RE: [ActiveDir] Unexpected WINS registering behavior
FYI: I tried the below and *did* see the same (odd) behaviour - WINS entries 'flipped'. I'm not sure if perhaps the WINS client flips to another WINS server if the server does not respond within n msec??

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: 16 June 2005 21:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unexpected WINS registering behavior

More info: I set up a test lab:

1 Windows 2003 Sp1. WINS installed
1 Windows 2003 Sp1. WINS installed
1 XP sp2 client

Generic installs of WINS on each server. Set up Push/Pull replication between them. No other server configs done. Client points to the servers' IPs for WINS. All boxes are on the same subnet on the same isolated switch. Doing a nbtstat -RR exhibits the same behavior. It swaps the WINS servers each time.

Can someone else try:

ipconfig /all = note the WINS order
nbtstat -RR
ipconfig /all = see if the WINS order changed

I'm stumped...

-alex

On Thu, 16 Jun 2005 08:41:57 -0700, Kevin Taco [EMAIL PROTECTED] said:

We have two WINS servers and one DHCP server. All are on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, Jorge de Almeida Pinto [EMAIL PROTECTED] said:

Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: Thursday 16 June 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it doesn't.

Two WINS servers, both set up as replication partners with each other with push/pulls. From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this? Any help is greatly appreciated.

Thnx,
Kevin

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
[ActiveDir] Nt v4.0 in 2k Domain Issue
All,

Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes).

We have started getting reports of NT v4.0 Servers falling off the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as Account Unknown. All NT v4.0 Servers are SP6a.

I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so can't see what server the machine has tried to form a secure channel with.

Now... If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's.

I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but can't see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values.

I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020

Could anyone possibly shed some light on this one? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Opterons), but at this stage, I can't remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc.

Obviously getting rid of NT v4.0 is the preferred solution, however that won't be completed until about September.

TIA
Glenn
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
The first thing I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: - Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients)

Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659). Especially take a look at the configuration with the Network access words. Maybe you recognize a configuration that is the source of your problem.

Cheers
#JORGE#

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Friday 17 June 2005 12:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
I found I needed to set "Network access: Allow anonymous SID/Name translation" to Enabled. This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume).

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: 17 June 2005 12:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
RE: [ActiveDir] Passwords from SQL
If you want have information from AD you can write or buy also an application that imports statically/on demand/dynamically what you want from AD repository to other once. Are these informations limited to users (AD Users?) You can import all not but passwords (for obvious reasons).

MSSQL (2000 and later) gives other features those make the real difference. If integrated in AD you have the possibility to write application without write for everyone the management of the connection if you use SQL in Windows AD Integrated mode. No registry file, no config file, no specialized code and every time you change centrally you change peripherically. But this is minimum.

In Integrated mode and listing in AD MSSQLServer will become repository of AD and you can interrogate AD with interrogating MSSQL (no LDAP language, no Administrative tools). You can write applications that directly makes what you need without discontinuous points.

For pricing you can have MSSQL MSDE for nothing (In Windows 2003 is present but 'hidden'). And also it can look at in Remote linked server to MySQL in bi-directional mode ...

Bye

From: Medeiros, Jose [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL
Date: Thu, 16 Jun 2005 09:44:21 -0700

Hi Rick,

Point well taken. I also do agree MYSQL is a fine database and a great value.

Peace,
Jose Medeiros :-)
www.ntea.net
www.tvnug.org
www.sfntug.org

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Rick Kingslan
Sent: Wednesday, June 15, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

The reason that it's off the point is because:

1) MySQL is the database in which the application is deployed.
2) Moving it to MSSQL might exceed the realistic 'cost' of the database
3) It might be just as easy to use OpenLDAP (I'm assuming MySQL on Linux) and communicate with AD that way

Make no mistake - I'm no bigot when it comes to using MS software. Quite the contrary. But, there are times when the simple economics of a solution scream out that Microsoft is not the right solution. Most schools that I work with are this way. Most of them would have to save a huge chunk of non-salary related expenditures to afford a Standard version of SQL. Hence, Access is a really popular option, even though getting it to work in some of the multi-user scenarios sucks - plainly and simply.

In one school that I work with, the majority of the desktop OSs that they run are ones that I've donated. One of the server OSs is as well.

I'm not saying that you're wrong. Far from it, in fact. But, sometimes the solution can't meet the available economic resources.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Wednesday, June 15, 2005 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Passwords from SQL

Hi Rick,

Actually how is this off the point? He is looking for a solution that will allow him to use the same user accounts in AD and authenticate against MYSQL, right? He wants to save the time and labor of having to manually update user accounts and passwords since they are maintained by two separate systems and since there are no built in utilities in AD that allow him to easily do so with an Open Source Database such as MYSQL.
I strongly believe that by changing to a Microsoft SQL database this
RE: [ActiveDir] Migration between domains with same NetBios name
> Deji, you mention you've already leveraged rendom in production environments

Correct. One of the most recent involved a divestiture, and that was when I had the conversation with Chris. You are correct in that this is an OS-limitation and Chris and I agreed on that too. But, he was thinking that they could put a work-around into V3, although we didn't know what that work-around might be.

> I don't mind mentioning that I've always tried to avoid it and didn't have the requirement until now.

I used to also - until they released the current rendom and the Fixups. The original rendom (in the 2K3 CD) has some limitations. The new one addresses some of the concerns we had when Domain Rename was first introduced.

> I know quite well what's involved and what will potentially break if used in AD

A very valid point, but one that has been addressed in a better form since the release of the new rendom

> and the efforts I have to go through on the client and member-server side

If it were easy, nobody would need us to do it, no? :)

> I'd be happy to hear from you that I'm making this too difficult and rendom is no issue... ;-)

I'd be happy to discuss my experience with you. I hope you are doing this on TM basis :P

> the best approach yet (thanks Jorge and Aric) is to add another BDC to the old dom, take it offline, promote to PDC and rename its domain then migrate account and group objects across to AD

As I haven't experimented with this approach, I can't comment.

Here are some things you might want to read over:

http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4d0c3b6e-e6f5-4ab3-9d81-106ae3a71549.mspx
http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc
http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Ftranscripts%2Fwct052103.asp

- The last 2 above are somewhat outdated, but they are informative. There are some useful blogs I've come across before, but they relate to Exchange-specific considerations in a rendom situation.

HTH

Sincerely,
Deji Akomolafe, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
RE: [ActiveDir] Unexpected WINS registering behavior
Another strange thing is the client registers with the WINS server just fine. I can see it in the db's of each WINS server. The problem is the record continually gets a new owner as the WINS server order flip flops. This behavior seems pretty sub-optimal to me...

-kevin

On Fri, 17 Jun 2005 10:06:45 +0100, Ruston, Neil [EMAIL PROTECTED] said:

FYI: I tried the below and *did* see the same (odd) behaviour - WINS entries 'flipped'. I'm not sure if perhaps the WINS client flips to another WINS server if the server does not respond within n msec??

neil
[ActiveDir] Default value for some lanmanserver parameters
We have recently had issues which led us to change various parameters on our w2k DCs. We plan to implement w2k3 DCs in the near future and would like to better understand the default and max values that these parameters may take.

Parameters in question with values used on w2k DCs:

MaxWorkItems 65535
MaxRawWorkItems 512
MaxFreeConnections 100
MinFreeConnections 32

Are the w2k3 defaults documented anywhere? I am concerned that by applying the above settings we may adversely affect w2k3 DCs, where the defaults are perhaps greater than the above.

Thanks,
neil
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Jorge,

Thanks for that. This may well be my problem, since points:

2. Down-level members can't set up a netlogon secure channel.
4. Windows NT clients can't change their password after it expires.

Seem to be exactly the problem I'm having. The error message when trying to log onto these servers with a domain account essentially says (I can't remember the exact wording) that the trust between the server and the domain has expired. I'm presuming that a workstation / server trust account would have the same password changing issue, even though the article doesn't explicitly mention it.

The Require Strong Key from the second article also might be the culprit, since the symptoms are the same as well. I *thought* the DC security policy had this set correctly, but I might be wrong.

That's a nice article actually, you obviously have magic fingers with the MS Support site *grin*

Time to wander back into work and have a look at this (going interstate in 4 hours and want to fix this before I fly out... ugh... I hate 5am flights).

Thanks Again
Glenn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto
Sent: Friday, 17 June 2005 9:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
RE: [ActiveDir] Effect of change to MaxValRange
MaxValRange - This value controls the number of values that are returned for an attribute of an object, independent of how many attributes that object has, or of how many objects were in the search result. In Windows 2000 this control is hard coded at 1,000. If an attribute has more than the number of values that are specified by the MaxValRange value, you must use value range controls in LDAP to retrieve values that exceed the MaxValRange value.

MaxValueRange controls the number of values that are returned on a single attribute on a single object. The repercussion is that it would be easier to allow a bad or otherwise expensive query have a greater impact on your domain controllers. Generally it's not a good idea to change this safeguard.

My advice? I think it should be considered a high risk item. The reason is because if the vendor is unwilling to change their query to be more efficient, then it indicates to me that there is a significant risk of that same vendor taking down my DCs with a bad query. It also opens the door for other vendors to cause that same issue. Force the vendor to fix the query else find another vendor if you can.

Al

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Effect of change to MaxValRange

All,

What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000.

Chris
RE: [ActiveDir] Effect of change to MaxValRange
What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something. It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue. I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either. I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. 
:o) joe
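The range-size assumption joe describes in this thread, as an added example that is not part of the original messages and is not adfind's code: a simulated domain controller is read by a client that hard-codes the chunk size and by one that takes the next start from the attr;range=low-high description the server returns. SimulatedDC, the function names and the member DNs are hypothetical and constructed for illustration, and the server behaviour is simplified.

```python
"""Range retrieval against a simulated DC (constructed data, no network)."""
import re

# Attribute description carrying a range option, e.g. "member;range=0-1499".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<low>\d+)-(?P<high>\d+|\*)$", re.I)


class SimulatedDC:
    """Hypothetical stand-in for one multi-valued attribute on a domain controller."""

    def __init__(self, values, max_val_range):
        self.values = list(values)
        self.max_val_range = max_val_range  # the LDAP policy discussed in the thread

    def read_plain(self, attr):
        """Request 'attr' with no range option (what a range-unaware app does)."""
        if len(self.values) <= self.max_val_range:
            return attr, list(self.values)
        # Simplified: only the first MaxValRange values come back, and the
        # attribute description is the only hint that more exist.
        top = self.max_val_range - 1
        return f"{attr};range=0-{top}", self.values[: self.max_val_range]

    def read_range(self, attr, low):
        """Request 'attr;range=low-*'; the server decides how many values to send."""
        total = len(self.values)
        if low >= total:
            raise ValueError("range start is past the last value")
        end = min(total, low + self.max_val_range)  # exclusive index
        high = "*" if end == total else str(end - 1)
        return f"{attr};range={low}-{high}", self.values[low:end]


def is_truncated(description):
    """True when the returned description says more values remain on the server."""
    m = RANGE_RE.match(description)
    return bool(m) and m["high"] != "*"


def read_all_assuming_size(dc, attr, assumed_chunk):
    """Flawed client: advances by a hard-coded chunk size instead of the reply."""
    values, low = [], 0
    while True:
        description, chunk = dc.read_range(attr, low)
        values.extend(chunk)
        if not is_truncated(description):
            return values
        low += assumed_chunk  # wrong as soon as the server's limit differs


def read_all(dc, attr):
    """Correct client: the next start comes from the range the server returned."""
    values, low = [], 0
    while True:
        description, chunk = dc.read_range(attr, low)
        m = RANGE_RE.match(description)
        if m is None or int(m["low"]) != low:
            raise RuntimeError(f"unexpected attribute description: {description!r}")
        values.extend(chunk)
        if m["high"] == "*":
            return values
        if int(m["high"]) - low + 1 != len(chunk):
            raise RuntimeError("value count does not match the returned range")
        low = int(m["high"]) + 1


def demo():
    """Compare both clients against limits of 1000 and 1500 (constructed data)."""
    members = [f"CN=user{i:04d},OU=Staff,DC=example,DC=test" for i in range(4000)]
    report = {}
    for limit in (1000, 1500):
        dc = SimulatedDC(members, limit)
        flawed = read_all_assuming_size(dc, "member", assumed_chunk=1000)
        report[limit] = {
            "correct": len(read_all(dc, "member")),
            "flawed_total": len(flawed),
            "flawed_duplicates": len(flawed) - len(set(flawed)),
        }
    return report


if __name__ == "__main__":
    for limit, row in demo().items():
        print(limit, row)
```

A caller that cannot do ranging can at least run is_truncated on the attribute description it received and refuse to treat the value list as complete.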
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Hmmm

Further to that, just gone and checked both the working and non-working DC's. All of the servers have the same (and expected values) for all of the options in both those articles. There were some minor policy differences around things that wouldn't have been involved (like remembering the last logged on user).

Glenn

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: Saturday, 18 June 2005 12:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

Jorge, Thanks for that. This may well be my problem, since points:

2. Down-level members can't set up a netlogon secure channel.
4. Windows NT clients can't change their password after it expires.

seem to be exactly the problem I'm having. The error message when trying to log onto these servers with a domain account essentially says (I can't remember the exact wording) that the trust between the server and the domain has expired. I'm presuming that a workstation / server trust account would have the same password changing issue, even though the article doesn't explicitly mention it. The Require Strong Key from the second article also might be the culprit, since the symptoms are the same as well. I *thought* the DC security policy had this set correctly, but I might be wrong.

That's a nice article actually, you obviously have magic fingers with the MS Support site *grin*

Time to wander back into work and have a look at this (going interstate in 4 hours and want to fix this before I fly out... ugh... I hate 5am flights).

Thanks Again

Glenn

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Friday, 17 June 2005 9:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

The first thing that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: - Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients)

Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659). Especially take a look at the configuration with the Network access words. Maybe you recognize a configuration that is the source of your problem.

Cheers #JORGE#

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue

All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes).

We have started getting reports of NT v4.0 Servers falling off the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as Account Unknown. All NT v4.0 Servers are SP6a.

I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so can't see what server the machine has tried to form a secure channel with.

Now... If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but can't see why a machine would be able to form a secure channel with one domain controller, but not another.

I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020

Could anyone possibly shed some light on this one? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Opterons), but at this stage, I can't remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc.

Obviously getting rid of NT v4.0 is the preferred solution, however that won't be completed until about September.

TIA Glenn
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Neil, Yes, they are in the same domain unfortunately. G.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, 17 June 2005 9:29 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

I found I needed to set Network access: Allow anonymous SID/Name translation to Enabled. This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume). neil
[ActiveDir] OT: Missing Offline Files
I have a user who has lost all of their data from the past four months because they were using off line file sync with their my documents folder but didn't have the default to sync the files in subfolders. As she has lost all of her data, she would like it back but I don't know where to look for it. I can't seem to find where the system saves the offline synced files. Does anyone know where this is? Does anyone have any good solution to working around this type of issue? My only guess at this time is to throw a document recovery program at that machine and see if the data is in a deleted state on the hard drive. I'm not too confident in this scenario.

Thanks, Charlie
RE: [ActiveDir] OT: Missing Offline Files
I think it's in a hidden folder in the windows dir called CSC... I'm not totally sure, but you can check that.
RE: [ActiveDir] OT: Missing Offline Files
They're stored by default in %systemroot%\CSC... Here's a bit more info... http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=20373DisplayTab=Article

**
Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083
**
RE: [ActiveDir] Effect of change to MaxValRange
Resend... -Original Message- From: joe [mailto:[EMAIL PROTECTED] Sent: Friday, June 17, 2005 11:34 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Effect of change to MaxValRange
[ActiveDir] RRAS pptp issue
I have this strange issue where a client using winxp sp1 pptp client connecting to my win2k sp4 RRAS server keeps disconnecting after 5 mins. I do not have IE set up to disconnect if idle. Nothing is logged on the RRAS server. The client only logs an event id 20159-

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20159
Date: 6/17/2005
Time: 1:35:06 PM
User: N/A
Computer: EFFICIEN-UA7PQA
Description: The connection to charmer made by user using device VPN3-1 was disconnected. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The client is using adsl to connect thru the internet. It's a Netopia router/dsl bridge. There are 5 other people in that remote office running the same OS and config with no issues. Any ideas? thanks a lot
RE: [ActiveDir] Effect of change to MaxValRange
Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value. Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit. I think I was basically right. Thanks for helping me strengthen my point.
RE: [ActiveDir] Migration between domains with same NetBios name
Thanks Dj - time to check rendom out a little more /Guido

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Freitag, 17. Juni 2005 15:20 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Migration between domains with same NetBios name

Deji, you mention you've already leveraged rendom in production environments Correct. One of the most recent involved a divestiture, and that was when I had the conversation with Chris. You are correct in that this is an OS-limitation and Chris and I agreed on that too. But, he was thinking that they could put a work-around into V3, although we didn't know what that work-around might be. I don't mind mentioning that I've always tried to avoid it and didn't have the requirement until now. I used to also - until they released the current rendom and the Fixups. The original rendom (in the 2K3 CD) has some limitations. The new one addresses some of the concerns we had when Domain Rename was first introduced. I know quite well what's involved and what will potentially break if used in AD A very valid point, but one that has been addressed in a better form since the release of the new rendom and the efforts I have to go through on the client and member-server side If it were easy, nobody would need us to do it, no? :) I'd be happy to hear from you that I'm making this too difficult and rendom is no issue... ;-) I'd be happy to discuss my experience with you. I hope you are doing this on TM basis :P the best approach yet (thanks Jorge and Aric) is to add another BDC to the old dom, take it offline, promote to PDC and rename it's domain then migrate account and group objects across to AD As I haven't experimented with this approach, I can't comment.

Here are some things you might want to read over:

http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/4d0c3b6e-e6f5-4ab3-9d81-106ae3a71549.mspx
http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc
http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Ftranscripts%2Fwct052103.asp

- The last 2 above are somewhat outdated, but they are informative. There are some useful blogs I've come across before, but they relate to Exchange-specific considerations in a rendom situation. HTH

Sincerely, Dj Akmlf, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
Re: [ActiveDir] RRAS pptp issue
Hi

Please check your ADSL equipment. There may be some issue with this equipment. You can check it by using this equipment on some other user or you can swap this equipment with any other working equipment.

-- DR
RE: [ActiveDir] RRAS pptp issue
All the other users are fine. I have 5 users sharing this router and only one has an issue... thanks
RE: [ActiveDir] RRAS pptp issue
Tom, I think what Ravi is saying is that this is a client side issue, and given the information on this event he's likely as right as anyone else is going to be, given the information. The problem with the 20159 event is that anytime anyone disconnects, a 20159 can be generated. So, it's a bit difficult to pin this event down as substantive evidence of a problem. I'd be interested in seeing complementary entries on the event logs or devices logs for the PPTP on the client. I suspect we are going to learn more from the one client that isn't working rather than the RRAS that appears to be working just fine.

Rick
RE: [ActiveDir] Effect of change to MaxValRange
I also posted to this dl once before on MaxPageSize. The same argument could be made for MaxValRange as I made for MaxPageSize.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 17, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Effect of change to MaxValRange

Thanks for the feedback. I thought some of the experts would be able to better articulate the consequences of changing that value. I read about it in Eric's Blog and based on the information I had come up with this response to changing the value.

Performance issues include increased processor time to run the query and increased network bandwidth to send unnecessary query results. If the answer to the query is found in the first 1500 results there is no need to send another 2500 records. This setting affects all applications, so if multiple queries are run with an unspecified range it will return all of the results to every query and as more applications begin to use Active Directory for LDAP queries we will feel the performance hit.

I think I was basically right. Thanks for helping me strengthen my point.

From: joe [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 06/17/2005 11:33 AM
Subject: RE: [ActiveDir] Effect of change to MaxValRange
Please respond to: [EMAIL PROTECTED]

What happens when that isn't enough and they refuse to change again and you have to change your policy once more? How do you know you hit the limit and you aren't dropping entries? The application surely won't know. It will simply think there were only 4000 values and be done with it. If that attribute is for anything important, that could surely spell disaster for something.

It could break applications that handle ranging but have a hard coded value for how big they think the ranges are. This happened to several applications I heard about as well as my own adfind because the developers (and I) assumed that the range returned would always be a certain size. Hopefully it shouldn't be many now since we got caught out in the 2K to K3 MaxValRange change from 1000 to 1500 but you never know. How the apps break depends on the apps, adfind would display some of the same values multiple times. One app I heard would fault out because it knew there couldn't be duplicate values and would hit them thinking there was a directory corruption issue.

I expect there could be some hit on perf from slight to pretty bad as additional resources would be tied up for every query that hit objects with more than 1500 values. I am not sure, this isn't something I would ever consider doing outside of playtime in the lab. It is just too dangerous in my opinion. I would consider increasing MaxResultSetSize before I increased MaxValRange and I almost certainly wouldn't ever increase MaxResultSetSize either.

I would severely question using that vendor because you don't know what other things they aren't doing correctly for Active Directory. Production AD is not the place to play with crappy directory aware apps. Exchange is more than enough. :o)

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 17, 2005 10:50 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Effect of change to MaxValRange

All,

What are the effects of changing the MaxValRange value? I have a vendor that does not want to change their code for LDAP queries that exceed this value. I wanted to know what repercussions I would experience if I increase it to 4,000.

Chris
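The range-size failure discussed in the MaxValRange thread above, reproduced against a simulated directory. This is an added example, not code from the thread, from adfind or from any vendor. The `attr;range=low-high` option with `*` as the final upper bound is Active Directory's range retrieval syntax; `simulated_read`, the three client functions, the DNs, and the assumption that the fragile client steps by a fixed 1000 are constructed for illustration.

```python
import re

# Constructed data: a 4000-member group; the DNs are made up for this example.
MEMBERS = [f"CN=user{i:04d},OU=Staff,DC=example,DC=test" for i in range(4000)]
RANGE_RE = re.compile(r"^([^;]+);range=(\d+)-(\d+|\*)$", re.IGNORECASE)


def simulated_read(request, max_val_range=1500, values=MEMBERS):
    """Hypothetical stand-in for one LDAP read of 'attr;range=low-high'.

    Mimics the server side: the chunk is capped at max_val_range and the
    returned attribute name carries the range actually served, with '*'
    as the upper bound on the final chunk.
    """
    attr, low, high = RANGE_RE.match(request).groups()
    low, last = int(low), len(values) - 1
    if low > last:
        raise LookupError("range start is past the last value")
    asked = last if high == "*" else min(int(high), last)
    served = min(asked, low + max_val_range - 1)
    label = "*" if served == last else str(served)
    return f"{attr};range={low}-{label}", values[low:served + 1]


def read_all_ranged(attr, read=simulated_read, **server):
    """Correct client: the next request starts where the server says it stopped."""
    out, low = [], 0
    while True:
        name, chunk = read(f"{attr};range={low}-*", **server)
        out.extend(chunk)
        high = RANGE_RE.match(name).group(3)
        if high == "*":
            return out
        low = int(high) + 1


def read_all_hardcoded(attr, assumed=1000, read=simulated_read, **server):
    """Fragile client: advances by the chunk size it assumes the server uses."""
    out, low = [], 0
    while True:
        name, chunk = read(f"{attr};range={low}-*", **server)
        out.extend(chunk)
        if RANGE_RE.match(name).group(3) == "*":
            return out
        low += assumed


def read_first_chunk_only(attr, read=simulated_read, **server):
    """Client with no ranging support: keeps whatever the first read returned."""
    return read(f"{attr};range=0-*", **server)[1]


if __name__ == "__main__":
    for limit in (1000, 1500, 4000):
        got = read_all_hardcoded("member", max_val_range=limit)
        print(limit, "hard-coded client:", len(got), "values,",
              len(got) - len(set(got)), "duplicates")
    print("ranged client:", len(read_all_ranged("member")), "values")
```

The hard-coded client is correct while the server limit equals its assumed 1000 and returns duplicate values once the limit is 1500; the client that parses the returned range is unaffected by the limit.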
Re: [ActiveDir] RRAS pptp issue
The 20159 event is on the client. That's the only event on the client. The RRAS server does not generate any events or logs. Is there any other place the client logs pptp info besides event viewer? All the other clients use the same netopia router as a gateway with no issues so I think this is only specific to this particular client. Thanks
RE: [ActiveDir] Add computers to domain
It depends on how they are added. If the nondomainadmins precreate the machine accounts and give themselves the right to join them then no, you will not bump into the join quota enforced for normal users.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, June 16, 2005 3:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Add computers to domain

Hi all,

Single W2k3 domain

We have moved the default Computer Container to a newly created OU called "COMPUTERS". On this OU, we have delegated Create Computer Objects and Delete Computer Objects to a group called "NONDOMAINADMINS". This group is also a member of the local admins group on all member servers. Note that this group is not a member of the domain admins group.

I read somewhere that all authenticated users can add up to 10 workstations to the domain by default. Would this group be restricted to the amount of computers it can add to the domain, as it is not a member of the domain admins group? If this group is restricted to 10 computers, how can I increase this?

Thanks
Frank
RE: [ActiveDir] Determining active user accounts
Glad you like it. wink

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark
Sent: Thursday, June 16, 2005 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. Great tool, Joe. Thanks

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from:

CALs required = [Total user objects] - [user objects flagged by oldcmp] ?

[Insert standard Call your reseller for definitive licensing advice disclaimer here.]

- Laura

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Determining active user accounts

We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?

Mark Creamer
Systems Engineer
Cintas Corporation

This e-mail transmission contains information that is intended to be confidential and privileged. If you receive this e-mail and you are not a named addressee you are hereby notified that you are not authorized to read, print, retain, copy or disseminate this communication without the consent of the sender and that doing so is prohibited and may be unlawful. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please delete and otherwise erase it and any attachments from your computer system. Your assistance in correcting this error is appreciated.
RE: [ActiveDir] Determining active user accounts
Yes, oldcmp will disable accounts if you would like it to. I would also recommend possibly moving the accounts that aren't normally used into some OU set up for that purpose.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, June 16, 2005 5:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Additionally, if it were me and if you've not done so already, I'd disable all of those unused accounts while I was counting. (oldcmp does this as well, no?)

Many unused accounts + at least one or two that have probably never changed from some default (or blank) password = monstrous attack vector waiting to happen.

(I'm big on the equations today for some reason.)

- Laura

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 4:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Thanks Laura, good suggestion. I forgot I could use oldcmp for users as well. Great tool, Joe. Thanks

mc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Thursday, June 16, 2005 3:56 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Determining active user accounts

Wouldn't the accounts that don't need server access show up as inactive if you ran them through joe's 'oldcmp'? If so, then couldn't you get a fair approximation from:

CALs required = [Total user objects] - [user objects flagged by oldcmp] ?

[Insert standard Call your reseller for definitive licensing advice disclaimer here.]

- Laura

-Original Message-
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 3:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Determining active user accounts

We need to get a count of users that are active, so we can make sure our purchasing of 2003 User CALs is as accurate as possible. However, every employee of the company has an account in Active Directory, but only a certain percentage of those users ever access a server or need to authenticate. What's the best way to determine how many users we need to have a User CAL for?

Mark Creamer
Systems Engineer
Cintas Corporation
RE: [ActiveDir] Unexpected WINS registering behavior
So is there an actual issue you are experiencing in all of this or is it just something you are trying to understand?

I recall this flipping back and forth all the way back to NT4 SP2/3. In fact I had servers with 4 and 5 NICs in them and any time I did an ipconfig each of the NICs would be showing something different. It was all working so I really didn't care about anything else.

If you are really curious if there are errors or something going on, spin up ethereal and start watching the network traces.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: Friday, June 17, 2005 9:26 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unexpected WINS registering behavior

Another strange thing is the client registers with the WINS server just fine. I can see it in the db's of each WINS server. The problem is the record continually gets a new owner as the WINS server order flip flops. This behavior seems pretty sub-optimal to me...

-kevin

On Fri, 17 Jun 2005 10:06:45 +0100, Ruston, Neil [EMAIL PROTECTED] said:

FYI: I tried the below and *did* see the same (odd) behaviour - WINS entries 'flipped'. I'm not sure if perhaps the WINS client flips to another WINS server if the server does not respond within n msec??

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: 16 June 2005 21:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Unexpected WINS registering behavior

More info: I set up a test lab:

1 Windows 2003 Sp1. WINS installed
1 Windows 2003 Sp1. WINS installed
1 XP sp2 client

Generic installs of WINS on each server. Set up Push/Pull replication between them. No other server configs done. Client points to the servers' IPs for WINS. All boxes are on the same subnet on the same isolated switch.

Doing a nbtstat -RR exhibits the same behavior. It swaps the WINS servers each time.

Can someone else try:

ipconfig /all = note the WINS order
nbtstat -RR
ipconfig /all = see if the WINS order changed

I'm stumped...

-alex

On Thu, 16 Jun 2005 08:41:57 -0700, Kevin Taco [EMAIL PROTECTED] said:

We have two WINS servers and one DHCP server. All are on different subnets. Is this what you were asking?

On Thu, 16 Jun 2005 16:54:22 +0200, Jorge de Almeida Pinto [EMAIL PROTECTED] said:

Are you using different DHCP servers that service the same subnet but where the WINS IP addresses are switched?

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Taco
Sent: Thursday 16 June 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Unexpected WINS registering behavior

I hope this email pertains to this mailing list. I apologize if it isn't.

Two WINS servers, both set up as replication partners with each other with push/pulls.

From Win2k, XP, and Win2k3 clients:

1. ipconfig /all
2. Primary WINS: 10.x.x.x Secondary WINS 192.x.x.x
3. nbtstat -RR
4. ipconfig /all
5. Primary WINS: 192.x.x.x Secondary WINS 10.x.x.x

Essentially the Primary and Secondary WINS servers get switched after doing a nbtstat -RR. Is this to be expected? What am I missing? Has anyone else seen this? Any help is greatly appreciated.

Thnx,
Kevin
RE: [ActiveDir] Virtual Domain Controllers
No MS OS is supported on VMWARE unless you have a Premier contract and then it is only best effort. See http://www.support.microsoft.com/kb/897615

Any mechanism to roll back the DCs disk in time is dangerous and would need to be strictly controlled. It could definitely cause significant forest issues.

There needs to be one group under one manager that controls the domain controllers in a forest. This goes for any forest on physical or virtual so that everyone is on the same page with how things are done. Different admins reporting through different managers is a recipe for disaster. The virtualization simply makes things easier to rollback which puts you a little closer to the line of pain.

Don't get me wrong, proper use of virtualization can give you some very cool benefits.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 16, 2005 8:52 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

All,

Is anybody currently running Domain Controllers in VMware or Virtual Server? Have there been any problems with this environment? There is a big push at my company to virtualize every environment but, I am sure Domain Controllers should be virtualized. One of my biggest concerns is the snapshot feature. I do not have full control over the Domain Controllers and I worry that another Admin will take a snapshot of the DC and make a few changes and if they don't work, revert to the snapshot before the changes. Wouldn't this be the same as using an older ghost image of the DC?

I'm just looking for some feedback to see if this is a viable solution.