[ActiveDir] OT - Promodag

2005-07-12 Thread Brian Desmond



Has anyone here got experience with the Promodag Exchange
reporting solution? They bought it here. Produces interesting statistics, but,
it's a POS application so far as I can tell. I'm trying to figure out if I can
either schedule their crappy reports to run off hours or optimize its shoddy
SQL perf.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
 


RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Eric Fleischman
For clarity, this is the flag I'm making reference to:

1> systemFlags: 0x10 = ( FLAG_SCHEMA_BASE_OBJECT );

If that is set on a schema element, my contention is that on an SP1 DC
it should not allow you to set the confidential bit.

Show me a counterexample please.

~Eric



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, July 12, 2005 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking
for a list of SP1 changes? I think it was this DL..)

> > ~Eric wrote:
> > We actually block all base schema elements if I remember correctly.

> No you don't. Of the 1070 base schema attributes, you only block the
> 1007 ones that are marked as category 1. The remaining 63 attributes,
> such as msDS-ExternalKey, are not marked and therefore don't have this
> or any other protection for base schema attributes.

Looking at your example msds-externalkey, I don't see the base flags bit
set. Therefore, it would not be blocked.
Looking at the code right now, I stand by the earlier statement: we
block base schema elements. Base schema elements are defined as the
elements with the base schema flag set. All of them should be blocked.

Please show me an example of a base schema element with the base schema
flag set where I'm wrong.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Tuesday, July 12, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking
for a list of SP1 changes? I think it was this DL..)

Hi Brett and ~Eric,

Thanks for your comments on my confidential attribute post. Now I have
solved how to set the confidentiality in a way where unnecessary
permissions are not granted.

> Brett wrote:
> A) Small note, 0xF is 15 decimal and is equivalent to 
> 4 bits set (0b)

Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in
decimal. Fortunately this part was not about setting bits, but just
checking which base schema attributes have protection.

> Brett wrote (and ~Eric agreed):
> B) Why can't you grant the explicit extended right for reading the
> confidential attribute?  I assume there is one, there has to be.

No there isn't. I went through the 49 extended rights that exist in SP1,
and none of them seems to be for controlling confidentiality. This is
actually obvious, because each of them is linked to only certain object
classes, but the confidential attribute mechanism must apply to all
current and future object classes. Therefore, a specific extended right
cannot be used (unless Microsoft defined a fake rightsGuid for this,
without a corresponding controlAccessRight object in the Configuration
partition).

However, I now found out that the trick is to define a certain attribute
or property set with the control access permission. If you do this, the
trustee won't get normal extended rights, such as Reset Password.

This trick has been illegal so far, and therefore if you try it with
DSACLS, it will give you an error that you can specify an attribute or
property set only with WP (Write Property) and RP (Read Property)
permissions, not with CA (Control Access). So, the following is the
correct syntax, but neither the current DSACLS nor the R2 ADAM version
supports it yet:

dsacls "ou=demo,dc=sanao,dc=com" /G jim:ca;msDS-ExternalKey;

> ~Eric wrote:
> The LDP required for this is the LDP in R2's ADAM, not in the 
> currently shipping one. Sorry.

Yes, exactly. Just get R2 beta, locate ADAM in it, extract LDP.EXE from
there, and use that tool's Security Descriptor feature to add the
following ACE (preferably to an OU, and with the inherit flag on):
- specify Control access as the permission
- specify the desired attribute or property set as the Object type

> ~Eric wrote:
> We actually block all base schema elements if I remember correctly.

No you don't. Of the 1070 base schema attributes, you only block the
1007 ones that are marked as category 1. The remaining 63 attributes,
such as msDS-ExternalKey, are not marked and therefore don't have this
or any other protection for base schema attributes.

Yours, Sakari
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Eric Fleischman
> > ~Eric wrote:
> > We actually block all base schema elements if I remember correctly.

> No you don't. Of the 1070 base schema attributes, you only block the
> 1007 ones that are marked as category 1. The remaining 63 attributes,
> such as msDS-ExternalKey, are not marked and therefore don't have this
> or any other protection for base schema attributes.

Looking at your example msds-externalkey, I don't see the base flags bit
set. Therefore, it would not be blocked.
Looking at the code right now, I stand by the earlier statement: we
block base schema elements. Base schema elements are defined as the
elements with the base schema flag set. All of them should be blocked.

Please show me an example of a base schema element with the base schema
flag set where I'm wrong.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Tuesday, July 12, 2005 4:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: Confidential Attributes (was RE: [ActiveDir] Who was asking
for a list of SP1 changes? I think it was this DL..)

Hi Brett and ~Eric,

Thanks for your comments on my confidential attribute post. Now I have
solved how to set the confidentiality in a way where unnecessary
permissions are not granted.

> Brett wrote:
> A) Small note, 0xF is 15 decimal and is equivalent to 
> 4 bits set (0b)

Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in
decimal. Fortunately this part was not about setting bits, but just
checking which base schema attributes have protection.

> Brett wrote (and ~Eric agreed):
> B) Why can't you grant the explicit extended right for reading the
> confidential attribute?  I assume there is one, there has to be.

No there isn't. I went through the 49 extended rights that exist in SP1,
and none of them seems to be for controlling confidentiality. This is
actually obvious, because each of them is linked to only certain object
classes, but the confidential attribute mechanism must apply to all
current and future object classes. Therefore, a specific extended right
cannot be used (unless Microsoft defined a fake rightsGuid for this,
without a corresponding controlAccessRight object in the Configuration
partition).

However, I now found out that the trick is to define a certain attribute
or property set with the control access permission. If you do this, the
trustee won't get normal extended rights, such as Reset Password.

This trick has been illegal so far, and therefore if you try it with
DSACLS, it will give you an error that you can specify an attribute or
property set only with WP (Write Property) and RP (Read Property)
permissions, not with CA (Control Access). So, the following is the
correct syntax, but neither the current DSACLS nor the R2 ADAM version
supports it yet:

dsacls "ou=demo,dc=sanao,dc=com" /G jim:ca;msDS-ExternalKey;

> ~Eric wrote:
> The LDP required for this is the LDP in R2's ADAM, not in the 
> currently shipping one. Sorry.

Yes, exactly. Just get R2 beta, locate ADAM in it, extract LDP.EXE from
there, and use that tool's Security Descriptor feature to add the
following ACE (preferably to an OU, and with the inherit flag on):
- specify Control access as the permission
- specify the desired attribute or property set as the Object type

> ~Eric wrote:
> We actually block all base schema elements if I remember correctly.

No you don't. Of the 1070 base schema attributes, you only block the
1007 ones that are marked as category 1. The remaining 63 attributes,
such as msDS-ExternalKey, are not marked and therefore don't have this
or any other protection for base schema attributes.

Yours, Sakari


RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Sakari Kouti
Hi Brett and ~Eric,

Thanks for your comments on my confidential attribute post. Now I have solved how
to set the confidentiality in a way where unnecessary permissions are not
granted.

> Brett wrote:
> A) Small note, 0xF is 15 decimal and is equivalent to 
> 4 bits set (0b)

Thanks for catching my silly mistake. Yes, I meant 0x10, which is 16 in 
decimal. Fortunately this part was not about setting bits, but just checking 
which base schema attributes have protection.

> Brett wrote (and ~Eric agreed):
> B) Why can't you grant the explicit extended right for reading the
> confidential attribute?  I assume there is one, there has to be.

No there isn't. I went through the 49 extended rights that exist in SP1, and 
none of them seems to be for controlling confidentiality. This is actually 
obvious, because each of them is linked to only certain object classes, but the 
confidential attribute mechanism must apply to all current and future object 
classes. Therefore, a specific extended right cannot be used (unless Microsoft 
defined a fake rightsGuid for this, without a corresponding controlAccessRight 
object in the Configuration partition).

However, I now found out that the trick is to define a certain attribute or 
property set with the control access permission. If you do this, the trustee 
won't get normal extended rights, such as Reset Password.

This trick has been illegal so far, and therefore if you try it with DSACLS, it
will give you an error that you can specify an attribute or property set only
with WP (Write Property) and RP (Read Property) permissions, not with CA (Control
Access). So, the following is the correct syntax, but neither the current DSACLS
nor the R2 ADAM version supports it yet:

dsacls "ou=demo,dc=sanao,dc=com" /G jim:ca;msDS-ExternalKey;

> ~Eric wrote:
> The LDP required for this is the LDP in R2's ADAM, not in the 
> currently shipping one. Sorry.

Yes, exactly. Just get R2 beta, locate ADAM in it, extract LDP.EXE from there,
and use that tool's Security Descriptor feature to add the following ACE
(preferably to an OU, and with the inherit flag on):
- specify Control access as the permission
- specify the desired attribute or property set as the Object type

> ~Eric wrote:
> We actually block all base schema elements if I remember correctly.

No you don't. Of the 1070 base schema attributes, you only block the 1007 ones 
that are marked as category 1. The remaining 63 attributes, such as 
msDS-ExternalKey, are not marked and therefore don't have this or any other 
protection for base schema attributes.

Yours, Sakari
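The audit a practitioner would run to settle the exchange above, added here as an example (it is not from the thread or from either poster): it walks every attributeSchema object, records whether FLAG_SCHEMA_BASE_OBJECT (0x10 in systemFlags, the bit Eric quotes) and the confidential bit in searchFlags are set, and lists any attribute carrying both, which would be the counterexample Eric asks for. Assumed: the ActiveDirectory PowerShell module, a domain-joined session with read access to the schema partition, and the value 0x80 for the confidential searchFlags bit, which the thread itself does not state.

```powershell
# Added example, not from the thread: audit the schema for the two bits the
# discussion turns on. Assumes the ActiveDirectory module and read access to
# the schema naming context.
Import-Module ActiveDirectory

$FLAG_SCHEMA_BASE_OBJECT   = 0x10  # systemFlags bit quoted in the thread (LDP: FLAG_SCHEMA_BASE_OBJECT)
$FLAG_ATTR_IS_CONFIDENTIAL = 0x80  # searchFlags bit (fCONFIDENTIAL); value assumed from the
                                   # attributeSchema documentation, the page does not give it

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrs = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
                      -Properties lDAPDisplayName, systemFlags, searchFlags

$report = foreach ($a in $attrs) {
    # Both attributes are single-valued integers; treat an absent value as 0.
    $sys  = if ($null -ne $a.systemFlags) { [int]$a.systemFlags } else { 0 }
    $srch = if ($null -ne $a.searchFlags) { [int]$a.searchFlags } else { 0 }
    [pscustomobject]@{
        Attribute    = $a.lDAPDisplayName
        BaseObject   = [bool]($sys  -band $FLAG_SCHEMA_BASE_OBJECT)
        Confidential = [bool]($srch -band $FLAG_ATTR_IS_CONFIDENTIAL)
    }
}

# The split Sakari describes: base-flagged (protected) versus unflagged attributes.
$base    = @($report | Where-Object { $_.BaseObject })
$nonBase = @($report | Where-Object { -not $_.BaseObject })
"Attributes with FLAG_SCHEMA_BASE_OBJECT set : $($base.Count)"
"Attributes without it (confidential bit settable): $($nonBase.Count)"

# Anything listed here contradicts "all base schema elements are blocked".
$counter = @($report | Where-Object { $_.BaseObject -and $_.Confidential })
if ($counter.Count -gt 0) {
    "Base-schema attributes that nonetheless carry the confidential bit:"
    $counter | Sort-Object Attribute | Format-Table Attribute -AutoSize
} else {
    "No base-schema attribute carries the confidential bit."
}

# Non-base attributes that someone has already marked confidential; these are the
# ones whose read access now depends on a Control Access ACE rather than Read Property.
$report | Where-Object { $_.Confidential -and -not $_.BaseObject } |
    Sort-Object Attribute | Format-Table Attribute, BaseObject, Confidential -AutoSize
```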


RE: [ActiveDir] ADMT Group SID History

2005-07-12 Thread John Strongosky
Does the SID filtering apply to an NT 4.0 to W2K3 native AD migration?

john

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

yep, sounds just like the source domain's SIDs are being filtered when the
resource is still in the source domain (external.dev).  Realize that you
only need to disable SID filtering on the trust in the source domain - you
should leave it enabled on the target domain.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Dienstag, 12. Juli 2005 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

Have you turned off SID filtering on the Trust?

NETDOM trust DomainX /domain:DomainY /quarantine:No
/usero:DomainX\AdministratorX /passwordo:*

The * will cause a prompt for the password.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 July 2005 19:53
To: activedir@mail.activedir.org
Subject: [ActiveDir] ADMT Group SID History





All,
  I've been following the Sybex book, Mastering Windows 2003, to test an
inter-forest migration from external.dev to development.dev using the ADMT.
I have not received any errors during the migration and everything appears
to be set up correctly; however, I do not think the SID History is
functioning properly.

  I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and a
member of that group named "Pete". I have a member server in external.dev,
N060MSADDEV4, with a share named "Accounting". The Everyone group has been
removed from the ACL and the External\Accounting group has been given full
control.

  I migrate Accounting from external.dev to development.dev with the box
checked to migrate SID histories and I receive no errors. The new Accounting
group in development.dev should have a SID matching the one on the
Accounting group in external.dev, and since that group has access to
N060MSADDEV4\Accounting, any new member of Development\Accounting should be
able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
development.dev and place him in the new Accounting group and attempt to
connect to the share, and access is denied. If I then migrate N060MSADDEV4
to development.dev and add the equivalent security references for the target
object and leave the source references intact, I can then access the share
with Tom, but according to the book I should not have to do that. Am
I not doing something correctly in this test?



RE: [ActiveDir] ADMT Group SID History

2005-07-12 Thread Grillenmeier, Guido
yep, sounds just like the source domain's SIDs are being filtered when
the resource is still in the source domain (external.dev).  Realize
that you only need to disable SID filtering on the trust in the source
domain - you should leave it enabled on the target domain.

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: Dienstag, 12. Juli 2005 21:58
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADMT Group SID History

Have you turned off SID filtering on the Trust?

NETDOM trust DomainX /domain:DomainY /quarantine:No
/usero:DomainX\AdministratorX /passwordo:*

The * will cause a prompt for the password.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 July 2005 19:53
To: activedir@mail.activedir.org
Subject: [ActiveDir] ADMT Group SID History





All,
  I've been following the Sybex book, Mastering Windows 2003, to test
an inter-forest migration from external.dev to development.dev using the
ADMT. I have not received any errors during the migration and everything
appears to be set up correctly; however, I do not think the SID History
is functioning properly.

  I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and
a member of that group named "Pete". I have a member server in
external.dev, N060MSADDEV4, with a share named "Accounting". The Everyone
group has been removed from the ACL and the External\Accounting group has
been given full control.

  I migrate Accounting from external.dev to development.dev with the
box checked to migrate SID histories and I receive no errors. The new
Accounting group in development.dev should have a SID matching the one
on the Accounting group in external.dev, and since that group has access
to N060MSADDEV4\Accounting, any new member of Development\Accounting
should be able to access N060MSADDEV4\Accounting. I create a user named
"Tom" in development.dev and place him in the new Accounting group and
attempt to connect to the share, and access is denied. If I then migrate
N060MSADDEV4 to development.dev and add the equivalent security
references for the target object and leave the source references intact,
I can then access the share with Tom, but according to the book I should
not have to do that. Am I not doing something correctly in this test?



Re: [ActiveDir] ADMT Group SID History

2005-07-12 Thread Santhosh Sivarajan
Try this…

After creating the new user in Accounting group in the Development
Domain, re-migrate the group using ADMT.

HTH
Santhosh

Santhosh Sivarajan
MCSE(W2K3/W2K/NT4), MCSA(W2K3/W2K/MSG), CCNA, Network+
Houston, TX


On 7/12/05, Mark Parris <[EMAIL PROTECTED]> wrote:
> Have you turned off SID filtering on the Trust?
> 
> NETDOM trust DomainX /domain:DomainY /quarantine:No
> /usero:DomainX\AdministratorX /passwordo:*
> 
> The * will cause a prompt for the password.
> 
> Mark
> 
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: 12 July 2005 19:53
> To: activedir@mail.activedir.org
> Subject: [ActiveDir] ADMT Group SID History
> 
> 
> 
> 
> 
> All,
>  I've been following the Sybex book, Mastering Windows 2003, to test
> an inter-forest migration from external.dev to development.dev using the
> ADMT. I have not received any errors during the migration and everything
> appears to be set up correctly; however, I do not think the SID History is
> functioning properly.
> 
>  I have a 200 domain named External.dev and a 2003 domain named
> development.dev. I have a group on External.dev called "Accounting" and a
> member of that group named "Pete". I have a member server in external.dev,
> N060MSADDEV4, with a share named "Accounting". The Everyone group has been
> removed from the ACL and the External\Accounting group has been given full
> control.
> 
>  I migrate Accounting from external.dev to development.dev with the
> box checked to migrate SID histories and I receive no errors. The new
> Accounting group in development.dev should have a SID matching the one on
> the Accounting group in external.dev, and since that group has access to
> N060MSADDEV4\Accounting, any new member of Development\Accounting should be
> able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
> development.dev and place him in the new Accounting group and attempt to
> connect to the share, and access is denied. If I then migrate N060MSADDEV4
> to development.dev and add the equivalent security references for the
> target object and leave the source references intact, I can then access the
> share with Tom, but according to the book I should not have to do that. Am
> I not doing something correctly in this test?
> 


-- 
Santhosh Sivarajan
MCSE(W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),CCNA,Network+
Houston, TX


[ActiveDir] remove 'Tip of the Day'

2005-07-12 Thread Freddie Coleman III

I need to remove 'tip of the day' from IE.  Under "user
configuration/administrative templates/windows components/internet
explorer/browser menus" it has been disabled, but the user still has
access.  Any ideas why?



RE: [ActiveDir] ADMT Group SID History

2005-07-12 Thread Mark Parris
Have you turned off SID filtering on the Trust?

NETDOM trust DomainX /domain:DomainY /quarantine:No
/usero:DomainX\AdministratorX /passwordo:*

The * will cause a prompt for the password.

Mark

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: 12 July 2005 19:53
To: activedir@mail.activedir.org
Subject: [ActiveDir] ADMT Group SID History





All,
  I've been following the Sybex book, Mastering Windows 2003, to test
an inter-forest migration from external.dev to development.dev using the
ADMT. I have not received any errors during the migration and everything
appears to be set up correctly; however, I do not think the SID History is
functioning properly.

  I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and a
member of that group named "Pete". I have a member server in external.dev,
N060MSADDEV4, with a share named "Accounting". The Everyone group has been
removed from the ACL and the External\Accounting group has been given full
control.

  I migrate Accounting from external.dev to development.dev with the
box checked to migrate SID histories and I receive no errors. The new
Accounting group in development.dev should have a SID matching the one on
the Accounting group in external.dev, and since that group has access to
N060MSADDEV4\Accounting, any new member of Development\Accounting should be
able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
development.dev and place him in the new Accounting group and attempt to
connect to the share, and access is denied. If I then migrate N060MSADDEV4
to development.dev and add the equivalent security references for the
target object and leave the source references intact, I can then access the
share with Tom, but according to the book I should not have to do that. Am
I not doing something correctly in this test?



RE: [ActiveDir] ADUC Extremely Slow

2005-07-12 Thread Alex Fontana

Oddly enough, one admin here had a ridiculously slow-running ADUC; he
updated his display driver and it started responding as it should…

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Tuesday, July 12, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ADUC Extremely Slow

Hello:

Any ideas on how to troubleshoot ADUC being slow to respond?
Basically, launching it takes several minutes and expanding an OU or getting
object properties takes a long time (and sometimes just fails completely). This
is locally on the DC that holds all FSMO roles and is a GC. The ADUC shows that
it is looking to the local machine when it finally comes up.

I suspected DNS but the machine looks to itself for primary
DNS and over a slow WAN link for secondary. Pings
and nslookup respond quickly. What is the process ADUC goes through when
launching and displaying objects?

Thanks.

-- Noah
Re: [ActiveDir] ADUC Extremely Slow

2005-07-12 Thread Mark Parris
Does DSA open on an OU with a lot of objects in it, such as users or contacts,
and has the number of objects to be displayed been modified?

Or have custom MMC views been created in the same MMC snap-in, with multiple MMC
snap-ins open at the same time?

Try creating an MMC with just the DSA snap-in in it, and close it whilst
on an OU with very little in it.

Is it faster?

Mark







-Original Message-
From: "Noah Eiger" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 11:15:22 
To:
Subject: [ActiveDir] ADUC Extremely Slow

Hello: 
 
Any ideas on how to troubleshoot ADUC being slow to respond? Basically, 
launching it takes several minutes and expanding an OU or getting object 
properties takes a long time (and sometimes just fails completely). This is 
locally on the DC that holds all FSMO roles and is a GC. The ADUC shows that it 
is looking to the local machine when it finally comes up. 
 
I suspected DNS but the machine looks to itself for primary DNS and over a slow 
WAN link for secondary. Pings and nslookup respond quickly. What is the process 
ADUC goes through when launching and displaying objects? 
 
Thanks. 
 
-- Noah


[ActiveDir] ADMT Group SID History

2005-07-12 Thread chris . ryan




All,
  I've been following the Sybex book, Mastering Windows 2003, to test
an inter-forest migration from external.dev to development.dev using the
ADMT. I have not received any errors during the migration and everything
appears to be set up correctly; however, I do not think the SID History is
functioning properly.

  I have a 200 domain named External.dev and a 2003 domain named
development.dev. I have a group on External.dev called "Accounting" and a
member of that group named "Pete". I have a member server in external.dev,
N060MSADDEV4, with a share named "Accounting". The Everyone group has been
removed from the ACL and the External\Accounting group has been given full
control.

  I migrate Accounting from external.dev to development.dev with the
box checked to migrate SID histories and I receive no errors. The new
Accounting group in development.dev should have a SID matching the one on
the Accounting group in external.dev, and since that group has access to
N060MSADDEV4\Accounting, any new member of Development\Accounting should be
able to access N060MSADDEV4\Accounting. I create a user named "Tom" in
development.dev and place him in the new Accounting group and attempt to
connect to the share, and access is denied. If I then migrate N060MSADDEV4
to development.dev and add the equivalent security references for the
target object and leave the source references intact, I can then access the
share with Tom, but according to the book I should not have to do that. Am
I not doing something correctly in this test?

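A check for the two things this ADMT thread turns on, added as an example (not from the book, the thread, or ADMT itself): whether the migrated group's sIDHistory in development.dev actually holds the source group's SID, and whether the trust as seen from external.dev still has SID filtering (quarantine) enabled, which Guido's reply says must be off on the source side and left on at the target. Assumed: the ActiveDirectory PowerShell module, DNS resolution of both domains, and read access to both through the trust; the domain and group names are the ones from the original post.

```powershell
# Added example, not from the thread: verify SID history on the migrated group
# and the SID-filtering state of the trust from the resource (source) side.
# Assumes the ActiveDirectory module and read access to both domains.
Import-Module ActiveDirectory

$sourceDomain = 'external.dev'      # where the share and the original group live
$targetDomain = 'development.dev'   # where ADMT created the new group
$groupName    = 'Accounting'

$src = Get-ADGroup -Identity $groupName -Server $sourceDomain -Properties objectSid
$tgt = Get-ADGroup -Identity $groupName -Server $targetDomain -Properties objectSid, sIDHistory

"Source group SID : $($src.objectSid.Value)"
"Target group SID : $($tgt.objectSid.Value)"

# sIDHistory is multi-valued; collect the string form of every SID it holds.
$history = @($tgt.sIDHistory | ForEach-Object { $_.Value })
"Target sIDHistory: $(if ($history.Count) { $history -join ', ' } else { '<empty>' })"

# The old ACL on N060MSADDEV4 names the source SID, so it must appear here.
if ($history -contains $src.objectSid.Value) {
    "OK: sIDHistory carries the source SID, so ACLs in $sourceDomain can match it."
} else {
    "PROBLEM: sIDHistory lacks the source SID; re-run the group migration with SID history."
}

# SID filtering is applied by the trusting (resource) domain, so read the
# trustedDomain object for the target domain from a DC in the source domain.
# SIDFilteringQuarantined reflects the bit that 'netdom trust ... /quarantine' toggles.
$trust = Get-ADTrust -Identity $targetDomain -Server $sourceDomain
"Trust $sourceDomain -> $targetDomain : SIDFilteringQuarantined = $($trust.SIDFilteringQuarantined)"
if ($trust.SIDFilteringQuarantined) {
    "SID filtering is on for this trust: historical SIDs presented from $targetDomain are dropped,"
    "which reproduces the access-denied result even when sIDHistory is correct."
} else {
    "SID filtering is off on the source side, as Guido describes for the migration window."
}
```

Re-enable quarantine on the source trust once the resource server has been migrated; the target-domain trust should stay filtered throughout.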


RE: [ActiveDir] ADUC Extremely Slow

2005-07-12 Thread Thommes, Michael M.
You might want to try this publicly-accessible network tester:

http://miranda.ctd.anl.gov:7123/

If you can't run Java on the server to be tested, there is a command
line version also available.  See the notes at the bottom of the URL.

Mike Thommes

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser
Sent: Tuesday, July 12, 2005 1:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ADUC Extremely Slow

Run a network sniff and see what it's doing. I would also look at
NIC/switch speed/duplex matching...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Tuesday, July 12, 2005 11:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] ADUC Extremely Slow
> 
> Hello:
>  
> Any ideas on how to troubleshoot ADUC being slow to respond? 
> Basically, launching it takes several minutes and expanding 
> an OU or getting object properties takes a long time (and 
> sometimes just fails completely). This is locally on the DC 
> that holds all FSMO roles and is a GC. The ADUC shows that it 
> is looking to the local machine when it finally comes up.
>  
> I suspected DNS but the machine looks to itself for primary 
> DNS and over a slow WAN link for secondary. Pings and 
> nslookup respond quickly. What is the process ADUC goes 
> through when launching and displaying objects?
>  
> Thanks.
>  
> -- Noah
> 


RE: [ActiveDir] ADUC Extremely Slow

2005-07-12 Thread Charlie Kaiser
Run a network sniff and see what it's doing. I would also look at
NIC/switch speed/duplex matching...

**
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
> Sent: Tuesday, July 12, 2005 11:15 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] ADUC Extremely Slow
> 
> Hello:
>  
> Any ideas on how to troubleshoot ADUC being slow to respond? 
> Basically, launching it takes several minutes and expanding 
> an OU or getting object properties takes a long time (and 
> sometimes just fails completely). This is locally on the DC 
> that holds all FSMO roles and is a GC. The ADUC shows that it 
> is looking to the local machine when it finally comes up.
>  
> I suspected DNS but the machine looks to itself for primary 
> DNS and over a slow WAN link for secondary. Pings and 
> nslookup respond quickly. What is the process ADUC goes 
> through when launching and displaying objects?
>  
> Thanks.
>  
> -- Noah
> 


[ActiveDir] ADUC Extremely Slow

2005-07-12 Thread Noah Eiger



Hello:
 
Any ideas on how to 
troubleshoot ADUC being slow to respond? Basically, launching it takes several 
minutes and expanding an OU or getting object properties takes a long time (and 
sometimes just fails completely). This is locally on the DC that holds all FSMO 
roles and is a GC. The ADUC shows that it is looking to the local machine when 
it finally comes up.
 
I suspected DNS but 
the machine looks to itself for primary DNS and over a slow WAN link for 
secondary. Pings and nslookup respond quickly. What is the process ADUC goes 
through when launching and displaying objects?
 
Thanks.
 
-- 
Noah


RE: [ActiveDir] branch office and dns

2005-07-12 Thread Bernard, Aric
If your branch office DC will be a DNS server AND you only have *one*
internal DNS domain, then yes, you should be able to configure your
branch office DNS server to leverage the ISP's DNS servers as forwarders
without additional configuration.

If you have additional internal DNS domains, then as Jorge mentions you
will have to configure some method to allow name resolution for those
other domains - forwarding to other internal DNS servers, conditional
forwarding for the specific namespaces, or transferring the zone to the
branch office DNS server are all (but not the only) examples.


Aric

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, July 11, 2005 12:03 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] branch office and dns

Assuming you have windows 2003 dns you can use conditional forwarding
I suppose you could configure forwarding for certain internal domains to
the HQ DNS servers if needed and for all other DNS domains forward to
the local ISPs
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Jeff Kraus
Sent: Mon 7/11/2005 8:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] branch office and dns


Hi all,
I would like to set up a branch office that connects to our domain via a
VPN so that the branch office can resolve our internal AD integrated
domain and use their local ISP DNS for external instead of looking to
the HQ DNS servers and have them resolve the external name (which they
do already).
The HQ DNS servers are set up to use forwarders. Would I do the same for
the branch office?
The branch office server will be a domain controller as well. (I have
already addressed all concerns about a branch office domain controller---
it is necessary)
 
thanks for all your help 
 
 
Jeff Kraus
 
Network Manager 
NIC Holding Corp.
25 Melville Park Rd
Melville NY, 11747
Voice: 631.753.4272
Fax:631.753.4305
Email:  [EMAIL PROTECTED]
 
 


This e-mail and any attachment is for authorised use by the intended
recipient(s) only. It may contain proprietary material, confidential
information and/or be subject to legal privilege. It should not be
copied, disclosed to, retained or used by, any other party. If you are
not an intended recipient then please promptly delete this e-mail and
any attachment and all copies and inform the sender. Thank you.
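The resolution policy Aric and Jorge describe (answer locally for the zones the branch DC hosts, send other internal namespaces to the HQ servers through conditional forwarders, send everything else to the ISP) as an added example model, not code from the thread. Zone names and addresses are constructed placeholders. The point worth seeing in code is that the match is per label, not a substring test: with a substring test a name like `notcorp.example` would be routed as if it were internal, and the reverse mistake would leak internal hostnames to the ISP's resolvers.

```python
"""Model of a branch-office DNS server's forwarding decision.

Added example (not from the list posts). Order of precedence, as on a
Windows DNS server: zones the server hosts are answered locally; otherwise
the most specific matching conditional forwarder wins; otherwise the query
goes to the default forwarders. All names/addresses are constructed.
"""
from dataclasses import dataclass


def _labels(name: str) -> list:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]


def _is_under(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a name below it (label-wise, not substring)."""
    q, z = _labels(qname), _labels(zone)
    return len(q) >= len(z) and q[len(q) - len(z):] == z


@dataclass
class BranchDnsPolicy:
    # Zones this DC/DNS server hosts, e.g. the AD-integrated zone for the domain.
    authoritative_zones: list
    # Conditional forwarders: zone suffix -> servers (HQ DNS for other internal namespaces).
    conditional: dict
    # Default forwarders for everything else (the branch ISP's resolvers).
    default_forwarders: list

    def route(self, qname: str) -> tuple:
        """Return ('local', []), ('conditional', servers) or ('forward', servers)."""
        if any(_is_under(qname, z) for z in self.authoritative_zones):
            return ("local", [])
        # Most specific (longest) matching conditional-forwarder zone wins.
        best = None
        for zone in self.conditional:
            if _is_under(qname, zone) and (best is None or len(_labels(zone)) > len(_labels(best))):
                best = zone
        if best is not None:
            return ("conditional", self.conditional[best])
        return ("forward", self.default_forwarders)


def example_policy() -> BranchDnsPolicy:
    """Constructed sample: one hosted zone, two internal namespaces at HQ, ISP default."""
    return BranchDnsPolicy(
        authoritative_zones=["corp.example"],
        conditional={
            "research.example": ["10.0.0.10", "10.0.0.11"],
            "lab.research.example": ["10.0.5.10"],
        },
        default_forwarders=["203.0.113.1", "203.0.113.2"],
    )


if __name__ == "__main__":
    policy = example_policy()
    for name in ("dc01.corp.example.", "files.research.example", "www.example.org", "notcorp.example"):
        print(name, "->", policy.route(name))
```

The single-internal-domain case Aric mentions is the policy with an empty `conditional` table: anything not in the hosted zone goes straight to the ISP.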


RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread TIROA YANN
HI,
 
Just for information, and after talking to my boss, I've just extended our 
schema and decided to keep these attributes which are necessary in our Intranet:
Sn, givenname, displayname (for Exchange GAL), title, locality, mail and 
telephonenumber.
 
We also follow the provisioning/deprovisioning strategy as stated by Jorge with:
-a deprovisioning OU into which inactive accounts are moved *IF* their 
lastlogontimestamp > 60 days: a script runs every night to check this attribute 
and move users to the deprovisioning OU
-a script that sets Grants Associated External Account privileges to SELF 
in the deprovisioning OU.
Finally, a script that deletes disabled users whose lastlogontimestamp > 90 days.
 
All these are now in place in our production, and work fine :)
 
With such strategies, I now have a real and good provisioning/deprovisioning 
"design", and I will use auth restore as the very very last resort, but I know 
that this last resort will give me the chance to have my deleted accounts 
recovered as they were before deletion. 
 
Thank you to Jorge and Dean for their advice.
 
Cheers,
 
Yann



From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Mon 11/07/2005 23:36
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


No.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]  
http://msetechnology.com  

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 11, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


thanks for the useful information, Eric.  You've only mentioned sidHistory - 
does the same apply for the password?
 
/Gudo



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 11 July 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.



> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory 
> and Password attributes to the tombstone (I believe this

> is only valid for new installation of AD).

 

Actually, not quite. For sidHistory, the SP1 change in behavior works for 
existing installations just as well as existing ones. However, to be safe, we 
didn't actually modify searchFlags. Instead, we added sidHistory to the list of 
attributes we always preserve on tombstones no matter what the schema tells us 
we should (there is a list so that you can't subvert replication and strip off 
more than should be allowed). This was deemed safer than modifying your schema 
out from under you on SP upgrade. I tend to agree.

This of course leads to the fact that non-SP1 DCs will strip sidHistory where 
SP1 will keep it. This was well understood, but we did not want a schema change 
for SP1. So we figured, it was this or wait for Longhorn. We went with this as 
being better than nothing.

 

~Eric


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 11, 2005 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

 

realize that this search-flag can't be applied to all attributes (e.g. linked 
attributes such as member/memberOf) => as such you will always require a 
combination of actions to successfully recover users to a previous state.  If 
you do want to leverage the tombstone reanimation feature of 2003 (such as 
leveraged by SysInternal's adrestore), you'll have to have mechanisms in place 
to recover attributes which you can't contain in the tombstone object.

 

BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and 
Password attributes to the tombstone (I believe this is only valid for new 
installation of AD). These are the ones that other third-party tools which help 
with re-populating the missing attributes can't rewrite after tombstone revival 
occurs => as such I would certainly consider changing these search flags in 
other AD implementations, which leverage restore tools that also use the 
tombstone reanimation method.

 

/Guido

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Saturday, 9 July 2005 00:03
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Thanks Dean,

 

I will test it.

 

Cheers,

 

Yann



From: [EMAIL PROTECTED] on behalf of Dean Wells
Date: Fri 08/07/2005 18:29
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.



... modify the searchFlags property of the attributeSchema class that
represents the attribute you'd like preserved during logical
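The nightly deprovisioning rules Yann describes at the top of this message (move to a deprovisioning OU after 60 days without a logon, delete disabled users after 90 days) as an added example, not the poster's script. The directory lookup is left out: `classify` works on attribute dictionaries in the shape an LDAP search returns, so the decision logic can be tested offline; the OU name and sample accounts are constructed. Two caveats a practitioner will want are built in: lastLogonTimestamp is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default), so it can trail the real last logon by up to two weeks and the thresholds must stay well above that; and a user who never logged on has a lastLogonTimestamp of 0, which must not be read as "in 1601".

```python
"""Nightly deprovisioning decision modelled on the rules in the post above.

Added example, not the poster's code. Thresholds are the post's (60/90 days);
the OU name and the sample accounts in the test are constructed. Deletion is
restricted to disabled accounts already inside the deprovisioning OU, a
tighter rule than the post states, so a disabled account parked elsewhere
(a service account, say) is never deleted by the job.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCOUNTDISABLE = 0x2            # userAccountControl bit
MOVE_AFTER_DAYS = 60
DELETE_AFTER_DAYS = 90
# lastLogonTimestamp is rewritten only when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default); keep thresholds above that.
LOGON_SYNC_LAG_DAYS = 14
assert MOVE_AFTER_DAYS > LOGON_SYNC_LAG_DAYS
NEVER = 0x7FFFFFFFFFFFFFFF      # large-integer 'never' sentinel

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert an AD large-integer time (100 ns ticks since 1601-01-01 UTC).
    0 and the 'never' sentinel mean 'no value', not a date."""
    if ft <= 0 or ft == NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, integer arithmetic so it stays exact."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify(account: dict, now: datetime, deprov_ou: str) -> str:
    """Decide 'keep', 'move', 'delete' or 'review' for one account.

    Expected keys: distinguishedName, userAccountControl, lastLogonTimestamp
    (int) and optionally whenCreated (datetime) for users who never logged on.
    """
    last = filetime_to_datetime(int(account.get("lastLogonTimestamp", 0)))
    if last is None:
        last = account.get("whenCreated")    # never logged on: age from creation
        if last is None:
            return "review"                  # nothing to base a decision on
    age = now - last
    disabled = bool(int(account["userAccountControl"]) & ACCOUNTDISABLE)
    in_deprov = account["distinguishedName"].lower().endswith("," + deprov_ou.lower())

    if disabled and in_deprov and age > timedelta(days=DELETE_AFTER_DAYS):
        return "delete"
    if not disabled and not in_deprov and age > timedelta(days=MOVE_AFTER_DAYS):
        return "move"                        # caller moves to deprov_ou and disables
    return "keep"


def plan(accounts: list, now: datetime, deprov_ou: str) -> dict:
    """Group distinguished names by the action the nightly job would take."""
    out = {"keep": [], "move": [], "delete": [], "review": []}
    for account in accounts:
        out[classify(account, now, deprov_ou)].append(account["distinguishedName"])
    return out
```

The `plan` output is what the job should log before touching anything; with the 14-day lag, "move" is the reversible step and "delete" only ever follows a prior move plus disable, which is what makes the tombstone/auth-restore discussion the last resort rather than the first.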

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread Grillenmeier, Guido



thanks Eriic for lending me that i - I've just added 
another one to your name so you won't have to miss out on one in your next mail 
;-)
 
ok - I've just checked myself as well - keeping the 
password was more like wishful thinking as I've planned before to change the 
searchFlags to keep it since it's another one of those attributes you wouldn't 
be able to store offline => however, I do agree it's not critical.  

 
Though even that statement certainly "depends" => if you 
just have to recover a single user or a few, you wouldn't worry about the 
password and simply set it after tombstone reanimation. If you have to recover a 
whole OU with many users, setting the PW and communicating it to the users could 
be quite a pain-point.  As such - if you can't recover it online (i.e. via 
tombstone reanimation), I'd actually vote for the native auth.-restore to get 
back as much as I can (and then tackle to repair the missing links 
etc.)...
 
Towards what Al wrote: I don't see recovering users with 
passwords more of a security risk than recovering them without the password 
=> this is not a process that normal users can perform anyway and a service 
admin has a multitude of options to circumvent AD security. And since the PW 
won't ever be readable, I don't really see the point.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Tuesday, 12 July 2005 00:09
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


Having been in this 
code before, I never noticed this applying to passwords. I don’t believe we keep 
them on tombstones today.
Can you confirm that we 
do in fact keep them on tombstones as of SP1? If so I’ll take a peek at this in 
further detail to see if there is some magic there that I just didn’t pick up on 
last time through. But I didn’t think we did.
 
~Erc
(Where did the i in 
my name go? Well, when you replied in the last mail, you forgot the i in your 
name, so I’ve taken it out of mine so you can borrow it for your next 
reply.)
 
 




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 2:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
 
thanks for the useful 
information, Eric.  You've only mentioned sidHistory - does the same apply 
for the password?
 
/Gudo
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, 11 July 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
> BTW, Win2003 SP1 
has updated some search flags, so as to add the SIDhistory and Password 
attributes to the tombstone (I believe this
> is only valid 
for new installation of AD).
 
Actually, not quite. 
For sidHistory, the SP1 change in behavior works for existing installations just 
as well as existing ones. However, to be safe, we didn’t actually modify 
searchFlags. Instead, we added sidHistory to the list of attributes we always 
preserve on tombstones no matter what the schema tells us we should (there is a 
list so that you can’t subvert replication and strip off more than should be 
allowed). This was deemed safer than modifying your schema out from under you on 
SP upgrade. I tend to agree.
This of course leads to 
the fact that non-SP1 DCs will strip sidHistory where SP1 will keep it. This was 
well understood, but we did not want a schema change for SP1. So we figured, it 
was this or wait for Longhorn. We went with this as being better than 
nothing.
 
~Eric
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.
 
realize that this 
search-flag can't be applied to all attributes (e.g. linked attributes such as 
member/memberOf) => as such you will always require a combination of actions 
to successfully recover users to a previous state.  If you do want to 
leverage the tombstone reanimation feature of 2003 (such as leveraged by 
SysInternal's adrestore), you'll have to have mechanisms in place to recover 
attributes which you can't contain in the tombstone 
object.
 
BTW, Win2003 SP1 has 
updated some search flags, so as to add the SIDhistory and Password attributes 
to the tombstone (I believe this is only valid for new installation of AD). 
These are the ones that other third-party tools which help with re-populating 
the missing attributes can't rewrite after tombstone revival occurs => as 
such I would certainly consider changing these search flags in other AD 
implementations, which leverage restore tools that also use the tombstone 
reanimation method.
 
/Guido
 



From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
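A model of the tombstone behaviour this thread turns on, as an added example and not the directory's own code: Dean's advice is to set the preserve-on-delete bit (0x8) in `searchFlags` on the `attributeSchema` object, and Eric's explanation is that SP1 instead added sIDHistory to the DSA's built-in list of attributes that are always kept on a tombstone, without touching the schema. The always-preserved set below is an illustrative subset limited to identifiers the thread names; the sample schema and user object are constructed. The model also shows why the bit does not help for linked attributes (Guido's point) and why the password attributes are not kept unless something explicitly preserves them (Eric's and joe's point).

```python
"""Which attributes survive on a tombstone?

Added example modelling the behaviour described in the thread; not the
DSA's code. An attribute is retained on the tombstone if its attributeSchema
object has fPRESERVEONDELETE set in searchFlags, or if it is on the DSA's
hard-coded always-preserve list (SP1 added sIDHistory to that list). Linked
attributes are dropped regardless: the links are removed at deletion time.
The always-preserve sets are an illustrative subset, not the full list.
"""

# searchFlags bits on attributeSchema objects
fATTINDEX         = 0x01
fPDNTATTINDEX     = 0x02
fANR              = 0x04
fPRESERVEONDELETE = 0x08   # keep this attribute on the tombstone
fCOPY             = 0x10
fTUPLEINDEX       = 0x20
fSUBTREEATTINDEX  = 0x40
fCONFIDENTIAL     = 0x80   # the SP1 'confidential attribute' bit

# Attributes the DSA keeps on tombstones regardless of searchFlags (subset).
ALWAYS_PRESERVED_RTM = {"objectGUID", "objectSid", "nTSecurityDescriptor"}
ALWAYS_PRESERVED_SP1 = ALWAYS_PRESERVED_RTM | {"sIDHistory"}

# Linked attributes named in the thread; links are removed when the object is
# deleted, so no searchFlags setting brings them back on the tombstone.
LINKED = {"member", "memberOf"}


def set_preserve_on_delete(search_flags: int) -> int:
    """New searchFlags value for an attributeSchema object (Dean's suggestion)."""
    return search_flags | fPRESERVEONDELETE


def tombstone_attributes(obj: dict, schema: dict, sp1: bool) -> dict:
    """Strip a deleted object down to what its tombstone would retain.

    obj:    attribute name -> value of the live object
    schema: attribute name -> searchFlags of that attribute's attributeSchema
    sp1:    whether the DC applying the deletion runs Windows Server 2003 SP1
    The real tombstone is also renamed and moved to the Deleted Objects
    container; only attribute retention is modelled here.
    """
    always = ALWAYS_PRESERVED_SP1 if sp1 else ALWAYS_PRESERVED_RTM
    kept = {}
    for name, value in obj.items():
        if name in LINKED:
            continue
        if name in always or (schema.get(name, 0) & fPRESERVEONDELETE):
            kept[name] = value
    kept["isDeleted"] = True
    return kept


def sample_schema() -> dict:
    """Constructed searchFlags for a few attributes (base schema leaves these unset)."""
    return {"sn": fATTINDEX, "mail": fATTINDEX, "telephoneNumber": 0,
            "unicodePwd": 0, "member": 0, "memberOf": 0}
```

Two consequences follow directly from the model and match what Eric says: a pre-SP1 DC strips sIDHistory that an SP1 DC would keep, so the result depends on which DC processes the deletion; and flipping the bit on a base-schema attribute is a forest-wide schema change whose retained data then sits in the DIT for the whole tombstone lifetime, which is the growth joe warns about.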

RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Almeida Pinto, Jorge de
It looks like the following servers have not replicated with other DCs for more 
than the tombstone lifetime:
13BNRCTBNSHARE
155BCTN01C
155BCTN02C

155BCTLIMAN01C

What does the event log of those servers say?

You also need to find out why these servers have not replicated for so long.

My 2 cents at the moment: seize the FSMO roles 
(http://support.microsoft.com/kb/255504) those DCs were holding and shut them 
down, cleanup metadata 
(http://support.microsoft.com/default.aspx?scid=kb;en-us;216498) and rebuild if 
necessary (you could also do a DCPROMO/ forceremoval instead of shutdown and 
install AD again after the metadata cleanup)

Cheers,
#JORGE#


From: [EMAIL PROTECTED] on behalf of Yates SFC Robert W (C212 Network Engineer)
Sent: Tue 7/12/2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Replication Issue



Here is the output from DC Diag. 


I am learning fast, but still learning on most on the problems that just 
do 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, 
Jorge de 
Sent: Tuesday, July 12, 2005 9:37 AM 
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org 
Subject: RE: [ActiveDir] 2003 Replication Issue 

what is the output of DCDIAG 
  
any event log errors? 
cheers, 
#JORGE# 

 

From: [EMAIL PROTECTED] on behalf of Yates SFC Robert W 
(C212 Network Engineer) 
Sent: Tue 7/12/2005 3:10 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] 2003 Replication Issue 



All, 

I am having a replication issue with one of my 2003 servers.  I am 
replicating to servers outside of my domain, but this server cannot 
replicate to servers within its own domain.  When I open the Operations 
master on the server I see ERROR on all three tabs.   I can not find 
what would cause that.  DNS is working and has been tested. 

I have 5 other servers that are replicating fine to their other sites 
and between each other.  

SFC Robert Yates 

C212 / 155 BCT Network Engineer 





RE: [ActiveDir] Issues with newly built w2k3 DCs

2005-07-12 Thread Ruston, Neil
Thanks Mark. Will investigate that KB.

DCs use another DC for DNS res until built and then use their own address (not 
loopback) thereafter.

Will try the MUP cache workaround too.

Thanks,
neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark Parris
Sent: 12 July 2005 16:14
To: ActiveDir.org
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs


Sorry,

Pushed send too quickly, I found clearing the MUP cache made the errors go 
away, additionally are you using 127.0.0.1 or the dc's ip address for DNS and 
is the secondary DNS address utilised?
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 15:08:15 
To:"ActiveDir.org" 
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil,

I have had this issue too,

Have you seen 842804?

Mark
-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 13:48:57 
To:"'ActiveDir@mail.activedir.org'" 
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode 
domain): 
 
 
Source: userenv; ID:1030 
Windows cannot query for the list of Group Policy objects. A message that 
describes the reason for this was previously logged by this policy engine.
 
Source: userenv; ID: 1097 
Windows cannot find the machine account, The Local Security Authority cannot be 
contacted . 
 
 
The above occur in pairs every 5 mins. 
 
All existing w2k DCs are fine. 
 
Other symptoms: DNS service cannot be managed on the DC (server shown with red 
cross indicating DNS server not contactable).
 
Time and DNS resolution all appear fine. 
 
Any ideas anyone? Google shows this to be quite common but with no specific 
solution / root cause. 
 
 
 
Thanks, 
neil 
 
==
 Please access the attached hyperlink for an important electronic 
communications disclaimer: 
 
 http://www.csfb.com/legal_terms/disclaimer_external_email.shtml
 
 ==
 
 



Re: [ActiveDir] Sysprep Win2k3 Servers...maybe a DC?

2005-07-12 Thread Phil Renouf
That's why I use automated builds, although I've never tried to do that
with a Virtual Server so perhaps an image would be easier/better in
that case.

Phil

On 7/11/05, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:
> wait until you have to handle many virtual servers - even DCs...
> 
> /Guido


RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread Dan Holme

I’m curious, Al, as to what you mean
about .NET not handling group memberships well… do you mind elaborating
on that (can be a separate thread)…?

 

Thanks!

 

Dan

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 12, 2005 8:03
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep
existing attributes from users restored.



 

As Al indicated interesting thread, my
comments

 

1. I don't see the reason not to do this.
I like it and think it is a good idea. The point I would start to
reconsider is if you do a lot of deleting and creating, say in a test lab,
this may make your DIT grow out of control. Also if you have an excessively
long TSL it may not be optimum as well. Otherwise, I think this is extremely
useful and MUCH easier than following the auth restore processes which are, frankly
IMO, rather involved for what it is. That is why people are willing to shell
out so much money for third party products. I agree this should be a very rare
thing to do, but if you would be willing to do an auth restore to get something
back, I think being willing to do this first makes more sense. 

 

2. As Guido mentioned, this doesn't work
for everything. Be aware of what it does and doesn't work for PRIOR to hoping
it saves your butt on something. For the things that it doesn't work for, it
shouldn't be too terribly hard to set up an AD/AM instance or a DB to maintain
the info you want repopulated. The really hard things are like objectSID,
ObjectGUID, sIDHistory, etc as you can't easily put those back into place. 

 

3. I am with ~Eric and I don't see where
password is being kept. I have also been over that section of the source and
don't recall anything with passwords. It also doesn't appear the password
attributes are marked in the schema either. Are we sure passwords are
being kept? I admit to not trying it. I really haven't done much with SP1 yet
due to the Virtual Server guest bits blunder. The docs I have seen mention
sIDHistory but not the password attributes (there are several password
attributes that would need to be saved).


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Tuesday, July 12, 2005 9:08
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep
existing attributes from users restored.





Interesting thread.  I've always
been a fan of keeping the information separate for this situation.  I need
the sid in order to allow the user to access the resources he had prior to
accidental deletion (that's another thread :) but otherwise, I wouldn't want
password for a user I restored.  That would be very dangerous in my mind
as it could allow a rogue admin (yet another thread right?) access to resources
that purposefully deleted users had and they'd be able to do so in a relatively
covert manner. They'd be hard to track for sure. 

Additionally, restoring the user to groups could be a
nightmare.  I'd prefer to keep that information in a separate off-line
format (text file? db?) where I can report against it and use it to breathe life
into a reanimated user should the need absolutely arise. 

I'm a huge fan of setting up process to do as much as
possible to prevent the accidental deletion of users at every turn. My thoughts
are that those shops with the wherewithal to set the schema mods, aren't the
ones that need an undelete in most cases, but good processes are always a good
idea.

Still, the odd accident can occur.  I realize
that.  Now I'm just not sure that taking the time to practice against such
a thing is worth the effort of practicing this on a regular basis to make
sure you don't mess it up.  Besides, you'll have to restore the other
information anyway, so you may as well get what's absolutely needed (sidHistory
should be in that list IMHO) but plan to get other information (fax
#? Phone #, group information, nickname, petname, etc) separately. 
To try and hold it in deleted items would be more of a PITA due
to replication than it would be to store it out of band for other
uses. 

My $0.04 (USD) anyway. 

Al

P.S. if you use .NET to write an app to suck the data out to
an off-line storage medium, be aware that it doesn't natively handle group
membership very well.  Trust me, that's important ;) 

From:
[EMAIL PROTECTED] on behalf of Dean Wells
Sent: Mon 7/11/2005 5:36 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep
existing attributes from users restored.

No.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 5:05
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep
existing attributes from users restored.

tha

Re: [ActiveDir] Issues with newly built w2k3 DCs

2005-07-12 Thread Mark Parris
Sorry,

Pushed send too quickly, I found clearing the MUP cache made the errors go 
away, additionally are you using 127.0.0.1 or the dc's ip address for DNS and 
is the secondary DNS address utilised?
-Original Message-
From: "Mark Parris" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 15:08:15 
To:"ActiveDir.org" 
Subject: Re: [ActiveDir] Issues with newly built w2k3 DCs

Neil,

I have had this issue too,

Have you seen 842804?

Mark
-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 13:48:57 
To:"'ActiveDir@mail.activedir.org'" 
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode 
domain): 
 
 
Source: userenv; ID:1030 
Windows cannot query for the list of Group Policy objects. A message that 
describes the reason for this was previously logged by this policy engine.
 
Source: userenv; ID: 1097 
Windows cannot find the machine account, The Local Security Authority cannot be 
contacted . 
 
 
The above occur in pairs every 5 mins. 
 
All existing w2k DCs are fine. 
 
Other symptoms: DNS service cannot be managed on the DC (server shown with red 
cross indicating DNS server not contactable).
 
Time and DNS resolution all appear fine. 
 
Any ideas anyone? Google shows this to be quite common but with no specific 
solution / root cause. 
 
 
 
Thanks, 
neil 
 


Re: [ActiveDir] Issues with newly built w2k3 DCs

2005-07-12 Thread Mark Parris
Neil,

I have had this issue too,

Have you seen 842804?

Mark
-Original Message-
From: "Ruston, Neil" <[EMAIL PROTECTED]>
Date: Tue, 12 Jul 2005 13:48:57 
To:"'ActiveDir@mail.activedir.org'" 
Subject: [ActiveDir] Issues with newly built w2k3 DCs

I'm seeing the following errors on newly built w2k3 DCs (w2k native mode 
domain): 
 
 
Source: userenv; ID:1030 
Windows cannot query for the list of Group Policy objects. A message that 
describes the reason for this was previously logged by this policy engine.
 
Source: userenv; ID: 1097 
Windows cannot find the machine account, The Local Security Authority cannot be 
contacted . 
 
 
The above occur in pairs every 5 mins. 
 
All existing w2k DCs are fine. 
 
Other symptoms: DNS service cannot be managed on the DC (server shown with red 
cross indicating DNS server not contactable).
 
Time and DNS resolution all appear fine. 
 
Any ideas anyone? Google shows this to be quite common but with no specific 
solution / root cause. 
 
 
 
Thanks, 
neil 
 


RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Yates SFC Robert W \(C212 Network Engineer\)
Here is the output from DC Diag.


I am learning fast, but still learning on most on the problems that just
do

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Tuesday, July 12, 2005 9:37 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Replication Issue

what is the output of DCDIAG
 
any event log errors?
cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Yates SFC Robert W
(C212 Network Engineer)
Sent: Tue 7/12/2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Replication Issue



All,

 

I am having a replication issue with one of my 2003 servers.  I am
replicating to servers outside of my domain, but this server cannot
replicate to servers within its own domain.  When I open the Operations
master on the server I see ERROR on all three tabs.   I can not find
what would cause that.  DNS is working and has been tested.

 

I have 5 other servers that are replicating fine to their other sites
and between each other.  

 

 

SFC Robert Yates

C212 / 155 BCT Network Engineer

 




Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: 155BCTDUKE\155BCTDUKEN01C
  Starting test: Connectivity
 . 155BCTDUKEN01C passed test Connectivity

Doing primary tests
   
   Testing server: 155BCTDUKE\155BCTDUKEN01C
  Starting test: Replications
 REPLICATION-RECEIVED LATENCY WARNING
 155BCTDUKEN01C:  Current time is 2005-07-12 18:50:13.
DC=ForestDnsZones,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from 1BNRCTAN01C at 2005-07-09 02:16:04.
CN=Schema,CN=Configuration,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from LARN02C at 2005-06-30 16:58:34.
   Last replication recieved from 13BNRCTBNSHARE at 2005-04-25 08:57:23.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from CEMNFFWDN02E at 2005-06-30 10:59:58.
   Last replication recieved from HITN02C at 2005-06-30 16:57:31.
   Last replication recieved from CEMNFFWDN01C at 2005-06-30 11:58:01.
   Last replication recieved from 1BNRCTAN01C at 2005-07-09 02:17:01.
CN=Configuration,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from LARN02C at 2005-06-30 17:29:20.
   Last replication recieved from 13BNRCTBNSHARE at 2005-04-25 08:57:23.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from CEMNFFWDN02E at 2005-06-30 11:45:28.
   Last replication recieved from HITN02C at 2005-06-30 17:33:03.
   Last replication recieved from CEMNFFWDN01C at 2005-06-30 11:57:50.
   Last replication recieved from 1BNRCTAN01C at 2005-06-14 11:16:06.
DC=cemnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from CEMNFFWDN02E at 2005-06-30 11:45:31.
   Last replication recieved from CEMNFFWDN01C at 2005-06-30 11:58:02.
DC=gcemnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from LARN02C at 2005-06-30 17:35:15.
   Last replication recieved from 13BNRCTBNSHARE at 2005-04-25 09:13:30.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from HITN02C at 2005-06-30 17:35:24.
   Last replication recieved from 1BNRCTAN01C at 2005-06-22 16:02:06.
DC=DomainDnsZones,DC=155bct,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from 155BCTN02C at 2005-05-12 15:53:29.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from 155BCTN01C at 2005-05-12 15:53:12.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from 155BCTLIMAN01C at 2005-05-12 15:51:40.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
DC=155bct,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from 155BCTN02C at 2005-05-1
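An added example, not from the thread or any vendor tool: it parses a pasted latency report of the form above and works out, against the report's own "Current time" line, which partners have gone longer than the tombstone lifetime without inbound replication, then cross-checks that verdict against the WARNING lines the report printed. The sample report is constructed from a few of the lines above with the wrapped timestamps re-joined, and the 60-day TSL is an assumption taken from the warning text.

```python
"""Parse a 'REPLICATION-RECEIVED LATENCY WARNING' report (as pasted above) and
flag partners that have not replicated within the tombstone lifetime (TSL).
Added example, not from the thread; the 60-day TSL comes from the warning text."""
import re
from datetime import datetime, timedelta

TOMBSTONE_LIFETIME_DAYS = 60   # assumption: the value the report itself warns about
TS_FMT = "%Y-%m-%d %H:%M:%S"
TS_RE = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"

CURRENT_RE = re.compile(r"^\s*(?P<dc>\S+):\s+Current time is " + TS_RE + r"\.")
# 'recieved' is spelled the way it appears in the pasted output.
LAST_RE = re.compile(r"^\s*Last replication recieved from (?P<partner>\S+) at "
                     + TS_RE + r"\.")
WARN_RE = re.compile(r"^\s*WARNING:\s+This latency is over the Tombstone Lifetime")
NC_RE = re.compile(r"^(?:DC|CN)=\S+")   # a naming-context header line


def parse_latency_report(text):
    """Return (reporting_dc, current_time, entries).

    Each entry: nc (naming context), partner, last (datetime of last inbound
    replication) and warned (True if the report printed a TSL warning after it).
    """
    dc, current, nc, entries = None, None, None, []
    for line in text.splitlines():
        m = CURRENT_RE.match(line)
        if m:
            dc, current = m.group("dc"), datetime.strptime(m.group("ts"), TS_FMT)
            continue
        if NC_RE.match(line):
            nc = line.strip()
            continue
        m = LAST_RE.match(line)
        if m:
            if nc is None:
                raise ValueError("partner line before any naming context: " + line)
            entries.append({"nc": nc, "partner": m.group("partner"),
                            "last": datetime.strptime(m.group("ts"), TS_FMT),
                            "warned": False})
            continue
        if WARN_RE.match(line) and entries:
            entries[-1]["warned"] = True   # the warning refers to the line above it
    if current is None:
        raise ValueError("no 'Current time' line found")
    return dc, current, entries


def stale_partners(text, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """(nc, partner, age_in_days) for every partner whose last inbound
    replication is older than the TSL, measured against the report's own clock.

    Such a partner may still hold objects the rest of the forest has already
    tombstoned and purged (lingering objects), which is why the report warns.
    """
    _, current, entries = parse_latency_report(text)
    limit = timedelta(days=tsl_days)
    return [(e["nc"], e["partner"], (current - e["last"]).days)
            for e in entries if current - e["last"] > limit]


def warning_mismatches(text, tsl_days=TOMBSTONE_LIFETIME_DAYS):
    """Entries where our verdict disagrees with the report's own WARNING lines,
    e.g. when the TSL passed in is not the one the reporting DC used."""
    _, current, entries = parse_latency_report(text)
    limit = timedelta(days=tsl_days)
    return [e for e in entries if (current - e["last"] > limit) != e["warned"]]


# Constructed sample: a handful of lines from the report above, with the
# wrapped date/time lines re-joined so each partner is on one line.
SAMPLE_REPORT = """\
 REPLICATION-RECEIVED LATENCY WARNING
 155BCTDUKEN01C:  Current time is 2005-07-12 18:50:13.
DC=ForestDnsZones,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from 1BNRCTAN01C at 2005-07-09 02:16:04.
CN=Schema,CN=Configuration,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from LARN02C at 2005-06-30 16:58:34.
   Last replication recieved from 13BNRCTBNSHARE at 2005-04-25 08:57:23.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
   Last replication recieved from 1BNRCTAN01C at 2005-07-09 02:17:01.
DC=DomainDnsZones,DC=155bct,DC=mnf-wiraq,DC=usmc,DC=mil
   Last replication recieved from 155BCTN02C at 2005-05-12 15:53:29.
   WARNING:  This latency is over the Tombstone Lifetime of 60 days!
"""

if __name__ == "__main__":
    for nc, partner, days in stale_partners(SAMPLE_REPORT):
        print(f"{partner:16} {days:3d} days since last inbound replication  {nc}")
    print("disagreements with the report's own warnings:",
          warning_mismatches(SAMPLE_REPORT))
```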

RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread joe



As Al indicated, interesting thread. My comments:

1. I don't see the reason not to do this. I like it and think it is a good idea. The point I would start to reconsider is if you do a lot of deleting and creating, say in a test lab; this may make your DIT grow out of control. Also if you have an excessively long TSL it may not be optimum as well. Otherwise, I think this is extremely useful and MUCH easier than following the auth restore processes which are, frankly IMO, rather involved for what it is. That is why people are willing to shell out so much money for third party products. I agree this should be a very rare thing to do, but if you would be willing to do an auth restore to get something back, I think being willing to do this first makes more sense.

2. As Guido mentioned, this doesn't work for everything. Be aware of what it does and doesn't work for PRIOR to hoping it saves your butt on something. For the things that it doesn't work for, it shouldn't be too terribly hard to set up an AD/AM instance or a DB to maintain the info you want repopulated. The really hard things are like objectSID, objectGUID, sIDHistory, etc., as you can't easily put those back into place.

3. I am with ~Eric and I don't see where password is being kept. I have also been over that section of the source and don't recall anything with passwords. It also doesn't appear the password attributes are marked in the schema either. Are we sure passwords are being kept? I admit to not trying it. I really haven't done much with SP1 yet due to the Virtual Server guest bits blunder. The docs I have seen mention sIDHistory but not the password attributes (there are several password attributes that would need to be saved).
 
 
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, July 12, 2005 9:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


Interesting thread. I've always been a fan of keeping the information separate for this situation. I need the sid in order to allow the user to access the resources he had prior to accidental deletion (that's another thread :) but otherwise, I wouldn't want password for a user I restored. That would be very dangerous in my mind as it could allow a rogue admin (yet another thread right?) access to resources that purposefully deleted users had and they'd be able to do so in a relatively covert manner. They'd be hard to track for sure.

Additionally, restoring the user to groups could be a nightmare. I'd prefer to keep that information in a separate off-line format (text file? db?) where I can report against it and use it to breathe life into a reanimated user should the need absolutely arise.

I'm a huge fan of setting up processes to do as much as possible to prevent the accidental deletion of users at every turn. My thoughts are that those shops with the wherewithal to set the schema mods aren't the ones that need an undelete in most cases, but good processes are always a good idea.

Still, the odd accident can occur. I realize that. Now I'm just not sure that taking the time to practice against such a thing is worth the effort of practicing this on a regular basis to make sure you don't mess it up. Besides, you'll have to restore the other information anyway, so you may as well get what's absolutely needed (sidHistory should be in that list IMHO) but plan to get other information (fax #? Phone #, group information, nickname, petname, etc.) separately. To try and hold it in deleted items would be more of a PITA due to replication than it would be to store it out of band for other uses.

My $0.04 (USD) anyway.

Al

P.S. if you use .NET to write an app to suck the data out to an off-line storage medium, be aware that it doesn't natively handle group membership very well. Trust me, that's important ;)
 
 


From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Mon 7/11/2005 5:36 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

No.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, July 11, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

Thanks for the useful information, Eric. You've only mentioned sidHistory - does the same apply for the password?
 
/Gudo


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Montag, 11. Juli 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and Password attributes to the tombstone (I belie

RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Almeida Pinto, Jorge de
What is the exact notification concerning the tombstone lifetime? Please paste it here.



From: [EMAIL PROTECTED] on behalf of Yates SFC Robert W (C212 Network Engineer)
Sent: Tue 7/12/2005 4:43 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Replication Issue



DC DIAG gives me warning the tombstone life has expired.  LDAP bind failed with 
error 8341 and it sees the PDC owner, but says the server is not responding to 
RPC bind.

 

 

There is no firewall between the servers.  The NTFS service is running.

 

 

SFC Yates

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 12, 2005 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Replication Issue

 

What diagnostic tools have you run to test it?

DCDIAG?  NTFS.exe service running? Firewall?

 

-Z.V.-MCSE

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yates SFC Robert 
W (C212 Network Engineer)
Sent: Tuesday, July 12, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Replication Issue

All,

 

I am having a replication issue with one of my 2003 servers.  I am replicating 
to servers outside of my domain, but this server cannot replicate to servers 
within its own domain.  When I open the Operations master on the server I see 
ERROR on all three tabs.   I cannot find what would cause that.  DNS is 
working and has been tested.

 

I have 5 other servers that are replicating fine to their other sites and 
between each other.  

 

 

SFC Robert Yates

C212 / 155 BCT Network Engineer

 



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Yates SFC Robert W (C212 Network Engineer)

DC DIAG gives me warning the tombstone life has expired.  LDAP bind failed with error 8341 and it sees the PDC owner, but says the server is not responding to RPC bind.

 

 

There is no firewall between the servers.  The NTFS service is running.

 

 

SFC Yates

 

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, July 12, 2005 9:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 2003 Replication Issue

 

What diagnostic tools have you run to test it?

DCDIAG?  NTFS.exe service running? Firewall?

 

-Z.V.-MCSE

 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yates SFC Robert W (C212 Network Engineer)
Sent: Tuesday, July 12, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Replication Issue

All,

 

I am having a replication issue with one of my 2003 servers.  I am replicating to servers outside of my domain, but this server cannot replicate to servers within its own domain.  When I open the Operations master on the server I see ERROR on all three tabs.  I cannot find what would cause that.  DNS is working and has been tested.

 

I have 5 other servers that are replicating fine to their other sites and between each other.

 

 

SFC Robert Yates

C212 / 155 BCT Network Engineer

 








RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Almeida Pinto, Jorge de
What is the output of DCDIAG?
 
any event log errors?
cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Yates SFC Robert W (C212 Network Engineer)
Sent: Tue 7/12/2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Replication Issue



All,

 

I am having a replication issue with one of my 2003 servers.  I am replicating 
to servers outside of my domain, but this server cannot replicate to servers 
within its own domain.  When I open the Operations master on the server I see 
ERROR on all three tabs.   I cannot find what would cause that.  DNS is 
working and has been tested.

 

I have 5 other servers that are replicating fine to their other sites and 
between each other.  

 

 

SFC Robert Yates

C212 / 155 BCT Network Engineer

 





RE: [ActiveDir] OT: user home directory permissions?

2005-07-12 Thread Olegario, Alan
Also, there's an excellent KB article on this if you're using folder
redirection for the users' home directories...

http://support.microsoft.com/default.aspx?scid=kb;en-us;274443


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, July 12, 2005 9:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: user home directory permissions?

The hope would be that admins shouldn't have nor need access. The reality of what accesses are needed, as I have seen in the real world, is that the admins are quite often asked to go in and grab files of some employees for security group operations, or look for abusive file space usage such as MP3s/movies/joke files, etc., or grab files from someone who was terminated or is about to be terminated or has quit.

I have more of a real concern of an admin "clicking on" or executing files in user share areas on servers versus what data the admins are getting at. If a user knows admins are looking they may put something "juicy" in a folder that has a trojan and hope that an admin will run it. If you have untrustworthy or not the brightest admins that is exactly what can happen and suddenly admin level rights are running something on a server that shouldn't be run.

You certainly shouldn't tell users that their home folders are private unless you can enforce it, and you can't enforce it easily if at all. Basically, you can't really stop built-in admins from accessing the files unless you encrypt the files with third party software where each user is the only person holding the encryption keys to their data.

From a holistic perspective, users using corporate resources (or EDU resources) should never expect any semblance of privacy. They do not own in part or in whole any piece of it; the space and resources are simply loaned to them to do their work. If they choose to put something on a fileshare or PC or in email they should expect that it is viewable by at least one person other than them within the company. Personal resumes, porn, music/movie/multimedia files, etc. really don't belong on those resources unless they are related to the officially stated job function of the individual in question.

When I was a resource domain Admin way back when, I was once asked to zip up and copy a home folder to someone who moved to another division. I initially zipped up the folder and found that the user was using a tremendous amount of space and the zip didn't compress it well. So I started digging into it and found that he had a GB of porn videos and about 300MB of dirty jokes and maybe 5MB of real work files. I had his old manager review the 5MB of real work files to verify they were things that the guy should take to his new position. In the end he simply had one DOC file transferred, a personal resume. He also got called by security and HR and his new manager was given details on what he had kept on his fileshare. I never found out, but I expect he needed his resume that we shipped over to him. This whole thing initiated regular scans for files that were media files as well as files by name, etc. to be cleaned up and reported on. This was a very manual process for a while but got better and better with perl automation to the point that it checked for file names, file types, read the first 1024 bytes of a file to check for files that had been renamed to hide them, looked for identical files in multiple home folders or project folders, etc. We ended up cleaning out hundreds of GBs of space doing this and getting rid of a lot of legally actionable material.

Oh, the permissions I generally recommend on home folders: System:FC, Data Admin:FC, User:Modify. The Data Admin group is a group of normal userids that are responsible for fishing through the user's data for things. The IDs in the group should not be in the admin group of the server nor in domain admins, etc. Keep in mind that users who create files/folders will have implicit FC over them due to the Creator/Owner "feature". Consider having processes that go through and take ownership of files, keeping in mind this can impact some quota software and encryption software though.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes,
Michael M.
Sent: Monday, July 11, 2005 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: user home directory permissions?

Sorry if this has been covered in the past. I checked the archives and really couldn't find anything related. We are in a discussion about what permissions are really required for users' home directories. I contend that users' home directories should be private. The "backup operators" group should have access for backup. A service account should be granted whatever permissions are needed to run virus scanning. But the file server admins really should not have carte blanche access to users' files. How do you address this issue? Thanks!
 
Mik

RE: [ActiveDir] 2003 Replication Issue

2005-07-12 Thread Za Vue



What diagnostic tools have you run to test it?
DCDIAG?  NTFS.exe service running? Firewall?
 
-Z.V.-MCSE


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yates SFC Robert W (C212 Network Engineer)
Sent: Tuesday, July 12, 2005 9:11 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 Replication Issue


All,
 
I am having a replication issue with one of my 2003 servers.  I am replicating to servers outside of my domain, but this server cannot replicate to servers within its own domain.  When I open the Operations master on the server I see ERROR on all three tabs.  I cannot find what would cause that.  DNS is working and has been tested.
 
I have 5 other servers that are 
replicating fine to their other sites and between each other.  

 
 
SFC Robert Yates
C212 / 155 BCT Network Engineer
 


[ActiveDir] 2003 Replication Issue

2005-07-12 Thread Yates SFC Robert W (C212 Network Engineer)

All,

 

I am having a replication issue with one of my 2003 servers.  I am replicating to servers outside of my domain, but this server cannot replicate to servers within its own domain.  When I open the Operations master on the server I see ERROR on all three tabs.   I cannot find what would cause that.  DNS is working and has been tested.

 

I have 5 other servers that are replicating fine to their other sites and between each other.

 

 

SFC Robert Yates

C212 / 155 BCT Network Engineer

 








RE: [ActiveDir] Keep existing attributes from users restored.

2005-07-12 Thread Al Mulnick
Interesting thread.  I've always been a fan of keeping the information separate 
for this situation.  I need the sid in order to allow the user to access the 
resources he had prior to accidental deletion (that's another thread :) but 
otherwise, I wouldn't want password for a user I restored.  That would be very 
dangerous in my mind as it could allow a rogue admin (yet another thread 
right?) access to resources that purposefully deleted users had and they'd be 
able to do so in a relatively covert manner. They'd be hard to track for sure. 
 
Additionally, restoring the user to groups could be a nightmare.  I'd prefer to 
keep that information in a separate off-line format (text file? db?) where I 
can report against it and use it to breathe life into a reanimated user should 
the need absolutely arise. 
 
I'm a huge fan of setting up processes to do as much as possible to prevent the 
accidental deletion of users at every turn. My thoughts are that those shops 
with the wherewithal to set the schema mods aren't the ones that need an 
undelete in most cases, but good processes are always a good idea.
 
Still, the odd accident can occur.  I realize that.  Now I'm just not sure that 
taking the time to practice against such a thing is worth the effort of 
practicing this on a regular basis to make sure you don't mess it up.  Besides, 
you'll have to restore the other information anyway, so you may as well get 
what's absolutely needed (sidHistory should be in that list IMHO) but plan to 
get other information (fax #? Phone #, group information, nickname, petname, 
etc) separately.  To try and hold it in deleted items would be more of a PITA 
due to replication than it would be to store it out of band for other uses. 
 
My $0.04 (USD) anyway. 
 
Al
 
P.S. if you use .NET to write an app to suck the data out to an off-line 
storage medium, be aware that it doesn't natively handle group membership very 
well.  Trust me, that's important ;) 
 
 



From: [EMAIL PROTECTED] on behalf of Dean Wells
Sent: Mon 7/11/2005 5:36 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


No.
--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]  
http://msetechnology.com  

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 11, 2005 5:05 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.


Thanks for the useful information, Eric.  You've only mentioned sidHistory - 
does the same apply for the password?
 
/Gudo



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Montag, 11. Juli 2005 16:45
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.



> BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory 
> and Password attributes to the tombstone (I believe this
> is only valid for new installation of AD).

 

Actually, not quite. For sidHistory, the SP1 change in behavior works for 
existing installations just as well as existing ones. However, to be safe, we 
didn't actually modify searchFlags. Instead, we added sidHistory to the list of 
attributes we always preserve on tombstones no matter what the schema tells us 
we should (there is a list so that you can't subvert replication and strip off 
more than should be allowed). This was deemed safer than modifying your schema 
out from under you on SP upgrade. I tend to agree.

This of course leads to the fact that non-SP1 DCs will strip sidHistory where 
SP1 will keep it. This was well understood, but we did not want a schema change 
for SP1. So we figured, it was this or wait for Longhorn. We went with this as 
being better than nothing.

 

~Eric

 

 

 

 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, 
Guido
Sent: Monday, July 11, 2005 7:08 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Keep existing attributes from users restored.

 

Realize that this search-flag can't be applied to all attributes (e.g. linked 
attributes such as member/memberOf) => as such you will always require a 
combination of actions to successfully recover users to a previous state.  If 
you do want to leverage the tombstone reanimation feature of 2003 (such as 
leveraged by SysInternal's adrestore), you'll have to have mechanisms in place 
to recover attributes which you can't contain in the tombstone object.

 

BTW, Win2003 SP1 has updated some search flags, so as to add the SIDhistory and 
Password attributes to the tombstone (I believe this is only valid for new 
installation of AD). These are the ones that other third-party tools which help 
with re-populating the missing attributes can't rewrite after 

RE: [ActiveDir] OT: user home directory permissions?

2005-07-12 Thread joe
The hope would be that admins shouldn't have nor need access. The reality of what accesses are needed, as I have seen in the real world, is that the admins are quite often asked to go in and grab files of some employees for security group operations, or look for abusive file space usage such as MP3s/movies/joke files, etc., or grab files from someone who was terminated or is about to be terminated or has quit.

I have more of a real concern of an admin "clicking on" or executing files in user share areas on servers versus what data the admins are getting at. If a user knows admins are looking they may put something "juicy" in a folder that has a trojan and hope that an admin will run it. If you have untrustworthy or not the brightest admins that is exactly what can happen and suddenly admin level rights are running something on a server that shouldn't be run.

You certainly shouldn't tell users that their home folders are private unless you can enforce it, and you can't enforce it easily if at all. Basically, you can't really stop built-in admins from accessing the files unless you encrypt the files with third party software where each user is the only person holding the encryption keys to their data.

From a holistic perspective, users using corporate resources (or EDU resources) should never expect any semblance of privacy. They do not own in part or in whole any piece of it; the space and resources are simply loaned to them to do their work. If they choose to put something on a fileshare or PC or in email they should expect that it is viewable by at least one person other than them within the company. Personal resumes, porn, music/movie/multimedia files, etc. really don't belong on those resources unless they are related to the officially stated job function of the individual in question.

When I was a resource domain Admin way back when, I was once asked to zip up and copy a home folder to someone who moved to another division. I initially zipped up the folder and found that the user was using a tremendous amount of space and the zip didn't compress it well. So I started digging into it and found that he had a GB of porn videos and about 300MB of dirty jokes and maybe 5MB of real work files. I had his old manager review the 5MB of real work files to verify they were things that the guy should take to his new position. In the end he simply had one DOC file transferred, a personal resume. He also got called by security and HR and his new manager was given details on what he had kept on his fileshare. I never found out, but I expect he needed his resume that we shipped over to him. This whole thing initiated regular scans for files that were media files as well as files by name, etc. to be cleaned up and reported on. This was a very manual process for a while but got better and better with perl automation to the point that it checked for file names, file types, read the first 1024 bytes of a file to check for files that had been renamed to hide them, looked for identical files in multiple home folders or project folders, etc. We ended up cleaning out hundreds of GBs of space doing this and getting rid of a lot of legally actionable material.

Oh, the permissions I generally recommend on home folders: System:FC, Data Admin:FC, User:Modify. The Data Admin group is a group of normal userids that are responsible for fishing through the user's data for things. The IDs in the group should not be in the admin group of the server nor in domain admins, etc. Keep in mind that users who create files/folders will have implicit FC over them due to the Creator/Owner "feature". Consider having processes that go through and take ownership of files, keeping in mind this can impact some quota software and encryption software though.

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Monday, July 11, 2005 9:43 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: user home directory permissions?

Sorry if this has been covered in the past. I checked the archives and really couldn't find anything related. We are in a discussion about what permissions are really required for users' home directories. I contend that users' home directories should be private. The "backup operators" group should have access for backup. A service account should be granted whatever permissions are needed to run virus scanning. But the file server admins really should not have carte blanche access to users' files. How do you address this issue? Thanks!
 
Mike Thommes
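The home-folder sweep joe describes above (checking the first 1024 bytes of each file against its extension to catch renamed media, and finding identical files across several home folders) as an added example in Python rather than his perl; this is not code from the thread. The signature table, the media-extension list and the sample home folders are constructed for the demonstration, and the scan only reads files, never opening them with their associated program.

```python
"""Home-folder hygiene sweep: flag media files, files whose leading bytes do not
match their extension (renamed to hide them) and identical files in more than
one folder. Added example, not from the thread; it only reads files."""
import hashlib
import os
import tempfile

# (offset, magic bytes, extensions that legitimately carry them). A constructed
# subset of well-known signatures; extend it for the formats you care about.
SIGNATURES = [
    (0, b"MZ", {"exe", "dll", "scr"}),
    (0, b"%PDF", {"pdf"}),
    (0, b"\x89PNG", {"png"}),
    (0, b"\xff\xd8\xff", {"jpg", "jpeg"}),
    (0, b"GIF8", {"gif"}),
    (0, b"ID3", {"mp3"}),
    (0, b"\xff\xfb", {"mp3"}),
    (0, b"OggS", {"ogg"}),
    (0, b"\x1a\x45\xdf\xa3", {"mkv", "webm"}),
    (8, b"AVI ", {"avi"}),
    (4, b"ftyp", {"mp4", "m4a", "mov"}),
    (0, b"\xd0\xcf\x11\xe0", {"doc", "xls", "ppt"}),
    (0, b"PK\x03\x04", {"zip", "docx", "xlsx", "pptx"}),
]
MEDIA_EXTENSIONS = {"mp3", "ogg", "mkv", "webm", "avi", "mp4", "m4a", "mov", "wmv"}
HEAD_SIZE = 1024   # the same first-1024-bytes check joe describes


def sniff(head):
    """Extensions consistent with the leading bytes, or None if nothing matched."""
    for offset, magic, exts in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return exts
    return None


def classify(path, head):
    """Tags for one file: 'media' and/or 'extension-mismatch:<expected exts>'."""
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    exts = sniff(head)
    tags = []
    if ext in MEDIA_EXTENSIONS or (exts and exts & MEDIA_EXTENSIONS):
        tags.append("media")
    if exts is not None and ext not in exts:
        tags.append("extension-mismatch:" + "/".join(sorted(exts)))
    return tags


def scan(root):
    """Walk root read-only. Returns ({path: [tags]}, {sha256: [paths]}), the
    second only for digests seen more than once. Nothing is ever executed."""
    findings, by_hash = {}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(HEAD_SIZE)
                    digest = hashlib.sha256(head)
                    for chunk in iter(lambda: f.read(1 << 16), b""):
                        digest.update(chunk)
            except OSError:
                continue   # unreadable file: skip it, do not abort the sweep
            tags = classify(path, head)
            if tags:
                findings[path] = tags
            by_hash.setdefault(digest.hexdigest(), []).append(path)
    return findings, {h: p for h, p in by_hash.items() if len(p) > 1}


def build_sample_tree(root):
    """Constructed home folders: an MP3 renamed to .txt, the same MP3 under
    another user, a legacy Office document, a zip and a plain text file."""
    samples = {
        "alice/quarterly.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64,
        "alice/notes.txt": b"ID3\x03\x00" + b"\x00" * 200,
        "bob/jokes.zip": b"PK\x03\x04" + b"\x00" * 30,
        "bob/song.mp3": b"ID3\x03\x00" + b"\x00" * 200,
        "carol/readme.txt": b"plain text, nothing to see\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Scan the constructed tree in a temp dir; results keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings, duplicates = scan(root)
        rel = lambda p: os.path.relpath(p, root).replace(os.sep, "/")
        return ({rel(p): t for p, t in findings.items()},
                sorted(sorted(rel(p) for p in ps) for ps in duplicates.values()))


if __name__ == "__main__":
    findings, duplicates = demo()
    for path, tags in sorted(findings.items()):
        print(f"{path:24} {', '.join(tags)}")
    for group in duplicates:
        print("identical files:", ", ".join(group))
```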


[ActiveDir] Issues with newly built w2k3 DCs

2005-07-12 Thread Ruston, Neil





I'm seeing the following errors on newly built w2k3 DCs (w2k native mode domain):



Source: userenv; ID:1030
Windows cannot query for the list of Group Policy objects. A message that describes the reason for this was previously logged by this policy engine.

Source: userenv; ID: 1097
Windows cannot find the machine account, The Local Security Authority cannot be contacted .



The above occur in pairs every 5 mins.


All existing w2k DCs are fine.


Other symptoms: DNS service cannot be managed on the DC (server shown with red cross indicating DNS server not contactable).

Time and DNS resolution all appear fine.


Any ideas anyone? Google shows this to be quite common but with no specific solution / root cause.




Thanks,
neil



==
Please access the attached hyperlink for an important electronic communications disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==



RE: [ActiveDir] Install Windows 2003 in a Windows 2000 AD Infrast ructure

2005-07-12 Thread joe
I am of the same mind as Brian in that I like my DCs all to mirror each
other, so I rebuild them from scratch; it avoids any one-off issues that
occur on some but not all machines. 

While I fully believe a machine that has been upgraded should be the same as
one that is loaded from scratch, this has not been my experience through the
years though I have no specific K3 stories to tell since I simply stopped
following the upgrade processes. 


 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Monday, July 11, 2005 10:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Install Windows 2003 in a Windows 2000 AD Infrast
ructure

Just a couple of things to add to what Brian has said.

- When all your DCs within a domain are at 2003 the domain won't
automatically be at 2003 domain functional level.  You need to flip the
switch using the Domains and Trusts snap-in.
- When all your domains are at 2003 domain functional level your forest
won't automatically be at 2003 forest functional level.  Again, you need to
use the Domains and Trusts snap-in to flip the switch.  See this article for
more detail
(http://support.microsoft.com/default.aspx?scid=kb;en-us;322692#3)
- I take Brian's point about wanting to rebuild the DCs from scratch, rather
than in-place upgrade.  On the other hand it can be a fair bit more effort
and I personally have not seen any major problems with an in-place upgrade.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Tuesday, 12 July 2005 1:56 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Install Windows 2003 in a Windows 2000 AD
Infrastructure

Jennifer-

Following a forestprep and domainprep of your environment 2003 DCs will
coexist peacefully with 2000. There are some Exchange 2000 issues you must
be aware of though:

Before you convert to 2003 native mode, the RUS must be running on Exchange
2003
You must import the inetorgpersonfix.ldf schema fix before running adprep
/forestprep if you're running Exchange 2000.

In general, when you modify the schema under 2000 ALL of your global
catalogs are going to perform a FULL resync. This is potentially a lot of
bandwidth sucked if you have more than one domain and your links are not
optimal. If you have one domain in your forest then this is not an issue.

To replace that box, run dcpromo on it to demote it to a member server, and
then run dcpromo to promote the new box to a domain controller. Quite easy. 

I personally recommend rebuilding DCs from scratch in lieu of an in-place
upgrade, but that's an issue to tackle on a case-by-case basis. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jennifer Fountain
Sent: Monday, July 11, 2005 8:40 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Install Windows 2003 in a Windows 2000 AD
Infrastructure

Hi All:

Currently, we have nine w2k domain controllers (remote sites, corp,
etc.).   We want to upgrade them all to 2k3.  I have been googling but
haven't found the right q-article or step by step that will help me
accomplish this.  We want to replace one of the servers with new hardware
but the other eight are fine and do not need to be replaced.
Should I just upgrade them? Can I install the new server with w2k3 and can
it coexist with the 2k servers?  Any guidance would be greatly appreciated! 

Kind Regards,

Jennifer Fountain
Systems Administrator/Security
R&B Distribution
3400 E Walnut Street
Colmar, PA  18915 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Win2k3 server issue

2005-07-12 Thread Ken Schaefer
Anything being logged in the SUALB-EXCH2 event logs?

Cheers
Ken

www.adOpenStatic.com/cs/blogs/ken/ 

: -Original Message-
: From: [EMAIL PROTECTED] [mailto:ActiveDir-
: [EMAIL PROTECTED] On Behalf Of Kern, Tom
: Sent: Tuesday, 12 July 2005 12:09 PM
: To: ActiveDir (E-mail)
: Subject: [ActiveDir] Win2k3 server issue
: 
: Ok, I'm going thru this one more time because it's driving me nuts.
: 
: A win2k3 SP1 server was made a domain member by an admin.
: I then was called to install Exchange 2k3 on it. I term serviced to the
: server and ran domainprep (forestprep was run ages ago) and I got an
: "Exchange 2k3 is not compatible with this software" error, which I googled
: and was told was benign as long as I installed SP1 for Exchange after
: install.
: OK, I ran setup and I got an error that the win2k3 server was not a member
: of the Exchange Domain Servers group and I would have to manually add it.
: That was weird because I could've sworn setup does it for you.
: So, I navigate to the group via ADUC and when I try to add the server,
: the object picker can't find it.
: You can see it in ADUC in the Computers container but the picker can't
: find it. Also, the server does not show up in Terminal Services Manager.
: The server also registered its A and PTR records in DNS and is pointing to
: the correct DNS servers.
: 
: On my GC, I get this error:
: 
: 
: Event Type:   Error
: Event Source: NETLOGON
: Event Category:   None
: Event ID: 5790
: Date: 7/11/2005
: Time: 1:29:02 PM
: User: N/A
: Computer: SUALB-USR1
: Description:
: No suitable Domain Controller is available for domain SUALB-EXCH2. An NT4
: or older domain controller is available but it cannot be used for
: authentication purposes in the Windows 2000 or newer domain that this
: computer is a member of. The following error occurred:
: Access is denied.
: 
: For more information, see Help and Support Center at
: http://go.microsoft.com/fwlink/events.asp.
: Data:
: : 22 00 00 c0   "..À
: 
: 
: 
: Now what's really weird about this is that SUALB-EXCH2 is NOT a domain but
: the name of the member server in question (no, it's not running Exchange
: yet).
: 
: And now, when I term service to it, I can't log on. "Domain cannot be
: found". Also I get "access denied" when trying to connect via Computer
: Management or Event Viewer.
: Though I can browse to the admin$ share.

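
As an added example of the log check Ken asks for (not code from this thread), the script below pulls NETLOGON event 5790 entries from the GC named in Tom's post and decodes the event's data bytes, then tests the member server's own secure channel to the domain. The four data bytes quoted in the event, 22 00 00 c0, are a little-endian NTSTATUS DWORD, 0xC0000022, which is STATUS_ACCESS_DENIED and matches the "Access is denied" text of the event. The computer names SUALB-USR1 and SUALB-EXCH2 come from the thread; the NTSTATUS table is a short list of codes I know, and the script assumes PowerShell 3.0 or later with Get-WinEvent and Test-ComputerSecureChannel, tooling that did not exist when the thread was written.

```powershell
# Added example (not from the thread): decode NETLOGON 5790 status data from a DC's
# System log and check the member server's secure channel. Assumes PowerShell 3.0+
# (Get-WinEvent, Test-ComputerSecureChannel) and rights to read the DC's event log.

# NTSTATUS codes that commonly appear in 5790's data field (keys are hex strings so the
# lookup does not depend on how PowerShell types a 32-bit hex literal).
$ntstatus = @{
    'C0000022' = 'STATUS_ACCESS_DENIED'
    'C000005E' = 'STATUS_NO_LOGON_SERVERS'
    'C000006D' = 'STATUS_LOGON_FAILURE'
    'C000018B' = 'STATUS_NO_TRUST_SAM_ACCOUNT'
    'C000018D' = 'STATUS_TRUSTED_RELATIONSHIP_FAILURE'
    'C0000233' = 'STATUS_DOMAIN_CONTROLLER_NOT_FOUND'
}

function ConvertFrom-NetlogonData {
    # The event's Data field is a little-endian DWORD: bytes 22 00 00 c0 -> 0xC0000022.
    param([byte[]]$Bytes)
    if ($Bytes.Count -lt 4) { return 'no status data' }
    $code = [BitConverter]::ToUInt32($Bytes, 0)
    $hex  = '{0:X8}' -f $code
    $name = if ($ntstatus.ContainsKey($hex)) { $ntstatus[$hex] } else { 'unrecognised NTSTATUS' }
    "0x$hex $name"
}

# The bytes quoted in Tom's event, decoded offline; no DC is needed for this call.
ConvertFrom-NetlogonData -Bytes ([byte[]](0x22, 0x00, 0x00, 0xC0))   # 0xC0000022 STATUS_ACCESS_DENIED

# On the GC: every 5790 so far, with the name NETLOGON complained about and the decoded status.
$events = Get-WinEvent -ComputerName 'SUALB-USR1' -FilterHashtable @{
    LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5790
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml   = [xml]$e.ToXml()
    $hex   = $xml.Event.EventData.Binary          # hex string such as "220000C0"
    $bytes = [byte[]]@()
    if ($hex) {
        $bytes = [byte[]](0..($hex.Length / 2 - 1) |
            ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })
    }
    $firstSentence = ($e.Message -split '\.\s')[0]   # "No suitable Domain Controller ... domain SUALB-EXCH2"
    '{0}  {1}  {2}' -f $e.TimeCreated, $firstSentence, (ConvertFrom-NetlogonData -Bytes $bytes)
}

# On SUALB-EXCH2 itself: can the machine account still authenticate its secure channel?
# A failing channel is consistent with "Domain cannot be found" at logon and with NETLOGON
# on the DC reporting the computer name where a domain name belongs; it is a check, not a diagnosis.
Test-ComputerSecureChannel -Verbose
# Older equivalent from the 2003-era toolset: nltest /sc_query:<DomainName>
```

If Test-ComputerSecureChannel returns False, Test-ComputerSecureChannel -Repair (or netdom reset) re-establishes the channel with a new machine-account password; compare the DC's 5790 status codes before and after to confirm the access-denied entries stop.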