RE: [ActiveDir] OT: Command line to create a local account
Jeff,

CLS
@echo off
ECHO.
ECHO Create User Account Whatever...
REM Create the local account with the given password
net user Whatever whatevermypasswordis /add
REM Put the account in the local Guests group
net localgroup Guests Whatever /add
REM Set the maximum password age to unlimited (this is a machine-wide policy, not a per-account setting)
net accounts /maxpwage:unlimited
REM Disable the account
net user Whatever /active:no
ECHO.

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, 28 June 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line to create a local account

What would be the syntax in a batch file so that I could create a local account, assign it a password and disable the account? Also, the account needs to be part of the Guests group and a password must be required for it. I've got an idea, but I'm trying to do it in as few commands as possible.

Jeff

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
FW: [ActiveDir] OT: Command line to create a local account
Sorry about the last truncated post... PEBKAC (Problem Exists Between Keyboard and Computer)...

Jeff,

CLS
@echo off
ECHO.
ECHO Create User Account Whatever...
REM Create the local account with the given password
net user Whatever whatevermypasswordis /add
REM Put the account in the local Guests group
net localgroup Guests Whatever /add
REM Set the maximum password age to unlimited (this is a machine-wide policy, not a per-account setting)
net accounts /maxpwage:unlimited
REM Disable the account
net user Whatever /active:no
ECHO.
EXIT

James

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, 28 June 2005 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Command line to create a local account

What would be the syntax in a batch file so that I could create a local account, assign it a password and disable the account? Also, the account needs to be part of the Guests group and a password must be required for it. I've got an idea, but I'm trying to do it in as few commands as possible.

Jeff
RE: [ActiveDir] DNS Scavenging
Hi,

A quote:

## The refresh interval must be long enough to allow all servers that maintain resource records to update their timestamps. Because the Dynamic Host Configuration Protocol (DHCP) server is usually the last server to update its records, you can monitor DHCP records to make sure you have scheduled enough time for updates. If records are being scavenged too soon, use the DNS console to set this value back to the default value of one week (168 hours). ##

The rule:

At zone level, AGING is by default configured to prevent dynamic refreshes of resource records during the first 7 days of their existence. This prevents unnecessary replication traffic, because clients/servers update their records all the time. The no-refresh interval by default is configured to the same value as the refresh interval. It is best to keep these two values the same.

During the second 7 days, dynamic refreshes are allowed. The refresh interval preferably has a value that is the same as the maximum time possible, in normal circumstances, to refresh/update a record. The latter applies to DHCP clients (see quote above). The DHCP lease duration is by default the longest period, and the period within the lease duration at which a client tries to update its lease is 87.5% of it.

In short:
no-refresh value = refresh value
refresh value = 87.5% of DHCP lease duration

Cheers,
#JORGE#

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 4:42 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Thanks for your response. I have one more question: are the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to, but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries. I don't think there are too many, so it shouldn't be too difficult; I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact.

Thanks,
-Tim

From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging

First off, you need to be careful with such low no-refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (or maybe it's Aging:) value for records with timestamps. If your zone used to be a standard primary zone and you never had scavenging enabled on it, then any records dynamically registered into that zone would not have received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records, but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps, and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a standard naming convention...

--- Wright, T. MR NSSB [EMAIL PROTECTED] wrote:

All,

I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DCs running at 2003 functional level. All of the DCs run DNS, and on one of them I enabled scavenging at the server level and configured all zones to have a no-refresh interval of 1 hour and a refresh interval of 8 hours. I did this a few weeks ago and many of the records still exist in DNS. I know for a fact that I have a few thousand workstations which have been off the network for more than 30 days. I think what I am seeing is the issue where the records that existed prior to me enabling scavenging won't get scavenged. That said, I know I can manually age all of the records using dnscmd, but this will take all of my statically created records with it. Are there any ways around this so that my static records don't get touched?

Thanks,
-Tim
RE: [ActiveDir] Advertising RPC services - best practices
Apologies for being vague :)

I would like to restrict the app so it has read/write/delete to its own RPC container [in AD] and no more.

Moreover, I'm interested to hear any experiences others have of similar RPC-advertised apps.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: 24 June 2005 16:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Advertising RPC services - best practices

Neil,

What are you trying to restrict? Access to the app, access via RPC, or access via AD? I can help, but the scope is pretty big at this point.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, June 24, 2005 9:40 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] Advertising RPC services - best practices

Does anyone have any suggestions, comments or experiences with applications that advertise themselves via the RpcServices container in AD? Specifically, the subject of security is of interest to me, i.e. how can the application be restricted so that it has a minimum set of privileges without 'breaking' the app? I have read various MS papers on the subject and am happy with the general principles involved. I'm more interested in "real world" examples :)

TIA,
neil
RE: [ActiveDir] Delegation to Child Domain Failing
Gonna do that next time. Problem is, when it happens it's usually mid-day and I don't have much time to do anything in depth. Anyway, since it happened twice, I guess I need to press a little more diligence into finding the root cause. :/

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 6:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

Are you getting anything returned from the DNS server for the query, where "anything" is defined as seeing something in a network sniffer, not whatever tool is asking?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Sunday, June 26, 2005 11:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

Sure Guido, thanks for the response. For an unknown reason, root name servers stop responding properly to requests for records in a child domain. In other words, delegation is set up, but delegation isn't working. For example, the root domain is root.com. If I query for child.root.com, I get no returns. When it works properly, I get a list of all the NS records for child.root.com. Rebooting the server or restarting DNS doesn't clear this up. However, if I remove the delegation to child.root.com and create it again, delegation works properly. Have you heard of anything like this before?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Saturday, June 25, 2005 4:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation to Child Domain Failing

Can you explain your issue a little more?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, 23 June 2005 22:42
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation to Child Domain Failing

Anyone else seeing this? This is the second time I've had to delete and create the child domain delegation. For some reason, the root NS seems to quit referring. I'm running Windows 2003. I can't find anything regarding this problem. The last time, I had a case opened with MS, but they didn't know of anything either. No errors, etc.
RE: [ActiveDir] Domain Admins Group Membership
Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights on machines?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rule for global groups is that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A. However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the addition of users from Domain B.

Rick

From: Ibarra, Juan [EMAIL PROTECTED]
Date: 2005/06/27 Mon AM 11:24:58 EDT
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi,

I need to add certain users from Domain B, a Windows 2000 domain, to the Domain Admins group of Domain A, a Windows 2003 domain. There is a two-way trust between the two domains; however, I can't seem to find a way to do this. I am able to add users to shares but not to the group. How could I accomplish this?

Thanks,
Juan
RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related
Hi,

Thanks for your input, guys. I've since resolved the issue by altering the PIX. I've found that it's not possible to increase the size of the allowed ICMP packets, but I can alter the way the PIX handles large ICMP packets. This is a function of the IDS element of the PIX, which will look at the data and compare the signatures of the traffic to its known list. An IDS policy exists to stop the 'Ping of Death' attack on the firewall. When I disabled this signature, my large ICMP packets were allowed through and thus my GPOs worked! However, there is a security implication to disabling these IDS signatures, so please check with your network/firewall consultants before making these changes.

What I plan to do is disable the IDS signature on the PIX and then update all my PCs with a GPO that alters the registry so as not to send these oversize pings.

To make the change on the PIX I used the PDM:
Log on and go to Configuration | System Properties.
Expand Intrusion Detection, then select IDS Signatures.
Disable '2150 - A fragmented ICMP' and '2151 - Large ICMP'.
Apply, then save.

Thanks again,
Adam

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: 24 June 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

This is one of those chicken-and-egg problems. When ICMP slow link detection fails (i.e. no response is received to the ping request), no GP processing occurs at all, so you can't disable slow link detection through GP. So you can't deliver the reg changes to disable slow link detection through GP. Fun. One novel approach I've seen is to make the change on the local GPO and then copy the relevant registry.pol files from the local GPO to all machines in the environment. Not elegant, but it gets the job done.

I've seen it documented that slow link detection uses max. packet sizes of 2048 bytes. However, in looking at the code around slow link detection, I found nothing in there that limited it to that, so I kinda wonder. In sniffer traces that I've done, however, I've not seen it above that, and often see smaller sizes. You say below that you are allowing 2K packets--is it exactly 2000 bytes or is it 2048?

Frankly, rather than having to lose the benefits of slow link detection by disabling it completely, I would definitely take the approach of opening up the firewall a bit to allow it to happen naturally. Unfortunately, my Cisco skills have evaporated over the years, so I am no help in directing you to actually make the change. A quick look at a Cisco PIX config guide didn't show it where I would have expected it, either in the access list commands or in the icmp command.

Darren

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, June 24, 2005 8:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

I initially started looking at this from one viewpoint, and then I began to think about slow link detection. You've taken traces to determine the size... What is the return message from ICMP when this large packet is detected by the PIX? Or does the PIX just discard it? If the PIX is discarding it, I suspect it might be possible that the link is being interpreted as very slow. What if you disable slow link detection at the GPOs?

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of knighTslayer
Sent: Friday, June 24, 2005 5:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Increase ICMP packet size on a PIX - GPO related

Hi,

I have a problem with remote sites in Active Directory not applying group policies. I've discovered that when the PC starts or logs on it will send an oversize ICMP packet to the DC to establish that the connection is available and good. As my sites are connected through a VPN via a PIX, I've discovered that the ICMP gets blocked by the PIX. Apparently, by default, the PIX does not allow ICMP packets greater than 2k, and the packet from the PC to the DC is bigger than this; therefore the PC doesn't get a reply, so it assumes that the connection is not that great, and thus USERENV does not download and apply the GPOs.

I've found that there are two work-arounds to this problem. One is to modify the registry on every PC to not bother sending the packet and just download GPOs anyway by adding these keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System]
"GroupPolicyMinTransferRate"=dword:

..and the other is to increase the allowed size of the ICMP packet on the PIX from 2k to something higher like 3k. I can't really justify changing 1000's of PCs' registry settings when I believe
SV: [ActiveDir] Domain Admins Group Membership
Hi,

Try to add them to the Administrators group.

br
Anders

From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Tue 2005-06-28 10:47
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights on machines?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rule for global groups is that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A. However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the addition of users from Domain B.

Rick

From: Ibarra, Juan [EMAIL PROTECTED]
Date: 2005/06/27 Mon AM 11:24:58 EDT
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi,

I need to add certain users from Domain B, a Windows 2000 domain, to the Domain Admins group of Domain A, a Windows 2003 domain. There is a two-way trust between the two domains; however, I can't seem to find a way to do this. I am able to add users to shares but not to the group. How could I accomplish this?

Thanks,
Juan
[ActiveDir] Move DC server to another site and SRV records
Hello,

Does anybody know when the SRV records in _site.domainname are deleted (changed) when I move a W2k3 DC server to another site? How can I find out the TTL of the SRV records?

THX
Z.
RE: [ActiveDir] OT: Outlook Web Access Split DNS
No no no no no no no no no.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, June 27, 2005 10:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

"though lately I have been fielding questions on event sinks"

Sweet. Can we expect a chapter on this in the cat book? :-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 6:16 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

I am decent with the Exchange/AD interface. Exchange's functionality itself is out of my scope and not anything I want in my scope, though lately I have been fielding questions on event sinks, which is scaring me. Mostly I am interested in how AD works. Not so interested in how technologies that use AD work, such as GPOs and Exchange and other things.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

You and Jeff are both completely correct - well, almost :). It's well documented - I was just too excited to think when I saw Joe cop a plea on Exchange :)

Since he has E2K3, I believe that this is what he wants: http://support.microsoft.com/kb/820378/

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Brian Desmond
Sent: Mon 6/27/2005 4:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This of course only works in a single domain forest. In a multidomain forest, if you put a \ in the domain box your users don't have to specify a domain, and IIS/Exchange does some magic to figure that part out. You should be specifying this in ESM though, not inetmgr. DS2MB will resync it and clear out anything you do in inetmgr.

Thanks,
Brian Desmond
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:58 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

IIS - Default Website (or wherever your Exchange VD is located) - right-click on Exchange - Directory Security - Default Domain. Type in the name of your domain in there or just browse and select it.

And he says this isn't his specialty... Yeah, right ;)

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty, but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...). We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem. Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
RE: [ActiveDir] Domain Admins Group Membership
No, not at all. I find it perfectly acceptable to use a 100 lb sledgehammer to work on the balance wheel in a priceless antique watch, or to use a nuclear device to take out one person in the middle of a packed Rose Bowl.

Yes, this is obviously a bit too much permission to give out to get admin rights to machines other than DCs. :o)

If someone says they need domain admin for anything, my first question is why. No one has ever gotten past that point with me when I held the keys. I have been told that by AV people, Tivoli/monitoring people, software delivery people and other people, and every single one of them got a response back of "fix your app or find another way".

Unfortunately, MS automatically populates Domain Admins and doesn't allow that to be configured. Of course you can use a GPO, but that is just using another tech to crutch the lack in the original implementation, which is happening a lot already (i.e. confidentiality bit, et al).

The proper answer is to create some other group and populate the machines you want to give admin rights on with that group, so that its members get those rights. This can be done before or after the machine is a member of the domain, either through GPOs or by adding the group directly when you build the machine or add it to the domain. My lg command-line tool will allow you to specify a group to be added to a machine prior to it being added to a domain, as long as it can resolve the domain SIDs needed.

Honestly, I wonder if we have passed the time when domain admin has exceeded its useful life. In all but the smallest implementations it probably isn't likely the domain admin designees are actually responsible for working on all machines in the domain. Maybe remove it from all products but SBS. That would certainly force crap app makers to find something else to do to work on the next rev of the OS. They won't just be able to say "make the service account a domain admin".

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 4:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights on machines?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rule for global groups is that they can contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A. However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the addition of users from Domain B.

Rick

From: Ibarra, Juan [EMAIL PROTECTED]
Date: 2005/06/27 Mon AM 11:24:58 EDT
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi,

I need to add certain users from Domain B, a Windows 2000 domain, to the Domain Admins group of Domain A, a Windows 2003 domain. There is a two-way trust between the two domains; however, I can't seem to find a way to do this. I am able to add users to shares but not to the group. How could I accomplish this?

Thanks,
Juan
RE: [ActiveDir] Move DC server to another site and SRV records
For DNS records to be scavenged you need to enable scavenging on a DNS server and record aging on the DNS zones. If this is already enabled, select the zone with the records, pull down the VIEW menu, select ADVANCED, go back to the DNS zone, right-click the record and select Properties.

See also a post from a few days back or yesterday about scavenging.

Cheers,
Jorge

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move DC server to another site and SRV records

Hello,

Does anybody know when the SRV records in _site.domainname are deleted (changed) when I move a W2k3 DC server to another site? How can I find out the TTL of the SRV records?

THX
Z.
RE: [ActiveDir] DNS Scavenging
Ok, so if using the default DHCP lease time of 8 days, I should have both the refresh and no-refresh set to 7 days. Once I identify my static records and I manually age all of the records, I am still going to have to wait at least 7 days for them to clean themselves up even if I force scavenging, correct?

Thanks,
-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, June 28, 2005 3:33 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Hi,

A quote:
## The refresh interval must be long enough to allow all servers that maintain resource records to update their timestamps. Because the Dynamic Host Configuration Protocol (DHCP) server is usually the last server to update its records, you can monitor DHCP records to make sure you have scheduled enough time for updates. If records are being scavenged too soon, use the DNS console to set this value back to the default value of one week (168 hours). ##

The rule:
At zone level AGING is by default configured to prevent dynamic refreshes of resource records the first 7 days of their existence. This prevents unnecessary replication traffic because clients/servers update their records all the time. The no-refresh interval by default is configured to the same value as the refresh interval. It is best to keep these two values the same.

The second 7 days dynamic refreshes are allowed. The refresh interval preferably has a value that is the same as the maximum time possible, in normal circumstances, to refresh/update a record. The latter applies to DHCP clients (see quote above). The DHCP lease duration is by default the longest period, and the period within the lease duration a client tries to update its lease is 87,5% of it.

In short:
no-refresh value = refresh value
refresh value = 87,5% DHCP lease duration

Cheers,
#JORGE#

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 4:42 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Thanks for your response. I have one more question: are the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to, but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries. I don't think there are too many so it shouldn't be too difficult, I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact.

Thanks,
-Tim

From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging

First off, you need to be careful with such low no-refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (or maybe it's Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records in that zone would not have received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a standard naming convention...

--- Wright, T. MR NSSB [EMAIL PROTECTED] wrote:

All,

I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DCs running 2003 functional level. All of the DCs run DNS and on one of them I enabled scavenging at the server level and configured all zones to have a no-refresh interval of 1 hour and a refresh interval of 8 hours. I did this a few weeks ago and many of the records still exist in DNS. I know for a fact that I have a few thousand workstations which have been off the network for more than 30 days. I think what I am seeing is the issue where the records that existed prior to
RE: [ActiveDir] Move DC server to another site and SRV records
I have switched off record scavenging, but the checkbox "Delete this record when it becomes stale" is selected and the record time stamp is in the past. Does it mean that it will be deleted after I switch record scavenging on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, June 28, 2005 2:45 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Move DC server to another site and SRV records

For DNS records to be scavenged you need to enable scavenging on a DNS server and record aging on DNS zones.

If this is already enabled, select the zone with the records - pull down menu VIEW - select ADVANCED - go back to the DNS zone and right click the record and select properties.

See also a post from a few days back or yesterday about scavenging.

Cheers,
Jorge

From: Lev Zdenek [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Move DC server to another site and SRV records

Hello,

Does anybody know when the SRV records in _site.domainname are deleted (changed) when I move a W2k3 DC server to another site? How can I find out the TTL of SRV records?

THX
Z.
RE: [ActiveDir] Default Domain Policy Issues
Well I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually; how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,

Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to all DCs. It is possible you have a little policy battle going on where one or more machines have the old policy and the rest have the newer policy and they keep changing it back and forth. I have seen this more times than I can count. It is due to the fact that domain level account policy replicates both through FRS and through AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, June 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain Policy Issues

Hi all,

After making changes to the Password Policy (Enforcing password History) for a child domain's Default Domain Policy, it reverts back to the previous setting right after the replication cycle has completed with other DCs. I don't see any out of the ordinary NTFRS log events. Any leads would be appreciated.

Thanks,
[ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above . failed with 3 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 Domain, both running AD Integrated DNS. I followed the KB Article 839880 "How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003" and was not able to produce an error following all of the tests mentioned in the article that I ran (DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry). I did not run ADMT or DCPROMO. I also ran nslookup and verified my DNS was returning the proper IP address. I checked to see if the FRS service was running on both computers and it is indeed started. I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Everything seems to be working properly.

Can I safely ignore this error? Does anyone know of a KB article that can help me correct this error or shed some light on what might be causing the error?

Robert

The information contained in this e-mail transmittal, including any attached document(s) is confidential. The information is intended only for the use of the named recipient. If you are not the named recipient, you are hereby notified that any use, disclosure, copying, or distribution of the contents hereof is strictly prohibited.
[ActiveDir] Chris Roosien/NA/Johnson_Controls is out of the office.
I will be out of the office starting Tue 06/28/2005 and will not return until Wed 06/29/2005. I will be out of the office until Tuesday October 17. Please email the help desk at I S HelpDesk if you need assistance.

Thanks
RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts
Thanks, that is the conclusion I came to as well. I am not 100% sure on what the impact would be of changing the Legacy DN on mail-enabled Contact objects. Programmatically via a script it appears straightforward: change "5.5LegacyDN"/object CN to "new 2K3 Admin Group Legacy DN"/object CN.

The main goal here is to get around a limitation that these contacts are getting a recipient policy applied to them that is a legacy of our 5.5 installation. We still have a couple of 5.5 servers that will not go away despite our best efforts, and as a result these contacts are getting stamped with our default smtp addresses by the recipient policy/RUS. Since the filter for the legacy policy is ((mailnickname=*)(exchangeLegacyDn=5.5LegacyDN)) they get caught, and there is no way to change that filter.

I am pretty sure I have found a formula that will ensure I get unique SMTP addresses for these contacts, so now all I have to do is populate the desired smtp:proxyaddress and uncheck the attribute that corresponds to "Automatically update address based on Recipient policy" on the ADUC Email addresses tab.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: June 27, 2005 6:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

Changing the associated AG would involve changing the legacyExchangeDNs. This is a touchy thing as you want to make sure you do not get any duplicates, and it can impact mail delivery since Outlook likes to store legacyExchangeDNs with messages.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, June 24, 2005 10:52 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

You will find a series of articles on Exchange scripting at http://www.microsoft.com/technet/scriptcenter/hubs/exchange.mspx

Mail-enabled, mailbox-enabled contacts are covered.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frost, David: #CIO-BPI
Sent: Friday, June 24, 2005 7:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Scripting changing of Exchange Admin Group for Contacts

Can anyone offer some guidance on whether it is possible to script the change of the associated Exchange Admin Group for mail-enabled contacts? I have a large number of mail-enabled contacts that I would like to move from one Exchange Admin Group to another without deleting and recreating them.

David Frost
Directory Engineering, Messaging, Directories and PKI Engineering Services
Industry Canada
email: [EMAIL PROTECTED]
(613) 957-8442
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Hey Robert... you mentioned "I can put a txt file in my sysvol share on one DC and see it replicate to the other DC." Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions.

Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet).

FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across... it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here, but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes... hehe).

I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above . failed with 3 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 Domain, both running AD Integrated DNS. I followed the KB Article 839880 "How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003" and was not able to produce an error following all of the tests mentioned in the article that I ran (DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry). I did not run ADMT or DCPROMO. I also ran nslookup and verified my DNS was returning the proper IP address. I checked to see if the FRS service was running on both computers and it is indeed started. I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Everything seems to be working properly.

Can I safely ignore this error? Does anyone know of a KB article that can help me correct this error or shed some light on what might be causing the error?

Robert
RE: [ActiveDir] DNS Scavenging
Hey Tim,

I wrote this a while back when I was trying to understand the whole process. Might help you...

http://myitforum.techtarget.com/articles/16/view.asp?id=6287

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Tuesday, June 28, 2005 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Ok, so if using the default DHCP lease time of 8 days, I should have both the refresh and no-refresh set to 7 days. Once I identify my static records and I manually age all of the records, I am still going to have to wait at least 7 days for them to clean themselves up even if I force scavenging, correct?

Thanks,
-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, June 28, 2005 3:33 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Hi,

A quote:
## The refresh interval must be long enough to allow all servers that maintain resource records to update their timestamps. Because the Dynamic Host Configuration Protocol (DHCP) server is usually the last server to update its records, you can monitor DHCP records to make sure you have scheduled enough time for updates. If records are being scavenged too soon, use the DNS console to set this value back to the default value of one week (168 hours). ##

The rule:
At zone level AGING is by default configured to prevent dynamic refreshes of resource records the first 7 days of their existence. This prevents unnecessary replication traffic because clients/servers update their records all the time. The no-refresh interval by default is configured to the same value as the refresh interval. It is best to keep these two values the same.

The second 7 days dynamic refreshes are allowed. The refresh interval preferably has a value that is the same as the maximum time possible, in normal circumstances, to refresh/update a record. The latter applies to DHCP clients (see quote above). The DHCP lease duration is by default the longest period, and the period within the lease duration a client tries to update its lease is 87,5% of it.

In short:
no-refresh value = refresh value
refresh value = 87,5% DHCP lease duration

Cheers,
#JORGE#

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 4:42 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Thanks for your response. I have one more question: are the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to, but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries. I don't think there are too many so it shouldn't be too difficult, I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact.

Thanks,
-Tim

From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging

First off, you need to be careful with such low no-refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (or maybe it's Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records in that zone would not have received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a standard naming convention...

--- Wright, T. MR NSSB [EMAIL PROTECTED] wrote:

All,

I am not 100% sure, but it appears that I may be having some issues with scavenging old records. I have a Win2003 domain with 5 DCs running 2003 functional level. All of the DCs run DNS and on one of them I enabled
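The DNS scavenging thread above (both the copy quoted here and the earlier one) boils down to two tasks: dump the zone with dnscmd.exe /zoneexport and separate records that carry a timestamp from those that do not, then size the no-refresh and refresh intervals to the DHCP lease (no-refresh = refresh = 87,5% of the lease). The Python below is an added example written for this page, not code from the list or from anyone on it. It assumes the export marks aged records as [AGE:N] with N the number of hours since 1 January 1601 UTC (the thread itself is unsure whether the tag reads Age or Aging, so both spellings are accepted), and it parses a constructed sample dump rather than a real zone. A record is reported as eligible for scavenging once its timestamp plus the no-refresh interval plus the refresh interval lies in the past; records without a timestamp are never scavenged.

```python
"""Classify dnscmd /zoneexport records and work out scavenging eligibility.

Added example, not code from the ActiveDir thread. The [AGE:N] format and
the hours-since-1601 epoch are assumptions; the zone data is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: aging timestamps count whole hours since 1 January 1601 UTC.
AGING_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed "current time" for the sample run (the thread's date).
NOW = datetime(2005, 6, 28, 12, 0, tzinfo=timezone.utc)
DEFAULT_DHCP_LEASE = timedelta(days=8)

RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+"                         # owner name ("@" = zone apex)
    r"(?:\[(?:AGE|AGING):(?P<aging>\d+)\]\s+)?"  # optional aging tag (assumed format)
    r"(?:IN\s+)?"                                # optional class
    r"(?:(?P<ttl>\d+)\s+)?"                      # optional TTL
    r"(?P<type>[A-Z]+)\s+"                       # record type
    r"(?P<data>.+)$",                            # RDATA
    re.IGNORECASE,
)


def aging_to_datetime(hours: int) -> datetime:
    return AGING_EPOCH + timedelta(hours=hours)


def datetime_to_aging(when: datetime) -> int:
    return int((when - AGING_EPOCH).total_seconds() // 3600)


# Constructed sample export; names and addresses are illustrative only.
SAMPLE_EXPORT = f"""\
;
;  Zone: example.internal  (constructed sample, not a real export)
;
@                       600 NS  dc1.example.internal.
dc1                    3600 A   10.0.0.10
printer01              3600 A   10.0.0.50
ws-old01 [AGE:{datetime_to_aging(NOW - timedelta(days=30))}] 1200 A 10.0.1.21
ws-edge  [AGE:{datetime_to_aging(NOW - timedelta(days=14))}] 1200 A 10.0.1.22
ws-new02 [AGE:{datetime_to_aging(NOW - timedelta(days=3))}] 1200 A 10.0.1.23
"""


def parse_zone_export(text: str) -> list:
    """Return one dict per record; 'timestamp' is None for static records."""
    records, prev_name = [], None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(";"):
            continue
        if raw[0].isspace():
            # A line that starts with whitespace omits the owner name and
            # inherits the previous record's name.
            if prev_name is None:
                continue
            stripped = f"{prev_name} {stripped}"
        m = RECORD_RE.match(stripped)
        if not m:
            continue  # e.g. SOA continuation lines inside parentheses
        prev_name = m.group("name")
        aging = m.group("aging")
        records.append({
            "name": prev_name,
            "type": m.group("type").upper(),
            "data": m.group("data").strip(),
            "timestamp": aging_to_datetime(int(aging)) if aging else None,
        })
    return records


def recommended_intervals(dhcp_lease: timedelta) -> tuple:
    """Jorge's rule: refresh = 87.5% of the DHCP lease, no-refresh = refresh."""
    refresh = dhcp_lease * 0.875
    return refresh, refresh


def scavenge_report(records: list, no_refresh: timedelta,
                    refresh: timedelta, now: datetime) -> dict:
    """Bucket records: static (no timestamp), eligible for scavenging, not yet."""
    report = {"static": [], "eligible": [], "not_yet": []}
    for rec in records:
        if rec["timestamp"] is None:
            report["static"].append(rec["name"])
        elif rec["timestamp"] + no_refresh + refresh <= now:
            report["eligible"].append(rec["name"])
        else:
            report["not_yet"].append(rec["name"])
    return report


if __name__ == "__main__":
    no_refresh, refresh = recommended_intervals(DEFAULT_DHCP_LEASE)
    report = scavenge_report(parse_zone_export(SAMPLE_EXPORT), no_refresh, refresh, NOW)
    for bucket, names in report.items():
        print(f"{bucket:>9}: {', '.join(names) or '-'}")
```

Run against a real dump, the "static" list is the set of records that will never age out and therefore must be reviewed by hand (David's point about zones that were standard primaries before scavenging was enabled); the "not_yet" list shows how long a freshly stamped record survives under a given pair of intervals.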
RE: [ActiveDir] Domain Admins Group Membership
The debauchery!

The reason I ask is that I go through this trial nearly every week. It's very tiring being the bad guy and having to explain myself over and over again to the ranks of technical folks through senior management. Most of the folks that have been here awhile know my answer. The new fish, on the other hand, always have to test the water. There's still so much clean up to perform with keeping to least privilege models... and quite frankly our immaturity with a directory at the time we first planned it out. Growing pains...

Anyway, I leave you with this funny little tidbit...

In any system there is an entity at the top, the Supreme Overlord who answers to no one. Depending on the system, this entity might be called Mom or The Federal Government or God. Unix calls it Root; Windows calls it Administrator. Since the Supreme Overlord's power is unlimited, you must choose your Supreme Overlord wisely. If you don't like how your Supreme Overlord is behaving, your only recourse is overthrow. If you hire Darth Vader as your Supreme Overlord, no amount of Trustworthy Computing will save you.

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, June 28, 2005 9:04 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Yes, I do. But, his question had nothing to do with "Is it right or not?" I count on joe to totally over-react to such things! :op

But, just for the record, I don't condone in any way the overuse or the mismanagement of advanced privileges and rights for convenience in any way, shape or form. I, personally, prefer to see a 'role based' administration model in which the defined NEEDS (as compared to the whacked out wants of most technical people) are developed in conjunction with the Technical people doing the work and the Technical staff in one's Information Security dept. These roles would align with what technical staff do.

I only NEED one or two Domain Admins. On the other hand, I need a bunch of people that can manage, add, modify users, groups and computers, but they still have to earn the privilege. Same goes with GPO, etc, etc, etc. Just because you can spell GPO doesn't mean I trust you to work on them. And, I am also a strong believer that if you can review event logs to determine health of machines from your desktop, then why do you RDP to servers? I'm also not going to give you the right to shut down systems just because you think you're making MY life easier. Wake me up... If it needs to be shut down, I'll do it.

I also am a strong believer in change control and following procedure. But, if you've done none of the above - then why bother with Change Control or procedures? Both assume that there is a sequence of control built into your systems - which if you're not doing the above - isn't the case.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 3:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Domain Admins Group Membership

Now that we're beyond the technical specs... does anyone else cringe at the idea of granting domain admin privileges to satisfy local administrative rights privileges to machines?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, June 27, 2005 5:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Domain Admins Group Membership

Juan,

You won't be able to add users from another domain to the Domain Admins group. The Domain Admins group is a global group, and the rule for global groups is that they can only contain users from the domain in which the global group was created. By that rule, only users of Domain A may be members of the Domain Admins group of Domain A.

However, IIRC, the Administrators group is a special group or a Domain Local group, and will allow the add of users from Domain B.

Rick

From: Ibarra, Juan [EMAIL PROTECTED]
Date: 2005/06/27 Mon AM 11:24:58 EDT
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Domain Admins Group Membership

Hi,

I need to add certain users from domain B, a Win 2000 Domain, to the Domain Admins group of Domain A, a Windows 2003 Domain. There is a two way trust between the two domains; however, I don't seem to find the way to do this. I am able to add users to shares but not the group. How could I accomplish this?

Thanks,
Juan
RE: [ActiveDir] Default Domain Policy Issues
How many DCs do you have and what OS version?

First thing you can do is go to the PDC role holder DC, look at the file at \SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf. Note its size, and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in synch, then you could be getting the differences you are experiencing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, June 28, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues

Well I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually; how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,

Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to all DCs. It is possible you have a little policy battle going on where one or more machines have the old policy and the rest have the newer policy and they keep changing it back and forth. I have seen this more times than I can count. It is due to the fact that domain level account policy replicates both through FRS and through AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, June 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain Policy Issues

Hi all,

After making changes to the Password Policy (Enforcing password History) for a child domain's Default Domain Policy, it reverts back to the previous setting right after the replication cycle has completed with other DCs. I don't see any out of the ordinary NTFRS log events. Any leads would be appreciated.

Thanks,
RE: [ActiveDir] Default Domain Policy Issues
Hi Darren,

22 Domain Controllers at Windows 2000/SP4. Just about 15 mins ago I restarted the NTFRS service on the DCs, then I made the change on the PDC Emulator on the password policy. I noted down the file size and time stamp of that gpttmpl.inf file. It's set to 11:58 (CST) today when I changed the policy. While looking at some of the other DCs, it's set to last year (perhaps the last time I made a change to the security policies). Now I will wait for it to replicate, then see what happens. What if this file reverts back to what it was (with last year's time stamp)? Any thoughts at that point...

Your help is very much appreciated.

Thanks,

Firefox - Rediscover the web

Original Message Follows
From: Darren Mar-Elia [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Tue, 28 Jun 2005 09:45:48 -0700

How many DCs do you have and what OS version? First thing you can do is go to the PDC role holder DC, look at the file at \SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\gpttmpl.inf. Note its size, and date/timestamp. Then check the same file on all other DCs. They should be the same. This is the file that delivers the security policy within the Default Domain Policy. If it's not in sync, then you could be getting the differences you are experiencing.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Tuesday, June 28, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues

Well I've just downloaded Sonar and Ultrasound. Sonar tells me everything is OK! Not sure what I'm looking for actually; how can I pinpoint which DC is causing the reversion back to the old setting (being authoritative)?

Thanks,

Original Message Follows
From: joe [EMAIL PROTECTED]
Reply-To: ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Default Domain Policy Issues
Date: Mon, 27 Jun 2005 18:28:13 -0400

I would check very carefully to verify the policy has made it properly to all DCs. It is possible you have a little policy battle going on where one or more machines have the old policy and the rest have the newer policy and they keep changing it back and forth. I have seen this more times than I can count. It is due to the fact that domain level account policy replicates both through FRS and through AD.

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Devan Pala
Sent: Monday, June 27, 2005 6:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Default Domain Policy Issues

Hi all,

After making changes to the Password Policy (Enforcing password History) for a child domain's Default Domain Policy it reverts back to the previous setting right after the replication cycle has completed with other DCs. I don't see any out of the ordinary NTFRS log events. Any leads would be appreciated?

Thanks,
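Darren's check in the message above (compare gpttmpl.inf on the PDC emulator with the copy on every other DC) is easy to do by hand for a few DCs and tedious for 22. The script below is an added example, not code from the thread or from Microsoft: it hashes the file on every DC instead of trusting size and timestamp, and also reads the PasswordHistorySize each copy carries, which is the setting that keeps reverting. It assumes the ActiveDirectory PowerShell module is available and that the account running it can read every DC's SYSVOL share; the GUID is the well-known Default Domain Policy GUID quoted by Darren.

```powershell
# Added example (not from the thread): hash the Default Domain Policy's
# GptTmpl.inf on every DC and show the PasswordHistorySize each copy carries.
# Assumes the ActiveDirectory module and read access to each DC's SYSVOL share.
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy
$RelPath = "Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

function Get-PasswordHistorySize {
    param([string]$Path)
    # GptTmpl.inf is an INI file; the password settings live under [System Access].
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(?<s>[^\]]+)\]') { $inSection = ($Matches['s'] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*PasswordHistorySize\s*=\s*(?<v>\d+)') { return [int]$Matches['v'] }
    }
    return $null
}

function Get-GptTmplState {
    param([string[]]$DcNames, [string]$DomainDns)
    foreach ($dc in $DcNames) {
        $path = "\\$dc\SYSVOL\$DomainDns\$RelPath"
        try {
            $item = Get-Item -LiteralPath $path -ErrorAction Stop
            [pscustomobject]@{
                DC                  = $dc
                Sha256              = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                Size                = $item.Length
                LastWriteUtc        = $item.LastWriteTimeUtc
                PasswordHistorySize = Get-PasswordHistorySize -Path $path
                Error               = $null
            }
        } catch {
            # An unreachable DC is reported, not skipped, so the table stays complete.
            [pscustomobject]@{ DC = $dc; Sha256 = $null; Size = $null; LastWriteUtc = $null; PasswordHistorySize = $null; Error = $_.Exception.Message }
        }
    }
}

$domain   = Get-ADDomain
$dcs      = (Get-ADDomainController -Filter *).HostName
$states   = Get-GptTmplState -DcNames $dcs -DomainDns $domain.DNSRoot
$pdceHash = ($states | Where-Object DC -eq $domain.PDCEmulator).Sha256

$states | Sort-Object DC |
    Select-Object DC, @{n = 'MatchesPDCE'; e = { $_.Sha256 -eq $pdceHash }}, Size, LastWriteUtc, PasswordHistorySize, Error |
    Format-Table -AutoSize
# Any DC with MatchesPDCE = False holds a different policy file. Run it again
# after a replication cycle to see whether that DC converges or the PDCE flips back.
```

Run it once right after the change on the PDC emulator and again after a replication cycle: a DC whose copy still carries last year's timestamp and the old PasswordHistorySize after the second run is the one to look at, and if the PDC emulator's own copy has changed back, the originator of that change is what the rest of the thread is about.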
[ActiveDir] Automate Adding Environment Variables
Is there a way to have a user specify an environment variable at first logon? We have a program that needs to send mail to an e-mail address and this has to be specific to each user. This server (a terminal server) will likely contain 200+ user accounts and doing this manually would be undesirable. Ideally, I would like it if the first time a user logs onto the server, they are prompted to enter their e-mail address and hit enter, and this will set a user variable that points to this e-mail address (something like [EMAIL PROTECTED]). I was thinking it would be best if this can be done with a simple DOS batch file that can be set to run at first user logon, probably by adding it to the RunOnce key in the user's registry hive (unless there is a better way). We do not want this to execute every time the user logs onto the terminal server.

I would greatly appreciate any help,

Dan DeStefano
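One way to do what Dan asks, as an added example that is not part of the original post: it is PowerShell rather than the batch file he mentions, the variable name USER_MAIL and the script path are assumptions, and it is written so that it is harmless if it runs at every logon, which makes it usable both from a GPO logon script and from the RunOnce key he has in mind.

```powershell
# Added example (not from the original post): first-logon prompt that stores the
# user's e-mail address as a per-user environment variable. The variable name
# USER_MAIL and the script location are assumptions.
$VarName = 'USER_MAIL'
$EnvKey  = 'HKCU:\Environment'

function Test-MailAddress {
    param([string]$Address)
    # Strict on purpose: one local part, one dotted domain, no whitespace and
    # none of the characters cmd.exe treats specially when it expands %USER_MAIL%.
    return [bool]($Address -match '^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$')
}

function Get-UserMailVariable {
    # Returns $null when nothing is stored yet, i.e. on the first logon.
    (Get-ItemProperty -Path $EnvKey -Name $VarName -ErrorAction SilentlyContinue).$VarName
}

function Set-UserMailVariable {
    param([string]$Address)
    if (-not (Test-MailAddress $Address)) { throw "Rejected e-mail address: $Address" }
    # A REG_SZ under HKCU\Environment is what the user-variables dialog writes;
    # every process started after the next logon sees it as %USER_MAIL%.
    Set-ItemProperty -Path $EnvKey -Name $VarName -Value $Address -Type String
    # Make it visible to programs launched from this session as well.
    Set-Item -Path "Env:$VarName" -Value $Address
}

function Invoke-FirstLogonPrompt {
    # Idempotent: exits immediately when the variable already exists, so the
    # script does nothing on later logons even if it is run every time.
    if (Get-UserMailVariable) { return }
    do {
        $addr = (Read-Host 'Enter the e-mail address this program should send mail to').Trim()
        if (-not (Test-MailAddress $addr)) { Write-Warning "'$addr' is not a valid address, try again." }
    } until (Test-MailAddress $addr)
    Set-UserMailVariable -Address $addr
}

Invoke-FirstLogonPrompt
```

To fire it from RunOnce instead of a logon script, create a REG_SZ value under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce whose data is powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Set-UserMail.ps1 (path assumed); Windows deletes a RunOnce value before running it, so it fires once per profile. Two things to keep in mind: everything under HKCU, Environment and RunOnce included, is writable by the user, so the stored address is user-controlled input and the program that reads %USER_MAIL% has to treat it that way (the strict pattern above at least keeps cmd.exe metacharacters out of it); and a value written to HKCU\Environment is only picked up by processes started after the change, which is why the script also sets it in its own session.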
RE: [ActiveDir] DNS Scavenging
Marcus,

That article is spot on. It cleared up all of my confusion. Great job!

Thanks,
-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 12:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Hey Tim,

I wrote this a while back when I was trying to understand the whole process. Might help you...

http://myitforum.techtarget.com/articles/16/view.asp?id=6287

:m:dsm:cci:mvp

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Tuesday, June 28, 2005 9:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Ok, so if using the default DHCP lease time of 8 days, I should have both the refresh and no-refresh set to 7 days. Once I identify my static records and I manually age all of the records, I am still going to have to wait at least 7 days for them to clean themselves up even if I force scavenging, correct?

Thanks,
-Tim

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
Sent: Tuesday, June 28, 2005 3:33 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Hi,

A quote:
##
The refresh interval must be long enough to allow all servers that maintain resource records to update their timestamps. Because the Dynamic Host Configuration Protocol (DHCP) server is usually the last server to update its records, you can monitor DHCP records to make sure you have scheduled enough time for updates. If records are being scavenged too soon, use the DNS console to set this value back to the default value of one week (168 hours).
##

The rule:
At zone level AGING is by default configured to prevent dynamic refreshes of resource records the first 7 days of their existence. This prevents unnecessary replication traffic because clients/servers update their records all the time. The no-refresh interval by default is configured to the same value as the refresh interval. It is best to keep these two values the same. The second 7 days dynamic refreshes are allowed. The refresh interval preferably has a value that is the same as the maximum time possible, in normal circumstances, to refresh/update a record. The latter applies to DHCP clients (see quote above). The DHCP lease duration is by default the longest period, and the period within the lease duration a client tries to update its lease is 87.5% of it.

In short:
no-refresh value = refresh value
refresh value = 87.5% DHCP lease duration

Cheers,
#JORGE#

From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED]
Sent: Tue 6/28/2005 4:42 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Scavenging

Thanks for your response. I have one more question: are the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to, but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries. I don't think there are too many so it shouldn't be too difficult, I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact.

Thanks,
-Tim

From: [EMAIL PROTECTED] on behalf of David Adner
Sent: Mon 6/27/2005 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS Scavenging

First off, you need to be careful with such low no refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours).

For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (or maybe it's Aging:) value for records with timestamps.

If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records into that zone would have not received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled.

As for easier ways to address your issue, I'm unaware of a solution that doesn't require some leg work. You could dump the zone via dnscmd.exe /zoneexport and see which don't have timestamps and from there figure out which ones are supposed to be static and which ones aren't. This will be simplified if you have a
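The two pieces of advice in this thread, Jorge's interval rule and David's "dump the zone and look for records without a timestamp", fit together in one script. What follows is an added example, not code from the thread: it derives the intervals from the DHCP lease, parses a dnscmd /zoneexport dump, separates static records (no timestamp, never scavenged) from aging ones, and flags which aging records have already passed no-refresh + refresh. The [AGE:n] token is taken to be hours since 1601-01-01 UTC, which is how dnscmd writes it; the zone below is constructed for this example, and the "now" is pinned to the thread's date so the output is reproducible.

```powershell
# Added example, not part of the thread. Constructed zone export; the [AGE:n]
# value is assumed to be hours since 1601-01-01 UTC as written by dnscmd.
$SampleExport = @'
;  Zone:     corp.example.local
;  Server:   dc1.corp.example.local
;  Time:     Tue Jun 28 12:00:00 2005 UTC   (constructed sample)
@                     3600  NS  dc1.corp.example.local.
dc1                   3600  A   10.0.0.10
printer1              1200  A   10.0.2.5
ws001  [AGE:3545600]  1200  A   10.0.1.21
ws002  [AGE:3545000]  1200  A   10.0.1.22
oldws  [AGE:3540000]  1200  A   10.0.1.99
'@

$AgeEpoch = [datetime]::new(1601, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)

function Get-ScavengingIntervals {
    param([double]$LeaseDays)
    # Jorge's rule: refresh = 87.5% of the lease (when a DHCP client renews),
    # and no-refresh is set equal to it. An 8-day lease gives 7 / 7.
    $refresh = [math]::Round($LeaseDays * 0.875, 2)
    [pscustomobject]@{ LeaseDays = $LeaseDays; NoRefreshDays = $refresh; RefreshDays = $refresh }
}

function ConvertFrom-ZoneExport {
    param([string]$Text, [datetime]$Now, [double]$NoRefreshDays, [double]$RefreshDays)
    $nowHours  = [math]::Floor(($Now.ToUniversalTime() - $AgeEpoch).TotalHours)
    $windowHrs = ($NoRefreshDays + $RefreshDays) * 24
    $pattern   = '^(?<name>\S+)\s+(?:\[AGE:(?<age>\d+)\]\s+)?(?<ttl>\d+)\s+(?<type>[A-Z]+)\s+(?<data>\S.*)$'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*(;|$)') { continue }                       # comment or blank
        if ($line -notmatch $pattern) { Write-Warning "unparsed: $line"; continue }
        $age = $Matches['age']
        if (-not $age) {
            # No timestamp: static (or registered before aging was on). Scavenging ignores it.
            $stamp = $null; $status = 'Static (no timestamp, never scavenged)'
        } else {
            $stamp  = $AgeEpoch.AddHours([double]$age)
            $status = if (($nowHours - [double]$age) -ge $windowHrs) { 'Aging: eligible for scavenging' }
                      else { 'Aging: inside no-refresh/refresh window' }
        }
        [pscustomobject]@{ Name = $Matches['name']; Type = $Matches['type']; Data = $Matches['data']; Timestamp = $stamp; Status = $status }
    }
}

$intervals = Get-ScavengingIntervals -LeaseDays 8        # default DHCP lease -> 7 / 7 days
$now       = [datetime]::new(2005, 6, 28, 12, 0, 0, [DateTimeKind]::Utc)
ConvertFrom-ZoneExport -Text $SampleExport -Now $now -NoRefreshDays $intervals.NoRefreshDays -RefreshDays $intervals.RefreshDays |
    Format-Table Name, Type, Data, Timestamp, Status -AutoSize
# For a real zone: dnscmd /zoneexport corp.example.local corp.txt, then pass
# (Get-Content "$env:SystemRoot\System32\dns\corp.txt" -Raw) as -Text and (Get-Date) as -Now.
```

With the sample, ws001 was refreshed 76 hours before "now" and stays; ws002 and oldws are past the 14-day window and would go on the next scavenging run; dc1, printer1 and the NS record have no timestamp and are never touched, which is exactly the list Tim wanted so he can decide which of them are meant to be static before enabling aging on the rest.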
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DCs and I successfully did portqry on the ports shown in the KB article (NtFRS Service, MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071, 1025, 1030 and DC2 used 1053, 1026, 1027.) Guess I'll take your other advice and open a case with PSS.

Thanks!

Robert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions.

Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped, but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet).

FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here, but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe).

I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED (This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED (This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED (This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed above
. failed with 3 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed

I have 2 domain controllers in a Windows 2003 Domain both running AD Integrated DNS. I followed the KB Article 839880 How to troubleshoot RPC Endpoint Mapper errors in Windows Server 2003 and was not able to produce an error following all of the tests mentioned in the article that I ran. (DCDIAG, NETDIAG, Repadmin, Ntdsutil, Gpotool, Portqry) I did not run ADMT
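Robert Williams's DCNAME.txt test, quoted above, is worth scripting when there are more than two DCs, because the point of it is direction: a marker that originates on DC1 and never shows up on DC2 while DC2's marker does arrive on DC1 is a one-way failure. The script below is an added example, not code from the thread. Each DC writes its own marker through its own SYSVOL share, then every DC is polled for every other DC's marker until they all converge or the timeout expires. It assumes the ActiveDirectory module for discovering the domain name and DC list, and the sub-folder name _repltest is an assumption.

```powershell
# Added example, not from the thread. Two-way SYSVOL replication check: one
# marker per DC, originated on that DC, then poll every DC for every marker.
# Assumes the ActiveDirectory module; the folder name _repltest is assumed.
function Test-SysvolTwoWay {
    param(
        [string[]]$DcNames   = (Get-ADDomainController -Filter *).HostName,
        [string]$DomainDns   = (Get-ADDomain).DNSRoot,
        [int]$TimeoutSeconds = 900,
        [int]$PollSeconds    = 30
    )
    $sub   = '_repltest'
    $stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

    # 1. Originate one marker per DC, written through that DC's own share so the
    #    originating replica is unambiguous. The stamp ties the file to this run.
    foreach ($dc in $DcNames) {
        $dir = "\\$dc\SYSVOL\$DomainDns\$sub"
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Set-Content -LiteralPath (Join-Path $dir "$dc.txt") -Value "$dc $stamp"
    }

    # 2. Poll until every DC holds every other DC's marker with this run's stamp.
    #    A stale marker from an earlier run does not count as success.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $missing = @(foreach ($to in $DcNames) {
            foreach ($from in $DcNames) {
                if ($from -eq $to) { continue }
                $p = "\\$to\SYSVOL\$DomainDns\$sub\$from.txt"
                $content = if (Test-Path -LiteralPath $p) { Get-Content -LiteralPath $p -ErrorAction SilentlyContinue } else { $null }
                if ("$content" -ne "$from $stamp") { [pscustomobject]@{ From = $from; To = $to } }
            }
        })
        if ($missing.Count -eq 0) { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # 3. No output means every direction converged; each row is a direction
    #    that did not, which is the asymmetry Robert is looking for.
    $missing
}

Test-SysvolTwoWay | Format-Table -AutoSize
```

Afterwards delete the _repltest folder on one DC only and confirm the deletion reaches the others; that is the same test with a delete change order instead of a create. Running this needs rights to write into SYSVOL, so do it as a domain admin and do not leave the folder behind, since anything under SYSVOL is readable by every domain member.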
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Robert, hold on a sec, before you open a case. Are those your only two DCs? Their names are DC1 and DC2?? In your FRS debug log, you see that the EPT_S_NOT_REGISTERED is referring to jao-ad.lajao.org. Was jao-ad at some point a domain controller, or does that name have any other significance to you? If that used to be a DC, then I'd recommend going through this article to remove all the metadata junk:

216498 How to remove data in Active Directory after an unsuccessful domain
http://support.microsoft.com/?id=216498

You didn't mention any other problems, but if you once had this jao-ad server as a DC then the KCC on your other DCs would be complaining in the event log because they can't replicate with jao-ad.

If I just saved you $245, a big THANK YOU will do :-) Come to think of it, if I just saved YOU $245 dollars then I just cost myself $245 dollars (I own part of the company of course). Please disregard everything above...LOL :-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

[snip]
Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
So even though you are replicating fine both ways and you don't see any real problem, you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one time error? I dunno - just seems kinda silly to me to tshoot something which may have been a passing network hiccup or is simply not occurring any more. FRSdiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error.

my .02

steve

- Original Message -
From: Robert N. Leali [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 11:38 AM
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

[snip]
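Steve's point (FRSDiag fires on any keyword hit, what matters is whether the newest entries still carry it) and Robert Williams's question (who is jao-ad.lajao.org, and was it ever a DC?) can both be answered from the log itself plus a couple of directory lookups. The script below is an added example, not code from the thread or from FRSDiag: it parses the send-failure lines of an NtFrs_*.log, summarises them per target and status with the last time seen, and, when run on a DC, checks each failing target against the current DC list, DNS, and the server objects under CN=Sites. The line shape is copied from the FRSDiag output above; the fourth sample line and the domain names are constructed for the example, and the live checks need the ActiveDirectory and DnsClient modules. These lines only carry a time of day, so the time has to be read against the log file's own date.

```powershell
# Added example, not from the thread. Parses FRS debug-log send failures and
# checks the failing target against the live directory. Sample lines 1-3 are
# the ones FRSDiag printed above; line 4 is constructed to show a second status.
$SampleLog = @'
SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
SndCsMain: 700: 884: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
SndCsMain: 700: 904: S0: 18:16:33 :SR: Cmd 01225c78, CxtG a0cc0d78, WS EPT_S_NOT_REGISTERED, To jao-ad.lajao.org Len: (366) [SndFail - Send Penalty]
SndCsMain: 700: 884: S0: 18:21:07 :SR: Cmd 01225d10, CxtG a0cc0d78, WS RPC_S_SERVER_UNAVAILABLE, To jao-ad.lajao.org Len: (366) [SndFail - rpc exception]
'@

function Get-FrsSendFailure {
    param([string[]]$Lines)
    # Only lines that name a WS status and a target are useful; the bare
    # "++ ERROR - EXCEPTION" line has neither and is skipped.
    $pattern = '^\w+:\s+\d+:\s+\d+:\s+S\d+:\s+(?<time>\d\d:\d\d:\d\d)\s.*?\bWS\s+(?<status>\w+),\s+To\s+(?<target>\S+).*?\[(?<reason>[^\]]+)\]'
    foreach ($l in $Lines) {
        if ($l -match $pattern) {
            [pscustomobject]@{ Time = $Matches['time']; Status = $Matches['status']; Target = $Matches['target']; Reason = $Matches['reason'] }
        }
    }
}

function Get-FrsFailureSummary {
    param([string[]]$Lines)
    Get-FrsSendFailure -Lines $Lines | Group-Object Target, Status | ForEach-Object {
        $last = $_.Group | Sort-Object Time | Select-Object -Last 1
        [pscustomobject]@{ Target = $last.Target; Status = $last.Status; Count = $_.Count; LastSeen = $last.Time; LastReason = $last.Reason }
    }
}

function Test-FrsTarget {
    # Live checks (ActiveDirectory + DnsClient modules, run on a DC). A target
    # that is not a current DC and has no DNS name but still has a server
    # object under CN=Sites is the leftover-DC case that KB 216498 cleans up.
    param([string]$Target)
    $dcs   = (Get-ADDomainController -Filter *).HostName
    $short = (($Target -split '\.')[0]) -replace '[\\*()\x00]', ''   # keep the LDAP filter literal
    $cfg   = (Get-ADRootDSE).configurationNamingContext
    $srv   = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$short))" -SearchBase "CN=Sites,$cfg" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Target          = $Target
        IsCurrentDC     = [bool]($dcs -contains $Target)
        ResolvesInDns   = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)
        HasServerObject = [bool]$srv
    }
}

Get-FrsFailureSummary -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
# On a DC the debug logs are under $env:SystemRoot\debug; pick the NtFrs_*.log with
# the newest LastWriteTime, then check every target that still fails:
# $s = Get-FrsFailureSummary -Lines (Get-Content "$env:SystemRoot\debug\NtFrs_0004.log")
# $s.Target | Sort-Object -Unique | ForEach-Object { Test-FrsTarget -Target $_ }
```

On the sample the summary is two rows for jao-ad.lajao.org, EPT_S_NOT_REGISTERED twice with the last one at 18:16:33 and the constructed RPC_S_SERVER_UNAVAILABLE once at 18:21:07. If the real newest log shows nothing after the entries FRSDiag quoted, it was a passing condition, which is Steve's argument; if Test-FrsTarget says the name is not a current DC but still has a server object, that is the metadata clean-up Robert Williams is pointing at, and no PSS case is needed to find it.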
Re: [ActiveDir] Default Domain Policy Issues
Sonar and Ultrasound may indeed tell you everything is OK - since FRS is actually doing its job (replicating the data back in properly). However you could have enough latency in site replication where something (like the AD in some cases) is causing the file to be replicated back out towards the original change due to changes. Maybe the changes are not fast enough to be caught via the FRS churn warning indicator.

There is a process where, as Joe noted, the AD and FRS are kept in sync for domain password policies. The real trick here is to find the originating change and determine why that server caused the original FRS change order (IMHO).

First of all you need to make sure that replication is actually working end to end - it sounds like you have done this scenario:

DC1 is your PDCE and you change password policy from A to B
DC10 is another DC which receives the value B but then reverts back to A - this eventually gets replicated back to DC1 and now all DCs show original value of A

The hard way (but I don't know any others since I never have really used frsdiag\sonar\ultrasound):

On DC10 run ntfrsutl idtable
Find the file name - in your case gpttmpl.inf - and make sure it is the correct one by mapping the ParentGuid back to 31B2F340-016D-11D2-945F-00C04FB984F9
Note the OriginatorGuid value
To match the OriginatorGUID to a machine you have to gather the ntfrsutl configtable data from the DCs and match the ReplicaVersionGuid to the OriginatorGuid value on the file.

This can all be scripted into a batch file to parse all the data - or -- wait, someone just told me you can also do this (mapping the GUIDs to server) via frsdiag here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Good luck!

steve

- Original Message -
From: Devan Pala [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 10:19 AM
Subject: RE: [ActiveDir] Default Domain Policy Issues

[snip]
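Steve's manual procedure above (find the right gpttmpl.inf entry in ntfrsutl idtable output, take its OriginatorGuid, match that to a ReplicaVersionGuid in ntfrsutl configtable output) is the kind of thing he says can be scripted, so here it is as an added example, not code from the thread or from FRSDiag. The field names ParentGuid, OriginatorGuid and ReplicaVersionGuid come from his message; FileGuid, FileName, VersionNumber, ComputerDnsName and the "Key : Value" entries separated by blank lines are assumptions about the dump layout, and both dumps below are constructed and shortened for the example, not real ntfrsutl output. One thing the script does that the prose skips: the ParentGuid on a file entry is its parent directory's FRS GUID, not the GPO GUID, so it walks up the ParentGuid chain until it reaches the folder named after the Default Domain Policy.

```powershell
# Added example, not from the thread. Maps the originator of the Default Domain
# Policy's GptTmpl.inf to a DC from ntfrsutl idtable / configtable dumps.
# Dump layout and field names other than ParentGuid/OriginatorGuid/
# ReplicaVersionGuid are assumed; both dumps here are constructed samples.
$GpoGuid = '{31B2F340-016D-11D2-945F-00C04FB984F9}'

$IdTableText = @'
FileGuid       : 11111111-0000-0000-0000-000000000001
FileName       : {31B2F340-016D-11D2-945F-00C04FB984F9}
ParentGuid     : 00000000-0000-0000-0000-000000000000
OriginatorGuid : aaaaaaaa-0000-0000-0000-00000000dc01

FileGuid       : 11111111-0000-0000-0000-000000000002
FileName       : SecEdit
ParentGuid     : 11111111-0000-0000-0000-000000000001
OriginatorGuid : aaaaaaaa-0000-0000-0000-00000000dc01

FileGuid       : 11111111-0000-0000-0000-000000000003
FileName       : GptTmpl.inf
ParentGuid     : 11111111-0000-0000-0000-000000000002
OriginatorGuid : aaaaaaaa-0000-0000-0000-00000000dc10
VersionNumber  : 41

FileGuid       : 22222222-0000-0000-0000-000000000001
FileName       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
ParentGuid     : 00000000-0000-0000-0000-000000000000
OriginatorGuid : aaaaaaaa-0000-0000-0000-00000000dc01

FileGuid       : 22222222-0000-0000-0000-000000000002
FileName       : GptTmpl.inf
ParentGuid     : 22222222-0000-0000-0000-000000000001
OriginatorGuid : aaaaaaaa-0000-0000-0000-00000000dc01
VersionNumber  : 7
'@

$ConfigTableText = @'
ComputerDnsName    : dc01.child.example.local
ReplicaVersionGuid : aaaaaaaa-0000-0000-0000-00000000dc01

ComputerDnsName    : dc10.child.example.local
ReplicaVersionGuid : aaaaaaaa-0000-0000-0000-00000000dc10
'@

function ConvertFrom-KeyValueBlocks {
    # Generic "Key : Value" parser; a blank line ends one entry.
    param([string]$Text)
    $blocks = New-Object System.Collections.Generic.List[hashtable]
    $cur = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line.Trim() -eq '') { if ($cur.Count) { $blocks.Add($cur); $cur = @{} }; continue }
        if ($line -match '^\s*(?<k>[^:]+?)\s*:\s*(?<v>.*?)\s*$') { $cur[$Matches['k']] = $Matches['v'] }
    }
    if ($cur.Count) { $blocks.Add($cur) }
    return $blocks
}

function Find-PolicyFileOriginator {
    param([hashtable[]]$IdTable, [string]$FileName, [string]$PolicyGuid)
    $byGuid = @{}
    foreach ($e in $IdTable) { if ($e.FileGuid) { $byGuid[$e.FileGuid] = $e } }
    foreach ($e in $IdTable) {
        if ($e.FileName -ne $FileName) { continue }
        # Walk the ParentGuid chain upward until the GPO folder (or the root) is reached,
        # so GptTmpl.inf files of other GPOs are ignored.
        $p = $e; $hops = 0
        while ($p -and $p.FileName -ne $PolicyGuid -and $hops -lt 32) {
            $p = if ($p.ParentGuid -and $byGuid.ContainsKey($p.ParentGuid)) { $byGuid[$p.ParentGuid] } else { $null }
            $hops++
        }
        if ($p -and $p.FileName -eq $PolicyGuid) {
            [pscustomobject]@{ FileGuid = $e.FileGuid; Version = $e.VersionNumber; OriginatorGuid = $e.OriginatorGuid }
        }
    }
}

function Resolve-FrsOriginator {
    param([hashtable[]]$ConfigTable, [string]$OriginatorGuid)
    foreach ($m in $ConfigTable) {
        if ($m.ReplicaVersionGuid -eq $OriginatorGuid) { return $m.ComputerDnsName }
    }
    return '(no member with that ReplicaVersionGuid; possibly a removed DC)'
}

$idTable  = ConvertFrom-KeyValueBlocks -Text $IdTableText
$cfgTable = ConvertFrom-KeyValueBlocks -Text $ConfigTableText

Find-PolicyFileOriginator -IdTable $idTable -FileName 'GptTmpl.inf' -PolicyGuid $GpoGuid |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Originator -NotePropertyValue (Resolve-FrsOriginator -ConfigTable $cfgTable -OriginatorGuid $_.OriginatorGuid) -PassThru
    } | Format-Table FileGuid, Version, OriginatorGuid, Originator -AutoSize
```

With the sample, the only row is the GptTmpl.inf under {31B2F340-...}, version 41, originated by dc10.child.example.local; the second GptTmpl.inf belongs to another GPO and is skipped. For the real thing, capture ntfrsutl idtable on the DC that shows the wrong value and ntfrsutl configtable on any DC, save both to text files and pass their contents as -Text. If the originator resolves to a DC other than the PDC emulator, that DC is the one writing the old policy back, and its event log and SYSVOL copy are where to look next.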
Re: [ActiveDir] Default Domain Policy Issues
One more thing - since you are on Win2k you might as well make sure you are on the latest Win2k FRS version - which is 896712 (you'll need to call into PSS to get this one).

steve

- Original Message -
From: Steve Patrick [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 12:37 PM
Subject: Re: [ActiveDir] Default Domain Policy Issues

[snip]
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
I completely agree with Steve here...if you don't see a problem, don't call. But if it's bugging the hell out of you and is worth the dime (a few dimes, actually) then do what you need to do :-)

Are there any other items in your FRSDiag that are alarming or is this one the only one? If you don't see other indications of a problem currently happening, then they won't have much to troubleshoot if you called anyway :-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Tuesday, June 28, 2005 3:07 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

So even though you are replicating fine both ways and you don't see any real problem - you want to open a PSS case for this error in a debug log? Is this a consistent error in your FRS logs or was it a one time error?

I dunno - just seems kinda silly to me to troubleshoot something which may have been a passing network hiccup or is simply not occurring any more. FRSDiag is simply parsing out your FRS logs for keywords - as long as those entries are in your logs (until the logs wrap) you will get the alert. The real deal is to see if your latest log entries have the same error.

my .02

steve

----- Original Message -----
From: Robert N. Leali [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Tuesday, June 28, 2005 11:38 AM
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Tried your suggestion and the file does replicate in both directions in the sysvol folder. Firewalls are off on both DC's and I successfully did portqry on the ports shown in the KB article (NtFRS Service MS NT Directory DRS). My ports were slightly different but I was guessing that was expected behavior. (DC1 used 1071,1025,1030 and DC2 used 1053,1026,1027)

Guess I'll take your other advice and open a case with PSS.

Thanks!
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Hey Robert...you mentioned I can put a txt file in my sysvol share on one DC and see it replicate to the other DC. Which DC did you put the file on? My point is that maybe replication is broken in only one direction. Try putting a file on each DC named DCNAME.txt and see if you see that file replicate in *both* directions.

Usually that error would indicate that there are RPC communication problems or that the FRS service is stopped but you said it was running. Maybe FRS is broken in one direction due to the firewall running on the other side (just a stab in the dark without knowing if FRS is replicating in both directions yet).

FRS is pretty sticky sometimes and the detailed documentation is rather difficult to come across...it may be a good idea to open a case with PSS if you really wanna get to the bottom of things. Or you can feel free to keep posting here but it may take weeks to get all the details out so that any progress would be made (FRS is hard enough to troubleshoot in person sometimes...hehe)

I hope that was helpful; have a great afternoon!

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 10:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

I'm getting the following error when I run the FRSDIAG utility.

FRSDiag v1.7 on 6/28/2005 8:08:25 AM
.\jao-dc1 on 2005-06-28 at 8.08.25 AM
Checking for errors in Directory Service Event Log passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
ERROR on NtFrs_0004.log : EPT_S_NOT_REGISTERED(This may indicate that DNS returns the IP address of the wrong computer. Check DNS records being returned, Check if FRS is currently running on the target server. Check if Ntfrs is registered with the End-Point-Mapper on target server!) : SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on
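Steve's point above (FRSDiag only greps the NtFrs logs for keywords, so what matters is whether the newest log still carries the error) worked through as an added Python example; it is not FRSDiag's or anyone on the list's code. It assumes NtFrs_nnnn.log files roll over with increasing sequence numbers (highest number = newest) and the error-line layout quoted in the thread; every log line in it is a constructed sample.

```python
"""Is an FRS debug-log error still current, or only sitting in a log that has not wrapped yet?

Added example (not FRSDiag's code). Assumptions: NtFrs_nnnn.log files roll over
with increasing sequence numbers, and the error line has the layout quoted in
the thread. All log lines below are constructed samples.
"""
import re

# Layout of the quoted line:
#   SndCsMain: 700: 883: S0: 18:16:33 ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR_RE = re.compile(
    r"(?P<func>\w+):\s+(?P<pid>\d+):\s+(?P<tid>\d+):\s+S\d+:\s+"
    r"(?P<time>\d\d:\d\d:\d\d).*?\+\+\s+ERROR\b.*?WStatus:\s*(?P<status>[A-Z0-9_]+)"
)
LOG_NAME_RE = re.compile(r"NtFrs_(\d{4})\.log$", re.IGNORECASE)


def log_sequence(name):
    """Sequence number of an NtFrs_nnnn.log file name (orders logs oldest to newest)."""
    m = LOG_NAME_RE.search(name)
    if not m:
        raise ValueError("not an NtFrs_nnnn.log name: %s" % name)
    return int(m.group(1))


def scan_logs(logs, status="EPT_S_NOT_REGISTERED"):
    """Map each log file name to the matching error entries it contains.

    logs: dict of file name -> iterable of lines. Each entry records the line
    number, the thread function and the hh:mm:ss stamp from the log line.
    """
    hits = {}
    for name in sorted(logs, key=log_sequence):
        entries = []
        for lineno, line in enumerate(logs[name], 1):
            m = ERROR_RE.search(line)
            if m and m.group("status") == status:
                entries.append({"line": lineno, "func": m.group("func"), "time": m.group("time")})
        hits[name] = entries
    return hits


def classify(hits):
    """'current' if the newest log has the error, 'stale' if only older (not yet
    wrapped) logs do, 'clear' if no log does."""
    if not hits:
        return "clear"
    newest = max(hits, key=log_sequence)
    if hits[newest]:
        return "current"
    if any(hits.values()):
        return "stale"
    return "clear"


def last_seen(hits):
    """(log name, time stamp) of the most recent occurrence, or None."""
    for name in sorted(hits, key=log_sequence, reverse=True):
        if hits[name]:
            return name, hits[name][-1]["time"]
    return None


def report(logs, status="EPT_S_NOT_REGISTERED"):
    """One-line verdict: is the flagged error still happening in the newest log?"""
    hits = scan_logs(logs, status)
    seen = last_seen(hits)
    where = "%s at %s" % seen if seen else "nowhere"
    return "%s: %s (last seen %s)" % (status, classify(hits), where)


# Constructed sample: the error appears twice in NtFrs_0004.log and the newer
# NtFrs_0005.log is clean, i.e. the "passing hiccup" case from the thread.
SAMPLE_LOGS = {
    "NtFrs_0005.log": [
        "<FrsMain:   1392:  1130: S0: 08:01:12> :S: Service started",
        "<SndCsMain:  700:   883: S0: 08:05:40> :SR: Cmd 00B3E2A0, CxtG sent OK",
    ],
    "NtFrs_0003.log": [
        "<SndCsMain:  700:   883: S0: 17:58:02> :SR: Cmd 00B3E2A0, CxtG sent OK",
    ],
    "NtFrs_0004.log": [
        "<SndCsMain:  700:   883: S0: 18:10:05> ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED",
        "<SndCsMain:  700:   883: S0: 18:12:31> :SR: Cmd 00B3E2A0, CxtG retry",
        "<SndCsMain:  700:   883: S0: 18:16:33> ++ ERROR - EXCEPTION (06d9) : WStatus: EPT_S_NOT_REGISTERED",
    ],
}

if __name__ == "__main__":
    print(report(SAMPLE_LOGS))
    # -> EPT_S_NOT_REGISTERED: stale (last seen NtFrs_0004.log at 18:16:33)
```

Point `SAMPLE_LOGS` at real files by reading each NtFrs_*.log from the FRS debug-log directory into a list of lines; a "stale" verdict means the alert is a leftover, a "current" one means the endpoint-mapper problem is still live.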
[ActiveDir] Of interest to anyone ? - Release of Update Rollup 1 for Windows 2000 Service Pack 4
Security Advisories Updated or Released Today
==
Security Advisory (891861)
Title: Release of Update Rollup 1 for Windows 2000 Service Pack 4 (SP4)
Web site: http://go.microsoft.com/fwlink/?LinkId=49772

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Isn't it kind of overwhelming to get a read receipt from everyone on the dlist?

Dana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED

Robert, hold on a sec, before you open a case. Are those your only two DC's? Their names are DC1 and DC2??

In your FRS debug log, you see that the EPT_S_NOT_REGISTERED is referring to jao-ad.lajao.org. Was jao-ad at some point a domain controller or does that name have any other significance to you? If that used to be a DC, then I'd recommend going through this article to remove all the metadata junk:

216498 How to remove data in Active Directory after an unsuccessful domain
http://support.microsoft.com/?id=216498

You didn't mention any other problems, but if you once had this jao-ad server as a DC then the KCC on your other DC's would be complaining in the event log because they can't replicate with jao-ad.

If I just saved you $245, a big THANK YOU will do :-) Come to think of it, if I just saved YOU $245 dollars then I just cost myself $245 dollars (I own part of the company of course). Please disregard everything above...LOL :-)

Robert Williams, MCSE NT4/2K/2K3, Security+
Infrastructure Rapid Response Engineer
Northeast Region
Microsoft Corporation
Global Solutions Support Center

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert N. Leali
Sent: Tuesday, June 28, 2005 2:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
Sorry, it was the one before yours that requested a read receipt.

Dana

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Williams (RRE)
Sent: Tuesday, June 28, 2005 11:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] FRSDiag - EPT_S_NOT_REGISTERED
RE: [ActiveDir] OT: Outlook Web Access Split DNS
The correct domain is actually set in ESM (and changes are replicated to IIS), but the OWA web site still requires users to enter the domain name with their username. The same thing happens both internally and externally when accessing the OWA site.

Assume the following:
Internal DNS domain name: domain.org
External DNS domain name: domain.com
NetBIOS domain name: domain

If I just enter username and password, the login fails, and the logon box returns with domain.com\username in the username field. That won't work, though, as the user accounts exist in the internal domain. If you enter either domain.org\username or domain\username, and a password, you log in just fine.

The fact that the failed logon returns with the external domain name appended to the username makes me think this is a DNS issue, but I'm pretty new to Exchange so that's just my shot in the dark. Any other suggestions on where to look?

Thanks!
--Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Crawford, Scott
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

Well, you can, and it will work for a while, but Exchange will reset it to whatever is set in Exchange Enterprise Manager. You can change it by browsing to Organization/Administrative Group/Servers/Server/Protocols/HTTP/Exchange Virtual Server/Exchange, right click Exchange, Properties, Access tab, Authentication and set whatever options you like. Whatever you set here will show up in IIS.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, June 27, 2005 5:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS

This isn't my specialty but I believe you can set the default auth domain in the IIS settings where you configure authentication types.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lamberty, Dave
Sent: Monday, June 27, 2005 6:00 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Outlook Web Access Split DNS

When users log in to our Outlook Web Access site, they must enter their username in the format domainname\username, as the domain name isn't being passed. I'd like to be able to pass the domain name so users don't have to remember to enter it when they log on (and reduce help desk call volume by about 50%...).

We're not using ISA Server, and have just a single Exchange 2003 server for our mail. AD is 2003 mixed mode, soon to be switched to native mode. We have a split DNS structure, where the OWA page resides in a different DNS domain than our AD user accounts, and I'm wondering if that might be part of the problem.

Does anyone know how (or if it's possible) to pass OWA a different domain name?

Thanks!
--Dave
RE : [ActiveDir] OT: Outlook Web Access Split DNS
Hi :)

If I understand you, you set domain in the ESM and the logon page always returns domain.com\username?

1) Try to set domain.org in ESM rather than domain
2) See this link on hard-coding the domain in the Logon.asp file of your OWA logon page: http://www.msexchange.org/tutorials/OWA2003Forms-based-Authentication-default-domain.html

That supposes you use FBA (Forms-based Authentication) in your Exchange.

Let us know how it goes for you :)

Cheers,
Yann

From: [EMAIL PROTECTED] on behalf of Lamberty, Dave
Date: Tue 28/06/2005 22:59
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Outlook Web Access Split DNS
RE: [ActiveDir] OT: Outlook Web Access Split DNS
I'm not using FBA, and I've tried several different forms of domain names (e.g., domain, domain\, domain.org, domain.org\). None seem to work. Or, as I just discovered, they don't work with IE (at least on XP SP2). Setting the default domain to domain\ works if you're using Firefox--you get right in without specifying a domain in the username field. I'd have expected them to both be the same, or if one worked it would be IE. Not so.

I've inherited this Exchange server, and the guy who set it up is long gone (isn't this a familiar theme on this list?). I'm considering just whacking the whole thing and starting over, but I'm new enough to Exchange to know that may not be advisable in the short term. People are currently able to send and receive e-mail, so it's not totally hosed up. Looks like I'll be doing a little reading over the holiday weekend, though.

If anyone has any other advice, I'd appreciate it.

Thanks!
--Dave

From: [EMAIL PROTECTED] on behalf of TIROA YANN
Sent: Tue 6/28/2005 16:36
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] OT: Outlook Web Access Split DNS
[ActiveDir] Group Management
Hi all, sorry up front for the long post.

I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group. I don't mean the security around the administration, but the supporting business processes and workflows.

We've just centralized security administration, and this has created a problem with group administration on quite a large scale. Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data...you can see the problem developing here. The problem is really two-fold: the security aspects, as well as the time it takes to complete the request. (Multiply it by 1500 requests a day and the admins are really backed up.)

I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it.

Thanks in advance,
rb
RE: [ActiveDir] Group Management
I wish we had a system to do that here. I won't create any group without the managed by attribute being populated. This way I can then pass off the membership management to whomever. I haven't really identified yet the magnitude of the problem here, but we're going to figure out a way to get that attribute populated on as many groups as possible and then it will tie into a web portal for AD mgmt that we're developing in house. IMHO that's the way to go.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 28, 2005 10:05 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Group Management
RE: [ActiveDir] DNS Scavenging
Glad to hear it. Thanks! :) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB Sent: Tuesday, June 28, 2005 2:17 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Scavenging Marcus, That article is spot on. It cleared up all of my confusion. Great Job! Thanks, -Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 28, 2005 12:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Scavenging Hey Tim, I wrote this a while back when I was trying to understand the whole process. Might help you... http://myitforum.techtarget.com/articles/16/view.asp?id=6287 :m:dsm:cci:mvp -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB Sent: Tuesday, June 28, 2005 9:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Scavenging Ok, so if using the default DHCP lease time of 8 days, I should have both the refresh and no-refresh set to 7 days. Once I identify my static records and I manually age all of the records, I am still going to have to wait at least 7 days for them to clean themselves up even if I force scavenging correct? Thanks, -Tim -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, June 28, 2005 3:33 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Scavenging Hi, A quote: ## The refresh interval must be long enough to allow all servers that maintain resource records to update their timestamps. Because the Dynamic Host Configuration Protocol (DHCP) server is usually the last server to update its records, you can monitor DHCP records to make sure you have scheduled enough time for updates. If records are being scavenged too soon, use the DNS console to set this value back to the default value of one week (168 hours). 
## The rule: At zone level AGING is default configured to prevent dynamic refreshes of resource records the first 7 days of their existance. This prevents unnecessary replication traffic because clients/servers update their records all the time. The no-refresh interval by default is configured to the same value of the refresh interval. It is best to keep these two values the same. De second 7 days dynamic refreshes are allowed. The refresh interval preferably has a value that is the same as the maximum time possible, in normal circumstances, to refresh/update a record. The latter applies to DHCP clients clients (see quote above). The DHCP lease duration is by default the longest period, and the period within the lease duration a client tries to update its lease is 87,5% of it. In short: no-refresh value = refresh value refresh value = 87,5% DHCP lease duration Cheers, #JORGE# From: Wright, T. MR NSSB [mailto:[EMAIL PROTECTED] Sent: Tue 6/28/2005 4:42 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DNS Scavenging Thanks for your response. I have one more question, is the recommended settings still one hour for no-refresh and 7 days for refresh? This is what I initially had it set to but since it didn't appear to be working I lowered the intervals. I think I will start by dumping the zone and sorting out the static entries, I don't think there are too many so it shouldn't be too difficult, I just wanted to be sure that I didn't miss any. The zones that I am concerned with are all AD integrated, but scavenging was turned on after the fact. 
Thanks, -Tim From: [EMAIL PROTECTED] on behalf of David Adner Sent: Mon 6/27/2005 7:40 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS Scavenging First off, you need to be careful with such low no refresh/refresh intervals since, for example, 2003 computers only refresh their records every 24 hours (it initially refreshes faster, but it uses ever-widening intervals until it reaches 24 hours). For your primary concern, you can enable Advanced in the DNS console and view the properties of your old records. If you don't see a timestamp then they won't fall under the scavenging rules. You can also use dnscmd.exe /zoneexport to dump the entire zone(s) to a file. You'll see an [Age:###] (Or maybe it's Aging:) value for records with timestamps. If your zone used to be a standard primary zone and you never had scavenging enabled on it then any dynamically registered records into that zone would have not received a timestamp. An AD integrated zone with scavenging disabled will cause an initial timestamp to be recorded for dynamically registered records but won't cause them to be refreshed until scavenging is enabled. As for easier ways to address your issue, I'm unaware of a solution
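Tim's plan of dumping the zone and sorting out the static entries, together with David's pointer that dnscmd /zoneexport marks timestamped records with an [Age:###] (or Aging:) token and Jorge's 7-day no-refresh plus 7-day refresh rule, worked through as an added Python example. This is not code from the thread or from any Microsoft tool. The zone export text and the "current time" are constructed samples; that the aging token counts hours since 1 January 1601 UTC and that the label may be spelled either Age or Aging are assumptions the parser is written to tolerate.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a dnscmd /zoneexport file (not a real export).
# Records carrying an [Aging:N] token were registered dynamically and have a
# timestamp; records without one are static and are never scavenged.
SAMPLE_ZONE_EXPORT = """\
;  Zone:    corp.example.test   (constructed sample)
;  Server:  dc1.corp.example.test
$TTL 3600
dc1              3600  A   10.0.0.1
printer01        3600  A   10.0.0.50
ws001   [Aging:3545600]  1200  A   10.0.1.11
ws002   [Aging:3545300]  1200  A   10.0.1.12
ws003   [Aging:3541000]  1200  A   10.0.1.13
"""

# Assumption: the aging token is hours since 1 Jan 1601 UTC, and the label may be
# spelled "Age" or "Aging" (David was unsure which), so both are accepted.
AGING_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+"
    r"(?:\[(?i:aging|age):(?P<age>\d+)\]\s+)?"
    r"(?:(?P<ttl>\d+)\s+)?"
    r"(?P<type>[A-Z]+)\s+"
    r"(?P<data>.+)$"
)

SAMPLE_NOW = datetime(2005, 6, 28, 9, tzinfo=timezone.utc)  # constructed "current time"


def hours_since_1601(when: datetime) -> int:
    """Convert a UTC datetime into the hour count DNS aging uses."""
    return int((when - AGING_EPOCH).total_seconds() // 3600)


def timestamp_to_datetime(hours: int) -> datetime:
    """Inverse of hours_since_1601, for reading an [Aging:N] token."""
    return AGING_EPOCH + timedelta(hours=hours)


def parse_zone_export(text: str) -> list:
    """Return a list of dicts: name, type, data, and age (int hours, or None if static)."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("$"):
            continue  # comments and directives carry no records
        m = RECORD_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than misclassify
        age = m.group("age")
        records.append({
            "name": m.group("name"),
            "type": m.group("type"),
            "data": m.group("data").strip(),
            "age": int(age) if age is not None else None,
        })
    return records


def classify(records: list, now: datetime,
             no_refresh_hours: int = 168, refresh_hours: int = 168) -> dict:
    """Split records into static (no timestamp), fresh, and scavengeable.

    A timestamped record becomes eligible for scavenging only once it is older
    than no-refresh + refresh; with Jorge's defaults that is 7 + 7 days (336 h).
    """
    now_h = hours_since_1601(now)
    out = {"static": [], "fresh": [], "scavengeable": []}
    for r in records:
        if r["age"] is None:
            out["static"].append(r["name"])
        elif now_h - r["age"] > no_refresh_hours + refresh_hours:
            out["scavengeable"].append(r["name"])
        else:
            out["fresh"].append(r["name"])
    return out


def report(text: str = SAMPLE_ZONE_EXPORT, now: datetime = SAMPLE_NOW) -> dict:
    """Classify a zone export against the current time."""
    return classify(parse_zone_export(text), now)


if __name__ == "__main__":
    for bucket, names in report().items():
        print(f"{bucket:13s} {', '.join(names) or '-'}")
```

Running it against a real export is a cheap way to answer Tim's two questions before forcing scavenging: the "static" list is what will never be touched, and nothing in "fresh" can disappear until it has aged past both intervals, whatever the scavenging period is set to.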
RE: [ActiveDir] Group Management
We do the vast majority of our group management via a custom web interface. The system is self-service and requires no approval process for creating a group. We do enforce some semantics and business rules though. For example, we enforce specific naming conventions, require a sponsor to be named (manager+ level internally), 2+ owners (can be valid users or other security groups) and a valid description. We allow users to create security groups, mail-enabled distro groups or mail-enabled security groups. Owners can modify or delete the group. Name changes are not allowed after creation. We also support email change notifications for different types of events, an expiration process where groups have to be renewed periodically and a background process that ensures that groups maintain the business rules enforced by the UI in the event that sponsors and owners leave the organization or owner groups are deleted. This app manages about 60K groups in a single domain with about 110K users. It works really well for us. The original web app took about 2 months for 2 guys to build and is 100% ASP.NET. Note that all of the security in the app is application-managed, in that a super user account makes all of the modifications and enforces the security policy in the business rules. We chose this approach to prevent people from using AD UC to modify groups or any other LDAP code. We also use custom schema for representing all of the security attributes instead of DACLs as DACLs are a PITA to program and can't be queried effectively (which groups do I own or sponsor? etc.). Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 28, 2005 10:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Management Hi all, sorry up front for the long post. I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group.
I don't mean the security around the administration, but the supporting business processes and workflows. We've just centralized security administration, and this has created a problem with group administration on quite a large scale. Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data...you can see the problem developing here. The problem is really two-fold, the security aspects, as well as the time it takes to complete the request. (multiply it by 1500 requests a day and the admins are really backed up) I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it. Thanks in advance, rb This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.
RE: [ActiveDir] Group Management
Did you consider using SQL to store all the metadata for the groups? That's what I'm doing now, or planning to, but I'd be interested to hear if you debated this what the final reasoning was. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 28, 2005 10:43 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Group Management We do the vast majority of our group management via a custom web interface. The system is self-service and requires no approval process for creating a group. We do enforce some semantics and business rules though. For example, we enforce specific naming conventions, require a sponsor to be named (manager+ level internally), 2+ owners (can be valid users or other security groups) and a valid description. We allow users to create security groups, mail-enabled distro groups or mail-enabled security groups. Owners can modify or delete the group. Name changes are not allowed after creation. We also support email change notifications for different types of events, an expiration process where groups have to be renewed periodically and a background process that ensures that groups maintain the business rules enforced by the UI in the event that sponsors and owners leave the organization or owner groups are deleted. This app manages about 60K groups in a single domain with about 110K users. It works really well for us. The original web app took about 2 months for 2 guys to build and is 100% ASP.NET. Note that all of the security in the app is application-managed, in that a super user account makes all of the modifications and enforces the security policy in the business rules. We chose this approach to prevent people from using AD UC to modify groups or any other LDAP code.
We also use custom schema for representing all of the security attributes instead of DACLs as DACLs are a PITA to program and can't be queried effectively (which groups do I own or sponsor? etc.). Joe K. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, June 28, 2005 10:05 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Group Management Hi all, sorry up front for the long post. I'm curious how larger organizations manage groups in AD, with respect to authorizing users to be added to/removed from a group. I don't mean the security around the administration, but the supporting business processes and workflows. We've just centralized security administration, and this has created a problem with group administration on quite a large scale. Our security admins will get a request to add UserA to GroupA. Since they have inherited the job, there isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or a business owner like the Radiology dept. If it's a group that ultimately gets you admin rights on all SQL servers or access to patient data...you can see the problem developing here. The problem is really two-fold, the security aspects, as well as the time it takes to complete the request. (multiply it by 1500 requests a day and the admins are really backed up) I'm wondering if anyone has had success with a self-service web-based request system, or something similar, and what made it successful? Ideally, the goal here is to get a detailed request into the admin group with all the info and approvals already in it. Thanks in advance, rb
RE: [ActiveDir] Error while adding user to AD
Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003 if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1 so if you are running into this particular scenario on Windows Server 2003 RTM and can not go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public). I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case using the handy err.exe tool that is available on the download.microsoft.com site you will find that the error you received is:
C:\tools>err 052D
# for hex 0x52d / decimal 1325 : ERROR_PASSWORD_RESTRICTION winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for 052D
So now that you have read all of this you are saying prove it to me so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course if you run it against Windows Server 2003 SP1 it will be successful:
1) Ensure you have a password policy enabled requiring complexity and minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice
4) Right click and Select Add child, modifying the DN to be the new user you want to create
5) Enter the following attributes in this order
objectclass: top;user;person;organizationalperson
samaccountname: yourchoice
useraccountcontrol: 512
unicodepwd: \UNI:yourpassword
6) Select RUN and you will get the error above on a Windows Server 2003 machine.
If you set the useraccountcontrol attribute after the unicodepwd attribute, assuming the password meets the complexity requirements, then it will succeed without throwing an error. Also note that the quotes are needed when specifying the password when using the \UNI: switch which tells LDP to pass the password in Unicode. One provisioning tool that was affected by this issue was HP Openview Select Identity.
Thanks, -Steve
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, June 27, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error while adding user to AD Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately.
How can I force it?
- Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 5:38 AM Subject: RE: [ActiveDir] Error while adding user to AD That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, June 27, 2005 7:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error while adding user to AD Active Directory password policy was set as follows:
Policy Setting
Enforce password history 0 passwords remembered
Maximum password age 999 days
Minimum password age 0 days
Minimum password length 8 characters
Password must meet complexity requirements Disabled
Store passwords using reversible encryption Disabled
Provisioning new accounts failed even though our passwords are longer than 8 characters. When modifying the policy to a minimum length of 0 characters provisioning works. Any pointers of how this happened? Regards, Mayuresh
- Original Message - From: Gil Kirkpatrick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 4:57 AM Subject: RE: [ActiveDir] Error while adding user to AD This sort of error happens when the user you are provisioning doesn't meet
RE: [ActiveDir] Error while adding user to AD
Resending due to a formatting error on my part, sorry for the duplicate post but it is much easier to read with the lines wrapped. -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Tuesday, June 28, 2005 11:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Error while adding user to AD Just to add a few more things to the thread. If this is Windows Server 2003 RTM then you may be hitting a known issue if your provisioning tool uses LDAP to create the accounts and the attributes are not in a specific order. Due to a change made in Windows 2003 if you created a user using LDAP and the unicodepwd attribute was not specified before the useraccountcontrol attribute in your LDAP Modification request and the useraccountcontrol was not setting the account disabled then we would return the error that the password did not meet complexity requirements even if the password did meet the requirements. Since LDAP operations are supposed to be atomic this behavior was incorrect and a fix was created. This fix is in Windows Server 2003 SP1 so if you are running into this particular scenario on Windows Server 2003 RTM and can not go to SP1 then you can call Microsoft and request the hotfix for KB 891299 (note this KB is currently not public). I also wanted to point out that the DSID number will not normally be that helpful to those outside of Microsoft and that the DSID can have different values across different versions of the binary even if it is referring to the same error. What can be helpful however is the first part of the error after the Server_Info tag because it is an error/status message. In this case using the handy err.exe tool that is available on the download.microsoft.com site you will find that the error you received is:
C:\tools>err 052D
# for hex 0x52d / decimal 1325 : ERROR_PASSWORD_RESTRICTION winerror.h
# Unable to update the password. The value provided for the
# new password does not meet the length, complexity, or
# history requirement of the domain.
# 1 matches found for 052D
So now that you have read all of this you are saying prove it to me so here are the repro steps that will produce the above error on Windows Server 2003 RTM (note Windows 2000 server was not affected) and of course if you run it against Windows Server 2003 SP1 it will be successful:
1) Ensure you have a password policy enabled requiring complexity and minimum characters.
2) Fire up LDP and connect via SSL to the DC of your choice.
3) Perform a simple bind and then select the User OU of your choice
4) Right click and Select Add child, modifying the DN to be the new user you want to create
5) Enter the following attributes in this order
objectclass: top;user;person;organizationalperson
samaccountname: yourchoice
useraccountcontrol: 512
unicodepwd: \UNI:yourpassword
6) Select RUN and you will get the error above on a Windows Server 2003 machine.
If you set the useraccountcontrol attribute after the unicodepwd attribute, assuming the password meets the complexity requirements, then it will succeed without throwing an error. Also note that the quotes are needed when specifying the password when using the \UNI: switch which tells LDP to pass the password in Unicode. One provisioning tool that was affected by this issue was HP Openview Select Identity.
Thanks, -Steve
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, June 27, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error while adding user to AD Thanks a lot Joe. I'll try this out. One more query. After I've changed my password policy, they don't seem to be reflected immediately. How can I force it?
- Original Message - From: joe [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Tuesday, June 28, 2005 5:38 AM Subject: RE: [ActiveDir] Error while adding user to AD That DSID can pop up when an account is improperly created. I.E. Someone is trying to set the account enabled in the actual creation of the account when there is password length policy. If you have a password length policy you need to create the account disabled, then set a password, then enable it. It sounds like the meta directory product doesn't know how to properly create an account in AD.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, June 27, 2005 7:42 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Error while adding user to AD Active Directory password policy was set as follows:
Policy Setting
Enforce password history 0 passwords remembered
Maximum password age 999 days
Minimum password age 0 days
Minimum password length 8 characters
Password must meet complexity
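Steve's attribute-ordering repro and joe's "create disabled, set password, then enable" advice, worked through as an added Python example. This is not code from the thread, from HP Select Identity, or from any Microsoft tool. The userAccountControl bit values and the quoted UTF-16LE encoding that unicodePwd requires (what LDP's \UNI: switch does for you) are standard AD facts; add_request_is_safe is a hypothetical lint helper a provisioning tool could run on its own requests, and the account name and password are constructed. The block only builds the request payloads and never contacts a directory; a real tool would send them over LDAPS, as Steve's LDP steps do.

```python
from typing import List, Tuple

# userAccountControl bits (values from Microsoft's ADS_USER_FLAG enumeration)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200  # 512, the value used in Steve's repro

Attr = Tuple[str, object]


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE.

    This is what LDP's \\UNI: switch does for you; in your own code it has to be
    done explicitly, and the request must travel over LDAPS/TLS.
    """
    return f'"{password}"'.encode("utf-16-le")


def build_single_add(sam: str, password: str) -> List[Attr]:
    """One add request that creates the account enabled.

    unicodePwd is deliberately listed before userAccountControl: that is the
    order Steve reports working on 2003 RTM.
    """
    return [
        ("objectClass", ["top", "person", "organizationalPerson", "user"]),
        ("sAMAccountName", sam),
        ("unicodePwd", encode_unicode_pwd(password)),
        ("userAccountControl", str(UF_NORMAL_ACCOUNT)),
    ]


def build_three_step(sam: str, password: str) -> List[Tuple[str, list]]:
    """joe's sequence: create disabled, set the password, then enable.

    Three operations instead of one, but no dependence on attribute order at all.
    """
    return [
        ("add", [
            ("objectClass", ["top", "person", "organizationalPerson", "user"]),
            ("sAMAccountName", sam),
            ("userAccountControl", str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE)),  # 514
        ]),
        ("modify", [("replace", "unicodePwd", encode_unicode_pwd(password))]),
        ("modify", [("replace", "userAccountControl", str(UF_NORMAL_ACCOUNT))]),
    ]


def add_request_is_safe(attrs: List[Attr]) -> bool:
    """Hypothetical lint: does this add request avoid the 2003 RTM ordering trap?

    Safe when the request creates the account disabled, omits one of the two
    attributes, or lists unicodePwd before userAccountControl.
    """
    names = [name.lower() for name, _ in attrs]
    if "unicodepwd" not in names or "useraccountcontrol" not in names:
        return True
    uac = int(dict((n.lower(), v) for n, v in attrs)["useraccountcontrol"])
    if uac & UF_ACCOUNTDISABLE:
        return True  # disabled-at-creation never triggered the bogus error
    return names.index("unicodepwd") < names.index("useraccountcontrol")


if __name__ == "__main__":
    good = build_single_add("jdoe", "Example-Passw0rd")      # constructed sample
    bad = [good[0], good[1], good[3], good[2]]                # same attributes, UAC first
    print("ordered add safe:", add_request_is_safe(good))
    print("reversed add safe:", add_request_is_safe(bad))
    for op, payload in build_three_step("jdoe", "Example-Passw0rd"):
        print(op, payload)
```

The three-step form is the one to prefer in a provisioning tool: it behaves the same on RTM and SP1, and if the password is rejected the account is left disabled rather than half-created and enabled.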