



http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, June 13, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change password web interface

 

I am looking for a way for employees to change their password at any time
over a web interface.  Any scripts or free programs out there anyone could
suggest?

-- 
Jacob Stabl 
Network Engineer 
Plain Local School District 
http://www.plainlocal.org   
Office:  330.492.3500 
Cell: 330.704.1278 
IP Phone: 4466 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread frank . carroll
Dean - thanks for the pointer.

That article was the key. I went back to the lab and applied the change
(change rangeupper to 4096). I then looked on an existing GC and it did not
have the event 1575 in the directory services log. Given this, I think that
the answer is that the update does not cause a full GC sync, which makes
sense since the full sync occurred when forestprep modified the schema the
first time and I am now modifying an existing object.

Thanks everybody

Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

OK, I goofed. ms-Exch-Extension-Attribute-15 IS a member of PAS. It's already added and replicated (via Full GC Sync) to all GCs in the forest during the prepping (schema extension). Changing just the ms-Exch-Extension-Attribute-15 or even deleting it will NOT cause a full sync. My bad. Sorry to have to send you to the Lab.

See "Replication of Changes to the Global Catalog Partial Attribute Set" in
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/440e44ab-ea05-4bd8-a68c-12cf8fb1af50.mspx
 
Thanks, Dean.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Mon 6/13/2005 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD



Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is still W2K. As a result, you will still be doing a full GC sync.

I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of E2K3 already caused a full GC sync/rebuild because it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words the set of attributes in the GC. Only if you change that set (add or remove an attribute to/from the set) will it cause a full sync of the GCs in W2K. This will not occur in W2K3, as W2K3 only replicates the newly added/removed attribute.

So in W2K only changing the SET will cause a full sync, NOT changing the value of an attribute in the set. The change of the value will of course replicate to all GCs in the forest.

See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html

Cheers
#JORGE#



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday 13 June 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All,

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member of the partial attribute set. The question is: will the update to the rangeUpper on an existing attribute cause a complete GC sync?

I suspec

RE: [ActiveDir] mstsc /console switch for non admins

2005-06-13 Thread Grillenmeier, Guido



Hey Rick - sorry to hear - but from how I know you, this has simply made it easier for you to move on to a new company, something you'll have wanted to do for a while now and never did due to the complications involved.  I am very positive that you won't need to worry about finding anything.

As to this discussion, I find too often that mid-size companies are not willing to take that last step which would ensure a better security model - and many have good reasons to do so and accept the risks involved. But then again, they've never had a real issue and if they would, that thought would likely be different.  It's different with large corporations - I can usually convince them to do the right thing.  So I guess we must differentiate the type of customer when discussing these sorts of things.  This would make the discussion more "real world" like.

 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, 11 June 2005 05:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



joe,

Yeah, you had to know it was coming – Rick’s $.02 worth.

Remember what we both were relieved of our positions for?  Oh, that’s right – I didn’t tell you about me!  Suffice it to say I took one for my team because upper management was trying to get things done that were wrong, technically, tactically and strategically.  They, in fact, are on the verge of violating, IMHO, Sox 40x controls.  I complained, I argued, I provided information that they were on the precipice of something really bad.  Apparently, I finally hit a nerve and my rubbing of folks the wrong way (from their viewpoint) caused my layoff via ‘Elimination of my position’.

Whatever.  I got fired for saying what I believed was right.  You and I see eye to eye as it is with DC permissions and access controls.  You and I see eye to eye on security as a whole.

However, our view is not really a well accepted PRACTICE in Corporate environments.  Our beliefs are actually radical when compared to the norm in practice.

Does this mean that we’re wrong?  No.  It DOES mean that our Secure Conscious viewpoint can still get one fired.  It’s not a popular stance to say “Of my 10 Systems Admins, only these two can log on to a DC.”  The common rebuttal is “Everyone needs to be able to do these functions when on call” or “when the help desk calls, we need everyone capable of dealing with the problem at hand”.

I still believe that we are correct, but – most folks don’t live in “Rick and joe-land”.  They live in the screwed up Corporate world where the only endgame is money, and the generation of it [1].  With IT being a cost center, and Security viewed as an even bigger inhibitor to Production, most companies need to have a *Serious* computer security event to be convinced that they have their priorities in the wrong places.

Money generated doesn’t matter if you can’t guarantee that you can SECURE your customer’s money / data / private information.

Rick

[1] Case in point.  One of the guys that I used to work with was told that one thing management was really pissed about was the time it would take me to lock down a server.  For estimation purposes, I told folks to plan for (and published a timeline for planning purposes) 2 days for initial lockdown, 2 days for final lockdown and application of IPSec filters, and 3 days for InfoSec to certify the system (The time for InfoSec is THEIR guideline from their VP – not my timeline at all).  Typically, I would have a server back to the application team the same day to apply their apps, and would take one day to do the final lockdown, apply IPSec, and scan it before sending to InfoSec (yeah, I’m kind of funny that way – I like to KNOW what the scan looks like before I send it for certification).  Typically, it would take the application folks (who were the ones that complained about the time *I* took) about 2 – 3 weeks to get their applications on to the box.

Now for the funny part.  No one else has a clue how to do what I was doing.  Nada – nothing.  Nobody wanted to learn the boring, mundane, and highly visible process of hardening servers for the perimeter and DMZ.  So, another Supervisor gets this server that needs to be hardened.  He assigns it to my friend and tells him, “I don’t care if you know how to do it or not – just do it.”  He then proceeds to instruct him to just tell InfoSec you have a server to scan.  When you get the vulnerability report back, just fix what shows up as problems and send it back over to them for certification again.  “And, I need it by Friday, end of business…”  How long did this ‘abbreviated, BS, crap, end run, corner cutting hardening method for losers’ attempt take?

Three days.

Yeah.  They shaved a whole bunch of time off of my usual time to delivery.

R




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 1

RE: [ActiveDir] Change password web interface

2005-06-13 Thread Douglas M. Long
http://support.microsoft.com/default.aspx?scid=kb;en-us;297121

 

 

 









From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl
Sent: Monday, June 13, 2005 3:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Change password web interface



 

I am looking for a way for employees to change their password at any time over a web interface.  Any scripts or free programs out there anyone could suggest?

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466








RE: [ActiveDir] Bionet trojan,

2005-06-13 Thread Rick Kingslan
Joe,

After going back and looking at the justification for the request, I now see
that this apparently is for the other systems admins - not just the average
end user.

Given that Fire Fighters in training are expected to go into a controlled
burn and learn with a mentor how to put out a fire, rescue people from a
burning building, etc., I'm very aware of what the need is, plus I'm all for
research and I'm all for learning.  In this case, to me - trust is
paramount.  I don't know Rubik's Cube.  If joe or Dean had asked - I could
have explored.  Them I know personally.

I'm sure that we can both agree that giving Anthrax to any nation that just
asks nice is not in the best interest of any nation - and why I refrain from
tossing around live code of that ilk  :o)

I'm not so worried about one person's network who decides to mess with these
types of bugs.  I'm a bit more altruistic - I'm worried about all of the
innocents and their networks who didn't have a say.

Cheers!  And, thank you for the comments.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Monday, June 13, 2005 1:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bionet trojan,

Rick,

While I agree with you that using the EICAR test file to demonstrate how
A/V software will react when it finds a virus... The EICAR test file
doesn't demonstrate to end users just how nefarious a trojan can be...

Bionet is a common script kiddie trojan builder...  The included
capabilities allow a controller to upload and download files, record
keystrokes, activate the microphone, or even activate an attached web
cam if there's one available.  Plus you can run script files either on
demand or at scheduled times...  With Bionet, a person can literally do
anything they want to your PC...

Now, it's one thing to tell a user...  "A script kiddie could do
anything they want with your PC and data"  and it's an entirely
different thing to show them just how easy it is  Really, it puts
the fear of God in the end user when you can demonstrate to them that it
really can work, much more so than just telling them...

OTOH, it's also good for administrators and security professionals to
learn how these tools work.  It may not be 100% necessary to understand
the tools to protect your computers and networks, but it certainly does
help.

Of course, all due caution should be used when playing with this stuff.
Keep it off any network or machine that you care about losing.  Use at
your own risk...  Your mileage may vary...  Wash your hands in warm,
soapy water for at least 60 seconds when finished...  Etc.


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 13, 2005 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bionet trojan,

I understand the reason for your request.  And, it's admirable that you
want to insightfully inform your user base.

However, looking for live virus or Trojans is not the way to do it.  If
one wants to show how things can go horribly wrong, controlled
environment or not, this is likely a good start.

What I'd suggest is to make use of the EICAR test string.  All AV
programs that I know of will respond to it, and will respond as if a
real virus had been detected.

IMHO, this is the safe and proper way to do virus and Trojan awareness
training for user and response team staffs.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, June 13, 2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bionet trojan,

Ok, my apologies, I didn't realize it would be taken this way.

I am a network administrator, and we are planning a security awareness
campaign; this demonstration will be a part of training for the staff
to see the security risks they can be exposed to when opening an attachment
that they don't know about or executing a file. (I have it now.)

I had a noble cause so I asked a noble list, that's all, no offense to
the list.

r.c.


On 6/12/05, Tony Murray <[EMAIL PROTECTED]> wrote:
> Jorge's right.  Please contact me off-list before posting something 
> like that.  There's off topic and there's off topic, if you know what
> I mean.
> 
> Tony [List owner]
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de 
> Almeida Pinto
> Sent: Saturday, 11 June 2005 11:15 p.m.
> To: 'rubix cube '; '[EMAIL PROTECTED] '; 
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Bionet trojan,
> 
> In my opinion this list is not the place to ask for stuff like that.
> But hey... that's me
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTEC

[ActiveDir] Change password web interface

2005-06-13 Thread Jacob Stabl

I am looking for a way for employees to change their password at any time over a web interface.  Any scripts or free programs out there anyone could suggest?

--

Jacob Stabl

Network Engineer

Plain Local School District

http://www.plainlocal.org

Office:  330.492.3500

Cell: 330.704.1278

IP Phone: 4466





RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread Dean Wells
Yes, assuming it can determine where to refer the request to ... this requires that it has explicit knowledge of the namespace (and the servers that house it) in which further results may exist.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 13, 2005 1:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Load balancing LDAP request among my DCs


Jorge, Neil, thank you for your very helpful feedback. I will look into this.

And... may I ask another question that prevents me from sleeping at night, please? :)

If I understand correctly, AD 2003 is able to do referrals... that means forwarding a request for which it cannot find any response to another DC. Is that right?

In this case, is AD 2003 able to forward such requests?

Regards,

Yann




From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 13/06/2005 16:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Hi,

Load balancing is already provided by DNS through round robin. However, on some occasions you might want to change the DNS priority and/or weights of some DC(s) to offload it (I mean the SRV records of the DCs).

When using W2K3 DCs you have the possibility to configure the DC through a GPO, as the settings are available through the W2K3 GPOs.

DNS priority: in my opinion it should not be called this way, but it should be called "DNS cost" (but: what's in a name). The DC(s) with the lowest value is used first compared to other DCs with higher values. E.g. DC1 has DNS prio 50 and DC2 has prio 80. DC1 will always be used! DC2 will only be used when DC1 is not available.

QUOTE from the GPO explanation field:
The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.

In short: use DNS priorities when some DC should ONLY be used when others are not available any more.

DNS weight: The weight field specifies a relative weight for entries with the same priority. Larger weights SHOULD be given a proportionately higher probability of being selected. E.g. DC1 has DNS weight 50 and DC2 has prio 100. In three queries the probability is that DC1 will be used once and DC2 twice, provided both have the same DNS prio.

QUOTE from the GPO explanation field:
The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV record's Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.

In short: use DNS weights when some DC should receive less or more queries than other DCs.

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday 13 June 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,

I have a site with 4 DCs 2003. It seems that one of my DCs cannot deal with a large number of LDAP queries, GC responses and NTLM/Kerberos auth. Maybe I misunderstand something, but is my DC 2003 able to check that it cannot serve these queries and forward these queries automatically to another DC that is less busy? In other words, can AD 2003 natively load-balance queries to another less busy DC?

Regards,
Yann

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
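The priority-then-weight selection Jorge describes (the RFC 2782 SRV semantics a DNS client applies to the DC locator records), as an added Python example that is not part of the original thread. The DC names and record values are constructed to mirror Jorge's two cases (DC1 prio 50 vs DC2 prio 80; DC1 weight 50 vs DC2 weight 100 at equal priority), and the simulation also covers the failover he mentions (DC2 only used once DC1 stops answering).

```python
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One SRV record as a DC publishes it, e.g. under _ldap._tcp.dc._msdcs.<forest>.
    (Targets and values below are constructed for this example.)"""
    target: str
    priority: int
    weight: int
    port: int = 389


def order_by_priority(records):
    """Group records by priority, lowest number first (RFC 2782). A client only
    moves to a higher-numbered group when no host in the lower one answers."""
    groups = {}
    for rec in records:
        groups.setdefault(rec.priority, []).append(rec)
    return [groups[p] for p in sorted(groups)]


def pick_weighted(group, rng):
    """Pick one record from a same-priority group with probability proportional
    to its weight: weights 50 vs 100 give 1:2 odds."""
    total = sum(rec.weight for rec in group)
    if total == 0:
        return rng.choice(group)          # all weights zero: plain uniform pick
    point = rng.randrange(total)          # uniform integer in [0, total)
    running = 0
    for rec in group:
        running += rec.weight
        if point < running:
            return rec
    return group[-1]                      # not reachable; kept as a guard


def select_dc(records, rng, unavailable=frozenset()):
    """Return the target a client would contact, or None if nothing is reachable.
    `unavailable` models DCs that do not answer, which is what makes a client
    fall through to the next priority group (Jorge's "DC2 only when DC1 is down")."""
    for group in order_by_priority(records):
        candidates = [rec for rec in group if rec.target not in unavailable]
        if candidates:
            return pick_weighted(candidates, rng).target
    return None


def selection_counts(records, trials, seed=1, unavailable=frozenset()):
    """Simulate many independent client lookups and count which DC each one picked."""
    rng = random.Random(seed)
    return Counter(select_dc(records, rng, unavailable) for _ in range(trials))


# Constructed records mirroring the two cases in the thread.
PRIORITY_CASE = [  # DC1 prio 50, DC2 prio 80: DC1 always wins while it answers
    SrvRecord("dc1.example.com", priority=50, weight=100),
    SrvRecord("dc2.example.com", priority=80, weight=100),
]
WEIGHT_CASE = [    # equal priority, DC1 weight 50, DC2 weight 100: roughly 1:2
    SrvRecord("dc1.example.com", priority=0, weight=50),
    SrvRecord("dc2.example.com", priority=0, weight=100),
]

if __name__ == "__main__":
    print("priority case:", selection_counts(PRIORITY_CASE, 1000))
    print("priority case, dc1 down:",
          selection_counts(PRIORITY_CASE, 1000, unavailable={"dc1.example.com"}))
    print("weight case:", selection_counts(WEIGHT_CASE, 30000))
```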


RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Dean Wells
The pruning is undocumented (AFAIK) and takes an awful lot of trial and
error in order to produce a successful (pruned) file-set.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 12:59 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I might be getting a bit confused here.  The instructions from MS indicate
that once you drop the system state restore on the machine you run the
dcpromo but a few of you have indicated pruning the sys-state. 

Do I have to do any additional post-install configurations after I run
DCPROMO with the /ADV flag?

The advantage that I'm looking for is to bandwidth-throttle the promotion.
With the natural promotion I don't have this option so the promotion will
kill my line during production hours.  If I can just copy a system state
backup out, I can do so with bandwidth throttling so it doesn't cripple my
site and then do the promotion with the ADV flag and then allow the natural
cleaning up of whatever was missed between the system state and the actually
promotion time.

After the initial sync I will have enough bandwidth to keep things running;
it's just getting it out there that is my current challenge.

I would like to thank everyone for the great responses.

Charlie

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 11:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line


As Brett says, it's difficult to be sure since the Directory content will
impact the result.  I can say only this with certainty; I tested a similar
scenario in W2K3 beta-something and found it to be significantly quicker to
prune, dump and zip the restored sys-state than perform a natural promotion
across the wire (I don't remember the exact numbers involved but I'd guess
my testing semantics then would be similar to those that I'd use now;
something along the lines of a couple of hundred thousand objects in a
single domain forest [app. NCs discarded for obvious reasons pre-SP1]).  

NOTE - SYSVOL proved to be an irritation regardless of the replication
mechanism used.

Basing much of my decision on the results of the original test and since I
have the procedure in place to prune & compress the restored sys-state, I'd
tend to opt for the approach I originally offered but it's a difficult
choice to justify since each scenario will differ.

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I'm not so sure, when trying to optimize for total bandwidth usage ...

If you're in the scenario Neil suggests (without compressing the data), it
will definitely be less total data transferred by doing normal dcpromo
replication over copying the DIT over the wire ... various things don't go
through the normal replication protocol, but take up space in the DIT: AD's
non-replicated attributes, ESE database page overhead, indexes, ESE catalog,
to name a few.

The ultimate question will compression be enough to make for the mentioned
non-replicated things?  I don't know.

And you'd be fighting AD's intersite per replication packet (which is
usually like 1000* objects or 1MB* or something like that at a time)
compression.  * Those aren't real numbers, just numbers I'm making up that
are w/in an order of magnitude of the real numbers.  At least I assume we do
compression during dcpromo's initial replication!?

Careful testing would have to be done, to prove which would yield lower
total bandwidth usage.  If you change to optimize for speed, given fast
bandwidth, I'm sure Dean's method is faster.  Dean, might be right, it might
even yield less total bandwidth usage his way, but I'm not sure.  I should
say, Dean has far more deployment experience than me ... so I'd side with
him.  But I myself, wouldn't be sure until I tested it myself.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights. 


On Mon, 13 Jun 2005, Dean Wells wrote:

> As an aside, it's still preferable to use IFM (assuming it's a recent
> backup) since replication is designed to propagate very discrete changes.
> Pruning & compressing the backup media and copying via CIFS or FTP will
> still provide a significant benefit.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com 
>  http://msetechnology.com
> 
>  
> 
>   _
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Monday, June 13, 2005 9:52 AM
> To: 'ActiveDir@mail.activedir

RE: [ActiveDir] Bionet trojan,

2005-06-13 Thread Joe Pochedley
Rick,

While I agree with you that using the EICAR test file demonstrates how
A/V software will react when it finds a virus... the EICAR test file
doesn't demonstrate to end users just how nefarious a trojan can be...

Bionet is a common script kiddie trojan builder...  The included
capabilities allow a controller to upload and download files, record
keystrokes, activate the microphone, or even activate an attached web
cam if there's one available.  Plus you can run script files either on
demand or at scheduled times...  With Bionet, a person can literally do
anything they want to your PC...

Now, it's one thing to tell a user...  "A script kiddie could do
anything they want with your PC and data"  and it's an entirely
different thing to show them just how easy it is...  Really, it puts
the fear of God in the end user when you can demonstrate to them that it
really can work, much more so than just telling them...

OTOH, it's also good for administrators and security professionals to
learn how these tools work.  It may not be 100% necessary to understand
the tools to protect your computers and networks, but it certainly does
help.

Of course, all due caution should be used when playing with this stuff.
Keep it off any network or machine that you care about losing.  Use at
your own risk...  Your mileage may vary...  Wash your hands in warm,
soapy water for at least 60 seconds when finished...  Etc.


Joe Pochedley
A computer terminal is not some clunky old television
with a typewriter in front of it. It is an interface 
where the mind and body can connect with the universe
and move bits of it about. -Douglas Adams 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, June 13, 2005 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Bionet trojan,

I understand the reason for your request.  And, it's admirable that you
want to insightfully inform your user base.

However, looking for live virus or Trojans is not the way to do it.  If
one wants to show how things can go horribly wrong, controlled
environment or not, this is likely a good start.

What I'd suggest is to make use of the EICAR test string.  All AV
programs that I know of will respond to it, and will respond as if a
real virus had been detected.

IMHO, this is the safe and proper way to do virus and Trojan awareness
training for user and response team staffs.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, June 13, 2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bionet trojan,

Ok, my apologies, I didn't realize it would be taken this way.

I am a network administrator, and we are planning a security awareness
campaign; this demonstration will be a part of training for the staff
to see the security risks they can be in when opening an attachment
that they don't know about or executing a file. (I have it now.)

I had a noble cause so I asked a noble list, that's all, no offense to
the list.

r.c.


On 6/12/05, Tony Murray <[EMAIL PROTECTED]> wrote:
> Jorge's right.  Please contact me off-list before posting something
> like that.  There's off topic and there's off topic, if you know what
> I mean.
> 
> Tony [List owner]
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de 
> Almeida Pinto
> Sent: Saturday, 11 June 2005 11:15 p.m.
> To: 'rubix cube '; '[EMAIL PROTECTED] '; 
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Bionet trojan,
> 
> In my opinion this list is not the place to ask for stuff like that.
> But hey... that's me
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/11/2005 11:42 AM
> Subject: [ActiveDir] Bionet trojan,
> 
> Hi guys,
> Can anyone send me the BioNet trojan, I am conducting a training
> session and I want to demonstrate for the staff how this works.
> thanks
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> 
> This e-mail and any attachment is for authorised use by the intended
> recipient(s) only. It may contain proprietary material, confidential
> information and/or be subject to legal privilege. It should not be
> copied, disclosed to, retained or used by, any other party. If you are
> not an intended recipient then please promptly delete this e-mail and
> any attachment and all copies and inform the sender. Thank you.

RE : [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread TIROA YANN
Jorge, Neil, thank you for your very helpful feedback. I will look into this.
 
And... may I ask another question that prevents me from sleeping at night,
please? :)
 
If I understand correctly, AD 2003 is able to do referrals... that means to forward
a request for which it cannot find any response to another DC. Is that right?
 
In this case, is AD 2003 able to forward such requests?
 
Regards,
 
Yann



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 13/06/2005 16:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs



Hi,

Load balancing is already provided by DNS through round robin. However, on
some occasions you might need to change the DNS priority and/or weights of some
DC(s) to offload it (I mean the SRV records of the DCs).

When using W2K3 DCs you have the possibility to configure the DC through a
GPO, as the settings are available through the W2K3 GPOs.

DNS priority: in my opinion it should not be called this way, but it should
be called "DNS cost" (but: what's in a name). The DC(s) with the lowest
value is used first compared to other DCs with higher values. E.g. DC1 has
DNS prio 50 and DC2 has prio 80. DC1 will always be used! DC2 will only be
used when DC1 is not available.

QUOTE from the GPO explanation field:
The Priority field in the SRV record sets the preference for target hosts
(specified in the SRV record's Target field). DNS clients that query for SRV
resource records attempt to contact the first reachable host with the lowest
priority number listed.

In short: use DNS priorities when some DC should ONLY be used when others
are not available any more.


DNS weight: The weight field specifies a relative weight for entries with
the same priority. Larger weights SHOULD be given a proportionately higher
probability of being selected. E.g. DC1 has DNS weight 50 and DC2 has prio
100. In three queries the probability is that DC1 will be used once and DC2
twice, provided both have the same DNS prio

QUOTE from the GPO explanation field:
The Weight field in the SRV record can be used in addition to the Priority
value to provide a load-balancing mechanism where multiple servers are
specified in the SRV records Target field and are all set to the same
priority. The probability with which the DNS client randomly selects the
target host to be contacted is proportional to the Weight field value in the
SRV record.

In short: use DNS weights when some DC should receive less or more queries
than other DCs

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, 13 June 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,

I have a site with 4 DCs 2003.

It seems that one of my DCs cannot deal with a large number of LDAP queries,
GC Response and NTLM/Kerberos Auth.

Maybe I misunderstand something, but is my DC 2003 able to check that it cannot
serve these queries and automatically forward them to another DC that is less
busy? In other words, can AD 2003 natively load-balance queries to another less
busy DC?


Regards,

Yann





List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
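Jorge's priority and weight rules, carried through as code. This is an added example, not code from the list or from Microsoft: it implements the RFC 2782 SRV target-selection rules that the quoted GPO text paraphrases, over a constructed record set with placeholder DC names, so the two cases in the mail (prio 50 vs 80, and equal prio with weight 50 vs 100) can be checked directly.

```python
"""SRV priority/weight selection as described in Jorge's reply above.

Added example, not code from the list or from Microsoft: it implements the
RFC 2782 target-selection rules the quoted GPO text paraphrases, over a
constructed record set. DC host names and ports are placeholders.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str      # DC host name (placeholder)
    priority: int    # lower is preferred; higher ones are failover only
    weight: int      # relative share among targets of equal priority
    port: int = 389  # LDAP


def pick_target(records, reachable, rng=random):
    """Return the target a client should contact, or None if none is up.

    Targets are grouped by priority; the lowest-numbered priority that still
    has a reachable host wins, and within that group one host is chosen with
    probability proportional to its weight (RFC 2782).
    """
    candidates = [r for r in records if r.target in reachable]
    if not candidates:
        return None
    lowest = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        # RFC 2782: all-zero weights mean an unweighted random choice
        return rng.choice(group).target
    # Weighted choice: walk the running sum until the roll falls inside a slot
    roll = rng.randint(0, total - 1)
    running = 0
    for rec in group:
        running += rec.weight
        if roll < running:
            return rec.target
    return group[-1].target


def expected_share(records, reachable):
    """Exact long-run fraction of lookups each target wins (no randomness).

    Lets the two cases in the mail be checked directly: priority 50 vs 80
    (DC1 always), and equal priority with weight 50 vs 100 (1/3 vs 2/3).
    """
    candidates = [r for r in records if r.target in reachable]
    if not candidates:
        return {}
    lowest = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        return {r.target: 1 / len(group) for r in group}
    return {r.target: r.weight / total for r in group}


def simulate(records, reachable, lookups=30000, seed=1):
    """Run many client lookups with a seeded RNG and return observed shares."""
    rng = random.Random(seed)
    counts = Counter(pick_target(records, reachable, rng) for _ in range(lookups))
    return {target: n / lookups for target, n in counts.items()}


# Case 1 from the mail: DC1 prio 50, DC2 prio 80 -> DC1 wins while it is up
BY_PRIORITY = [SrvRecord("dc1.example.test", 50, 100),
               SrvRecord("dc2.example.test", 80, 100)]

# Case 2 from the mail: same priority, DC1 weight 50, DC2 weight 100
BY_WEIGHT = [SrvRecord("dc1.example.test", 0, 50),
             SrvRecord("dc2.example.test", 0, 100)]

if __name__ == "__main__":
    both = {"dc1.example.test", "dc2.example.test"}
    print("priority, both up :", expected_share(BY_PRIORITY, both))
    print("priority, dc1 down:", expected_share(BY_PRIORITY, {"dc2.example.test"}))
    print("weight, both up   :", expected_share(BY_WEIGHT, both))
    print("weight, simulated :", simulate(BY_WEIGHT, both))
```

Note that a DC which is up but overloaded still counts as reachable here, which is exactly Neil's point in the follow-up: the selection is static, driven by the records, not by how busy the DC is.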



RE : [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)

2005-06-13 Thread TIROA YANN
"Busy" in terms of all queries (LDAP, auth...) pointing to only one DC, which
causes heavy load. These loads affect system resources (memory, CPU, ...).
All my DCs have the same system resources (1GB RAM, dual processor, etc.).
 
When monitoring DC queries, it is always the same DC that suffers from these queries ;(
 
Maybe I have this simple picture of load balancing in my mind...
One DC receives plenty of queries (LDAP or auth) that it cannot serve
efficiently. I imagine that it can forward a certain amount (a ratio?) of
those queries to another DC that is less "busy"... But maybe that is a "too simple"
reflection :)
 
Anyway, if DCs cannot load-balance LDAP queries, I will then check your link
and alter SRV record weights/priorities in DNS.
 
Regards,
 
Yann
 



From: [EMAIL PROTECTED] on behalf of Ruston, Neil
Sent: Mon 13/06/2005 17:52
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Corre ction :)



Well, yes and no. DNS does load balance via round robin, as Jorge alluded to. 
DCs do not load balance based upon your requirements, where a request is 
forwarded to another DC if the receiver is "busy".

After all, what is the definition of busy??

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction 
:)


Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be
*UNABLE* (and not "enable" -> sorry for my English :)), natively, to load
balance such queries, strange... :(

I will check your link for more information.

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, 13 June 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
 - it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs cannot deal with a large number of LDAP queries, GC
Response and NTLM/Kerberos Auth. Maybe I misunderstand something, but is my DC
2003 able to check that it cannot serve these queries and automatically forward
them to another DC that is less busy? In other words, can AD 2003 natively
load-balance queries to another less busy DC?
Regards,
Yann

==
Please access the attached hyperlink for an important electronic communications 
disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==


[ActiveDir] Using AD Sizer

2005-06-13 Thread Creamer, Mark
I’m trying to run through the Microsoft-provided free Active Directory Sizer tool to approximate what new hardware should look like so we can replace some older DCs. I haven’t used this thing before, and a couple of things are unclear to me:

1.  It asks “How many additional attributes will you have per user?” – Are they talking about schema changes we may have made for user accounts?

2.  It asks for Avg logon rate per second in Interactive, Batch, and Network logons. How can I approximate something like that?

Alternatively, has anyone seen a better tool to get this information? We are still Windows 2000 AD – no 2003 DCs yet.

Thanks

Mark Creamer

Systems Engineer

Cintas Corporation





This e-mail transmission contains information that is intended to be confidential and privileged.  If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful.  Please reply to the message immediately by informing the sender that the message was misdirected.  After replying, please delete and otherwise erase it and any attachments from your computer system.  Your assistance in correcting this error is appreciated.



RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Carerros, Charles
I might be getting a bit confused here.  The instructions from MS indicate
that once you drop the system state restore on the machine you run the
dcpromo but a few of you have indicated pruning the sys-state. 

Do I have to do any additional post-install configurations after I run
DCPROMO with the /ADV flag?

The advantage that I'm looking for is to bandwidth throttle the promotion.
With the natural promotion I don't have this option so the promotion will
kill my line during production hours.  If I can just copy a system state
backup out, I can do so with bandwidth throttling so it doesn't cripple my
site and then do the promotion with the ADV flag and then allow the natural
cleaning up of whatever was missed between the system state and the actual
promotion time.

After the initial sync I will have enough bandwidth to keep things running,
it's just getting it out there that is my current challenge.

I would like to thank everyone for the great responses.

Charlie

-Original Message-
From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 11:50 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line


As Brett says, it's difficult to be sure since the Directory content will
impact the result.  I can say only this with certainty; I tested a similar
scenario in W2K3 beta-something and found it to be significantly quicker to
prune, dump and zip the restored sys-state than perform a natural promotion
across the wire (I don't remember the exact numbers involved but I'd guess
my testing semantics then would be similar to those that I'd use now;
something along the lines of a couple of hundred thousand objects in a
single domain forest [app. NCs discarded for obvious reasons pre-SP1]).  

NOTE - SYSVOL proved to be an irritation regardless of the replication
mechanism used.

Basing much of my decision on the results of the original test and since I
have the procedure in place to prune & compress the restored sys-state, I'd
tend to opt for the approach I originally offered but it's a difficult
choice to justify since each scenario will differ.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I'm not so sure, when trying to optimize for total bandwidth usage ...

If you're in the scenario Neil suggests (without compressing the data), it
will definitely be less total data transferred by doing normal dcpromo
replication over copying the DIT over the wire ... various things don't go
through the normal replication protocol, but take up space in the DIT: AD's
non-replicated attributes, ESE database page overhead, indexes, ESE catalog,
to name a few.

The ultimate question: will compression be enough to make up for the mentioned
non-replicated things?  I don't know.

And you'd be fighting AD's intersite per replication packet (which is
usually like 1000* objects or 1MB* or something like that at a time)
compression.  * Those aren't real numbers, just numbers I'm making up that
are w/in an order of magnitude of the real numbers.  At least I assume we do
compression during dcpromo's initial replication!?

Careful testing would have to be done to prove which would yield lower
total bandwidth usage.  If you change to optimize for speed, given fast
bandwidth, I'm sure Dean's method is faster.  Dean might be right, it might
even yield less total bandwidth usage his way, but I'm not sure.  I should
say, Dean has far more deployment experience than me ... so I'd side with
him.  But I myself wouldn't be sure until I tested it myself.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights. 


On Mon, 13 Jun 2005, Dean Wells wrote:

> As an aside, it's still preferable to use IFM (assuming it's a recent
> backup) since replication is designed to propagate very discrete changes.
> Pruning & compressing the backup media and copying via CIFS or FTP will
> still provide a significant benefit.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com  
>  http://msetechnology.com
> 
>  
> 
>   _
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Monday, June 13, 2005 9:52 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
> 
> 
> As per previous threads - if the system state is larger than a CD (or 
> DVD) then you still need to copy the system state over the wire so as 
> to use the /adv switch. If this is the case, then you may as well 
> simply promote over the wire in the traditional manner.
>  
>  
> neil
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On B

RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Dean Wells
As Brett says, it's difficult to be sure since the Directory content will
impact the result.  I can say only this with certainty; I tested a similar
scenario in W2K3 beta-something and found it to be significantly quicker to
prune, dump and zip the restored sys-state than perform a natural promotion
across the wire (I don't remember the exact numbers involved but I'd guess
my testing semantics then would be similar to those that I'd use now;
something along the lines of a couple of hundred thousand objects in a
single domain forest [app. NCs discarded for obvious reasons pre-SP1]).  

NOTE - SYSVOL proved to be an irritation regardless of the replication
mechanism used.

Basing much of my decision on the results of the original test and since I
have the procedure in place to prune & compress the restored sys-state, I'd
tend to opt for the approach I originally offered but it's a difficult
choice to justify since each scenario will differ.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Monday, June 13, 2005 12:20 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

I'm not so sure, when trying to optimize for total bandwidth usage ...

If you're in the scenario Neil suggests (without compressing the data), it
will definitely be less total data transferred by doing normal dcpromo
replication over copying the DIT over the wire ... various things don't go
through the normal replication protocol, but take up space in the DIT: AD's
non-replicated attributes, ESE database page overhead, indexes, ESE catalog,
to name a few.

The ultimate question: will compression be enough to make up for the mentioned
non-replicated things?  I don't know.

And you'd be fighting AD's intersite per replication packet (which is
usually like 1000* objects or 1MB* or something like that at a time)
compression.  * Those aren't real numbers, just numbers I'm making up that
are w/in an order of magnitude of the real numbers.  At least I assume we do
compression during dcpromo's initial replication!?

Careful testing would have to be done to prove which would yield lower
total bandwidth usage.  If you change to optimize for speed, given fast
bandwidth, I'm sure Dean's method is faster.  Dean might be right, it might
even yield less total bandwidth usage his way, but I'm not sure.  I should
say, Dean has far more deployment experience than me ... so I'd side with
him.  But I myself wouldn't be sure until I tested it myself.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no rights. 


On Mon, 13 Jun 2005, Dean Wells wrote:

> As an aside, it's still preferable to use IFM (assuming it's a recent
> backup) since replication is designed to propagate very discrete changes.
> Pruning & compressing the backup media and copying via CIFS or FTP will
> still provide a significant benefit.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com  
>  http://msetechnology.com
> 
>  
> 
>   _
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Monday, June 13, 2005 9:52 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
> 
> 
> As per previous threads - if the system state is larger than a CD (or 
> DVD) then you still need to copy the system state over the wire so as 
> to use the /adv switch. If this is the case, then you may as well 
> simply promote over the wire in the traditional manner.
>  
>  
> neil
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
> Sent: 13 June 2005 14:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
> 
> 
> 
> If you are promoting a W2K3 machine, you can run dcpromo /adv. This 
> will allow you to replicate AD from a backup of system state data - 
> copy the backup of system state data for one of your existing DCs to a 
> CD, ship the CD to your remote location.  Copy the contents of the CD 
> to disk (do not restore it!), then run dcpromo /adv.  You will still 
> need network connectivity with HQ.
> 
>  
> 
> Tim
> 
>   
> 
>  
> 
> 
>   _
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, 
> Charles
> Sent: Monday, June 13, 2005 9:14 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: [ActiveDir] DCPROMO over a 128\256K line
> 
>  
> 
> I have a server at a remote location that I need to DCPROMO.  Two of 
> my colleagues were at this location a few months ago and tried to 
> DCPROMO it after a fresh rebuild but the sync took down the line (it 
> was running at 56K with a burst speed of 128K).
> 
>  
> 
> We have finally gotten the line upgraded to a 128K line with a
> 256K

RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread Jorge de Almeida Pinto
Driving home and rethinking the question I realized you were not talking
about A VALUE from an attribute but about the UPPER VALUE. Although it is
not the actual value of the attribute I still think it will not cause a full
sync because the partial attribute set is not changed
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: 6/13/2005 5:45 PM
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Wouldn't it be strange if each time you update or change an attribute VALUE
your GCs rebuild everything? The samaccountname or the DN is in the PAS. So
if you rename the samaccountname or DN of some object or create a sec.
princ., that would cause a full sync of the GCs? In my opinion no.

A full (W2K) sync would be caused if you uncheck or check the box for some
attribute called "Replicate this attribute to the Global Catalog". With this
box you change which attributes are in the PAS.

#JORGE# 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 16:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is
still W2K. As a result, you will still be doing a full GC sync.
 
I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of the E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs in W2K. This will not occur in
W2K3, as in W2K3 it only replicates the newly added/removed attribute.
 
So in W2K only changing the SET will cause a full sync, NOT changing the value
of an attribute in the set. The change of the value will of course replicate
to all GCs in the forest.
 
See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html
 
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All, 

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is will the update to the
rangeUpper on an existing attribute cause a complete GC synch?

I suspect that the answer is yes but I just want to confirm this 

Thanks in advance 

Frank 




RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Brett Shirley
I'm not so sure, when trying to optimize for total bandwidth usage ...

If you're in the scenario Neil suggests (without compressing the data), it
will definitely be less total data transferred by doing normal dcpromo
replication over copying the DIT over the wire ... various things don't go
through the normal replication protocol, but take up space in the DIT:
AD's non-replicated attributes, ESE database page overhead, indexes, ESE
catalog, to name a few.

The ultimate question: will compression be enough to make up for the mentioned
non-replicated things?  I don't know.

And you'd be fighting AD's intersite per replication packet (which is
usually like 1000* objects or 1MB* or something like that at a time)
compression.  * Those aren't real numbers, just numbers I'm making up that
are w/in an order of magnitude of the real numbers.  At least I assume we
do compression during dcpromo's initial replication!?

Careful testing would have to be done to prove which would yield lower
total bandwidth usage.  If you change to optimize for speed, given fast
bandwidth, I'm sure Dean's method is faster.  Dean might be right, it
might even yield less total bandwidth usage his way, but I'm not sure.  I
should say, Dean has far more deployment experience than me ... so I'd
side with him.  But I myself wouldn't be sure until I tested it myself.

Cheers,
-BrettSh [msft]

This posting is provided "AS IS" with no warranties, and confers no
rights. 


On Mon, 13 Jun 2005, Dean Wells wrote:

> As an aside, it's still preferable to use IFM (assuming it's a recent
> backup) since replication is designed to propagate very discrete changes.
> Pruning & compressing the backup media and copying via CIFS or FTP will still
> provide a significant benefit.
> --
> Dean Wells
> MSEtechnology
> * Email: dwells  @msetechnology.com
>   http://msetechnology.com
> 
>  
> 
>   _  
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
> Sent: Monday, June 13, 2005 9:52 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
> 
> 
> As per previous threads - if the system state is larger than a CD (or DVD)
> then you still need to copy the system state over the wire so as to use the
> /adv switch. If this is the case, then you may as well simply promote over
> the wire in the traditional manner.
>  
>  
> neil
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
> Sent: 13 June 2005 14:25
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
> 
> 
> 
> If you are promoting a W2K3 machine, you can run dcpromo /adv. This will
> allow you to replicate AD from a backup of system state data - copy the
> backup of system state data for one of your existing DCs to a CD, ship the
> CD to your remote location.  Copy the contents of the CD to disk (do not
> restore it!), then run dcpromo /adv.  You will still need network
> connectivity with HQ.
> 
>  
> 
> Tim
> 
>   
> 
>  
> 
> 
>   _  
> 
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
> Sent: Monday, June 13, 2005 9:14 AM
> To: 'ActiveDir@mail.activedir.org'
> Subject: [ActiveDir] DCPROMO over a 128\256K line
> 
>  
> 
> I have a server at a remote location that I need to DCPROMO.  Two of my
> colleagues were at this location a few months ago and tried to DCPROMO it
> after a fresh rebuild but the sync took down the line (it was running at 56K
> with a burst speed of 128K).
> 
>  
> 
> We have finally gotten the line upgraded to a 128K line with a 256K
> burst.  I'm not all that great with my math on these slow links but I was
> wondering if it would be possible to conduct a DCPROMO while making that DC
> a global catalog over this size link?  
> 
>  
> 
> Right now, I'm going to have someone there power it up so I can do a forced
> demote and then I will remove AD from it (as this box is currently
> tombstoned) then ensure that I delete it out of my AD.  After that I will
> need to bring it back up and I'm trying to determine the best course of
> action:
> 
>  
> 
> 1)  DCPROMO it remotely and let it kill the line over a weekend
> 
> 2)  Have them ship the server to me for rebuilding (it's in Canada I'm
> in the US)
> 
> 3)  Install a DC on a laptop and carry it up there and conduct the
> DCPROMO
> 
>  
> 
> I would like to do the first one for cost and time reasons, however I'm not
> sure if the replication will be able to occur over this slow of a line in
> time.
> 
>  
> 
> Does item one sound like it would work or is the line too small to do this
> type of sync with?  Currently, my NTDS and SYSVOL folders are only 226 megs
> combined.
> 
>  
> 
> What path do you guys suggest I follow?
> 
>  
> 
> Thanks,
> 
>  
> 
> Charlie
> 
> 
> ==
> P

RE: [ActiveDir] OT:BigIP LB, --- Was Load balancing LDAP request among my DCs

2005-06-13 Thread Rick Kingslan
Yep.  Have used it for application and web services load balancing.  Also
have used the Cisco CSS.

As long as your Engineer knows the traffic to look for, the destinations,
and whether it is to be stateful or stateless - then it will work.

Obviously, the LDAP on 389 is not the only thing to take into account.  Be
aware of anything on 3268 as well as anything that is "/S" oriented as well.

Rick 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Monday, June 13, 2005 9:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Not to hijack the thread but has anyone used a hardware based load
balancer such as a BigIP appliance to load balance and/or fail over
LDAP?  We have some apps that have to be configured to a specific host
and this was one idea floated up.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 7:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
- it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs cannot deal with a large number of LDAP
queries, GC responses and NTLM/Kerberos auth. I misunderstand
something, but is my DC 2003 able to check that it cannot serve
these queries and forward them automatically to another DC that
is less busy? In other words, can AD 2003 natively load-balance queries
to another less busy DC? Regards, Yann


==
Please access the attached hyperlink for an important electronic
communications disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml


==

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Bionet trojan,

2005-06-13 Thread Rick Kingslan
I understand the reason for your request.  And, it's admirable that you want
to insightfully inform your user base.

However, looking for live virus or Trojans is not the way to do it.  If one
wants to show how things can go horribly wrong, controlled environment or
not, this is likely a good start.

What I'd suggest is to make use of the EICAR test string.  All AV programs
that I know of will respond to it, and will respond as if a real virus had
been detected.

IMHO, this is the safe and proper way to do virus and Trojan awareness
training for user and response team staffs.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rubix cube
Sent: Monday, June 13, 2005 3:22 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Bionet trojan,

Ok my apology, didn't realize it will be taken this way.

I am a network administrator, and we are planning a security awareness
campaign; this demonstration will be a part of training for the
staff to see the security risks they can be into when opening an
attachment that they don't know about or executing a file. (I have
it now).

I had a noble cause so I asked a noble list, that's all, no offense for the
list.

r.c.


On 6/12/05, Tony Murray <[EMAIL PROTECTED]> wrote:
> Jorge's right.  Please contact me off-list before posting something like
> that.  There's off topic and there's off topic, if you know what I mean.
> 
> Tony [List owner]
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
> Pinto
> Sent: Saturday, 11 June 2005 11:15 p.m.
> To: 'rubix cube '; '[EMAIL PROTECTED] ';
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Bionet trojan,
> 
> In my opinion this list is not the place to ask for stuff like that.
> But hey... that's me
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/11/2005 11:42 AM
> Subject: [ActiveDir] Bionet trojan,
> 
> Hi guys,
> Can anyone send me the BioNet trojan, I am conducting a training session
> and I want to demonstrate for the staff how this works.
> thanks


RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

2005-06-13 Thread Ruston, Neil
Well, yes and no. DNS does load balance via round robin, as Jorge alluded to. 
DCs do not load balance based upon your requirements, where a request is 
forwarded to another DC if the receiver is "busy".

After all, what is the definition of busy??

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 16:05
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction 
:)


Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be 
*UNABLE* (and not enable -> sorry for my english :)) , natively, to load 
balance such queries, strange .. :(

I will check your link for more information.

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, 13 June 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
 - it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs cannot deal with a large number of LDAP queries, GC 
responses and NTLM/Kerberos auth. I misunderstand something, but is my DC 
2003 able to check that it cannot serve these queries and forward 
them automatically to another DC that is less busy? In other words, 
can AD 2003 natively load-balance queries to another less busy DC? Regards, 
Yann

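
Added example (editor's addition, not code from anyone in this thread): what Neil's SRV weight/priority suggestion actually buys you, and why it is "yes and no". The block below implements the client-side selection rule of RFC 2782 (lowest priority first, then a weighted random order within a priority) over a constructed set of `_ldap._tcp.dc._msdcs` records for a hypothetical `example.com` forest, and simulates many clients to show how much first-contact load each DC gets. The DC names, ports and weights are made up for the example; the point is that the distribution is decided by the client at lookup time from static weights, not by a DC noticing it is busy.

```python
import random
from collections import Counter

# Constructed sample answer for _ldap._tcp.dc._msdcs.example.com.
# Hypothetical DC names, ports and weights; not taken from any real zone.
SAMPLE_SRV = [
    # (priority, weight, port, target)
    (0, 100, 389, "dc1.example.com"),
    (0, 100, 389, "dc2.example.com"),
    (0, 25, 389, "dc3.example.com"),    # the "busy" DC: lower weight, fewer clients pick it first
    (10, 100, 389, "dc4.example.com"),  # higher priority value: only tried if every priority-0 DC fails
]


def order_srv(records, rng=random):
    """Return the records in the order an RFC 2782 client tries them.

    Lower priority values are tried first. Within one priority the order is
    a weighted random shuffle: a record's chance of being picked next is
    weight / (sum of remaining weights). Zero-weight records are only picked
    once nothing else is left (a simplification of the RFC's handling).
    """
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                x = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r[1]
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


def first_choice_share(records, trials=20000, seed=7):
    """Simulate many independent clients and report the fraction that
    contact each DC first (all targets that never come first are absent)."""
    rng = random.Random(seed)
    counts = Counter(order_srv(records, rng)[0][3] for _ in range(trials))
    return {target: count / trials for target, count in counts.items()}


if __name__ == "__main__":
    for target, share in sorted(first_choice_share(SAMPLE_SRV).items()):
        print(f"{target:20s} {share:.1%}")
```

With the sample weights, dc1 and dc2 each get roughly 44% of first contacts, dc3 about 11%, and dc4 none at all while any priority-0 DC answers. That is the whole mechanism: it spreads new connections, it does not redirect a request once a DC has accepted it, and a DC that is "busy" in Neil's sense is only relieved if you lower its weight ahead of time. On Windows DCs the values a DC registers for itself come from the Netlogon parameters LdapSrvPriority and LdapSrvWeight, which is how you would apply this per DC rather than by editing the zone by hand.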


RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread deji
OK, I goofed. ms-Exch-Extension-Attribute-15 IS a member of PAS. It's already
added and replicated (via Full GC Sync) to all GCs in the forest during the
prepping (schema extension). Changing just the ms-Exch-Extension-Attribute-15
or even deleting it will NOT cause a full sync. My bad. Sorry to have to send
you to the Lab.
 
See "Replication of Changes to the Global Catalog Partial Attribute Set" in
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/440e44ab-ea05-4bd8-a68c-12cf8fb1af50.mspx
 
Thanks, Dean.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of
[EMAIL PROTECTED]
Sent: Mon 6/13/2005 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD



Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is
still W2K. As a result, you will still be doing a full GC sync.

I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of the E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set...in other words the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs on W2K. This will not occur in
W2K3, as W2K3 only replicates the newly added/removed attribute.

So in W2K only changing the SET will cause a full sync, NOT
changing the value of an attribute in the set. The change of the value will
of course replicate to all GCs in the forest.

See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html

Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All,

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is will the update to the
rangeUpper on an existing attribute cause a complete GC synch?

I suspect that the answer is yes but I just want to confirm this

Thanks in advance

Frank




RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread Jorge de Almeida Pinto
Wouldn't it be strange if each time you updated or changed an attribute VALUE
your GCs rebuilt everything? The samaccountname or the DN is in the PAS. So
if you rename the samaccountname or DN of some object or create a sec.
princ., that would cause a full sync of the GCs? In my opinion, no.

A full (W2K) sync would be caused if you uncheck or check the box for some
attribute called "Replicate this attribute to the Global Catalog". With this
box you change which attributes are in the PAS.

#JORGE# 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 16:50
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is
still W2K. As a result, you will still be doing a full GC sync.
 
I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of the E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set...in other words the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs on W2K. This will not occur in
W2K3, as W2K3 only replicates the newly added/removed attribute.

So in W2K only changing the SET will cause a full sync, NOT
changing the value of an attribute in the set. The change of the value will
of course replicate to all GCs in the forest.
 
See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html
 
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, 13 June 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All, 

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is will the update to the
rangeUpper on an existing attribute cause a complete GC synch?

I suspect that the answer is yes but I just want to confirm this 

Thanks in advance 

Frank 



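
Added example (editor's addition, not from anyone in the thread): a change-review check that makes the thread's conclusion mechanical. It takes two LDIF snapshots of the attributeSchema object, as you would export before and after a lab change, and reports which attributes differ and whether isMemberOfPartialAttributeSet (the "Replicate this attribute to the Global Catalog" checkbox Jorge mentions) is among them. Only that flag changing alters the PAS and so triggers the W2K full GC sync; Frank's rangeUpper 2048 -> 4096 edit does not. The LDIF text is constructed for the example (hypothetical DC=example,DC=com forest and values), not a real schema export.

```python
import base64

# Constructed LDIF snapshot of the attributeSchema object for
# ms-Exch-Extension-Attribute-15 (the attribute from the thread).
# Hypothetical forest DN and values; not a real schema export.
BEFORE = """\
dn: CN=ms-Exch-Extension-Attribute-15,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: top
objectClass: attributeSchema
lDAPDisplayName: extensionAttribute15
attributeSyntax: 2.5.5.12
rangeLower: 1
rangeUpper: 2048
isMemberOfPartialAttributeSet: TRUE
"""

# Frank's planned change: rangeUpper 2048 -> 4096, PAS membership untouched.
AFTER_RANGE_ONLY = BEFORE.replace("rangeUpper: 2048", "rangeUpper: 4096")

# The change Jorge describes: unticking "Replicate this attribute to the
# Global Catalog", which removes the attribute from the PAS.
AFTER_PAS_REMOVED = BEFORE.replace(
    "isMemberOfPartialAttributeSet: TRUE", "isMemberOfPartialAttributeSet: FALSE"
)

PAS_FLAG = "isMemberOfPartialAttributeSet"


def parse_ldif_entry(text):
    """Minimal LDIF parser for one entry: unfolds continuation lines,
    decodes '::' base64 values and keeps multi-valued attributes as lists."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return attrs


def classify_schema_change(before_ldif, after_ldif):
    """Diff two snapshots of an attributeSchema object and say whether the
    change alters PAS membership, which is what forces a full GC sync on W2K."""
    before, after = parse_ldif_entry(before_ldif), parse_ldif_entry(after_ldif)
    changed = sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))
    pas_changed = PAS_FLAG in changed
    return {
        "changed_attributes": changed,
        "pas_membership_changed": pas_changed,
        # W2K: any change to the PAS (attribute added/removed) => full GC sync.
        "full_gc_sync_on_w2k": pas_changed,
        # W2K3 (as described in the thread): only the added/removed attribute
        # is replicated, so no full rebuild either way.
        "full_gc_sync_on_w2k3": False,
    }


if __name__ == "__main__":
    for label, after in (("rangeUpper only", AFTER_RANGE_ONLY),
                         ("PAS removal", AFTER_PAS_REMOVED)):
        print(label, classify_schema_change(BEFORE, after))
```

The useful habit here is the diff itself: exporting the schema object before and after the lab change (ldifde against the schema NC) and keeping only the attributes that differ makes it obvious whether you touched the set or just a value of a member of the set, which is the distinction the thread turned on.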

RE: [ActiveDir] outlook cached mode

2005-06-13 Thread Darren Mar-Elia
That's probably a good approach. The Outlook cached mode setting is stored per 
email account and is part of the binary blob that is the user's Outlook profile 
in the registry, so it would be tough to put that in an ADM.

As an aside, the ineptitude of the Office product team in continuing to only 
marginally policy-enable their applications is sad and pathetic.

Ok, now I feel better.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 13, 2005 8:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] outlook cached mode

Hello,

Don't know if it will work, but just an idea 

Have you tried to do it with the Custom Maintenance Wizard? It seems that the 
administrative template .adm file you downloaded cannot be managed fully. Try 
to use the Custom Maintenance Wizard in your Reskit Outlook, then create and deploy 
a .prf file with the options of "Exchange Cached Mode".

Let us know what's goin' on ;)

Regards,

Yann


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcio Silva_ibm
Sent: Monday, 13 June 2005 17:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] outlook cached mode

Hi All,


I need to set all of my Outlook clients in cached mode by policy.
I downloaded templates from Microsoft and used them in policy on my AD.
But I don't have an option to set cached mode for all profiles, only for new 
profiles.
Does anyone know of a way to set this?
Thanks
Marcio



DISCLAIMER:
This message, including its attachments, contains legally privileged 
and/or confidential information and may not be retransmitted, filed, disclosed or 
copied without the sender's authorization. If you have received this message by 
mistake, please inform the sender by replying immediately to this e-mail, 
and then delete it from your computer.
--
All information in this e-mail and attachments is confidential and privileged. 
If you are not the intended addressee, please notify us immediately by 
returning this e-mail and delete this message from your computer. You should 
not forward, file, copy nor disclose this e-mail to any other person without 
prior authorization.


RE: [ActiveDir] outlook cached mode

2005-06-13 Thread TIROA YANN
Hello,

Don't know if it will work, but just an idea 

Have you tried to do it with the Custom Maintenance Wizard? It seems that the 
administrative template .adm file you downloaded cannot be managed fully. Try 
to use the Custom Maintenance Wizard in your Reskit Outlook, then create and deploy 
a .prf file with the options of "Exchange Cached Mode".

Let us know what's goin' on ;)

Regards,

Yann


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marcio Silva_ibm
Sent: Monday, 13 June 2005 17:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] outlook cached mode

Hi All,


I need to set all of my Outlook clients in cached mode by policy.
I downloaded templates from Microsoft and used them in policy on my AD.
But I don't have an option to set cached mode for all profiles, only for new 
profiles.
Does anyone know of a way to set this?
Thanks
Marcio





[ActiveDir] outlook cached mode

2005-06-13 Thread Marcio Silva_ibm
Hi All,


I need to set all of my Outlook clients in cached mode by policy.
I downloaded templates from Microsoft and used them in policy on my AD.
But I don't have an option to set cached mode for all profiles, only for
new profiles.
Does anyone know of a way to set this?
Thanks 
Marcio





RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread Jackson Shaw
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_ADschema_15.htm

Replication issues
A schema update performed at the schema master is replicated to all other 
domain controllers in the forest, guaranteeing a consistent schema. However, 
because of the time required for replication to complete, there can be 
temporary inconsistencies.

For example, if a new class is created, and subsequently an object of that 
class is created, the related schema updates may be sent separately to the 
other domain controllers. The update for the new object may reach another 
domain controller before the update for the new class. This causes an error, 
since the class does not yet exist on that domain controller.


Confusion regarding this may be attributed to the amount of enhancements to 
reduce replication that were introduced in Windows Server 2003.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 7:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is
still W2K. As a result, you will still be doing a full GC sync.
 
I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words, the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs on W2K. This will not occur in
W2K3, as W2K3 only replicates the newly added/removed attribute.
 
So in W2K only changing the SET will cause a full sync, NOT
changing the value of an attribute in the set. The change of the value will
of course replicate to all GCs in the forest.
 
See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html
 
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All, 

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is: will the update to the
rangeUpper on an existing attribute cause a complete GC sync?

I suspect that the answer is yes but I just want to confirm this 

Thanks in advance 

Frank 



This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be copied,
disclosed to, retained or used by, any other party. If you are not an
intended recipient then please promptly delete this e-mail and any
attachment
and all copies and inform the sender. Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ 

RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Dean Wells
As an aside, it's still preferable to use IFM (assuming it's a recent backup) since
replication is designed to propagate very discrete changes.  Pruning & compressing
the backup media and copying via CIFS or FTP will still provide a significant
benefit.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 9:52 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

As per previous threads - if the system state is larger than a CD (or DVD) then you
still need to copy the system state over the wire so as to use the /adv switch.
If this is the case, then you may as well simply promote over the wire in the
traditional manner.
 
 
neil

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
Sent: 13 June 2005 14:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
  
If you are promoting a W2K3 machine, you can run dcpromo /adv. This will allow
you to replicate AD from a backup of system state data - copy the backup of
system state data for one of your existing DCs to a CD, ship the CD to your
remote location.  Copy the contents of the CD to disk (do not restore it!),
then run dcpromo /adv.  You will still need network connectivity with HQ.

Tim
    
   
  
  
  
  
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 9:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line
   
  
I have a server at a remote location that I need to DCPROMO.  Two of my
colleagues were at this location a few months ago and tried to DCPROMO it
after a fresh rebuild but the sync took down the line (it was running at 56K
with a burst speed of 128K).

We have finally gotten the line upgraded to a 128K line with a 256K burst.
I'm not all that great with my math on these slow links but I was wondering
if it would be possible to conduct a DCPROMO while making that DC a global
catalog over this size link?

Right now, I'm going to have someone there power it up so I can do a forced
demote and then I will remove AD from it (as this box is currently
tombstoned) then ensure that I delete it out of my AD.  After that I will
need to bring it back up and I'm trying to determine the best course of
action:

1)  DCPROMO it remotely and let it kill the line over a weekend
2)  Have them ship the server to me for rebuilding (it's in Canada, I'm in
the US)
3)  Install a DC on a laptop and carry it up there and conduct the DCPROMO

I would like to do the first one for cost and time reasons, however I'm not
sure if the replication will be able to occur over this slow of a line in
time.

Does item one sound like it would work or is the line too small to do this
type of sync with?  Currently, my NTDS and SYSVOL folders are only 226 megs
combined.

What path do you guys suggest I follow?

Thanks,

Charlie
==
Please access the attached hyperlink for an important electronic communications
disclaimer:
http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
==


RE: [ActiveDir] Load balancing LDAP request among my DCs -> Correction :)

2005-06-13 Thread TIROA YANN
Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be 
*UNABLE* (and not enable -> sorry for my english :)) , natively, to load 
balance such queries, strange .. :(

I will check your link for more information.

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
 - it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs can not deal with a large number of LDAP queries, GC
responses and NTLM/Kerberos auth. I misunderstand something, but is my DC
2003 able to check that it cannot serve these queries and forward these
queries automatically to another DC that is less busy? In other words,
can AD 2003 natively load-balance queries to another less busy DC?
Regards,
Yann


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread frank . carroll
Deji,

The attribute is used by the Aelita Exchange migration product. I am having
to change it because Aelita uses it to store the alternate recipients and I
have a few Exc 5.5 mailboxes that blow it past the 2048 default.

I am now concerned because I have conflicting answers. I have one answer
from MS (and you) that says the change will kick off a full sync and I have
another from somebody else at MS that matches Jorge's answer that it won't.

All of the docs that I read indicate that when you update the schema by
adding an attribute that is in the PAS (i.e. E2K3 forestprep) it will cause
a full sync on a W2K directory. I have not found a mention of what happens
when you update the definition of an existing schema attribute (which is
what I need to do). This is why I asked the original question ;-)

I guess that I am off to the lab...

BTW - If anybody has any pointers to any definitive documentation on this it
would be greatly appreciated...

Frank
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 13, 2005 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

Even though you've prep'd everything, your underlying infrastructure is still
W2K. As a result, you will still be doing a full GC sync.
 
I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words, the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs on W2K. This will not occur in
W2K3, as W2K3 only replicates the newly added/removed attribute.
 
So in W2K only changing the SET will cause a full sync, NOT
changing the value of an attribute in the set. The change of the value will
of course replicate to all GCs in the forest.
 
See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html
 
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All, 

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is: will the update to the
rangeUpper on an existing attribute cause a complete GC sync?

I suspect that the answer is yes but I just want to confirm this 

Thanks in advance 

Frank 





RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread TIROA YANN
Ok, thanks for the reply. Your tip might tell me that AD2003 seems to be 
enable, natively, to load balance such queries, strange .. :(

I will check your link for more information.

Cheers,

Yann

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 16:20
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
 - it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs can not deal with a large number of LDAP queries, GC
responses and NTLM/Kerberos auth. I misunderstand something, but is my DC
2003 able to check that it cannot serve these queries and forward these
queries automatically to another DC that is less busy? In other words,
can AD 2003 natively load-balance queries to another less busy DC?
Regards,
Yann



RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread Ayers, Diane
Not to hijack the thread but has anyone used a hardware based load
balancer such as a BigIP appliance to load balance and/or fail over
LDAP?  We have some apps that have to be configured to a specific host
and this was one idea floated up.

Diane

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, June 13, 2005 7:20 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs

Have you considered altering SRV record weights/priorities in DNS?

Check out this article
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
- it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs can not deal with a large number of LDAP
queries, GC responses and NTLM/Kerberos auth. I misunderstand
something, but is my DC 2003 able to check that it cannot serve
these queries and forward these queries automatically to another DC that
is less busy? In other words, can AD 2003 natively load-balance queries
to another less busy DC?
Regards,
Yann




RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread Jorge de Almeida Pinto
Hi,

Load balancing is already provided by DNS through round robin. However, on
some occasions you might want to change the DNS priority and/or weights of some
DC(s) to offload them (I mean the SRV records of the DCs).

When using W2K3 DCs you have the possibility to configure the DC through a
GPO, as the settings are available through the W2K3 GPOs.

DNS priority: in my opinion it should not be called this way, but it should
be called "DNS cost" (but: what's in a name). The DC(s) with the lowest
value is used first compared to other DCs with higher values. E.g. DC1 has
DNS prio 50 and DC2 has prio 80. DC1 will always be used! DC2 will only be
used when DC1 is not available.

QUOTE from the GPO explanation field:
The Priority field in the SRV record sets the preference for target hosts
(specified in the SRV record's Target field). DNS clients that query for SRV
resource records attempt to contact the first reachable host with the lowest
priority number listed.

In short: use DNS priorities when some DC should ONLY be used when others
are not available any more.


DNS weight: The weight field specifies a relative weight for entries with
the same priority. Larger weights SHOULD be given a proportionately higher
probability of being selected. E.g. DC1 has DNS weight 50 and DC2 has prio
100. In three queries the probability is that DC1 will be used once and DC2
twice, provided both have the same DNS prio.

QUOTE from the GPO explanation field:
The Weight field in the SRV record can be used in addition to the Priority
value to provide a load-balancing mechanism where multiple servers are
specified in the SRV record's Target field and are all set to the same
priority. The probability with which the DNS client randomly selects the
target host to be contacted is proportional to the Weight field value in the
SRV record.

In short: use DNS weights when some DC should receive less or more queries
than other DCs.

Cheers,
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, June 13, 2005 16:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs

Hello,

I have a site with 4 DCs 2003.

It seems that one of my DCs can not deal with a large number of LDAP queries,
GC responses and NTLM/Kerberos auth.

I misunderstand something, but is my DC 2003 able to check that it cannot
serve these queries and forward these queries automatically to another DC
that is less busy? In other words, can AD 2003 natively load-balance queries
to another less busy DC?


Regards,

Yann





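Jorge's priority/weight explanation above, worked through in code: an added example (not from the thread, and not Microsoft's DC locator code) that implements the RFC 2782 selection rule the quoted GPO text describes, run over constructed SRV records for four hypothetical DCs in one site. Host names, priorities, weights and the "reachable" set are all assumptions made for the demonstration.

```python
"""
Added example: RFC 2782-style SRV target selection (lowest priority first,
weighted random within that priority) over constructed records for one site.
"""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str     # DC host name from the SRV record's Target field
    priority: int   # lower is preferred; higher values are fallbacks only
    weight: int     # relative share of queries within one priority level
    port: int = 389


# Constructed _ldap._tcp SRV data for a site with four DCs (hypothetical
# names). dc1..dc3 share priority 0; dc4 is a fallback at priority 10.
SITE_RECORDS = [
    SrvRecord("dc1.example.test", priority=0, weight=50),
    SrvRecord("dc2.example.test", priority=0, weight=100),
    SrvRecord("dc3.example.test", priority=0, weight=100),
    SrvRecord("dc4.example.test", priority=10, weight=100),
]


def select_target(records, reachable=None, rng=random):
    """Pick one target the way an RFC 2782 client does.

    Only the lowest-priority group among reachable hosts is considered; within
    it each host is chosen with probability proportional to its weight.
    `reachable` is an optional set of host names known to be up; when omitted
    every record is treated as reachable.
    """
    candidates = [r for r in records
                  if reachable is None or r.target in reachable]
    if not candidates:
        raise LookupError("no reachable SRV target")
    lowest = min(r.priority for r in candidates)
    group = [r for r in candidates if r.priority == lowest]
    total = sum(r.weight for r in group)
    if total == 0:
        # All weights zero: no preference, so pick uniformly.
        return rng.choice(group)
    pick = rng.randrange(total)  # 0 <= pick < total
    running = 0
    for r in group:
        running += r.weight
        if pick < running:       # r owns the slice of [0, total) holding pick
            return r
    return group[-1]             # not reached; keeps the return type total


def distribution(records, n, seed=1, reachable=None):
    """Run n selections with a fixed seed and count hits per target."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n):
        counts[select_target(records, reachable, rng).target] += 1
    return counts


if __name__ == "__main__":
    for name, hits in sorted(distribution(SITE_RECORDS, 50_000).items()):
        print(f"{name:20} {hits:6}")
    # With dc1..dc3 down, every query goes to the priority-10 fallback.
    print(distribution(SITE_RECORDS, 100, reachable={"dc4.example.test"}))
```

The 50/100 weights come out as roughly a 1:2 split between dc1 and dc2, and dc4 receives nothing until dc1..dc3 are all unreachable, which is the priority behaviour Jorge describes.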


RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread deji
This issue is discussed in 08_Deploy_ShipDC.doc and there are sample scripts
to make the process smoother and more automated. 
 
The scripts and docs are available in ADBODG03.EXE and can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=9353a4f6-a8a8-40bb-9fa7-3a95c9540112&displaylang=en
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line


If it's W2K3, use the install from media option... DCPROMO /ADV
If you have W2K and have that possibility, ship the DC to a central location,
DCPROMO it and ship it back to the branch office. In this case be sure to
create a separate site in AD and install the DC in that separate site! Why?
If you install the DC in the central production site the DC will register its
records in DNS corresponding to that site. If you ship it later on, the
records in the central production site where the DC got installed might not
be cleaned up. Clients in the central production site could afterwards be
authenticated against the branch office DC and then they will have
performance that sucks over that 128K line. Just a reminder!
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 15:14
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line


I have a server at a remote location that I need to DCPROMO.  Two of my
colleagues were at this location a few months ago and tried to DCPROMO it
after a fresh rebuild but the sync took down the line (it was running at 56K
with a burst speed of 128K).
 
We have finally gotten the line upgraded to a 128K line with a 256K
burst.  I'm not all that great with my math on these slow links but I was
wondering if it would be possible to conduct a DCPROMO while making that DC a
global catalog over this size link?  
 
Right now, I'm going to have someone there power it up so I can do a forced
demote and then I will remove AD from it (as this box is currently
tombstoned) then ensure that I delete it out of my AD.  After that I will
need to bring it back up and I'm trying to determine the best course of
action:
 
1)  DCPROMO it remotely and let it kill the line over a weekend
2)  Have them ship the server to me for rebuilding (it's in Canada I'm in
the US)
3)  Install a DC on a laptop and carry it up there and conduct the
DCPROMO
 
I would like to do the first one for cost and time reasons, however I'm not
sure if the replication will be able to occur over this slow of a line in
time.
 
Does item one sound like it would work or is the line too small to do this
type of sync with?  Currently, my NTDS and SYSVOL folders are only 226 megs
combined.
 
What path do you guys suggest I follow?
 
Thanks,
 
Charlie





RE: [ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread Ruston, Neil
Have you considered altering SRV record weights/priorities in DNS?

Check out this article 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/df86810b-9fc5-49b8-a704-d01c042cf460.mspx
 - it may relate to the PDC but applies to DCs in general too.

neil



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: 13 June 2005 15:04
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Load balancing LDAP request among my DCs


Hello,
I have a site with 4 DCs 2003.
It seems that one of my DCs can not deal with a large number of LDAP queries, GC
responses and NTLM/Kerberos auth. I misunderstand something, but is my DC
2003 able to check that it cannot serve these queries and forward these
queries automatically to another DC that is less busy? In other words,
can AD 2003 natively load-balance queries to another less busy DC?
Regards,
Yann



RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread deji
Even though you've prep'd everything, your underlying infrastructure is still
W2K. As a result, you will still be doing a full GC sync.
 
I have a q, though. Why are you increasing the RangeUpper? I am just curious
and asking for my own education.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Jorge de Almeida Pinto
Sent: Mon 6/13/2005 6:31 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Affect of a schema update on W2K SP4 AD


The implementation of E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words, the set of attributes
in the GC. Only if you change that set (add or remove an attribute to/from
the set) will it cause a full sync of the GCs on W2K. This will not occur in
W2K3, as W2K3 only replicates the newly added/removed attribute.
 
So in W2K only changing the SET will cause a full sync, NOT
changing the value of an attribute in the set. The change of the value will
of course replicate to all GCs in the forest.
 
See also:
http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html
 
Cheers
#JORGE#



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD



All, 

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on
ms-Exch-Extension-Attribute-15 from 2048 to 4096. This attribute is a member
of the partial attribute set. The question is: will the update to the
rangeUpper on an existing attribute cause a complete GC sync?

I suspect that the answer is yes but I just want to confirm this 

Thanks in advance 

Frank 





RE: [ActiveDir] mstsc /console switch for non admins

2005-06-13 Thread deji
Rick,
 
Got a minute to chat off-list? Don't know if your @cox.net addy is still
live.
 
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 6/12/2005 7:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins



"other members of their particular market segment get hit, or their customers
start worrying "

 

In my case, the other folks that were being lied to (outside of the Cxx's
signing false documents and the Auditors collecting bad information) ARE the
customers.  They are being told that the correct practices (Such as CISP,
etc.) *are* being followed and adhered to.

 

Bull-Hockery...

 

Rick

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Sunday, June 12, 2005 8:36 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] mstsc /console switch for non admins

 

>>Hopefully this will change now that it seems there is a company a day
releasing that customer information has been compromised. 

 

Ha.   Everyone thinks that OTHER companies make mistakes, but not them.

 

Plus, most Senior Managers aren't going to see it as a problem unless the
other members of their particular market segment get hit, or their customers
start worrying 

 

-ASB

 



 

On 6/12/05, Douglas M. Long <[EMAIL PROTECTED]> wrote: 

Hopefully this will change now that it seems there is a company a day
releasing that customer information has been compromised. Here in Ohio, the
state actually decided to sue DSW for such a thing (which is the first legal
action in the states, I think). I know how politics works, so who knows,
nothing may come of it, but let's hope. Management seems to worry about making
everyone happy on the surface. "We will increase productivity, ease of use,
and your overall experience." But let's not tell them that is at the risk of
security by implementing it to allow such ease of use. Oh well, good luck on
your job search. I may some day get canned for the exact same sort of thing.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 10, 2005 11:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] mstsc /console switch for non admins

 

joe,

Yeah, you had to know it was coming - Rick's  $.02 worth.

Remember what we both were relieved of our positions for?  Oh, that's right -
I didn't tell you about me!  Suffice it to say I took one for my team because
upper management was trying to get things done that were wrong, technically,
tactically and strategically.  They, in fact, are on the verge of violating,
IMHO, Sox 40x controls.  I complained, I argued, I provided information that
they were on the precipice of something really bad.  Apparently, I finally
hit a nerve and my rubbing of folks the wrong way (from their viewpoint) caused
my layoff via 'Elimination of my position'. 

Whatever.  I got fired for saying what I believed was right.  You and I see
eye to eye as it is with DC permissions and access controls.  You and I see
eye to eye on security as a whole. 

However, our view is not really a well accepted PRACTICE in Corporate
environments.  Our beliefs are actually radical when compared to the norm in
practice. 

Does this mean that we're wrong?  No.  It DOES mean that our Secure Conscious
viewpoint can still get one fired.  It's not a popular stance to say "Of my
10 Systems Admins, only these two can log on to a DC."   The common rebut is
"Everyone needs to be able to do these functions when on call" or "when the
help desk calls, we need everyone capable of dealing with the problem at
hand". 

I still believe that we are correct, but - most folks don't live in "Rick and
joe-land".  They live in the screwed up Corporate world where the only
endgame is money, and the generation of it [1].  With IT being a cost center,
and Security viewed as an even bigger inhibiter to Production, most companies
need to have a *Serious* computer security event to be convinced that they
have their priorities in the wrong places.  

Money generated doesn't matter if you can't guarantee that you can SECURE
your customer's money / data / private information.

Rick

[1] Case in point.  One of the guys that I used to work with was told that
one thing management was really pissed about was the time it would take me to
lock down a server.  For estimation purposes, I told folks to plan for (and
published a timeline for planning purposes) 2 days for initial lockdown, 2
days for final lockdown and application of IPSec filters, and 3 days for
InfoSec to certify the system (The time for InfoSec is THEIR guideline from
their VP - not my timeline at all).  Typically

[ActiveDir] Load balancing LDAP request among my DCs

2005-06-13 Thread TIROA YANN
Hello,

I have a site with 4 DCs 2003.

It seems that one of my DCs can not deal with a large number of LDAP
queries, GC responses and NTLM/Kerberos auth.

I misunderstand something, but is my DC 2003 able to check that it
cannot serve these queries and forward these queries automatically to
another DC that is less busy? In other words, can AD 2003 natively
load-balance queries to another less busy DC?


Regards,

Yann




RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Ruston, Neil
As per previous threads - if the system state is larger than a CD (or DVD) then you
still need to copy the system state over the wire so as to use the /adv switch.
If this is the case, then you may as well simply promote over the wire in the
traditional manner.

neil

  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tim Foster
Sent: 13 June 2005 14:25
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line

If you are promoting a W2K3 machine, you can run dcpromo /adv. This will allow
you to replicate AD from a backup of system state data - copy the backup of
system state data for one of your existing DCs to a CD, ship the CD to your
remote location.  Copy the contents of the CD to disk (do not restore it!),
then run dcpromo /adv.  You will still need network connectivity with HQ.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 9:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line

I have a server at a remote location that I need to DCPROMO.  Two of my
colleagues were at this location a few months ago and tried to DCPROMO it
after a fresh rebuild but the sync took down the line (it was running at 56K
with a burst speed of 128K).

We have finally gotten the line upgraded to a 128K line with a 256K burst.
I'm not all that great with my math on these slow links but I was wondering if
it would be possible to conduct a DCPROMO while making that DC a global catalog
over this size link?

Right now, I'm going to have someone there power it up so I can do a forced
demote and then I will remove AD from it (as this box is currently tombstoned)
then ensure that I delete it out of my AD.  After that I will need to bring it
back up and I'm trying to determine the best course of action:

1)  DCPROMO it remotely and let it kill the line over a weekend
2)  Have them ship the server to me for rebuilding (it's in Canada, I'm in the US)
3)  Install a DC on a laptop and carry it up there and conduct the DCPROMO

I would like to do the first one for cost and time reasons, however I'm not
sure if the replication will be able to occur over this slow of a line in time.

Does item one sound like it would work or is the line too small to do this type
of sync with?  Currently, my NTDS and SYSVOL folders are only 226 megs combined.

What path do you guys suggest I follow?

Thanks,

Charlie



RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Jorge de Almeida Pinto
If it's W2K3 use the install from media option... DCPROMO /ADV
If you have W2K and have that possibility, ship the DC to a central location,
DCPROMO it and ship it back to the branch office. In this case be sure to
create a separate site in AD and install the DC in that separate site! Why? If
you install the DC in the central production site the DC will register its
records in DNS corresponding to that site. If you ship it later on, the
records in the central production site where the DC got installed might not
be cleaned up. Clients in the central production site could afterwards be
authenticated against the branch office DC and then they will have
performance that sucks over that 128K line. Just a reminder!
Cheers
#JORGE#


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, 13 June 2005 15:14
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.



RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Carerros, Charles
I'm running W2K3.

I'll read up on the /ADV flag install.

Thanks.

Charlie

-Original Message-
From: Tim Foster [mailto:[EMAIL PROTECTED]
Sent: Monday, June 13, 2005 8:25 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DCPROMO over a 128\256K line
  


RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Peter Johnson
Whoops!!

Mike beat me to the punch

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of mike kline
Sent: 13 June 2005 15:23
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DCPROMO over a 128\256K line

Are you running 2000 or 2003.  Perfect time to install from media if
you are using 2003.

Thanks
MIke

On 6/13/05, Carerros, Charles <[EMAIL PROTECTED]> wrote:
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread Jorge de Almeida Pinto
The implementation of the E2K3 already caused a full GC sync/rebuild because
it adds new attributes to the PAS.
The PAS is the Partial Attribute Set... in other words the set of attributes
in the GC. Only changing that set (adding or removing an attribute to/from
the set) will cause a full sync of the GCs if W2K. This will not occur in
W2K3, as in W2K3 it only replicates the newly added/removed attribute.

So in W2K only changing the SET will cause a full sync, NOT changing the
value of an attribute in the set. The change of the value will of course
replicate to all GCs in the forest.

See also: http://www.windowsitpro.com/MicrosoftExchangeOutlook/Article/ArticleID/41641/41641.html

Cheers
#JORGE#


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 13 June 2005 14:39
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Affect of a schema update on W2K SP4 AD

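As an added example (not code from the thread), a PowerShell function that applies the rule Jorge describes to a planned attributeSchema change, plus a helper that reads an attribute's current PAS membership and rangeUpper from the schema. The function names are my own; the helper assumes a domain-joined machine, and the demo values are constructed to match Frank's case.

```powershell
# Added example, not part of the thread. Encodes the rule from Jorge's reply:
# on W2K only a change to the PAS itself (isMemberOfPartialAttributeSet
# flipping) forces a full GC sync; a change to another property of the
# attributeSchema object, such as rangeUpper, just replicates as a normal
# schema change. On W2K3 a PAS change replicates only the added/removed attribute.

function Get-SchemaAttributeState {
    # Reads the two properties that matter from the schema naming context.
    # Needs a domain-joined machine. $Cn is the schema object's cn
    # (e.g. 'ms-Exch-Extension-Attribute-15'), not its lDAPDisplayName.
    param([Parameter(Mandatory)][string]$Cn)
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $entry    = [ADSI]"LDAP://CN=$Cn,$schemaNc"
    [pscustomobject]@{
        Cn                            = $Cn
        isMemberOfPartialAttributeSet = [bool]$entry.Properties['isMemberOfPartialAttributeSet'].Value
        rangeUpper                    = $entry.Properties['rangeUpper'].Value
    }
}

function Get-GcSyncImpact {
    # $Before / $After: hashtables carrying isMemberOfPartialAttributeSet and rangeUpper.
    # $GcVersion: the OS of the GCs that will process the change.
    param(
        [Parameter(Mandatory)][hashtable]$Before,
        [Parameter(Mandatory)][hashtable]$After,
        [ValidateSet('W2K', 'W2K3')][string]$GcVersion = 'W2K'
    )
    $pasChanged   = ([bool]$Before.isMemberOfPartialAttributeSet) -ne ([bool]$After.isMemberOfPartialAttributeSet)
    $rangeChanged = $Before.rangeUpper -ne $After.rangeUpper

    if ($pasChanged) {
        if ($GcVersion -eq 'W2K') {
            return 'FULL GC SYNC: PAS membership changes, so every W2K GC rebuilds its partial replicas'
        }
        return 'Partial: W2K3 GCs replicate only the attribute that was added to or removed from the PAS'
    }
    if ($rangeChanged) {
        return 'Normal schema replication only: rangeUpper changed but the PAS did not'
    }
    return 'No replication impact: neither PAS membership nor rangeUpper changed'
}

# Constructed demo values matching Frank's case (no directory needed):
# extensionAttribute15 stays in the PAS, rangeUpper goes 2048 -> 4096.
$before = @{ isMemberOfPartialAttributeSet = $true; rangeUpper = 2048 }
$after  = @{ isMemberOfPartialAttributeSet = $true; rangeUpper = 4096 }
Get-GcSyncImpact -Before $before -After $after -GcVersion 'W2K'

# Contrast: adding a new attribute to the PAS, which is what the E2K3 prep did.
$newBefore = @{ isMemberOfPartialAttributeSet = $false; rangeUpper = 1024 }
$newAfter  = @{ isMemberOfPartialAttributeSet = $true;  rangeUpper = 1024 }
Get-GcSyncImpact -Before $newBefore -After $newAfter -GcVersion 'W2K'
Get-GcSyncImpact -Before $newBefore -After $newAfter -GcVersion 'W2K3'

# Live check against the schema (domain-joined machine only):
# $live = Get-SchemaAttributeState -Cn 'ms-Exch-Extension-Attribute-15'
```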



RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Peter Johnson
Are you running Windows 2003? If so, why don't you try dcpromo-ing from media?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 13 June 2005 15:14
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line



RE: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Tim Foster
If you are promoting a W2K3 machine, you can run dcpromo /adv. This will allow
you to replicate AD from a backup of system state data - copy the backup of
system state data for one of your existing DCs to a CD, ship the CD to your
remote location.  Copy the contents of the CD to disk (do not restore it!),
then run dcpromo /adv.  You will still need network connectivity with HQ.

Tim

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: Monday, June 13, 2005 9:14 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DCPROMO over a 128\256K line



Re: [ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread mike kline
Are you running 2000 or 2003.  Perfect time to install from media if
you are using 2003.

Thanks
MIke

On 6/13/05, Carerros, Charles <[EMAIL PROTECTED]> wrote:


[ActiveDir] DCPROMO over a 128\256K line

2005-06-13 Thread Carerros, Charles
I have a server at a remote location that I need to DCPROMO.  Two of my
colleagues were at this location a few months ago and tried to DCPROMO it
after a fresh rebuild but the sync took down the line (it was running at 56K
with a burst speed of 128K).

We have finally gotten the line upgraded to a 128K line with a 256K burst.
I'm not all that great with my math on these slow links but I was wondering if
it would be possible to conduct a DCPROMO while making that DC a global catalog
over this size link?

Right now, I'm going to have someone there power it up so I can do a forced
demote and then I will remove AD from it (as this box is currently tombstoned)
then ensure that I delete it out of my AD.  After that I will need to bring it
back up and I'm trying to determine the best course of action:

1)  DCPROMO it remotely and let it kill the line over a weekend
2)  Have them ship the server to me for rebuilding (it's in Canada, I'm in the US)
3)  Install a DC on a laptop and carry it up there and conduct the DCPROMO

I would like to do the first one for cost and time reasons, however I'm not
sure if the replication will be able to occur over this slow of a line in time.

Does item one sound like it would work or is the line too small to do this type
of sync with?  Currently, my NTDS and SYSVOL folders are only 226 megs combined.

What path do you guys suggest I follow?

Thanks,

Charlie


[ActiveDir] Affect of a schema update on W2K SP4 AD

2005-06-13 Thread frank . carroll
All,

I am running a W2K SP4 AD and am in the process of migrating to Exc 2003. I
have already applied the Exc 2003 forest prep and domain prep.

I now have a need to increase the rangeUpper on ms-Exch-Extension-Attribute-15
from 2048 to 4096. This attribute is a member of the partial attribute set.
The question is will the update to the rangeUpper on an existing attribute
cause a complete GC synch?

I suspect that the answer is yes but I just want to confirm this.

Thanks in advance

Frank





Re: [ActiveDir] Bionet trojan,

2005-06-13 Thread rubix cube
Ok my apology, didn't realize it would be taken this way.

I am a network administrator, and we are planning a security awareness
campaign; this demonstration will be a part of training for the
staff to see the security risks they can be in when opening an
attachment that they don't know about or executing a file. (I have
it now).

I had a noble cause so I asked a noble list, that's all; no offense to the list.

r.c.


On 6/12/05, Tony Murray <[EMAIL PROTECTED]> wrote:
> Jorge's right.  Please contact me off-list before posting something like
> that.  There's off topic and there's off topic, if you know what I mean.
> 
> Tony [List owner]
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
> Pinto
> Sent: Saturday, 11 June 2005 11:15 p.m.
> To: 'rubix cube '; '[EMAIL PROTECTED] ';
> 'ActiveDir@mail.activedir.org '
> Subject: RE: [ActiveDir] Bionet trojan,
> 
> In my opinion this list is not the place to ask for stuff like that.
> But hey... that's me
> #JORGE#
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> To: ActiveDir@mail.activedir.org
> Sent: 6/11/2005 11:42 AM
> Subject: [ActiveDir] Bionet trojan,
> 
> Hi guys,
> Can any one send me the BioNet trojan, I am condcuting a training session
> and I want to demonstrate for the staff how this works.
> thanks


RE: [ActiveDir] how to allow a specific user to access the domain from one pc & disallow the others

2005-06-13 Thread Sharif Naser

Hi Mike,

Sorry again for not reading your answer properly. Anyway, if automatic login
needs to be enabled on a Windows 2000 domain, I need to add the default domain,
default user name and default password, and change the AutoAdminLogon key from 0 to 1.

Regards,




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharif Naser
Sent: Sunday, June 12, 2005 9:27 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] how to allow a specific user to access the domain from 
one pc & disallow the others


Thanks a lot Mike, you have been very helpful.
 
Sorry for not making myself clear. Can this be achieved in a win2k domain
environment?
I have already searched the web but I could not find any useful information.
 
Any help in this regard is really highly appreciated.
 
Regards,

-Original Message- 
From: [EMAIL PROTECTED] on behalf of mike kline 
Sent: Sun 6/12/2005 4:03 PM 
To: ActiveDir@mail.activedir.org 
Cc: 
Subject: Re: [ActiveDir] how to allow a specific user to access the 
domain from one pc & disallow the others



This should help you

http://support.microsoft.com/kb/315231
How to turn on automatic logon in Windows XP

You are definitely taking a risk with this box on your domain in the
open like this.

Since this box will be in the open with no logon requirements you will
want to really tighten security on this box.

On top of the OS lockdowns, at a minimum I would recommend putting a
password on the BIOS and preventing users from booting to a CD or USB
(easy enough to boot into Knoppix or use other methods to take control of
the box)

Thanks
Mike




On 6/12/05, Sharif Naser <[EMAIL PROTECTED]> wrote:
>
> Thanks Mike & Robert.
>
> Now, I have a bonus question which is how do I allow automatic login so
> that I don't tag the password on the kiosk console.
>
> Regards
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams
> (RRE)
> Sent: Sunday, June 12, 2005 12:36 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] how to allow a specific user to access the
> domain from one pc & disallow the others
>
> I meant to have this in my last post...
>
> You could put the User Right "Deny Logon Locally" on all machines OTHER
> than your kiosk machine to accomplish the other part of your scenario
> (logging onto ONLY one machine).  The method mentioned below by Mike
> would suffice also for that purpose.
>
> Sorry for the extra junk in your mailbox ;-)  Have a good day!
>
> Robert Williams, MCSE NT4/2K/2K3, Security+
> Infrastructure Rapid Response Engineer
> Northeast Region
> Microsoft Corporation
> Global Solutions Support Center
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of mike kline
> Sent: Sunday, June 12, 2005 5:21 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] how to allow a specific user to access the
> domain from one pc & disallow the others
>
> To allow the user to only logon on to that machine go into their
> Account Tab and use the "Log On To" feature and only allow access to
> that particular machine.
>
> You could deny everyone else the right to log on locally using a policy.
>
> This is the setting in the GPO
>
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignment
>
> Go into "Log on Locally"  remove "Users, Power Users, and Backup
> Operators" then add this particular user.  I would not remove the
> administrators but you can do that and just add your account in case
> you ever need to access the machine interactively.
>
> Thanks
> Mike
>
>
> On 6/12/05, Sharif Naser <[EMAIL PROTECTED]> wrote:
> >
> >
> > Hello experts,
> >
> >
> >
> > I'm setting a kiosk machine, my question is how do I allow a specific user
> > to login  to my domain from only one machine & disallow other users from
> > logging from the same machine.
> >
> >
> >
> > Regards,
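As an added example (not code from the thread), a PowerShell audit of the two things discussed in this kiosk thread: which principals hold "Log on locally" on the kiosk, parsed from a secedit export, and the Winlogon autologon values Sharif lists (KB 315231). The function names and the placeholder kiosk account are mine; it assumes it runs elevated on the kiosk itself.

```powershell
# Added example, not part of the thread. Audits a kiosk build against the
# advice given above: interactive logon limited by user-rights assignment,
# and the Winlogon autologon values. Run elevated on the kiosk.

function Get-LogonRightAssignments {
    # Exports the local security policy with secedit and parses the
    # [Privilege Rights] section. SeInteractiveLogonRight is "Log on locally",
    # SeDenyInteractiveLogonRight is "Deny logon locally". Values are SIDs
    # written as *S-1-5-... or account names; the leading '*' is stripped here.
    $inf = Join-Path $env:TEMP 'kiosk-audit.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if ($inSection -and $line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $rights
}

function Test-KioskLogonPolicy {
    # $AllowedAccounts: names or SIDs that may hold "Log on locally", e.g. the
    # kiosk user plus Administrators (S-1-5-32-544), which Mike suggests keeping.
    # Anything else, including Users, Power Users and Backup Operators, is a finding.
    param([Parameter(Mandatory)][string[]]$AllowedAccounts)
    $wellKnown = @{
        'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-545' = 'Users'
        'S-1-5-32-547' = 'Power Users';    'S-1-5-32-551' = 'Backup Operators'
    }
    $rights   = Get-LogonRightAssignments
    $findings = @()
    foreach ($p in @($rights['SeInteractiveLogonRight'])) {
        if ($AllowedAccounts -notcontains $p) {
            $label = if ($wellKnown.ContainsKey($p)) { $wellKnown[$p] } else { $p }
            $findings += "Unexpected principal holds 'Log on locally': $label"
        }
    }
    if (-not $rights.ContainsKey('SeDenyInteractiveLogonRight')) {
        $findings += "'Deny logon locally' is not set on this machine (fine for the kiosk; it belongs on every OTHER machine)"
    }
    return $findings
}

function Test-AutoLogonConfig {
    # Checks the Winlogon values used for automatic logon. DefaultPassword is
    # stored in cleartext, readable by anyone who can read the key, so the
    # kiosk account must hold no rights beyond the kiosk itself.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $w   = Get-ItemProperty -Path $key
    $findings = @()
    if ($w.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon enabled for $($w.DefaultDomainName)\$($w.DefaultUserName)"
        if ($w.PSObject.Properties['DefaultPassword']) {
            $findings += 'DefaultPassword is present in the registry in cleartext'
        }
        if (-not $w.PSObject.Properties['DefaultDomainName']) {
            $findings += 'DefaultDomainName is missing: set it so the autologon targets the domain account'
        }
    }
    return $findings
}

# Usage (the kiosk domain and account are placeholders):
# Test-KioskLogonPolicy -AllowedAccounts 'KIOSKDOMAIN\kioskuser', 'S-1-5-32-544'
# Test-AutoLogonConfig
```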