RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy
The DNS is BIND. And there is only one DNS zone for this scenario in BIND, SCHOOL.EDU. All individual domains manually register the appropriate records from netlogon.dns. I guess that the different forests/domains might assume that they are not in the same zone but I've never really run a full fledged MS DNS service before.

The problem seems to be solely that if the disparate domains are not arranged with the trusting domains at least one level further from the root of the DNS than the trusted domain, authentication fails. So it has to be DOMAIN.AD.SCHOOL.EDU trusts AD.SCHOOL.EDU not DOMAIN.SCHOOL.EDU trusts AD.SCHOOL.EDU.

The only thing I can figure is that somehow the authentication path for a user principal such as [EMAIL PROTECTED] tries to walk a path that hierarchically takes it closer to SCHOOL.EDU from whatever domain it's in. I thought it might be similar to how the default for unqualified hostname resolution in windows is to "Append parent suffixes of the primary DNS suffix". So if the trusted domain doesn't happen to be in parent suffix it never looks there. But that's just a guess.

andrew

--On Wednesday, June 22, 2005 11:04 PM -0500 Rick Kingslan <[EMAIL PROTECTED]> wrote:

Andrew, Really interesting problem that you're experiencing here. I can't say that I have seen this, but I would say in my experience I've worked with a few multi-tree and multi-forest scenarios. Both the multi-tree and forest would naturally use a different DNS namespace for each tree or forest. I don't see this behavior, so it is concerning. You note that this is Windows Server 2003. Is there anything that you can detail about the DNS configuration? Being a Realm 'root', is the DNS on BIND? (Not that it's a bad thing...) How do the clients find the DNS that is authoritative for a given domain, (standard forwarding, conditional, stub zones) and where are the glue records for the specific cross-domain resolution (stub zones or secondaries)?
If this was Windows 2000, I'd be more apt to be asking questions about the configuration of the trusts - are they set as transitive for the Realm Trusts? On and on and so forth... 2K3 seems to have resolved much of that issue.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Wednesday, June 22, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

A few months ago I started a project to allow a Windows domain to trust another windows domain that trusts an MIT Kerberos Realm for user logons. An example of this setup would be

SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting windows domain

All of the Windows servers are Windows Server 2003. We have established a forest trust between the two Windows domains/forests, entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, used KSETUP or registry entries to add the references to the KDCs for SCHOOL.EDU on the workstations in OTHER.AD.UPENN.EDU. Additionally users in AD.SCHOOL.EDU have a name mapping to their MIT kerberos principal.

In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to a workstation in OTHER.AD.SCHOOL.EDU, and enter their MIT kerberos principal and password, and select SCHOOL.EDU(Kerberos Realm) from the "Log on to:" box and be authenticated as their user account in AD.SCHOOL.EDU.

The preceding solution works great, but I've found that if we establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy as AD.SCHOOL.EDU) then user logons fail. I've gone as far as setting up 2 other domains in a different DNS hierarchy and then swapping the trust around between the 4 and it's definitely something to do with how the domains are arranged DNS-wise.
None of them are in the same forests, so it seems like some parent DNS suffix fallback that's being applied, but I have no idea where to look. Any ideas?

thanks
andrew

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
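The hierarchical walk Andrew guesses at can be modelled directly. The Python below is an added example, not code from the thread: it applies the default hierarchical realm traversal Kerberos assumes when no explicit realm path is configured (RFC 4120 section 1.2, what MIT krb5 would otherwise take from [capaths]) and checks each hop against the trusts the thread describes. The trust set is constructed from the thread, and treating the Windows logon path as that same hierarchical walk is an assumption, not something the thread establishes.

```python
"""Hierarchical Kerberos realm traversal, modelled on RFC 4120 section 1.2.

Added example (not from the thread). Assumption: absent an explicit realm
path (MIT krb5 [capaths]), a client in realm SRC reaches realm DST by walking
up SRC's parent realms to the nearest common ancestor, then down to DST.
The trust set is constructed from the thread's description.
"""
from __future__ import annotations


def _labels(realm: str) -> list[str]:
    """Split a realm into its dot-separated labels, case-folded like DNS."""
    return realm.strip(".").upper().split(".")


def _common_suffix_len(a: list[str], b: list[str]) -> int:
    """Number of trailing labels the two realms share (their common ancestor)."""
    n = 0
    while n < len(a) and n < len(b) and a[-1 - n] == b[-1 - n]:
        n += 1
    return n


def hierarchical_path(src: str, dst: str) -> list[str]:
    """Realms a client in `src` transits to reach `dst`, endpoints included.

    Returns [] when the realms share no ancestor at all: the hierarchical
    rule gives no path then and an explicit capath would be required.
    """
    a, b = _labels(src), _labels(dst)
    n = _common_suffix_len(a, b)
    if n == 0:
        return []
    # Walk up from src through each parent realm below the common ancestor.
    path = [".".join(a[i:]) for i in range(len(a) - n)]
    # The common ancestor itself is a realm on the path.
    path.append(".".join(a[len(a) - n:]))
    # Walk down from the ancestor to dst, one child realm at a time.
    path.extend(".".join(b[i:]) for i in range(len(b) - n - 1, -1, -1))
    return path


def missing_hops(path: list[str], trusts: set[frozenset[str]]) -> list[tuple[str, str]]:
    """Hops on `path` with no configured trust between the two realms.

    Trusts are modelled as unordered pairs; direction is ignored here.
    """
    return [(x, y) for x, y in zip(path, path[1:]) if frozenset((x, y)) not in trusts]


# Constructed from the thread: the realm trust AD.SCHOOL.EDU <-> SCHOOL.EDU and
# forest trusts from the two trusting Windows domains to AD.SCHOOL.EDU.
THREAD_TRUSTS: set[frozenset[str]] = {
    frozenset(("AD.SCHOOL.EDU", "SCHOOL.EDU")),
    frozenset(("OTHER.AD.SCHOOL.EDU", "AD.SCHOOL.EDU")),
    frozenset(("DOMAIN.SCHOOL.EDU", "AD.SCHOOL.EDU")),
}


def diagnose(src: str, dst: str, trusts: set[frozenset[str]] = THREAD_TRUSTS) -> dict:
    """Path a logon from `src` to `dst` would walk, and the hops lacking a trust."""
    path = hierarchical_path(src, dst)
    return {"path": path, "missing": missing_hops(path, trusts)}


if __name__ == "__main__":
    # OTHER.AD.SCHOOL.EDU passes through AD.SCHOOL.EDU, which holds the realm
    # trust; DOMAIN.SCHOOL.EDU goes straight to its parent and never does.
    for client in ("OTHER.AD.SCHOOL.EDU", "DOMAIN.SCHOOL.EDU"):
        d = diagnose(client, "SCHOOL.EDU")
        status = "ok" if not d["missing"] else f"no trust for hop {d['missing'][0]}"
        print(f"{client} -> SCHOOL.EDU: {' -> '.join(d['path'])}: {status}")
```

Under this model the DOMAIN.SCHOOL.EDU walk stops at a hop with no trust, which matches the failure pattern Andrew reports; a defender checking such a setup would want the realm path written explicitly rather than relying on the DNS-shaped default.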
RE: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy
Andrew, Really interesting problem that you're experiencing here. I can't say that I have seen this, but I would say in my experience I've worked with a few multi-tree and multi-forest scenarios. Both the multi-tree and forest would naturally use a different DNS namespace for each tree or forest. I don't see this behavior, so it is concerning. You note that this is Windows Server 2003. Is there anything that you can detail about the DNS configuration? Being a Realm 'root', is the DNS on BIND? (Not that it's a bad thing...) How do the clients find the DNS that is authoritative for a given domain, (standard forwarding, conditional, stub zones) and where are the glue records for the specific cross-domain resolution (stub zones or secondaries)?

If this was Windows 2000, I'd be more apt to be asking questions about the configuration of the trusts - are they set as transitive for the Realm Trusts? On and on and so forth... 2K3 seems to have resolved much of that issue.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Riley
Sent: Wednesday, June 22, 2005 4:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy

A few months ago I started a project to allow a Windows domain to trust another windows domain that trusts an MIT Kerberos Realm for user logons. An example of this setup would be

SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting windows domain

All of the Windows servers are Windows Server 2003. We have established a forest trust between the two Windows domains/forests, entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, used KSETUP or registry entries to add the references to the KDCs for SCHOOL.EDU on the workstations in OTHER.AD.UPENN.EDU.
Additionally users in AD.SCHOOL.EDU have a name mapping to their MIT kerberos principal. In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to a workstation in OTHER.AD.SCHOOL.EDU, and enter their MIT kerberos principal and password, and select SCHOOL.EDU(Kerberos Realm) from the "Log on to:" box and be authenticated as their user account in AD.SCHOOL.EDU.

The preceding solution works great, but I've found that if we establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy as AD.SCHOOL.EDU) then user logons fail. I've gone as far as setting up 2 other domains in a different DNS hierarchy and then swapping the trust around between the 4 and it's definitely something to do with how the domains are arranged DNS-wise. None of them are in the same forests, so it seems like some parent DNS suffix fallback that's being applied, but I have no idea where to look. Any ideas?

thanks
andrew
RE: [ActiveDir][OT] File copy with security intact
Yep - what assist do you need, or what information related to it? Happy to help

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 6:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Has anyone had any experience using the Microsoft File Server Migration Toolkit? http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Medeiros, Jose
Sent: Tuesday, June 21, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

I don't want to seem like I am knocking Robocopy, however from my experience Robocopy also does the same thing. It will stop when a file is locked or in use. It does not copy at the block level like rsync. It is a very useful tool but beware of its limitations. (Although the version I used was from the 2000 resource kit, so if there have been improvements I may be mistaken).

Jose

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

Robocopy is my FRS engine for Dfs. :)

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Webster
Sent: Tuesday, June 21, 2005 4:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] File copy with security intact

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Jorge de Almeida Pinto
> Subject: RE: [ActiveDir][OT] File copy with security intact
>
> My experience with XCOPY is that with large amounts of data
> it suddenly quits.

Jorge,

Try XXCopy. Works great.
Webster
RE: [ActiveDir] GPO configuration
Very interesting that that's in Group Policy. We used to do something similar for our Internet kiosks with a teeny homegrown VB app. In that case we pretty much chose to ignore the "user can open 100 windows at once and gum up the works" problem, since the kiosk was on a ridiculously short idle timeout that would close everything and start over for the next person anyway. -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Wed 6/22/2005 11:26 PM To: ActiveDir@mail.activedir.org Cc: Subject:RE: [ActiveDir] GPO configuration However, this solves part of the problem, yes? Seems that this won't prevent the closing of Windows Explorer windows... But, I could be wrong - I haven't tried it. :-) Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, June 21, 2005 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration that's what I call a surprise ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Dienstag, 21. Juni 2005 16:03 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration Took me a while, but here it is: User Configuration/Administrative Templates/Browser menus/"File menu: Disable closing the browser and Explorer windows" > You could prevent users from logging on in the first place - this will > ensure they can't close any window. The only issue is that they can't > open any either ;-)) > > Just curious - why would you want to achieve this in the first place? > > /Guido > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia > Sent: Donnerstag, 16. Juni 2005 00:07 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] GPO configuration > > I've not seen one. I think that would be pretty hard to pull off unless > you can remove the hot keys and window buttons. 
> > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman > III > Sent: Wednesday, June 15, 2005 1:47 PM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] GPO configuration > > > Isn't there a GPO setting that can prevent users from closing any window > they open?
RE: [ActiveDir] GPO configuration
However, this solves part of the problem, yes? Seems that this won't prevent the closing of Windows Explorer windows... But, I could be wrong - I haven't tried it. :-) Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido Sent: Tuesday, June 21, 2005 12:18 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration that's what I call a surprise ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Dienstag, 21. Juni 2005 16:03 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] GPO configuration Took me a while, but here it is: User Configuration/Administrative Templates/Browser menus/"File menu: Disable closing the browser and Explorer windows" > You could prevent users from logging on in the first place - this will > ensure they can't close any window. The only issue is that they can't > open any either ;-)) > > Just curious - why would you want to achieve this in the first place? > > /Guido > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia > Sent: Donnerstag, 16. Juni 2005 00:07 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] GPO configuration > > I've not seen one. I think that would be pretty hard to pull off unless > you can remove the hot keys and window buttons. > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman > III > Sent: Wednesday, June 15, 2005 1:47 PM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] GPO configuration > > > Isn't there a GPO setting that can prevent users from closing any window > they open? 
RE: [ActiveDir] Can't find anyting on this
Seen it. I get -1603, not -1605.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 22, 2005 5:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Can't find anyting on this

This? http://support.microsoft.com/?kbid=834926

Next time, if Google lets you down, there is still eventid.net :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 6/21/2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can't find anyting on this

Event Type: Warning
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1173
Date:6/21/2005
Time:10:08:47 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer: TheServer
Description:
Internal event: Active Directory has encountered the following exception and associated parameters.
Exception: e0010004
Parameter: 0
Additional Data
Error value: -1603
Internal ID: 2050344
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Closest thing I found was a -1605. Box is a 2k3 SP1 clean build (aka I built it on 2k3 SP1) PDC FSMO and GC.

--brian
[ActiveDir] Windows -> MIT Cross-realm auth to domains not in the same dns hierarchy
A few months ago I started a project to allow a Windows domain to trust another windows domain that trusts an MIT Kerberos Realm for user logons. An example of this setup would be

SCHOOL.EDU <- our MIT Realm
AD.SCHOOL.EDU <- the Windows domain that trusts the MIT Realm
OTHER.AD.SCHOOL.EDU <- a trusting windows domain

All of the Windows servers are Windows Server 2003. We have established a forest trust between the two Windows domains/forests, entered a new Domain Suffix in AD.SCHOOL.EDU for SCHOOL.EDU, established a REALM Trust between AD.SCHOOL.EDU and SCHOOL.EDU, used KSETUP or registry entries to add the references to the KDCs for SCHOOL.EDU on the workstations in OTHER.AD.UPENN.EDU. Additionally users in AD.SCHOOL.EDU have a name mapping to their MIT kerberos principal.

In this setup, someone with a user account in AD.SCHOOL.EDU can walk up to a workstation in OTHER.AD.SCHOOL.EDU, and enter their MIT kerberos principal and password, and select SCHOOL.EDU(Kerberos Realm) from the "Log on to:" box and be authenticated as their user account in AD.SCHOOL.EDU.

The preceding solution works great, but I've found that if we establish a trust to a domain such as DOMAIN.SCHOOL.EDU (not in the same DNS hierarchy as AD.SCHOOL.EDU) then user logons fail. I've gone as far as setting up 2 other domains in a different DNS hierarchy and then swapping the trust around between the 4 and it's definitely something to do with how the domains are arranged DNS-wise. None of them are in the same forests, so it seems like some parent DNS suffix fallback that's being applied, but I have no idea where to look. Any ideas?

thanks
andrew
RE: [ActiveDir] Migrating remote users to new domain
Great idea Charlie, I'll test that in the lab. Ian > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of > Carerros, Charles > Sent: 22 June 2005 13:06 > To: 'ActiveDir@mail.activedir.org'; Jorge de Almeida Pinto > Cc: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] Migrating remote users to new domain > > Ian, > > One thing that you might want to try (and that I think will > work) is if you migrate the machine over their VPN, but when > the computer comes back online have them use their old > network ID to log on once, connect through your VPN client > and then have them use the "run as" feature on any > application using their new domain credentials. > > When they use the "run as" it should download their new > credentials to the machine so when they log off their old > account and back in with the new account the laptop should > already have the SAM entry for the new domain account. > > It's a theory, but it might work. > > Charlie > > -Original Message- > From: Ian Moran [mailto:[EMAIL PROTECTED] > Sent: Wednesday, June 22, 2005 2:31 AM > To: Jorge de Almeida Pinto > Cc: Ian Moran; [EMAIL PROTECTED]; > ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Migrating remote users to new domain > > > Sorry, I should have been clearer. It's the computer accounts > that concern me. We can arrange for the users workstation to > be connected to the domain at the time of migration but I'm > just thinking it may be safer to simply have all remote > computers returned to the main office for the migration. > > On 21 Jun 2005, at 21:43, Jorge de Almeida Pinto wrote: > > > The user accounts can be migrated without the actual user > connecting > > to the LAN, no matter what migration tool you use. However > to migrate > > the client computers and re-acl the client computer the > computers must > > be connected to the LAN. I'm sure of that if you use ADMT. 
I'm not > > aware if there exists a migration tool that can migrate "offline" > > > > #JORGE# > > > > -Original Message- > > From: [EMAIL PROTECTED] > > To: ActiveDir@mail.activedir.org > > Sent: 6/21/2005 10:26 PM > > Subject: [ActiveDir] Migrating remote users to new domain > > > > I'd appreciate a quick heads up on this. I have a Windows > 2003 native > > Mode domain with 150 odd remote users. These users are connected to > > the domain via client VPN over Broadband. > > > > Will it be possible to migrate these users and computers to a new > > domain using ADMT (or third party tool) without bringing the > > workstations onto the LAN. Anyone done something similar ? > > > > Ian > > > > > > > > This e-mail and any attachment is for authorised use by the > > intended recipient(s) only. It may contain proprietary material, > > confidential information and/or be subject to legal privilege. It > > should not be copied, disclosed to, retained or used by, any other > > party. If you are not an intended recipient then please promptly > > delete this e-mail and any attachment and all copies and > inform the > > sender. Thank you.
RE: [ActiveDir] RRAS pptp issue
We've experienced similar issues and they are always a client side issue; usually dropped packets. VPNs don't like dropped packets. :-) When we get more than 20-30% dropped packets, we see the VPN start to flap. I start by checking the client IP settings and if I don't find an issue there, I get the ISP involved. Sometimes something as simple as a DSL router reboot cures the problem. I have frequently found line issues when the ISP gets involved, though. My experience has been like yours; extremely limited logging on the client side. There may be a way to crank it up, but I haven't really looked for it. I usually find lower-level errors quickly and work from there...

** Charlie Kaiser MCSE, CCNA Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

> -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom > Sent: Monday, June 20, 2005 9:36 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] RRAS pptp issue > > still having issues with this. > it just disconnects after 5mins and logs a 20159 event on the client. > Nothing is logged on the RRAS server. > Can someone point me as to what else to look for? > > As I've said, all the other(4) clients have the same > OS/config and use the same netopia router with no issues. > > Thanks > > -Original Message- > From: Rick Kingslan [mailto:[EMAIL PROTECTED] > Sent: Friday, June 17, 2005 5:33 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] RRAS pptp issue > > > > Tom, > > > > I think what Ravi is saying is that this is a client side > issue, and given the information on this event - he's likely > as right as anyone else is going to be, given the > information. The problem with the 20159 event is that > anytime anyone disconnects, a 20159 can be generated. So, > it's a bit difficult to pin this event down as substantive > evidence of a problem.
> > > > I'd be interested on seeing complementary entries on > the event logs or devices logs for the PPTP on the client. I > suspect we are going to learn more from the one client that > isn't working rather than the RRAS that appears to be working > just fine. > > > > Rick > > > > > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom > Sent: Friday, June 17, 2005 3:51 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] RRAS pptp issue > > > > all the other users are fine. > > i have 5 users sharing this router and only one has an issue... > > > > > > thanks > > -Original Message- > From: Ravi Dogra [mailto:[EMAIL PROTECTED] > Sent: Friday, June 17, 2005 4:27 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] RRAS pptp issue > > Hi > Please check your ADSL equipment. There may be > some issue with this equipment. you can check it by using > this equipment on some other user or you can swap this > equipment with any other working equipment. > > -- > DR >
[ActiveDir] Tuning the server service and event ID 2022
Whilst working with Windows NT and Windows 2000, I've encountered issues with the server service which manifest themselves as "event id 2022" http://support.microsoft.com/?kbid=245080

Specifically, I have observed this on w2k DCs (SP3) and made registry changes to the lanmanserver key as a result. See below for detail.

Maximum Work Items 65535
Maximum Raw Work Items 512
Maximum Free Connections 100
Minimum Free Connections 32

The above changes appear to have alleviated the issues and I am now researching if these changes are needed on w2k3 DCs. I have read/been informed that the w2k3 server service is self tuning and therefore will not require the above changes to be made. I have also been led to believe that the default and max values for the above keys are significantly increased when comparing w2k and w2k3.

Does anyone else have any experiences / suggestions / best practices they can share on this subject?

TIA,
neil
RE: [ActiveDir] Migrating remote users to new domain
Ian, One thing that you might want to try (and that I think will work) is if you migrate the machine over their VPN, but when the computer comes back online have them use their old network ID to log on once, connect through your VPN client and then have them use the "run as" feature on any application using their new domain credentials. When they use the "run as" it should download their new credentials to the machine so when they log off their old account and back in with the new account the laptop should already have the SAM entry for the new domain account. It's a theory, but it might work. Charlie -Original Message- From: Ian Moran [mailto:[EMAIL PROTECTED] Sent: Wednesday, June 22, 2005 2:31 AM To: Jorge de Almeida Pinto Cc: Ian Moran; [EMAIL PROTECTED]; ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Migrating remote users to new domain Sorry, I should have been clearer. It's the computer accounts that concern me. We can arrange for the users workstation to be connected to the domain at the time of migration but I'm just thinking it may be safer to simply have all remote computers returned to the main office for the migration. On 21 Jun 2005, at 21:43, Jorge de Almeida Pinto wrote: > The user accounts can be migrated without the actual user > connecting to the > LAN, no matter what migration tool you use. However to migrate the > client > computers and re-acl the client computer the computers must be > connected to > the LAN. I'm sure of that if you use ADMT. I'm not aware if there > exists a > migration tool that can migrate "offline" > > #JORGE# > > -Original Message- > From: [EMAIL PROTECTED] > To: ActiveDir@mail.activedir.org > Sent: 6/21/2005 10:26 PM > Subject: [ActiveDir] Migrating remote users to new domain > > I'd appreciate a quick heads up on this. I have a Windows 2003 native > Mode domain with 150 odd remote users. These users are connected to > the > domain via client VPN over Broadband. 
> > Will it be possible to migrate these users and computers to a new > domain > using ADMT (or third party tool) without bringing the workstations > onto > the LAN. Anyone done something similar ? > > Ian > > > > This e-mail and any attachment is for authorised use by the > intended recipient(s) only. It may contain proprietary material, > confidential information and/or be subject to legal privilege. It > should not be copied, disclosed to, retained or used by, any other > party. If you are not an intended recipient then please promptly > delete this e-mail and any attachment and all copies and inform the > sender. Thank you. >
RE: [ActiveDir] Can't find anyting on this
This? http://support.microsoft.com/?kbid=834926

Next time, if Google lets you down, there is still eventid.net :)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Tue 6/21/2005 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Can't find anyting on this

Event Type: Warning
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1173
Date:6/21/2005
Time:10:08:47 AM
User:NT AUTHORITY\ANONYMOUS LOGON
Computer: TheServer
Description:
Internal event: Active Directory has encountered the following exception and associated parameters.
Exception: e0010004
Parameter: 0
Additional Data
Error value: -1603
Internal ID: 2050344
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Closest thing I found was a -1605. Box is a 2k3 SP1 clean build (aka I built it on 2k3 SP1) PDC FSMO and GC.

--brian
Re: [ActiveDir] Migrating remote users to new domain
Sorry, I should have been clearer. It's the computer accounts that concern me. We can arrange for the user's workstation to be connected to the domain at the time of migration but I'm just thinking it may be safer to simply have all remote computers returned to the main office for the migration.

On 21 Jun 2005, at 21:43, Jorge de Almeida Pinto wrote: > The user accounts can be migrated without the actual user > connecting to the > LAN, no matter what migration tool you use. However to migrate the > client > computers and re-acl the client computer the computers must be > connected to > the LAN. I'm sure of that if you use ADMT. I'm not aware if there > exists a > migration tool that can migrate "offline" > > #JORGE# > > -Original Message- > From: [EMAIL PROTECTED] > To: ActiveDir@mail.activedir.org > Sent: 6/21/2005 10:26 PM > Subject: [ActiveDir] Migrating remote users to new domain > > I'd appreciate a quick heads up on this. I have a Windows 2003 native > Mode domain with 150 odd remote users. These users are connected to > the > domain via client VPN over Broadband. > > Will it be possible to migrate these users and computers to a new > domain > using ADMT (or third party tool) without bringing the workstations > onto > the LAN. Anyone done something similar ? > > Ian > > > > This e-mail and any attachment is for authorised use by the > intended recipient(s) only. It may contain proprietary material, > confidential information and/or be subject to legal privilege. It > should not be copied, disclosed to, retained or used by, any other > party. If you are not an intended recipient then please promptly > delete this e-mail and any attachment and all copies and inform the > sender. Thank you. >
RE: [ActiveDir] Migrating remote users to new domain
Excellent, thanks Charlie, makes complete sense. In this case all VPNs are client based so it looks like a return to base will be required.

Ian

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carerros, Charles
Sent: 21 June 2005 21:35
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Migrating remote users to new domain

As long as the VPN connection is at the router level and isn't a desktop VPN then you will be alright. I just finished migrating most of my Division with eight different locations being VPN locations. The only problem I ran into was with our remote users who use desktop VPN software. The desktop VPN software needs to be launched by the end-user which means after the laptop was migrated and rebooted the user could not log on because the laptop couldn't find the domain until after it was connected with the VPN software which couldn't be launched until after the user was logged on. The Chicken and the Egg problem. But the site based VPN users went flawlessly, (oh, after we solved an MTU sizing issue at those locations).

Hope this info helps.

Charlie

-Original Message-
From: Ian Moran [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 21, 2005 3:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Migrating remote users to new domain

I'd appreciate a quick heads up on this. I have a Windows 2003 native Mode domain with 150 odd remote users. These users are connected to the domain via client VPN over Broadband.

Will it be possible to migrate these users and computers to a new domain using ADMT (or third party tool) without bringing the workstations onto the LAN. Anyone done something similar ?

Ian