RE: [ActiveDir] My LDAP Query
Appears functional. Thanks. Definitely want to try this on a slightly more beefy box; pegged this thing out at 100% for a while to return the 1200 qualifying objects.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Tuesday, June 14, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] My LDAP Query

I am a bit tired and a little high from sniffing tile adhesive but a couple of things.

First, I don't think you are using the correct attribute, I think you want msExchHomeServerName.

Second, I would think you want NOT CO-XMB11 AND NOT CO-XMB12.

I would write it more like

(&
  (objectcategory=person)
  (objectclass=user)
  (mail=*)
  (!(msExchHomeServerName=*CO-XMB11))
  (!(msExchHomeServerName=*CO-XMB12))
)

And yeah, I can't say that would probably be very performant, but I am not sure in my present state how to make it performant without listing by name every other mailbox server by full

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Tuesday, June 14, 2005 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] My LDAP Query

I can't get it to work and I'm tired. Anyone see my problem? I want all the users in the current domain whose mailbox server is not CO-XMB11 or CO-XMB12. I really don't care about perf, I'll run it once and forget about it.

(&(objectCategory=person)(objectClass=user)(mail=*)(!(|(msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12

(&
  (objectCategory=person)(objectClass=user)(mail=*)
  (!
    (|
      (msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12)
    )
  )
)

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

RE: [ActiveDir] My LDAP Query
Yeah there are two bad things in that query.

- The NOT ops which kill the ability to use the index msExchHomeServerName has.
- The medial/tuple search, i.e. wildcard somewhere other than the end of the string.

I don't know how much optimization there is in the engine for trying to quickly find matches with tuple searches if there is no tuple index, but I expect it isn't a considerable amount considering the perf you tend to see. For instance, I am not sure it even does simple things like skip attributes that would be too small to match the search string, etc. It isn't like it is a human mind processing the strings, it can't glance at an entry and say, yeah there is no chance of a match there, next. It actually has to keep comparing parts of the string over and over again until it proves there is no possible match.

That would actually probably be some interesting reading sometime. Maybe we can get Eric or Brett to blog about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Wednesday, June 15, 2005 2:03 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] My LDAP Query

Appears functional. Thanks. Definitely want to try this on a slightly more beefy box; pegged this thing out at 100% for a while to return the 1200 qualifying objects.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

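The two patterns joe describes can be checked mechanically before a filter is sent to a DC. The following is an added example, not code from the thread: a small Python parser for the filter syntax used above that flags negated clauses and wildcards that are not at the end of a value, and confirms on constructed entries (made-up user names and server paths) that the NOT-of-OR form and the AND-of-NOTs form select the same users.

```python
import re

def parse(filt):
    """Parse an LDAP filter string (RFC 4515 subset: & | ! and attr=value with '*')."""
    s = re.sub(r"\s*([()])\s*", r"\1", filt.strip())  # drop layout whitespace around parens
    node, pos = _parse_at(s, 0)
    if pos != len(s):
        raise ValueError(f"unexpected text at offset {pos}")
    return node

def _parse_at(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse_at(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' clause near offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    attr, sep, value = s[i:end if end != -1 else len(s)].partition("=")
    if end == -1 or not sep or not attr or "(" in value:
        raise ValueError(f"malformed comparison near offset {i}")
    return ("=", attr, value), end + 1

def findings(node, negated=False, out=None):
    """List (attribute, value, issue) for the two patterns called out in the thread."""
    out = [] if out is None else out
    if node[0] == "!":
        findings(node[1][0], not negated, out)
    elif node[0] in ("&", "|"):
        for kid in node[1]:
            findings(kid, negated, out)
    else:
        _, attr, value = node
        if negated:
            out.append((attr, value, "negated"))
        if "*" in value[:-1]:  # a '*' anywhere except as the last character
            out.append((attr, value, "non_trailing_wildcard"))
    return out

def matches(node, entry):
    """Simple two-valued evaluation; entry maps lower-cased attribute -> list of values."""
    op = node[0]
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    rx = re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I | re.S)
    return any(rx.fullmatch(v) for v in entry.get(attr.lower(), []))

# Constructed sample data: user names, mail addresses and server paths are made up.
SERVER_PREFIX = "/o=Example/ou=First Administrative Group/cn=Configuration/cn=Servers/cn="
ENTRIES = {
    name: {"objectcategory": ["person"], "objectclass": ["top", "person", "user"],
           "mail": [name + "@example.com"],
           "msexchhomeservername": [SERVER_PREFIX + server]}
    for name, server in [("user1", "CO-XMB11"), ("user2", "CO-XMB12"), ("user3", "CO-XMB13")]
}

# AND of two NOTs, laid out as in the thread.
AND_OF_NOTS = """(&
  (objectcategory=person)(objectclass=user)(mail=*)
  (!(msExchHomeServerName=*CO-XMB11))
  (!(msExchHomeServerName=*CO-XMB12))
)"""
# NOT of an OR, using the same attribute so that the two forms can be compared.
NOT_OF_OR = """(&
  (objectcategory=person)(objectclass=user)(mail=*)
  (!(|(msExchHomeServerName=*CO-XMB11)(msExchHomeServerName=*CO-XMB12)))
)"""

def select(filt):
    """Names of the sample entries that the filter matches."""
    tree = parse(filt)
    return sorted(name for name, entry in ENTRIES.items() if matches(tree, entry))

if __name__ == "__main__":
    for attr, value, issue in findings(parse(AND_OF_NOTS)):
        print(f"{issue:24} {attr}={value}")
    print(select(AND_OF_NOTS), select(NOT_OF_OR))
```
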
[ActiveDir] Disabling tools menu in IE through group policy in windows 2000 domain
Hello experts,

How can I disable the tools menu in IE through group policy in windows 2000 domain?

Regards,

[ActiveDir] Network Issue
Hi all,

I thought I'd run this by you all and see if anyone had a similar issue. On one of my member servers when I go into my network places, entire network, and Microsoft windows network and choose the domain of choice, I do not see any computers or servers. Instead I get a blank screen. However, when I perform the same task on another member server I see the entire domain except the member server that is experiencing the problem of not seeing the entire domain. Anyone have any ideas as to what could be the cause of the problem? The hardware of the member server is Dell PowerEdge 1750.

George

RE: [ActiveDir] Network Issue
Have you checked the Browser service?

Z.V.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of George Arezina
Sent: Wednesday, June 15, 2005 4:46 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Network Issue

Hi all,

I thought I'd run this by you all and see if anyone had a similar issue. On one of my member servers when I go into my network places, entire network, and Microsoft windows network and choose the domain of choice, I do not see any computers or servers. Instead I get a blank screen. However, when I perform the same task on another member server I see the entire domain except the member server that is experiencing the problem of not seeing the entire domain. Anyone have any ideas as to what could be the cause of the problem? The hardware of the member server is Dell PowerEdge 1750.

George

RE: [ActiveDir] Last Logon attempts
Or use OLDCMP (also from Joe) which can generate a nice HTML report

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, June 15, 2005 02:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Last Logon attempts

Tony pointed you to a lesson on fishing. Once you understand how to get the info for one user, you can expand it to get all. I haven't looked at that article closely but hopefully it talks about some of the shortcomings.

Short and sweet, there is no guaranteed mechanism to perfectly get last logon report for users. There are multiple mechanisms to try and get the data but nothing is completely foolproof, some logons don't get tracked (such as LDAP Simple Binds) and some mechanisms require you to query every single DC for every single user and some mechanisms can be as much as a week out of date for the last logon.

The easiest mechanism is the lastLogonTimeStamp mechanism available in Windows Server 2003. It is 7 days out of date at worst by default because it doesn't track every logon for every user, only specific logons and of those it only updates the values every 7 days (again by default). It is though, by far the easiest mechanism and only requires querying one DC per domain. You can get the output like this (all one line)

adfind -b dc=domain,dc=com -tdc -f "(&(objectcategory=person)(lastlogontimestamp=*))" lastlogontimestamp

Any other mechanism will require querying every DC in a domain and collecting info for every user OR doing something with logon scripts. They will all have their issues and again, none of the mechanisms are foolproof so keep that in mind. The mechanisms behind logon/authentication are a bit different in the Windows world than they are in some of the other OSes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: Tuesday, June 14, 2005 8:09 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Last Logon attempts

Hi Tony,

What I need is a consolidated report for all users, not a single user. If there is a third party solution then let it be.

--
DR

On 6/15/05, Tony Murray [EMAIL PROTECTED] wrote:

Hi Ravi

There's a good explanation and script (using lastLogonTimeStamp) shown here:

http://www.microsoft.com/technet/scriptcenter/topics/win2003/lastlogon.mspx

Tony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ravi Dogra
Sent: Wednesday, 15 June 2005 11:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Last Logon attempts

Hi,

Can we have a last logon consolidated report for all my users? I need collective information about last logons of all my users. Can anyone suggest any easy way?

--
DR

--
Ravi Dogra
9899647200

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Last Logon attempts
Err I feel silly. Yes of course if you are in DFL2 you could use oldcmp to generate a user lastlogontimestamp based report. If not though, it will key off of pwdLastSet which is an entirely different creature.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jorge de Almeida Pinto
Sent: Wednesday, June 15, 2005 8:17 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Last Logon attempts

Or use OLDCMP (also from Joe) which can generate a nice HTML report

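A consolidated report built on lastLogonTimestamp has to allow for the update lag described in this thread. The following is an added example, not code from the thread or from adfind/oldcmp: it converts raw lastLogonTimestamp values to dates and sorts accounts into active, uncertain and stale. The `dn:` / `>attribute: value` input layout, the account names, the 90-day threshold and the sample values are assumptions constructed for the example; the 7-day lag default is the figure quoted above.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(raw):
    """lastLogonTimestamp counts 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=int(raw) // 10)

def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10

def parse_dump(text):
    """Return {dn: raw value or None} from 'dn:' / '>lastLogonTimestamp:' lines.
    Any other line is ignored. The layout is an assumption of this example."""
    result, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            result[dn] = None
        elif dn and line.lower().startswith(">lastlogontimestamp:"):
            result[dn] = int(line.split(":", 1)[1])
    return result

def classify(raw, now, inactive_days=90, lag_days=7):
    """The stored value can trail the real last logon by up to lag_days, so an
    account is only called stale when even the most recent possible logon is
    older than the threshold."""
    if not raw:
        return "no-value"    # never updated, e.g. only untracked logon types
    age = now - filetime_to_datetime(raw)
    if age <= timedelta(days=inactive_days):
        return "active"
    if age <= timedelta(days=inactive_days + lag_days):
        return "uncertain"   # may have logged on inside the window
    return "stale"

def report(text, now, inactive_days=90, lag_days=7):
    return {dn: classify(raw, now, inactive_days, lag_days)
            for dn, raw in parse_dump(text).items()}

# Constructed sample: fixed "now" and made-up accounts so the result is repeatable.
NOW = datetime(2005, 6, 15, 12, 0, tzinfo=timezone.utc)

def days_ago(n):
    return datetime_to_filetime(NOW - timedelta(days=n))

SAMPLE = f"""\
dn:CN=alice,CN=Users,DC=domain,DC=com
>lastLogonTimestamp: {days_ago(3)}

dn:CN=bob,CN=Users,DC=domain,DC=com
>lastLogonTimestamp: {days_ago(93)}

dn:CN=carol,CN=Users,DC=domain,DC=com
>lastLogonTimestamp: {days_ago(200)}

dn:CN=svc-bind,CN=Users,DC=domain,DC=com
"""
# The last entry has no value; it would only be returned if the
# (lastlogontimestamp=*) clause were dropped from the filter.

if __name__ == "__main__":
    for dn, status in report(SAMPLE, NOW).items():
        print(f"{status:10} {dn}")
```
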
RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)
Exchange finds and uses DCs in a different way than most applications. It doesn't use the standard windows mechanism, it finds the first DC that way and then uses its own internal mechanisms (see DSACCESS docs) to find the rest. Generally it will only use DCs in its own site. I believe, but it has been a while since I read this, it will avoid the PDC by default. In larger environments I strongly recommend that Exchange servers, especially pools of Exchange servers go into their own dedicated sites with GCs that you want dedicated to Exchange. That way Exchange doesn't impact your "normal" DC/GCs and anything else doesn't impact your Exchange DC/GCs.

This obviously also brings up the idea of properly setting up subnets and sites in your directory. If that is done properly, any 2K/XP clients in remote subnets will use the remote DCs and this doesn't require round robin (though it helps in the case of multiple DCs in a single site). If you find clients are not following the topology correctly it almost certainly goes back to a DNS problem and if it isn't a DNS problem, the local DC is probably having issues.

As for other applications, it completely depends on how they were written on what they will use. If they are Microsoft based applications and by that I mean on MS and at some level using the MS LDAP Libraries (this is to specifically exclude LDAP Applications that use say the iPlanet LDAP SDK or some other non-MS LDAP DLLs such as NET::LDAP from perl) and they use serverless binding, they will follow the proper processes for locating domain controller resources. If they are not MS based apps, then somewhere, they specify the DCs they are targeting and you need to understand what they are specifying.

Overall, the PDC is generally going to be one of your more busy machines. It does things no other DCs do especially with legacy clients. Large companies will often take the PDC and put it off into its own logical site to cut down the number of normal requests going to it and allow only legacy clients and clients that specifically need the PDC to connect to it.

Overall, all of this can be a large difficult problem, you have to break it up and slowly attack it by identifying what is going on and determining if it is correct behavior or not. If something isn't correct, you need to ascertain why it is happening. If it is correct, you need to account for it.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Wednesday, June 15, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

Thanks Joe.

I confirm You that we do not have DNS server, but BIND 9 DNS. I will check to activate the RR with the DNS admin. I will follow your advice about network traffics. We have many services that need ldap/auth access to our DCs such as 10 Exchange 2003 servers (with ~ 3 users), asp script, php script, and our whole computers connecting to our AD 2003 domain, and perhaps many other :( But the DC which receives more LDAP traffics is my PDC Emulator which is also GC.

I follow the excellent link forwarded by Neil. I put LdapSrvWeight and LdapSrvPriority values for my PDC emulator lower than the 3 others. I will check if that works fine.

Regards,
Yann

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, June 15, 2005 03:10
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

Any load balancing in AD isn't done based on how busy the DCs are. There is a roundrobin that can happen from DNS but if you use a non-MS DNS, roundrobining may not be on, I have seen this more than once in various locations. Also note that a DC is given out for a client asking for a DC, it isn't given out per operation, so you could get a situation where a couple of clients happen to get the same DC and they are really busy clients. You can also get the case of some clients hard coded to a specific DC.

When I say clients above, I don't mean workstations, I mean any service hitting a domain controller requesting something/anything.

If you have a specific DC that is getting the crap pounded out of it, get a network trace of the machine and look to see who is hitting it and try to ascertain why. Could be all clients at a certain site who point at a screwed up DNS server or it could be any number of things.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ruston, Neil
Sent: Tuesday, June 14, 2005 3:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Load balancing LDAP request among my DCs - Correction :)

I understand your concerns and requirements but you include too many subjective words / phrases for my liking :)

i.e.
"heavy load"
"plenty of queries"
"deserve efficiently"

Best of luck with the SRV weight changes.

neil

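LdapSrvWeight and LdapSrvPriority end up as the weight and priority fields of the DC's SRV records, and RFC 2782 gives the two fields different meanings: the lowest priority number is always tried first, and weight only splits clients among records of equal priority. The following is an added example, not code from the thread, that works this through for four DCs. The host names, the starting values (priority 0, weight 100) and the changed values are assumptions, and weight 0 is simplified to "never picked unless all weights are 0".

```python
import random
from collections import Counter

def first_choice_share(records):
    """records: list of (target, priority, weight).
    Probability that each target is the first one a client tries."""
    best = min(priority for _, priority, _ in records)
    group = [(t, w) for t, p, w in records if p == best]
    total = sum(w for _, w in group)
    share = {t: 0.0 for t, _, _ in records}
    for target, weight in group:
        share[target] = weight / total if total else 1 / len(group)
    return share

def pick(records, rng):
    """One client's first choice: lowest priority number, then weighted random."""
    best = min(priority for _, priority, _ in records)
    group = [(t, w) for t, p, w in records if p == best]
    weights = [w for _, w in group]
    if not any(weights):
        weights = [1] * len(group)
    return rng.choices([t for t, _ in group], weights=weights, k=1)[0]

def simulate(records, clients, seed=1):
    """Count how many of `clients` locator lookups land on each DC.
    This counts clients, not load: one busy client still lands on one DC."""
    rng = random.Random(seed)
    return Counter(pick(records, rng) for _ in range(clients))

# Hypothetical hosts. (target, priority, weight)
UNCHANGED = [("pdc", 0, 100), ("dc1", 0, 100), ("dc2", 0, 100), ("dc3", 0, 100)]

# Only the weight of the PDC emulator is lowered: it keeps 25/325 of the clients.
PDC_LOWER_WEIGHT = [("pdc", 0, 25), ("dc1", 0, 100), ("dc2", 0, 100), ("dc3", 0, 100)]

# The PDC emulator has a LOWER priority number than the others: it is now the
# preferred record and every client tries it first, whatever the weights are.
PDC_LOWER_PRIORITY_NUMBER = [("pdc", 0, 25), ("dc1", 10, 100), ("dc2", 10, 100), ("dc3", 10, 100)]

# The PDC emulator has a HIGHER priority number: it is only tried when none of
# the priority-0 DCs answers.
PDC_HIGHER_PRIORITY_NUMBER = [("pdc", 10, 100), ("dc1", 0, 100), ("dc2", 0, 100), ("dc3", 0, 100)]

if __name__ == "__main__":
    for name, recs in [("unchanged", UNCHANGED),
                       ("pdc lower weight", PDC_LOWER_WEIGHT),
                       ("pdc lower priority number", PDC_LOWER_PRIORITY_NUMBER),
                       ("pdc higher priority number", PDC_HIGHER_PRIORITY_NUMBER)]:
        shares = {t: round(s, 3) for t, s in first_choice_share(recs).items()}
        print(f"{name:28} {shares}  simulated: {dict(simulate(recs, 1000))}")
```

Clients that do not use SRV lookups at all (hard-coded DC names, Exchange's own DC selection after the first lookup) are not affected by either value, which is why the network trace suggested above is still needed.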
[ActiveDir] Prohibit closing items
Top of the morning to ya!

I need to remove a restriction set in a GPO that prevents the user from closing any open windows. I thought it was located at:

user configuration / administrative templates / desktop / active desktop / prohibit closing items

but that's not the one. Any ideas?

RE: [ActiveDir] ESE Perf Mon problems
Here's the key, I copied the entries from the KB article, except for the Squeaky Lobster key, which I have also tried as the 'correct' key name (escapes me now). I have five DCs, all of which have the same problem. The Disable Performance Counters key is added by the system after it fails to initialize properly.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance]
"Open"="OpenPerformanceData"
"Collect"="CollectPerformanceData"
"Close"="ClosePerformanceData"
"Library"="c:\\perf\\esentprf.dll"
"Squeaky Lobster"=dword:0001
"Disable Performance Counters"=dword:0001

Thanks,
JD

-----Original Message-----
From: Steve Patrick [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 14, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ESE Perf Mon problems

Did you verify that you had proper settings under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance

Perhaps export the key and paste it in here?

steve

----- Original Message -----
From: WILLIAMS, J.D. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 14, 2005 11:30 AM
Subject: [ActiveDir] ESE Perf Mon problems

Greetings,

I have been trying to get the ESE counters on my DCs with no luck. I get the following Event Log entry after following the install instructions, loading perfmon and looking for the counters:

Event Type: Error
Event Source: Perflib
Event Category: None
Event ID: 1006
Date: 6/14/2005
Time: 1:13:14 PM
User: N/A
Computer: ADC12-E654-001
Description: Unable to locate the collect procedure in DLL c:\perf\esentprf.dll for the ESENT service. Performance data for this service will not be available. Error Status is data DWORD 0.
Data: : 7f 00 00 00 ...

I can't find anything in Google with regard to troubleshooting; this seems to work fine for everyone else! We are running W2K, SP4. My file version for ESENTPRF.DLL is 6.0.3939.6, file is 40K and dated 11-30-1999 (had another version, same info but dated 12-7-1999, same error).

Any assistance is greatly appreciated!

Thanks,
JD

[ActiveDir] Passwords from SQL
I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell : 330.704.1278
IP Phone: 4466

Re: [ActiveDir] Passwords from SQL
Jacob Stabl wrote:

> I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

AD standalone - no. For such purpose software like MIIS should be deployed or custom made script solution which will perform synchronization should be scheduled to run at some intervals.

--
Tomasz Onyszko
http://www.w2k.pl

RE: [ActiveDir] Passwords from SQL
No, AD can not connect to another password store and pull passwords. You would need some sort of syncing mechanism such as a metadata syncing tool or other. It also depends completely on how the passwords are stored in the MySQL database. If they are stored as one way hashes, you would need to intercept the password change and forward that clear text password on to Active Directory as it wouldn't be able to use the hash.

One additional concern would be around password policies, doing something like that would require identical policies on the two systems or else you could get in a situation where a password would be valid for one system, but not for the other.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 11:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell : 330.704.1278
IP Phone: 4466

RE: [ActiveDir] Passwords from SQL
Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MY SQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell : 330.704.1278
IP Phone: 4466

RE: [ActiveDir] Passwords from SQL
He's probably using MY SQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MY SQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

RE: [ActiveDir] Passwords from SQL
I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MY SQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

RE: [ActiveDir] Passwords from SQL
When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??
--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
RE: [ActiveDir] Passwords from SQL
Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.
Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
RE: [ActiveDir] Passwords from SQL
Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.
Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??
--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
RE: [ActiveDir] Passwords from SQL
Oh I completely agree, hence the sentence "Of course free is a question begging term". I expect the password piece is more a function of the application versus the DB anyway. If the application was pointed at SQL Server as written, it would probably do the same thing and set up a password table and compare users logging in to that versus using any integration in the DB product.

Additionally, most university and high school folks I have talked to through the years, and certainly it was the case when I was in those places, have more time than money. In high school I was the sysadmin for a PDP-11/84 running RSTS/E with 2 RK06 washing machine sized 40MB disk drives and a simple TU-80 for backups. If it didn't come for free from DEC or wasn't included in the service contract with DEC, it didn't matter how much something cost, it was entirely out of our own personal pocket so we spent far more time than money getting things working the way we wanted, which included writing system monitors, device drivers, spooler and batch compiler systems, and tons of other systems tools as well as the odd ball VT-220 based video game (pacman, snakes, etc) and a stellar Macro Assembler based reverse polish notation graphical calculator (also for the VT-220).

Quite honestly, looking back I wouldn't have it any other way, I learned a ton about the internals of systems software by messing with Disk subsystems and writing batch systems. I would absolutely not be the person I am today without all of that hacking experience.

Makes me wonder if kids in high school today that have better greater access to far better systems really dig into the guts much to make things better. Instead of seeing better systems down the road maybe we will see crappier systems as people who didn't grow up severely limited by what their systems could do and hacking them to make them better start moving into the positions where they are supposed to produce the next best thing...
joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons.
Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office:
RE: [ActiveDir] Passwords from SQL
Did you ever notice how the name on the TU-80s looked like the word Tubo; personally I preferred the CVT-240 since it had color. (Not that the ceiling white on gray background of the 240s was bad mind you.)

Bob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 2:26 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Oh I completely agree, hence the sentence "Of course free is a question begging term". I expect the password piece is more a function of the application versus the DB anyway. If the application was pointed at SQL Server as written, it would probably do the same thing and set up a password table and compare users logging in to that versus using any integration in the DB product.

Additionally, most university and high school folks I have talked to through the years, and certainly it was the case when I was in those places, have more time than money. In high school I was the sysadmin for a PDP-11/84 running RSTS/E with 2 RK06 washing machine sized 40MB disk drives and a simple TU-80 for backups. If it didn't come for free from DEC or wasn't included in the service contract with DEC, it didn't matter how much something cost, it was entirely out of our own personal pocket so we spent far more time than money getting things working the way we wanted, which included writing system monitors, device drivers, spooler and batch compiler systems, and tons of other systems tools as well as the odd ball VT-220 based video game (pacman, snakes, etc) and a stellar Macro Assembler based reverse polish notation graphical calculator (also for the VT-220).

Quite honestly, looking back I wouldn't have it any other way, I learned a ton about the internals of systems software by messing with Disk subsystems and writing batch systems. I would absolutely not be the person I am today without all of that hacking experience.
Makes me wonder if kids in high school today that have better greater access to far better systems really dig into the guts much to make things better. Instead of seeing better systems down the road maybe we will see crappier systems as people who didn't grow up severely limited by what their systems could do and hacking them to make them better start moving into the positions where they are supposed to produce the next best thing...

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to
RE: [ActiveDir] Passwords from SQL
Hi Jake,

I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with:

Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL
Microsoft Part #: 228-00683
Save 18% off RETAIL
$1,225.00
Retail $1,489.00

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about." -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free.
:o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
RE: [ActiveDir] Passwords from SQL
Well we purchased the enterprise MSSQL version. Also we have already purchased Exchange here

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake,

I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with:

Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL
Microsoft Part #: 228-00683
Save 18% off RETAIL
$1,225.00
Retail $1,489.00

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley
"A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about."
-Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MySQL instead of MS SQL for monetary reasons. Money is always an issue in education.

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MySQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??
--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
[ActiveDir] Same As Parent Folder
Hi -

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE : [ActiveDir] Same As Parent Folder
hello,

Try to do a "net stop netlogon" and a "net start netlogon" on the DC that did not register its SRV records, and finally restart your DNS server in DNS Manager.

Regards,

Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi -

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" on the DC that did not register its SRV records, and finally restart your DNS server in DNS Manager.

Regards,

Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi -

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" on the DC that did not register its SRV records, and finally restart your DNS server in DNS Manager.

Regards,

Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi -

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
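An added example, not code from the thread: Netlogon writes the records it tries to register to NETLOGON.DNS, so comparing that file with the zone shows which entries, including the (same as parent folder) A records, never arrived. The file contents, the zone listing, the 10.x addresses and dc1 are constructed for illustration, and the file is assumed to hold standard zone-file style lines.

```python
"""Diff the records Netlogon wants registered against what a DNS zone holds."""
from collections import namedtuple

Record = namedtuple("Record", "owner rtype rdata")
SAME_AS_PARENT = "(same as parent folder)"

# Constructed sample of DC2's netlogon.dns; addresses are made up.
NETLOGON_DNS = """\
company.com. 600 IN A 10.1.2.20
_ldap._tcp.company.com. 600 IN SRV 0 100 389 dc2.company.com.
_ldap._tcp.site1._sites.company.com. 600 IN SRV 0 100 389 dc2.company.com.
_ldap._tcp.gc._msdcs.company.com. 600 IN SRV 0 100 3268 dc2.company.com.
_ldap._tcp.site1._sites.gc._msdcs.company.com. 600 IN SRV 0 100 3268 dc2.company.com.
gc._msdcs.company.com. 600 IN A 10.1.2.20
"""

# Constructed listing of the company.com zone. dc1 is a hypothetical existing
# DC; DC2's SRV records are present but its A records are not.
ZONE_RECORDS = """\
company.com. 600 IN A 10.1.1.10
gc._msdcs.company.com. 600 IN A 10.1.1.10
_ldap._tcp.company.com. 600 IN SRV 0 100 389 dc1.company.com.
_ldap._tcp.company.com. 600 IN SRV 0 100 389 dc2.company.com.
_ldap._tcp.site1._sites.company.com. 600 IN SRV 0 100 389 dc2.company.com.
_ldap._tcp.gc._msdcs.company.com. 600 IN SRV 0 100 3268 dc1.company.com.
_ldap._tcp.gc._msdcs.company.com. 600 IN SRV 0 100 3268 dc2.company.com.
_ldap._tcp.site1._sites.gc._msdcs.company.com. 600 IN SRV 0 100 3268 dc2.company.com.
"""


def parse_records(text):
    """Parse 'owner [ttl] [class] type rdata' lines into a set of Records."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner, rest = fields[0].lower().rstrip("."), fields[1:]
        if rest and rest[0].isdigit():        # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError("unparseable record line: %r" % raw)
        rdata = " ".join(rest[1:]).lower().rstrip(".")
        records.add(Record(owner, rest[0].upper(), rdata))
    return records


def console_location(owner, zone, all_owners):
    """Return (folder, name) as the DNS console tree would show the record.

    A record whose owner is the zone itself, or a node that has other names
    below it, is listed inside that folder as '(same as parent folder)'.
    """
    if owner != zone and not owner.endswith("." + zone):
        raise ValueError("%s is not inside zone %s" % (owner, zone))
    relative = owner[: -len(zone)].rstrip(".")
    labels = relative.split(".") if relative else []
    is_folder = owner == zone or any(o.endswith("." + owner) for o in all_owners)
    if is_folder:
        name = SAME_AS_PARENT
    else:
        name, labels = labels[0], labels[1:]
    return "\\".join([zone] + labels[::-1]), name


def missing_registrations(netlogon_text, zone_text, zone):
    """List records Netlogon wants that the zone does not hold."""
    wanted = parse_records(netlogon_text)
    present = parse_records(zone_text)
    owners = {r.owner for r in wanted | present}
    report = []
    for rec in sorted(wanted - present):
        folder, name = console_location(rec.owner, zone, owners)
        report.append((folder, name, rec.rtype, rec.rdata))
    return report


if __name__ == "__main__":
    for row in missing_registrations(NETLOGON_DNS, ZONE_RECORDS, "company.com"):
        print("MISSING  %-24s %-24s %-4s %s" % row)
```

If the zone was opened to non-secure updates while troubleshooting, run the comparison again after Netlogon restarts and return the zone to secure-only updates once nothing is reported missing.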
[ActiveDir] GPO configuration
Isn't there a GPO setting that can prevent users from closing any window they open? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Lost and found
OK. We now have the Dean and joe version of what is happening. I'm good with it.

So, why is Tom's LastKnownParent blank? Now I'm interested.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

Dean is correct, just tested it out on K3. When an object gets tossed into lost and found the lastKnownParent gets populated as well as when an object is deleted it gets populated.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, June 14, 2005 9:52 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Lost and found

Joe's - lastKnownParent populated only during (group) object's-parent-deletion coinciding with (group) object's-move into deleted ( same) parent ... operations originated against individual DCs.

Dean's - lastKnownParent also populated during 2K3 DC's decision (when resolving conflict) to move (group) object into LostAndFound container due to absent parent ... lastKnownParent was populated as a result of conflict-resolution's 'move to LostAndFound' operation.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Tuesday, June 14, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

H, this last bit just piqued my interest:

[joe] I think lastKnownParent is only available on objects deleted on a K3 DC. I.E. If an object hasn't been deleted and if that deletion didn't occur on a K3 DC, it wouldn't be populated.

[Dean] Not quite, your statement is true ... but only to a point. Assuming the origin of the move operation was a 2K3 DC, the lastKnownParent will indeed be populated ... the attribute serves a greater purpose than most documentation will elude to.

*stares* Okay, what's the difference between what the two of you just said? It would appear that there's a subtlety I'm missing, since it reads the same to me.

- Laura
RE: [ActiveDir] LDAP performance
Nice machine name.. descriptive, to be sure.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 8:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

From port 42217? What was the clientOS again? That doesn't sound like Windows. Windows client I would expect port down in the range specified by the KB article. That modification they specify is for the client machine.

For instance, I fired up several queries to one of my DCs and let them complete, now I do a NETSTAT -A on my client and I see

  TCP    fastmofo:2497    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2526    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2535    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2552    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2575    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2597    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2602    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2609    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2665    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2675    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2686    2k3dc10.child1.joe.com:ldap    TIME_WAIT
  TCP    fastmofo:2697    2k3dc10.child1.joe.com:ldap    TIME_WAIT

These connections are all closed, but waiting on final cleanup. You can do a google on time_wait and get a better explanation than I can give. According to that article, if I get enough of these to eat up the pre-specified range on the client, the client will not be able to make any more connections to the DC. The KB tells you how to open up more ports for use on the client.

The trace should obviously go

  Client:x - Server:389 SYN
  Server:389 - Client:x SYN ACK
  Client:x - Server:389 ACK

and then go into an LDAP conversation starting most likely with a rootdse search or a bind. and then at the end you should see

  Client:x - Server:389 FIN ACK
  Server:389 - Client:x ACK
  Server:389 - Client:x FIN ACK
  Client:x - Server:389 ACK

assuming they are closing the connections down properly.

The trace below doesn't show this occurring. The trace is already filtered though with hundreds of packets missing so who knows what got screened, it could be a misrepresentation of what is going on if someone didn't do the trace or the filter quite right. If you get MS involved, you will almost certainly need to send them the whole trace so they can see everything going on. Especially some queries working and some not.

I understand why you may not want to post a full trace to a group like this. If you want, I would be willing to look at a full trace as well, just zip and send to me offline and I will look at it in the evening when I get a chance. Please send a format that can be opened in Ethereal. Digging through text traces is a pain in the butt. It doesn't allow us to use the computer tools that do this work so much better than we do.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Isenhour, Joseph
Sent: Tuesday, June 14, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LDAP performance

The application owner says that they are not seeing any extended error info. The connections are simply being disconnected. Here is part of the network trace the network guys sent me. This basically shows the same connection attempting to connect to 389 from port 42217. As you can see it tries a syn, waits a couple minutes, then tries again. It never gets acked. I have the LDAP calls as well; however (CISSPs close your ears), they are simple binds so I'll need to do some cleaning before sending them out ;-)

In a nutshell here is the sequence that the application goes through every time it auths a user:

1. Use a service account to bind to the directory
2. Search for the user account using filter (samaccountname=x) retrieve the DN.
3. Now that it has the DN, bind as the user.

It does this for every single user auth. Terribly inefficient I know. The newer version of the product does not bind with the service account every single time and actually we do have the newer version implemented in one location. The newer version has not seen this problem to date.

I'll go ahead and check out these articles,

Thanks

***

No. Time Source Destination Protocol Info
6827 32.129301 **.**.**.** **.**.**.** TCP 42217 ldap [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 WS=0 TSV=5999338 TSER=0

Frame 6827 (78 bytes on wire, 78 bytes captured)
Ethernet II, Src: 00:01:d7:14:d2:c1, Dst: 00:00:0c:07:ac:0e
802.1q Virtual LAN
Internet Protocol, Src Addr: **.**.**.** (**.**.**.**), Dst Addr: **.**.**.** (**.**.**.**)
Transmission Control Protocol, Src Port: 42217 (42217), Dst Port: ldap (389), Seq: 0, Ack: 0, Len: 0

No. Time Source
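The handshake and teardown sequence described in the message above can be checked mechanically once a capture is reduced to one summary per packet. The following is an added example, not code from the thread: the packet list is constructed sample data (the 10.0.0.x addresses and the timings are made up; ports 2497, 2526 and 42217 are borrowed from the thread), and it labels each client connection to port 389 as closed, open or unanswered and reports which side is left in TIME_WAIT.

```python
from collections import defaultdict

LDAP_PORT = 389

# Constructed sample capture: (time_s, src_ip, src_port, dst_ip, dst_port, flags).
# Addresses and timings are made up for illustration.
PACKETS = [
    # Connection A: handshake, then orderly teardown started by the client.
    (0.000, "10.0.0.5", 2497, "10.0.0.10", 389, {"SYN"}),
    (0.001, "10.0.0.10", 389, "10.0.0.5", 2497, {"SYN", "ACK"}),
    (0.002, "10.0.0.5", 2497, "10.0.0.10", 389, {"ACK"}),
    (0.400, "10.0.0.5", 2497, "10.0.0.10", 389, {"FIN", "ACK"}),
    (0.401, "10.0.0.10", 389, "10.0.0.5", 2497, {"ACK"}),
    (0.402, "10.0.0.10", 389, "10.0.0.5", 2497, {"FIN", "ACK"}),
    (0.403, "10.0.0.5", 2497, "10.0.0.10", 389, {"ACK"}),
    # Connection B: SYN sent three times, never acknowledged.
    (32.129, "10.0.0.7", 42217, "10.0.0.10", 389, {"SYN"}),
    (35.130, "10.0.0.7", 42217, "10.0.0.10", 389, {"SYN"}),
    (41.131, "10.0.0.7", 42217, "10.0.0.10", 389, {"SYN"}),
    # Connection C: handshake completes, no FIN inside the capture window.
    (50.000, "10.0.0.5", 2526, "10.0.0.10", 389, {"SYN"}),
    (50.001, "10.0.0.10", 389, "10.0.0.5", 2526, {"SYN", "ACK"}),
    (50.002, "10.0.0.5", 2526, "10.0.0.10", 389, {"ACK"}),
]


def new_state():
    return {"syn": 0, "synack": False, "est": False,
            "fin_client": False, "fin_server": False,
            "first_fin": None, "rst": False}


def verdict(c):
    """Map the flags seen on one connection to a single label."""
    if c["rst"]:
        return "reset"
    if c["syn"] == 0:
        return "partial"        # capture (or filter) missed the opening SYN
    if not c["synack"]:
        return "unanswered"     # SYN(s) sent, server never replied
    if not c["est"]:
        return "half-open"      # SYN ACK seen, client never completed
    if c["fin_client"] and c["fin_server"]:
        return "closed"
    if c["fin_client"] or c["fin_server"]:
        return "half-closed"
    return "open"


def classify(packets, server_port=LDAP_PORT):
    """Group packets per client socket and label each connection."""
    conns = defaultdict(new_state)
    for _t, src, sport, dst, dport, flags in sorted(packets, key=lambda p: p[0]):
        if dport == server_port:
            key, from_client = (src, sport, dst), True
        elif sport == server_port:
            key, from_client = (dst, dport, src), False
        else:
            continue            # not traffic to or from the LDAP port
        c = conns[key]
        if "RST" in flags:
            c["rst"] = True
        if from_client and flags == {"SYN"}:
            c["syn"] += 1
        elif not from_client and {"SYN", "ACK"} <= flags:
            c["synack"] = True
        elif from_client and "ACK" in flags and c["synack"]:
            c["est"] = True
        if "FIN" in flags:
            c["fin_client" if from_client else "fin_server"] = True
            if c["first_fin"] is None:
                c["first_fin"] = "client" if from_client else "server"
    out = {}
    for key, c in conns.items():
        v = verdict(c)
        out[key] = {
            "verdict": v,
            "syn_attempts": c["syn"],
            # The side that sends the first FIN is the one left in TIME_WAIT.
            "time_wait": c["first_fin"] if v == "closed" else None,
        }
    return out


def client_ports_in_time_wait(results, client_ip):
    """Local ports on client_ip that sit in TIME_WAIT right after the close."""
    return sorted(port for (ip, port, _srv), r in results.items()
                  if ip == client_ip and r["time_wait"] == "client")


if __name__ == "__main__":
    for key, r in classify(PACKETS).items():
        print(key, r)
```

A connection labelled "partial" means the opening SYN is not in the input, which is what a filtered trace with packets missing produces.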
RE: [ActiveDir] Lost and found
2K DCs involved would be my guess ... or possibly they auth. restored it!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, June 15, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

OK. We now have the Dean and joe version of what is happening. I'm good with it.

So, why is Tom's LastKnownParent blank? Now I'm interested.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, June 14, 2005 9:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

Dean is correct, just tested it out on K3. When an object gets tossed into lost and found the lastKnownParent gets populated as well as when an object is deleted it gets populated.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Tuesday, June 14, 2005 9:52 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Lost and found

Joe's - lastKnownParent populated only during (group) object's-parent-deletion coinciding with (group) object's-move into deleted ( same) parent ... operations originated against individual DCs.

Dean's - lastKnownParent also populated during 2K3 DC's decision (when resolving conflict) to move (group) object into LostAndFound container due to absent parent ... lastKnownParent was populated as a result of conflict-resolution's 'move to LostAndFound' operation.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Tuesday, June 14, 2005 9:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Lost and found

H, this last bit just piqued my interest:

[joe] I think lastKnownParent is only available on objects deleted on a K3 DC. I.E. If an object hasn't been deleted and if that deletion didn't occur on a K3 DC, it wouldn't be populated.

[Dean] Not quite, your statement is true ... but only to a point. Assuming the origin of the move operation was a 2K3 DC, the lastKnownParent will indeed be populated ... the attribute serves a greater purpose than most documentation will elude to.

*stares* Okay, what's the difference between what the two of you just said? It would appear that there's a subtlety I'm missing, since it reads the same to me.

- Laura
Re: [ActiveDir] Lost and found
Me too!!! :)

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
Re: [ActiveDir] Lost and found
Didn't auth restore it. An admin just moved it out of the Lost and Found thru ADUC.

But yes, the domain is win2k dc's. No win2k3 dc's to be found.

Thanks

--
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)
RE: [ActiveDir] Passwords from SQL
Why do you need the Enterprise version, are you running SQL Clusters for failover?

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 12:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 3:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake,

I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be.

Just doing a search on the web for the retail copy comes up with.

Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL
Microsoft Part #: 228-00683
Save 18% off RETAIL $1,225.00
Retail $1,489.00

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 11:28 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley
Sent: Wednesday, June 15, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money?

It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution...

Of course there's always the oft repeated quotes "Acquisition costs are only a fraction of TCO"

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 15, 2005 1:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o)

Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III
Sent: Wednesday, June 15, 2005 10:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MY SQL instead of MS SQL for monetary reasons. Money is always an issue in education

fred

Hi Jacob,

I have a better ID. If you use Microsoft SQL instead of MY SQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl
Sent: Wednesday, June 15, 2005 8:56 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

--
Jacob Stabl
Network Engineer
Plain Local School District
http://www.plainlocal.org
Office: 330.492.3500
Cell: 330.704.1278
IP Phone: 4466
RE: [ActiveDir] Same As Parent Folder
Thanks, Dean. That did not seem to do it either.

Ah, but now I see what happened. We have set HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords to value = 1 (meaning, don't register as per MSKB 246804). We had to do this to prevent RRAS PPP connections from registering in DNS and confusing local workstations. As soon as I change this value to 0, the host record shows up; as soon as I set it back to 1, the host disappears. Unfortunately, the PPP interfaces also register.

We don't seem to have this problem at other sites.

Any further thoughts?

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a net stop netlogon and a net start netlogon in the DC that did not register its SRV records, and finally restart your dns server in dns manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed. 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
May I ask why a DC has PPP interfaces?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks, Dean. That did not seem to do it either.

Ah, but now I see what happened. We have set HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords to value = 1 (meaning, don't register as per MSKB 246804). We had to do this to prevent RRAS PPP connections from registering in DNS and confusing local workstations. As soon as I change this value to 0, the host record shows up; as soon as I set it back to 1, the host disappears. Unfortunately, the PPP interfaces also register.

We don't seem to have this problem at other sites.

Any further thoughts?

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" in the DC that did not register its SRV records, and finally restart your dns server in dns manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed. 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
Noah-

I had a newly-promoted DC one day that wouldn't register one of the DNS records (I forget which record), that effectively messed up replication from that server to the other DC in that test domain. After unsuccessfully trying the old stop/start netlogon trick and a bunch of other things, I tried netdiag /fix on that DC. Like magic, all was well.

I have no idea whether that's useful in your case or not, but it's a shot. It was the first time that switch has come in handy for me...

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 3:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" in the DC that did not register its SRV records, and finally restart your dns server in dns manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed. 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
Yes. It kills me, but a DC at each site also runs RRAS in order to terminate PPTP connections. I have explained this over and over to the client's management. There is, arguably, now a plan (or at least a thought) to move this to a router or at least another Winbox. So, yes, I am aware that it is kludgey and bad and all of those things.

That said, until installing this DC we had finally reached a serviceable steady state (thanks, in part to Deji) where VPN connections were happening, replication was moving pretty well, and only the local interface was registering in DNS.

In other news, now DC2 is kicking out tons of NetBT errors claiming that the IP address is being used by another name.

Could there have been something in the promotion process that caused this not to register properly? I did not do that part of the process and am not sure that the guy who did knew what he was doing.

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

May I ask why a DC has PPP interfaces?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks, Dean. That did not seem to do it either.

Ah, but now I see what happened. We have set HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords to value = 1 (meaning, don't register as per MSKB 246804). We had to do this to prevent RRAS PPP connections from registering in DNS and confusing local workstations. As soon as I change this value to 0, the host record shows up; as soon as I set it back to 1, the host disappears. Unfortunately, the PPP interfaces also register.

We don't seem to have this problem at other sites.

Any further thoughts?

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a net stop netlogon and a net start netlogon in the DC that did not register its SRV records, and finally restart your dns server in dns manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed. 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] Same As Parent Folder
I have a similar setup at home and have merely used the RRASMGMT snap in to disable DNS registration for any undesirable NIC without issue (PPPoE etc) ... please further explain your RRAS configuration as I confess I'm not understanding the problem at this point.

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:44 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Yes. It kills me, but a DC at each site also runs RRAS in order to terminate PPTP connections. I have explained this over and over to the client's management. There is, arguably, now a plan (or at least a thought) to move this to a router or at least another Winbox. So, yes, I am aware that it is kludgey and bad and all of those things.

That said, until installing this DC we had finally reached a serviceable steady state (thanks, in part to Deji) where VPN connections were happening, replication was moving pretty well, and only the local interface was registering in DNS.

In other news, now DC2 is kicking out tons of NetBT errors claiming that the IP address is being used by another name.

Could there have been something in the promotion process that caused this not to register properly? I did not do that part of the process and am not sure that the guy who did knew what he was doing.

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 2:28 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

May I ask why a DC has PPP interfaces?

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 5:17 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks, Dean. That did not seem to do it either.

Ah, but now I see what happened. We have set HKLM\System\CurrentControlSet\Services\Netlogon\Parameters\RegisterDnsARecords to value = 1 (meaning, don't register as per MSKB 246804). We had to do this to prevent RRAS PPP connections from registering in DNS and confusing local workstations. As soon as I change this value to 0, the host record shows up; as soon as I set it back to 1, the host disappears. Unfortunately, the PPP interfaces also register.

We don't seem to have this problem at other sites.

Any further thoughts?

-- nme

From: Dean Wells [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:39 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Same As Parent Folder

Locate the NETLOGON.* set of files within %windir%\system32\config ... stop the NETLOGON service, delete the NETLOGON.DNB and NETLOGON.DNS files. Configure the AD representative DNS zone to allow non-secure updates and restart NETLOGON on the errant DC ... if the entry still does not appear, reboot the DC. Post back the results.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Wednesday, June 15, 2005 4:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

Thanks but that did not seem to do it. Any other thoughts?

-- nme

From: TIROA YANN [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 15, 2005 1:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Same As Parent Folder

hello,

Try to do a "net stop netlogon" and a "net start netlogon" in the DC that did not register its SRV records, and finally restart your dns server in dns manager.

Regards,
Yann

From: [EMAIL PROTECTED] on behalf of Noah Eiger
Date: Wed. 15/06/2005 21:54
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Same As Parent Folder

Hi

I have added a DC (let's call it DC2) to a site where it will eventually be the sole DC for that site. Currently, it is running AD-integrated DNS and appears to be replicating with the other sites and DCs (including the FSMO role holders).

In DNS, DC2's IP address never appears with a (Same As Parent Folder) record. All other DCs seem to have this. For example, dc2.company.com shows up in company.com\_msdcs\gc\_sites\site1\_tcp\ with the SRV record by name. But it does not show up under _msdcs\gc with an A record for (same as parent folder).

It seems like the new DC never fully registered itself in DNS. What can I do to force this now?

Thanks.

-- nme
RE: [ActiveDir] My LDAP Query
joe said: I am a bit tired and a little high from sniffing tile adhesive

And, then later emoted: state how to make it performant without listing by name every other mailbox server by full

Looking at the first statement, and the LACK OF COMPLETENESS to the second, I think the fumes overtook joe at some point during the response..

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 14, 2005 9:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] My LDAP Query

I am a bit tired and a little high from sniffing tile adhesive but a couple of things. First, I don't think you are using the correct attribute, I think you want msExchHomeServerName. Second, I would think you want NOT CO-XMB11 AND NOT CO-XMB12. I would write it more like

( (objectcategory=person) (objectclass=user) (mail=*) (!(msExchHomeServerName=*CO-XMB11)) (!(msExchHomeServerName=*CO-XMB12)) )

And yeah, I can't say that would probably be very performant, but I am not sure in my present state how to make it performant without listing by name every other mailbox server by full

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, June 14, 2005 9:27 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] My LDAP Query

I can't get it to work and I'm tired. Anyone see my problem? I want all the users in the current domain whose mailbox server is not CO-XMB11 or CO-XMB12. I really don't care about perf, I'll run it once and forget about it.

((objectCategory=person)(objectClass=user)(mail=*)(!(|(msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12

( (objectCategory=person)(objectClass=user)(mail=*) (! (| (msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12) ) ) )

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] GPO configuration
I've not seen one. I think that would be pretty hard to pull off unless you can remove the hot keys and window buttons.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005 1:47 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO configuration

Isn't there a GPO setting that can prevent users from closing any window they open?

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Passwords from SQL
Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit. Or not

Rick

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Why do you need the Enterprise version, are you running SQL Clusters for failover?

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 3:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with.
Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes Acquisition costs are only a fraction of TCO

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.
-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005 10:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MY SQL instead of MS SQL for monetary reasons. Money is always an issue in education

fred

Hi Jacob, I have a better ID. If you use Microsoft SQL instead of MY SQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 8:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??

-- Jacob Stabl Network Engineer Plain Local School District http://www.plainlocal.org Office: 330.492.3500 Cell: 330.704.1278 IP Phone: 4466

List info :
RE: [ActiveDir] Passwords from SQL
Hi Rick,

Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL.

I strongly believe that by changing to a Microsoft SQL database this allows him to then use integrated authentication and it would solve his problem (He may not have been aware that Microsoft SQL has had this feature since as far back as version 6.5). If the school can't even afford 2000.00 for an SQL database, I seriously doubt that they would have an 8 way server that would easily cost 20,000 or more.

But enough said, as far as I am concerned he has two choices and routes he can take and it is up to him to educate his management at the school district office that he has such a need and that the solution has a small cost. I am sure that any educator with common sense would concur that just because something is free it does not always mean it is the best solution and easiest to maintain for every environment.

Warmest regards, Jose Medeiros Former CIS instructor San Jose City College

---

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan Sent: Wednesday, June 15, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit.
Or not

Rick

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Why do you need the Enterprise version, are you running SQL Clusters for failover?

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 3:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with.

Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money?
It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes Acquisition costs are only a fraction of TCO

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] My LDAP Query
And by not so beefy box I meant a P3 1.33Ghz w/ 2048MB. It's one of the last ones to get an upgrade.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 2:07 AM To: ActiveDir@mail.activedir.org Cc: 'Eric Fleischman' Subject: RE: [ActiveDir] My LDAP Query

Yeah there are two bad things in that query. The NOT ops which kill the ability to use the index msExchHomeServerName has. The medial/tuple search, i.e. wildcard somewhere other than the end of the string.

I don't know how much optimization there is in the engine for trying to quickly find matches with tuple searches if there is no tuple index, but I expect it isn't a considerable amount considering the perf you tend to see. For instance, I am not sure it even does simple things like skip attributes that would be too small to match the search string, etc. It isn't like it is a human mind processing the strings, it can't glance at an entry and say, yeah there is no chance of a match there, next. It actually has to keep comparing parts of the string over and over again until it proves there is no possible match.

That would actually probably be some interesting reading sometime. Maybe we can get Eric or Brett to blog about it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Wednesday, June 15, 2005 2:03 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] My LDAP Query

Appears functional. Thanks. Definitely want to try this on a slightly more beefy box; pegged this thing out at 100% for a while to return the 1200 qualifying objects.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Tuesday, June 14, 2005 9:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] My LDAP Query

I am a bit tired and a little high from sniffing tile adhesive but a couple of things.
First, I don't think you are using the correct attribute, I think you want msExchHomeServerName. Second, I would think you want NOT CO-XMB11 AND NOT CO-XMB12. I would write it more like

( (objectcategory=person) (objectclass=user) (mail=*) (!(msExchHomeServerName=*CO-XMB11)) (!(msExchHomeServerName=*CO-XMB12)) )

And yeah, I can't say that would probably be very performant, but I am not sure in my present state how to make it performant without listing by name every other mailbox server by full

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Tuesday, June 14, 2005 9:27 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] My LDAP Query

I can't get it to work and I'm tired. Anyone see my problem? I want all the users in the current domain whose mailbox server is not CO-XMB11 or CO-XMB12. I really don't care about perf, I'll run it once and forget about it.

((objectCategory=person)(objectClass=user)(mail=*)(!(|(msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12

( (objectCategory=person)(objectClass=user)(mail=*) (! (| (msExchHomeServer=*CO-XMB11)(msExchHomeServer=*CO-XMB12) ) ) )

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
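The two filter shapes discussed in this thread, and joe's alternative of listing every other mailbox server by full name, can be compared with a small filter evaluator and lint; this is an added example, not code from any poster. The directory entries, the `SERVERS` prefix and all function names are constructed, the `&` operators are written in as an assumption (the archived filters show none), and the evaluator uses simplified two-valued logic rather than a directory server's matching rules.

```python
# Added example: constructed entries, simplified two-valued filter logic.
SERVERS = "/o=Example/ou=AG1/cn=Configuration/cn=Servers/cn="  # constructed

def _entry(cn, server=None, mail=True, cls="user"):
    e = {"cn": [cn], "objectclass": ["top", cls],
         "objectcategory": ["person" if cls == "user" else cls]}
    if mail:
        e["mail"] = [cn + "@example.com"]
    if server:
        e["msexchhomeservername"] = [SERVERS + server]
    return e

ENTRIES = [  # constructed directory content
    _entry("alice", "CO-XMB11"), _entry("bob", "CO-XMB12"),
    _entry("carol", "CO-XMB13"), _entry("dave", "CO-XMB14"),
    _entry("erin", mail=False), _entry("helpdesk", cls="group"),
]

HEAD = "(objectCategory=person)(objectClass=user)(mail=*)"
ATTR = "(msExchHomeServerName="
NOT_OF_OR = "(&" + HEAD + "(!(|" + ATTR + "*CO-XMB11)" + ATTR + "*CO-XMB12))))"
AND_OF_NOTS = "(&" + HEAD + "(!" + ATTR + "*CO-XMB11))(!" + ATTR + "*CO-XMB12)))"
BY_FULL_NAME = ("(&" + HEAD + "(|" + ATTR + SERVERS + "CO-XMB13)"
                + ATTR + SERVERS + "CO-XMB14)))")

def parse(text):
    """Parse a filter string into nested tuples; whitespace is ignored."""
    s = "".join(text.split())
    node, pos = _parse_filter(s, 0)
    if pos != len(s):
        raise ValueError("trailing text at offset %d" % pos)
    return node

def _parse_filter(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse_filter(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError("bad operand count for %r" % op)
        node = (op, kids)
    else:
        end = s.find(")", i)
        item = s[i:end] if end != -1 else ""
        attr, sep, value = item.partition("=")
        if not sep or not attr or "(" in item:
            raise ValueError("expected attr=value at offset %d" % i)
        node = ("=", attr.lower(), value.lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError("missing ')' at offset %d" % i)
    return node, i + 1

def is_valid(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False

def _match(pattern, value):
    """'*' is the substring wildcard; a lone '*' matches any present value."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return pattern == value
    if not value.startswith(parts[0]):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return len(value) - pos >= len(parts[-1]) and value.endswith(parts[-1])

def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":  # simplification: a missing attribute makes NOT true
        return not evaluate(node[1][0], entry)
    return any(_match(node[2], v.lower()) for v in entry.get(node[1], []))

def search(filter_text, entries=ENTRIES):
    tree = parse(filter_text)
    return [e["cn"][0] for e in entries if evaluate(tree, e)]

def lint(node, findings=None):
    """Flag the two patterns joe names: NOT clauses, non-trailing wildcards."""
    findings = [] if findings is None else findings
    if node[0] in "&|!":
        if node[0] == "!":
            findings.append("NOT clause")
        for kid in node[1]:
            lint(kid, findings)
    elif node[2] != "*" and "*" in node[2][:-1]:
        findings.append("non-trailing wildcard on " + node[1])
    return findings

if __name__ == "__main__":
    for name in ("NOT_OF_OR", "AND_OF_NOTS", "BY_FULL_NAME"):
        f = globals()[name]
        print(name, search(f), lint(parse(f)))
```

All three filters select the same users on this data; only the by-full-name form is free of both flagged patterns.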
[ActiveDir] DL Expansion Troubleshooting
Apparently we have had for the past three months a persistent but not predictable issue with large and nested DL expansion. These are always DLs that are nested usually three to four levels deep and ultimately expand to tens of thousands of mailboxes. There are three global catalogs in the Exchange site, and they sit all day around 3%. No load issues, all 2k3 SP1, have been built to spec by yours truly in December I believe. Nothing weird going on with them that I can see.

There are two issues that crop up, one newer than the other. Issue #1 (original) is that quite simply it will take a couple tries of sending a message to a DL to get everybody to get it; some folks get it twice, some get it once. When you do a message tracking it just sort of falls off the face of the Earth as far as delivery to the folks that don't get it twice. Now issue #2 is that as of late some DLs just hang up in the submission to categorizer if you look in message tracking. Takes a couple tries to get the categorizer to categorize.

Everything but the OWAs is 2000 SP3 w/ the rollup. I just started looking at this today, and quite frankly I've gotten to the end of my short list of things to check. I cranked up diagnostic logging for DSAccess and SMTP on the gateways and the mailbox server hosting the mailbox that blasts these DLs. Haven't found anything useful.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] Passwords from SQL
You know I don't know what your licensing agreement is with MS, but that price is not set in stone, and I wouldn't go talking about what scale you're getting from MS while identifying who you work for. (I'm a consultant at let's just say a very large education operation which is primarily MS based, hence I notice what you posted).

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes Acquisition costs are only a fraction of TCO

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free.
:o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005 10:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

He's probably using MY SQL instead of MS SQL for monetary reasons. Money is always an issue in education

fred

Hi Jacob, I have a better ID. If you use Microsoft SQL instead of MY SQL then you'll have the option of using Integrated Authentication and use the usernames and passwords that your users log into AD with.

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 8:56 AM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Passwords from SQL

I am running a MySQL server that holds data for a grading program here in the district. Well teachers have the ability to change passwords through that software and I was curious if AD could import passwords for people on a scheduled increment from that SQL database. Can active directory connect to a SQL database to pull other information or possibly import users directly from that database??
-- Jacob Stabl Network Engineer Plain Local School District http://www.plainlocal.org Office: 330.492.3500 Cell: 330.704.1278 IP Phone: 4466

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Passwords from SQL
without all of that hacking experience. Makes me wonder if kids in high school today that have better greater access to far better systems really dig into the guts much to make things better. Instead of seeing better systems down the road maybe we will see crappier systems as people who didn't grow up severely limited by what their systems could do and hacking them to make them better start moving into the positions where they are supposed to produce the next best thing...

/me thinks I know a few things about how AD and Exchange work plus my .Net fun, but I don't go hacking that hardcore with stuff. I do keep reflector running so I can see how MS did stuff in the .net framework though.

I hear there's a veritable antique shop in the basement, though I've never been down there, we might have some of that stuff. My understanding is that they don't throw jack out around the office, and the odds and ends hidden around the datacenter seem to solidify this rumor.

--brian

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 1:26 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Oh I completely agree, hence the sentence Of course free is a question begging term. I expect the password piece is more a function of the application versus the DB anyway. If the application was pointed at SQL Server as written, it would probably do the same thing and set up a password table and compare users logging in to that versus using any integration in the DB product.

Additionally, most university and high schools folks I have talked to through the years and certainly it was the case when I was in those places have more time than money. In high school I was the sysadmin for a PDP-11/84 running RSTS/E with 2 RK06 washing machine sized 40MB disk drives and a simple TU-80 for backups.
If it didn't come for free from DEC or wasn't included in the service contract with DEC, it didn't matter how much something cost, it was entirely out of our own personal pocket so we spent far more time than money getting things working the way we wanted which included writing system monitors, device drivers, spooler and batch compiler systems, and tons of other systems tools as well as the odd ball VT-220 based video game (pacman, snakes, etc) and a stellar Macro Assembler based reverse polish notation graphical calculator (also for the VT-220).

Quite honestly, looking back I wouldn't have it any other way, I learned a ton about the internals of systems software by messing with Disk subsystems and writing batch systems. I would absolutely not be the person I am today without all of that hacking experience. Makes me wonder if kids in high school today that have better greater access to far better systems really dig into the guts much to make things better. Instead of seeing better systems down the road maybe we will see crappier systems as people who didn't grow up severely limited by what their systems could do and hacking them to make them better start moving into the positions where they are supposed to produce the next best thing...

joe

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution...
Of course there's always the oft repeated quotes Acquisition costs are only a fraction of TCO

Joe Pochedley

A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, June 15, 2005 1:44 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

When you have next to nothing for a budget, next to nothing is a lot when you can get it for free. :o) Of course free is a question begging term but for any uses I have used MySQL for it has performed admirably.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 1:28 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

I am not sure why, Microsoft sells their products to education institutions for next to nothing.

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005
RE: [ActiveDir] Passwords from SQL
I happen to work in a very large education operation (quite larger than the OP's district or San Jose City College), and I quite simply can assure you that things aren't like you think they are. Your wishes are a long way from reality. In reality I expect his application just talks to the DB and he has no source code and MySQL is what he's got and it is what it is. If this is somehow erate-able, then you are playing with an even totally different bag of marbles as far as the dough goes.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 7:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Hi Rick,

Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL.

I strongly believe that by changing to a Microsoft SQL database this allows him to then use integrated authentication and it would solve his problem (He may not have been aware that Microsoft SQL has had this feature since as far back as version 6.5). If the school can't even afford 2000.00 for an SQL database, I seriously doubt that they would have an 8 way server that would easily cost 20,000 or more.

But enough said, as far as I am concerned he has two choices and routes he can take and it is up to him to educate his management at the school district office that he has such a need and that the solution has a small cost.
I am sure that any educator with common sense would concur that just because something is free it does not always mean it is the best solution and easiest to maintain for every environment.

Warmest regards, Jose Medeiros Former CIS instructor San Jose City College

---

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan Sent: Wednesday, June 15, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit. Or not

Rick

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Why do you need the Enterprise version, are you running SQL Clusters for failover?

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 3:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with.
Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00

Jose

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Educational price for MSSQL 2000 or whatever newest version is over $2000

-- Jake

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money? It's not a knock against free software... I use MySQL here and have used it for other personal applications as well... Sometimes free isn't always the best solution... Of course there's always the oft repeated quotes
RE: [ActiveDir] Passwords from SQL
Again I would simply argue that the application most likely wouldn't know what to do with integrated authentication if it walked up and bit the application on the butt. Depending also on the application, it may make zero sense to use integrated authentication against SQL since the SQL stuff could be accessed by an application ID and the passwords are simply to auth the users walking in the door. It is very difficult to determine what core backend pieces to change to get functionality without knowing a good bit about how the front end works.

My original response still stands though, the mechanism to do this if there even is one depends on the formatting of the passwords going into the DB and/or if you have the ability to intercept the password as it is being changed.

-Original Message-

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 8:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL

Hi Rick,

Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL.

I strongly believe that by changing to a Microsoft SQL database this allows him to then use integrated authentication and it would solve his problem (He may not have been aware that Microsoft SQL has had this feature since as far back as version 6.5). If the school can't even afford 2000.00 for an SQL database, I seriously doubt that they would have an 8 way server that would easily cost 20,000 or more.
But enough said, as far as I am concerned he has two choices and routes he can take and it is up to him to educate his management at the school district office that he has such a need and that the solution has a small cost. I am sure that any educator with common sense would concur that just because some thing is free it does not always mean it is the best solution and easiest to maintain for every environment. Warmest regards, Jose Medeiros Former CIS instructor San Jose City College --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan Sent: Wednesday, June 15, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit. Or not Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Why do you need the Enterprise version, are you running SQL Cluster's for failover? Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Well we purchased the enterprise MSSQL version. Also we have already purchased exchange here -- Jake -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 3:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. 
Just doing a search on the web for the retail copy comes up with. Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00 Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Educational price for MSSQL 2000 or whatever newest version is over $2000 -- Jake -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Free to acquire, yes... However, if you spend enough time in implementing, creating, and supporting some functionality that you would otherwise gain in the paid solution (password syncing?), have you really saved any money?
RE: [ActiveDir] Passwords from SQL
The reason that it's off the point is because: 1) MySQL is the database in which the application is deployed. 2) Moving it to MSSQL might exceed the realistic 'cost' of the database 3) It might be just as easy to use OpenLDAP (I'm assuming MySQL on Linux) and communicate with AD that way Make no mistake - I'm no bigot when it comes to using MS software. Quite the contrary. But, there are times when the simple economics of a solution scream out that Microsoft is not the right solution. Most schools that I work with are this way. Most of them would have to save a huge chunk of non-salary related expenditures to afford a Standard version of SQL. Hence, Access is a really popular option, even though getting it to work in some of the multi-user scenarios sucks - plainly and simply. In one school that I work with, the majority of the desktop OSs that they run are ones that I've donated. One of the servers OSs is as well. I'm not saying that you're wrong. Far from it, in fact. But, sometimes the solution can't meet the available economic resources. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 7:04 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Hi Rick , Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL. I strongly believe that by changing to a Microsoft SQL database this allows him to then use integrated authentication and it would solve his problem ( He may not have been aware that Microsoft SQL has had this feature since as far back as version 6.5 ). 
If the school can't even afford 2000.00 for an SQL database, I seriously doubt that they would have an 8 way server that would easily cost 20,000 or more. But enough said, as far as I am concerned he has two choices and routes he can take and it is up to him to educate his management at the school district office that he has such a need and that the solution has a small cost. I am sure that any educator with common sense would concur that just because some thing is free it does not always mean it is the best solution and easiest to maintain for every environment. Warmest regards, Jose Medeiros Former CIS instructor San Jose City College --- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan Sent: Wednesday, June 15, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Maybe they need an 8-way, or more than 2GB of RAM for the database that runs on it. Honestly, though - this has gotten way off the point. He's running MySQL, and doesn't look like he's going to change just because we thought MSSQL is a better fit. Or not Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 4:07 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Why do you need the Enterprise version, are you running SQL Cluster's for failover? Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 12:25 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Well we purchased the enterprise MSSQL version. 
Also we have already purchased exchange here -- Jake -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Wednesday, June 15, 2005 3:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Hi Jake, I know that Exchange is dirt cheap for Educational use, I am sure that SQL is also much less. Let me check with an educational specialist at Microsoft in San Francisco and see what it actually may be. Just doing a search on the web for the retail copy comes up with. Microsoft SQL Server 2000 Standard (5-Client) Full Version Retail Box RETAIL Microsoft Part #: 228-00683 Save 18% off RETAIL $1,225.00 Retail $1,489.00 Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jacob Stabl Sent: Wednesday, June 15, 2005 11:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Passwords from SQL Educational price for MSSQL 2000 or whatever newest version is over $2000 -- Jake -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Pochedley Sent: Wednesday, June 15, 2005 2:06 PM To:
Re: [ActiveDir] ESE Perf Mon problems
remove the value for Disable Performance Counters steve - Original Message - From: WILLIAMS, J.D. [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, June 15, 2005 6:48 AM Subject: RE: [ActiveDir] ESE Perf Mon problems Here's the key, I copied the entries from the KB article, except for the Squeaky Lobster key, which I have also tried as the 'correct' key name (escapes me now). I have five DCs, all of which have the same problem. The Disable Performance Counters key is added by the system after it fails to initialize properly. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance] Open=OpenPerformanceData Collect=CollectPerformanceData Close=ClosePerformanceData Library=c:\\perf\\esentprf.dll Squeaky Lobster=dword:0001 Disable Performance Counters=dword:0001 Thanks, JD -Original Message- From: Steve Patrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 14, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ESE Perf Mon problems Did you verify that you had proper settings under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance Perhaps export the key and paste it in here? steve - Original Message - From: WILLIAMS, J.D. [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 14, 2005 11:30 AM Subject: [ActiveDir] ESE Perf Mon problems Greetings, I have been trying to get the ESE counters on my DCs with no luck. I get the following Event Log entry after following the install instructions, loading perfmon and looking for the counters: Event Type: Error Event Source:Perflib Event Category: None Event ID: 1006 Date:6/14/2005 Time:1:13:14 PM User:N/A Computer: ADC12-E654-001 Description: Unable to locate the collect procedure in DLL c:\perf\esentprf.dll for the ESENT service. Performance data for this service will not be available. Error Status is data DWORD 0. Data: : 7f 00 00 00 ... 
I can't find anything in Google with regard to troubleshooting; this seems to work fine for everyone else! We are running W2K, SP4. My file version for ESENTPRF.DLL is 6.0.3939.6, file is 40K and dated 11-30-1999 (had another version, same info but dated 12-7-1999, same error). Any assistance is greatly appreciated! Thanks, JD List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] ESE Perf Mon problems
Ha! Sorry - I missed the fact you already saw this. (teach me to read the mail closer) Did you remove the First Counter \ Last counter info from this email or is it not in the registry? Did you lodctr against the esentprf.ini? If not , try this: Lodctr /s:backup.ini (backs up yer perf counter info) lodctr %systemroot%\system32\esentprf.ini steve - Original Message - From: Steve Patrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, June 15, 2005 6:40 PM Subject: Re: [ActiveDir] ESE Perf Mon problems remove the value for Disable Performance Counters steve - Original Message - From: WILLIAMS, J.D. [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, June 15, 2005 6:48 AM Subject: RE: [ActiveDir] ESE Perf Mon problems Here's the key, I copied the entries from the KB article, except for the Squeaky Lobster key, which I have also tried as the 'correct' key name (escapes me now). I have five DCs, all of which have the same problem. The Disable Performance Counters key is added by the system after it fails to initialize properly. Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance] Open=OpenPerformanceData Collect=CollectPerformanceData Close=ClosePerformanceData Library=c:\\perf\\esentprf.dll Squeaky Lobster=dword:0001 Disable Performance Counters=dword:0001 Thanks, JD -Original Message- From: Steve Patrick [mailto:[EMAIL PROTECTED] Sent: Tuesday, June 14, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] ESE Perf Mon problems Did you verify that you had proper settings under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance Perhaps export the key and paste it in here? steve - Original Message - From: WILLIAMS, J.D. [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 14, 2005 11:30 AM Subject: [ActiveDir] ESE Perf Mon problems Greetings, I have been trying to get the ESE counters on my DCs with no luck. 
I get the following Event Log entry after following the install instructions, loading perfmon and looking for the counters: Event Type: Error Event Source:Perflib Event Category: None Event ID: 1006 Date:6/14/2005 Time:1:13:14 PM User:N/A Computer: ADC12-E654-001 Description: Unable to locate the collect procedure in DLL c:\perf\esentprf.dll for the ESENT service. Performance data for this service will not be available. Error Status is data DWORD 0. Data: : 7f 00 00 00 ... I can't find anything in Google with regard to troubleshooting; this seems to work fine for everyone else! We are running W2K, SP4. My file version for ESENTPRF.DLL is 6.0.3939.6, file is 40K and dated 11-30-1999 (had another version, same info but dated 12-7-1999, same error). Any assistance is greatly appreciated! Thanks, JD
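The checks suggested in the thread above (whether Disable Performance Counters is set, and whether First Counter / Last Counter exist after running lodctr) can be run against an exported copy of the key. This is an added example, not code from the thread or from Microsoft; the sample export is constructed from the values JD posted, with the quoting and DWORD width of a standard regedit export assumed, and the function names are hypothetical.

```python
import re

# Key the thread is troubleshooting.
ESENT_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance"
ENTRY_POINTS = ("Library", "Open", "Collect", "Close")
COUNTER_RANGE = ("First Counter", "Last Counter")  # written when lodctr loads the .ini

# Constructed sample: the values posted in the thread, in assumed regedit v5 syntax.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESENT\Performance]
"Open"="OpenPerformanceData"
"Collect"="CollectPerformanceData"
"Close"="ClosePerformanceData"
"Library"="c:\\perf\\esentprf.dll"
"Squeaky Lobster"=dword:00000001
"Disable Performance Counters"=dword:00000001
'''


def parse_reg(text):
    """Parse a regedit text export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1), {})
            continue
        entry = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if entry is None or current is None:
            continue  # default values (@=) and malformed lines are skipped
        name, data = entry.group(1), entry.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
        else:
            current[name] = data  # hex:... and other types are kept as raw text
    return keys


def audit_export(text, key=ESENT_KEY):
    """Return a list of findings for the Performance key in an export."""
    wanted = key.lower()
    values = next((v for k, v in parse_reg(text).items() if k.lower() == wanted), None)
    if values is None:
        return [f"key not found in export: {key}"]
    findings = [f"missing entry point value: {n}" for n in ENTRY_POINTS if not values.get(n)]
    findings += [f"missing {n}: counters not loaded, run lodctr against esentprf.ini"
                 for n in COUNTER_RANGE if n not in values]
    if values.get("Disable Performance Counters", 0) != 0:
        findings.append("Disable Performance Counters is set: remove the value")
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```
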
RE: [ActiveDir] DL Expansion Troubleshooting
Did you compare the members of the respective groups in AD on your 3 GCs? You could potentially have an inconsistency between the DCs. /Guido From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Thursday, 16 June 2005 02:19 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] DL Expansion Troubleshooting Apparently we have had for the past three months a persistent but not predictable issue with large and nested DL expansion. These are always DLs that are nested usually three to four levels deep and ultimately expand to tens of thousands of mailboxes. There are three global catalogs in the Exchange site, and they sit all day around 3%. No load issues, all 2k3 SP1, have been built to spec by yours truly in December I believe. Nothing weird going on with them that I can see. There are two issues that crop up, one newer than the other. Issue #1 (original) is that quite simply it will take a couple tries of sending a message to a DL to get everybody to get it - some folks get it twice, some get it once. When you do a message tracking it just sort of falls off the face of the Earth as far as delivery to the folks that don't get it twice. Now issue #2 is that as of late some DLs just hang up in the submission to categorizer if you look in message tracking. Takes a couple tries to get the categorizer to categorize. Everything but the OWAs is 2000 SP3 w/ the rollup. I just started looking at this today, and quite frankly I've gotten to the end of my short list of things to check. I cranked up diagnostic logging for DSAccess and SMTP on the gateways and the mailbox server hosting the mailbox that blasts these DLs. Haven't found anything useful. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132
RE: [ActiveDir] GPO configuration
You could prevent users from logging on in the first place - this will ensure they can't close any window. The only issue is that they can't open any either ;-)) Just curious - why would you want to achieve this in the first place? /Guido -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Thursday, 16 June 2005 00:07 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration I've not seen one. I think that would be pretty hard to pull off unless you can remove the hot keys and window buttons. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Wednesday, June 15, 2005 1:47 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] GPO configuration Isn't there a GPO setting that can prevent users from closing any window they open?
[ActiveDir] Migration between domains with same NetBios name
Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience. Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=copr.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to setup a trust and thus losing various options for doing a "normal" migration. At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration has to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same ip-subnet... I wonder how others have tackled this challenge and what issues you ran into. /Guido
RE: [ActiveDir] Migration between domains with same NetBios name
Rename it? I will admit, I've never actually tried this, but I know people who say it works. I think you should try this procedure, on a test box first, and report back. Maybe you should do it to a BDC you bring up just to test, isolated, and see how it goes. http://support.microsoft.com/default.aspx?scid=kb;en-us;169741 If this does work, I'd like to know, so I can recommend it in the future. The other option is logical data migration but not actual migration if you will. IE, ldifde and such. But that comes with the normal lose the SIDs type of issues, which I assume to be a major headache for your scenario. ~Eric PS: Basically, this mail translates roughly in to me saying, this might or might not work, and I'd like you to be my testing guy to let me know, since I've never had occasion to give it a whirl myself. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Wednesday, June 15, 2005 10:43 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Migration between domains with same NetBios name Here is a nice one - I've done quite a few migrations with all kinds of scenarios, so I hardly ask questions around this topic. But when migrating from one NT4 domain to an AD domain which both have the same NetBios names, various issues and potential conflicts come to mind and I wonder if others had to do this in the past, who could share their experience. Think about an existing NT4 domain called CORP and another existing AD domain called CORP (with DNS=copr.company.com). And now you need to migrate all users and resources from the NT4 CORP to the AD CORP and place AD DCs into the same sites as the existing NT4 DCs... I can imagine various challenges, besides not being able to setup a trust and thus losing various options for doing a normal migration. 
At least I have no need to register the AD domain in WINS; all clients are XP, but I know for sure that I'm going to run into various other issues (the worst one being that the account activation and the resource migration has to happen instantaneously, since resource access won't be possible across the domains). But I'm also thinking of networking issues with an NT4 DC of the one and an AD DC of the other domain in the same ip-subnet... I wonder how others have tackled this challenge and what issues you ran into. /Guido