RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ruston, Neil
You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an ANET3 
EXE, but don't misunderstand me, I loved some of the older shells or requestors 
like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new 
and different local SAM account each time you logged on as a NetWare account 
... garbage!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great job 
security. No one who didn't know any better couldn't possibly figure out the 
right combination of ODI drivers, VLMs and client shells to bind together to 
actually get access to Netware. The best was the Netware 2.x client, where you 
had to run something equivalent to a compiler to actually create a client. 
After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they 
produced (current versions are better but still remain lesser integrated than 
that of Windows' native ability) ... utterly, utterly pathetic attempt. 
Arrogance and a distinct lack of marketing (when compared to the competition) 
was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I 
remember when NT first shipped the mantra was, Netware is great for file and 
print and NT is great for applications. Netware NLMs were impossible to 
develop and that meant that folks either developed apps on NT or more likely 
Unix (at the time). Apps are sticky, file and print is not. Over time, as 
Windows ruled the desktop and people realized that file and print was commodity 
and that arguing about whether Netware was a better file and print server than 
NT became meaningless compared to better desktop/server integration, Novell 
lost out. Novell failed to keep up, in my opinion. The market was theirs to 
lose...and they lost it. Proof once again that great technology coupled with 
bad management is just as bad as bad technology. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra 
stable but diff to manage once you deployed more than ~100 servers). Netware 
4/NDS had issues in its first version and quickly lost traction, leaving MS and 
NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env - NDS 
was more than capable of supporting 100K users and the 
management/maintenance/support would have been far simpler than it was for NT.

Once NT gained the upper hand, momentum took over and led us to where we are 
today.

neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes


Yeah, ADAM scared some folks in the widget factory as well. On the positive 
side, it can register in AD so you can chase them down that way via their SCPs. 
If they don't register, well then that will be fun to chase as it will be like 
trying to find rogue AD's, network scanning but even worse, any port can be 
used... If all machines are part of a domain or forest, you could set up 
policies to block the running of the ADAM binaries I guess. 

I like AD/AM more from the standpoint that I think it can hint as to where AD 
will go.

What is the largest Enterprise deployment of NDS that anyone has seen? I 
haven't seen anything larger than say 5000 or so users, it seems that the 
management got too difficult even at that level, but then I never looked really 
close at it, so 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ruston, Neil
I see your HIMEM and raise you a QEMM!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 05 August 2005 17:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes


Don't make me get out my copies of himem and loadhigh!

And his name was Ray Noorda.

-gil (resident old guy and networking historian)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, August 05, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

 LSL
 NE3200
 IPXODI
 VLM
 
 C:\F:
 
 F:\LOGIN
 
 ... ah, even now I get a gooey comfortable feeling. :o)
 

You may call it a gooey comfortable feeling, Dean, but I'm having 
screaming-nightmare flashbacks over here!  ;-)

I actually think that Novell lost the race when they had that CEO (damned if I 
remember his name) who got on this kick of We need to do -everything- 
Microsoft does in order to compete.  So since MS had Office, Novell went and 
acquired Corel...stuff like that.  Though I'd probably lump that into the 
larger heading of inadequate/misinformed marketing that others have already 
mentioned.

- L
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT - Biggest AD Gripes

2005-08-08 Thread Ruston, Neil
There are certainly fairly large (~10k) installations and NDS/eDIR will scale 
way beyond that too.

A lack of client/dir/server integration may become an issue as the org grows, 
though.

neil


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 06 August 2005 00:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Biggest AD Gripes


Were there any comments to Joe's question about large deployments of NDS? 
Are/were there any out there? I am just interested because I still hear 
comments about how scalable it is.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest 
AD Gripes)

Heh  From a pure technical view, quite right.

However - that's where I started - NetWare 2.0  (I mean the FIRST NetWare 2.0). 
 I still remember the proprietary servers that they used to manufacture.

However, what really killed Novell was not the brilliant technical ideas of 
Drew Majors (who, I still respect as a guy with real vision), but the 
Megalomania and obsessive behavior of Ray Noorda.

Ray so envied Bill Gates that he was going to do anything to better Gates. This 
meant that Ray effectively lost focus of what Novell was all about in the 
interest of buying up products that he thought would better Microsoft. Hence, 
absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) 
were spent for WordPerfect and ATT Unix, as well as other pieces that were 
picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine 
paid no attention (outwardly, at least) to Noorda.  They just went after the 
customers who had lost patience with the very badly off track NetWare.

What was once a major player - and owned greater than 80% of the server market 
all but became a bit player overnight.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they 
produced (current versions are better but still remain lesser integrated than 
that of Windows' native ability) ... utterly, utterly pathetic attempt. 
Arrogance and a distinct lack of marketing (when compared to the competition) 
was also a contributing factor IMO.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I 
remember when NT first shipped the mantra was, Netware is great for file and 
print and NT is great for applications. Netware NLMs were impossible to 
develop and that meant that folks either developed apps on NT or more likely 
Unix (at the time). Apps are sticky, file and print is not. Over time, as 
Windows ruled the desktop and people realized that file and print was commodity 
and that arguing about whether Netware was a better file and print server than 
NT became meaningless compared to better desktop/server integration, Novell 
lost out. Novell failed to keep up, in my opinion. The market was theirs to 
lose...and they lost it. Proof once again that great technology coupled with 
bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra 
stable but diff to manage once you deployed more than ~100 servers). Netware 
4/NDS had issues in its first version and quickly lost traction, leaving MS and 
NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env - NDS 
was more than capable of supporting 100K users and the 
management/maintenance/support would have been far simpler than it was for NT.

Once NT gained the upper hand, momentum took over and led us to where we are 
today.

neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes


Yeah, ADAM scared some folks in the widget factory as well. On the positive 
side, it can register in AD so you can chase them down that way via their SCPs. 
If they don't register, well then that will be fun to chase as it will be like 
trying to find rogue AD's, network scanning but 

RE: [ActiveDir] Merging two domains

2005-08-08 Thread chris . ryan




Migration Manager for Active Directory from Quest will allow you to migrate
objects from the external domain without setting up a trust. I believe you
do need to be running 2003 in the source domain as it stores information in
ADAM during the migration. Check out the URL below.

http://wm.quest.com/products/migrationmanagerad/





   
From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 08/06/2005 02:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains
Please respond to: [EMAIL PROTECTED]
   
   




yeah... this is also the first thing I thought.  I also thought of
something else. Will those users ever need to access their old resources?
(like mail, files, etc.) If no access is allowed how are you going to do
that? Exmerge all mailboxes into PSTs and burn files on DVD or something
like that?

Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains



Interesting issue.  SIDHistory is not much of an issue, obviously.
Apparently, the users won't have access to the old forest, so it's of
little value.

I would suspect, as a 'from the hip' approach - given your limits you really
only have a .ldf or a .csv dump of the accounts that are to become a part
of your domain.

However, if you aren't going to be allowed any access to the old forest,
then there is no reason to think that the users would be any more than
newly created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what
is coming with them.  Other than name, logon name, samAccountName, there
isn't much that you can use.

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains




We have an external domain that we will not be allowed to set up a two way
trust with, not be allowed to migrate users from, etc.  Basically it's a
partial domain import from one domain to our current Win2k3 domain.

Getting access to the external domain is out of the question since the
external domain is not currently ours.  Part of it will become ours.


Are there any alternative ways to import or migrate users from an
external domain?  I understand SID history and all the nice things that
go along with it (profile migrations, etc) will not work.  What about
doing some type of an LDIFDE export and import?  Will that at least get
us the account creations?  What other alternatives are there to have the
least end-user impact when changing their domain?  Any documents out
there outlining this?

Thanks to all.


RE: [ActiveDir] Merging two domains

2005-08-08 Thread Rick Kingslan
The trust is only one issue. It doesn't appear that he's being allowed
enough access to set anything up.

I'm certain (though I haven't worked with Migration Manager) that there must
be some type of LDAP Bind or agreement setup between ADAM and the source /
targets.

I'm not sure that he's going to have this degree of latitude, either.
However, if he is - go for it. Not cheap, but it might be worth the money
in man-hours for recreation of functional user and computer accounts, not to
mention the Exchange.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 08, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Migration Manager for Active Directory from Quest will allow you to migrate
objects from the external domain without setting up a trust. I believe you
do need to be running 2003 in the source domain as it stores information in
ADAM during the migration. Check out the URL below.

http://wm.quest.com/products/migrationmanagerad/

From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Sent: 08/06/2005 02:39 PM
Subject: RE: [ActiveDir] Merging two domains
Please respond to: [EMAIL PROTECTED]

yeah... this is also the first thing I thought. I also thought of
something else. Will those users ever need to access their old resources?
(like mail, files, etc.) If no access is allowed how are you going to do
that? Exmerge all mailboxes into PSTs and burn files on DVD or something
like that?

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Interesting issue. SIDHistory is not much of an issue, obviously.
Apparently, the users won't have access to the old forest, so it's of
little value.

I would suspect, as a 'from the hip' approach - given your limits you really
only have a .ldf or a .csv dump of the accounts that are to become a part
of your domain.

However, if you aren't going to be allowed any access to the old forest,
then there is no reason to think that the users would be any more than
newly created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what
is coming with them. Other than name, logon name, samAccountName, there
isn't much that you can use.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains

We have an external domain that we will not be allowed to set up a two way
trust with, not be allowed to migrate users from, etc. Basically it's a
partial domain import from one domain to our current Win2k3 domain.

Getting access to the external domain is out of the question since the
external domain is not currently ours. Part of it will become ours.

Are there any alternative ways to import or migrate users from an
external domain? I understand SID history and all the nice things that
go along with it (profile migrations, etc) will not work. What about
doing some type of an LDIFDE export and import? Will that at least get
us the account creations? What other alternatives are there to have the
least end-user impact when changing their domain? Any documents out
there outlining this?

Thanks to all.

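An added example, not part of any poster's message: the LDIF route asked about in this thread, reduced to the handful of attributes Rick says are usable. This Python code parses an export, keeps only user accounts and an allow-list of attributes, and re-roots each DN and UPN for the target domain. The allow-list, the `old.example` / `corp.example` names and the sample export are constructed assumptions, and the target OUs are assumed to exist already.

```python
import base64

# Assumption: an allow-list modelled on the remark that only name, logon name
# and sAMAccountName are worth carrying over. Everything else in the export
# (objectSid, objectGUID, memberOf, pwdLastSet, ...) is dropped.
KEEP = {"objectclass", "cn", "displayname", "samaccountname", "userprincipalname"}

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return [(dn, [(attribute, value), ...]), ...] from LDIF text."""
    records, dn, attrs = [], None, []
    for line in unfold(text) + [""]:
        if not line.strip():                      # a blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        key = name.lower()
        if key == "dn":
            dn = value
        elif dn is not None and key != "changetype":
            attrs.append((name, value))
    return records

def rebase_users(records, old_suffix, new_suffix, new_upn_suffix):
    """Keep user objects only, strip non-portable attributes, re-root DN and UPN."""
    out = []
    for dn, attrs in records:
        classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
        if "user" not in classes or "computer" in classes:
            continue
        if not dn.lower().endswith(old_suffix.lower()):
            continue
        new_dn = dn[: len(dn) - len(old_suffix)] + new_suffix
        kept = []
        for a, v in attrs:
            if a.lower() not in KEEP:
                continue
            if a.lower() == "userprincipalname":
                v = v.split("@", 1)[0] + "@" + new_upn_suffix
            kept.append((a, v))
        out.append((new_dn, kept))
    return out

def fmt(name, value):
    """Emit one LDIF line, base64-encoding values that are not plain ASCII."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def to_ldif(records):
    chunks = []
    for dn, attrs in records:
        lines = [fmt("dn", dn), "changetype: add"] + [fmt(a, v) for a, v in attrs]
        chunks.append("\n".join(lines))
    return "\n\n".join(chunks) + "\n"

# Constructed sample export (not real data): one user, one computer account.
SAMPLE = """\
dn: CN=Ann Example,OU=Staff,DC=old,DC=example
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ann Example
displayName:: QW5uIMOJeGFtcGxl
sAMAccountName: aexample
userPrincipalName: aexample@old.example
objectSid:: AQUAAAAAAAUVAAAA
memberOf: CN=Finance,OU=Groups,DC=old,
 DC=example
pwdLastSet: 0

dn: CN=PC01,OU=Machines,DC=old,DC=example
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: PC01
sAMAccountName: PC01$
"""

if __name__ == "__main__":
    users = rebase_users(parse_ldif(SAMPLE), "DC=old,DC=example",
                         "DC=corp,DC=example", "corp.example")
    print(to_ldif(users))
```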

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Mayuresh Kshirsagar

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different
domain) which talks to the agent which is installed on the exchange machine.
The agent then uses the exchange native apis to create the mail boxes which
would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being
set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is
set.

If the tool allows you to retrieve the extended LDAP error that would be
great, if not get out a network sniffer and trace the operation. If the issue
is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear
text in the return packet from the DC.

I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the
homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues
setting them through LDAP, certainly AD won't reject them. Again I would
change the mailnickname to the same as sAMAccountName but that is just me.

If you are just mailbox enabling, setting mailnickname and homemdb will do
it. That whole thing is documented to be unsupported by MS but I don't know
of a single large company that doesn't do it the same way. The RUS will fire
with that info and set up the rest of the attributes.

Now if this is a user create from the ground up, there could be issues with
creating an enabled account. I think we went through that before here on the
list with you though didn't we?

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the
agent is responsible for creating mailbox. Are the attributes seen for the
entry correct? Also what all is required if I am creating a mailbox user from
a meta or a script, etc. Also can you suggest if I can find some useful
information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being
floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I
don't see anything bad though I wouldn't recommend the mailnickname to have
that format, I would recommend it be the same as the sAMAccountName value. I
tend to put the nice full version of the name in the displayName and that is
the only place it is.

What info specifically is the product trying to set and how is it setting it?
You may have to do a network trace or something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting
on the Exchange server machine, which will add the mail box for the user.

But when I try to add the user, I am getting the following error An
operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K:

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Rick Kingslan

Ethereal - no question. Get it at:

www.ethereal.com

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different
domain) which talks to the agent which is installed on the exchange machine.
The agent then uses the exchange native apis to create the mail boxes which
would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being
set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is
set.

If the tool allows you to retrieve the extended LDAP error that would be
great, if not get out a network sniffer and trace the operation. If the issue
is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear
text in the return packet from the DC.

I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the
homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues
setting them through LDAP, certainly AD won't reject them. Again I would
change the mailnickname to the same as sAMAccountName but that is just me.

If you are just mailbox enabling, setting mailnickname and homemdb will do
it. That whole thing is documented to be unsupported by MS but I don't know
of a single large company that doesn't do it the same way. The RUS will fire
with that info and set up the rest of the attributes.

Now if this is a user create from the ground up, there could be issues with
creating an enabled account. I think we went through that before here on the
list with you though didn't we?

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the
agent is responsible for creating mailbox. Are the attributes seen for the
entry correct? Also what all is required if I am creating a mailbox user from
a meta or a script, etc. Also can you suggest if I can find some useful
information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being
floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I
don't see anything bad though I wouldn't recommend the mailnickname to have
that format, I would recommend it be the same as the sAMAccountName value. I
tend to put the nice full version of the name in the displayName and that is
the only place it is.

What info specifically is the product trying to set and how is it setting it?
You may have to do a network trace or something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting
on the Exchange server machine, which will add the mail box for the user.

But when I try to add the user, I am getting the following error An
operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
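An added example, not code from any poster on this thread: once the trace joe suggests has been captured, the DC's reply carries a diagnostic string that can be parsed rather than eyeballed. This Python code pulls the error class, problem name and attribute out of such strings and flags a CONSTRAINT_ATT_TYPE on homeMDB. The sample strings are constructed in the shape Active Directory uses, with placeholder DSID and attribute-id values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of an AD diagnostic message: "<8 hex digits>: <class>: DSID-<hex>, ..."
HEADER = re.compile(r"\s*([0-9A-Fa-f]{8}): (\w+): (DSID-[0-9A-Fa-f]+)")
START = re.compile(r"(?m)^[0-9A-Fa-f]{8}: \w+: DSID-")
PROBLEM = re.compile(
    r"problem (\d+) \(([A-Z_]+)\)"
    r"(?:, data (-?\d+))?"
    r"(?:, Att ([0-9A-Fa-f]+) \(([^)]+)\))?"
)
COMMENT = re.compile(r"comment: (.*?), data ")

@dataclass
class Problem:
    number: int
    name: str
    attribute: Optional[str]

@dataclass
class Diagnostic:
    win32_code: int
    error_class: str
    dsid: str
    comment: Optional[str]
    problems: List[Problem]

def parse_diagnostic(message: str) -> Optional[Diagnostic]:
    """Parse one diagnostic string; return None if it is not in the AD shape."""
    head = HEADER.match(message)
    if head is None:
        return None
    comment = COMMENT.search(message)
    problems = [
        Problem(int(num), name, att or None)
        for num, name, _data, _att_id, att in PROBLEM.findall(message)
    ]
    return Diagnostic(
        win32_code=int(head.group(1), 16),
        error_class=head.group(2),
        dsid=head.group(3),
        comment=comment.group(1) if comment else None,
        problems=problems,
    )

def scan(text: str) -> List[Diagnostic]:
    """Find every diagnostic string in a block of text copied from a trace."""
    starts = [m.start() for m in START.finditer(text)]
    ends = starts[1:] + [len(text)]
    found = (parse_diagnostic(text[s:e]) for s, e in zip(starts, ends))
    return [d for d in found if d is not None]

def triage(diag: Diagnostic, linked_dn_attrs=("homeMDB",)) -> List[str]:
    """Turn a parsed diagnostic into short hints for whoever reads the trace."""
    linked = {a.lower() for a in linked_dn_attrs}
    hints = []
    for p in diag.problems:
        if p.name == "CONSTRAINT_ATT_TYPE":
            hint = f"DC rejected the value supplied for {p.attribute or 'an attribute'}"
            if p.attribute and p.attribute.lower() in linked:
                hint += ("; it is a linked DN attribute, so the value must be "
                         "the DN of an existing object")
            hints.append(hint)
        else:
            hints.append(f"{p.name} (problem {p.number})")
    if diag.comment:
        hints.append("DC comment: " + diag.comment)
    return hints

# Constructed samples: DSID, leading code and Att id are placeholders.
SAMPLE_ATTR_ERROR = (
    "00000000: AtrErr: DSID-00000000, #1:\n"
    "\t0: 00000000: DSID-00000000, problem 1005 (CONSTRAINT_ATT_TYPE), "
    "data 0, Att 0 (homeMDB)"
)
SAMPLE_BIND_ERROR = (
    "000004DC: LdapErr: DSID-00000000, comment: In order to perform this "
    "operation a successful bind must be completed on the connection., "
    "data 0, v0000"
)
CAPTURE = "unrelated line\n" + SAMPLE_ATTR_ERROR + "\nnoise\n" + SAMPLE_BIND_ERROR + "\n"

if __name__ == "__main__":
    for d in scan(CAPTURE):
        print(d.error_class, d.dsid, triage(d))
```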


RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Mayuresh Kshirsagar

Thanks,

Would it be worth running it on the agent machine, or the AD machine?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Ethereal - no question. Get it at:

www.ethereal.com

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different
domain) which talks to the agent which is installed on the exchange machine.
The agent then uses the exchange native apis to create the mail boxes which
would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005
2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem
adding an Exchange User - An operations error occurred





That would tell me that the homeMDB value
either isn't correct or isn't being set properly. homeMDB is a linked DN
attribute, it *MUST* be valid when it is set.



If the tool allows you to retrieve the
extended LDAP error that would be great, if not get out a network sniffer and
trace the operation. If the issue is with homeMDB from the DC, you will see a
CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC.



I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when
with the same attributes minus the homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred





Yes, again those attributes below seem
fine, there should be no issues setting them through LDAP, certainly AD won't
reject them. Again I would change the mailnickname to the same as
sAMAccountName but that is just me. 



If you are just mailbox enabling, setting
mailnickname and homemdb will do it. That whole thing is documented to be
unsupported by MS but I don't know of a single large company that doesn't do it
the same way. The RUS will fire with that info and set up the rest of the
attributes.



Now if this is a user create from the
ground up, there could be issues with creating an enabled account. I
think we went through that before here on the list with you though,
didn't we?



joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it
creates the entry in AD and the agent is responsible for creating mailbox. Are
the attributes seen for the entry correct? Also what all is required if I am
creating a mailbox user from a meta or a script, etc. Also can you
suggest if I can find some useful information from the exchange server? Any
diagnostics, etc?



Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred





That error log isn't very good. You can't
even tell if it is an error being floated back from a DC. Could be something in
the meta directory tool.



As for the specific data below for the
attributes to be set on the user, I don't see anything bad though I wouldn't
recommend the mailnickname to have that format, I would recommend it be the
same as the sAMAccountName value. I tend to put the nice full
version of the name in the displayName and that is the only place it is.



What info specifically is the product
trying to set and how is it setting it? You may have to do a network trace or
something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi 



I am trying to use a metadirectory to add an exchange user.
An agent sitting on the Exchange server machine, which will add the mail box
for the user.


RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Dean Wells
Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).  

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky
(ultra stable but diff to manage once you deployed more than ~100 servers).
Netware 4/NDS had issues in its first version and quickly lost traction,
leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env -
NDS was more than capable of supporting 100K users and the
management/maintenance/support would have been far simpler than it was for NT.

Once NT gained the upper hand, momentum took over and led us to where we are
today.

neil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] 

RE: [ActiveDir] Branch Office Question

2005-08-08 Thread Dean Wells
As always, I'm late to this thread so I'll chime in with one (hopefully)
worthwhile clarification.  The ISTG and the KCC are not the same thing
though the ISTG is considered a sub-component of the KCC.  Disabling the KCC
is a quite different thing from merely disabling the ISTG.

May I inquire as to the OS version here, I don't believe it's been
mentioned as yet (apologies if I missed it).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, August 07, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Yeah.  Stop trying to disable the KCC already.  The KCC is your friend.  :)
You do, however, want to disable 'bridge all site links' (located under the
properties of Intersite Transports - IP).  You need to do this because
the network is not fully routable due to your VPN tunnels.  With BASL
enabled, all site links are treated as transitive, meaning any DC can
potentially replicate with any other DC.  Since that's not true in your
environment you need to disable BASL.

...After reading your response more thoroughly, you mention that you have no
custom site links.  I assume that means you only have the
DEFAULTIPSITELINK with all sites in it.  If true, you need to stop that
practice, too, as you're effectively creating a full mesh topology.  Since
your network isn't a full mesh, that won't work.  You need to create
individual site links between each site to form the proper topology.  Don't
disable BASL until you've done this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Noah,

Just my curiosity - what is the reason for disabling (or, wanting to
disable) the KCC?  It's not a recommended practice unless you have a very
large number of links / sites / replication objects (and the number changes
to a significantly larger number in Win2k3 Functional), or the topology is
such that the KCC and the ISTG is not able to do its job of creating a
proper spanning tree - neither of which are very likely.  Companies with
200k plus users and 150 sites don't normally run into this problem.

The normal remedy is to take a look at everything else and eliminate *IT*
(meaning everything else) as a potential reason for why the KCC/ISTG isn't
working to expectations.  Then when everything else has been eliminated,
reviewing what the impact will be of killing off the KCC.

Specifically, the first realization of killing the KCC - all of the
replication objects between servers - will have to be manually maintained.
The ISTG will no longer do it.  In all but the smallest shops, this would
likely take most of the time of one very adept admin.

So - think carefully on this move.  As I said - it's not recommended.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, August 07, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Thanks, Jorge.

So the KCC is on at all sites. In my situation, I want to disable the KCC. A
few questions:
- Is the command to do so: 
repadmin /siteoptions branch1dc.company.com /site:branch1
+IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
- Do I have to run this against each DC?
- I believe I only want to disable the INTER_SITE, not the INTRA_SITE,
right?
- Do I then need to manually create the connection objects or can I just
leave the auto generated ones in place?
- Does all this change if the VPN topology allows for a fully routed
network?

Thanks.

-- nme

P.S. I checked the questions you asked. DCs and GCs are correct; no custom
site links or connections; site membership is correct.

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 06, 2005 11:59 AM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Branch Office Question
 
 I expected that.. in a few words hub-and-spoke topology in a non fully 
 routed network. For this to work you need a site for each location and 
 a site link between each spoke (the
 branches) and the hub and auto site link bridging is off
  
 The other thing I can think of:
 * Is each DC/GC in the correct site?
 * Do you have custom site link bridges?
 * Do you have custom connections (auto connections are visible as 
 automatic connections and custom connections are visible as GUIDs)
 * Check the site membership of the site links. Is it correct
 * Other site links connecting the branches somehow
 * etc
  
 By the way. To see if the KCC/ISTG for a site has been disabled open 
 up the properties of the NTDS Site Settings object of each site. If 
 you see yellow exclamation marks at the bottom with text explaining 
 it, 

RE: [ActiveDir] Branch Office Question

2005-08-08 Thread Noah Eiger
G'morning (still blerry eyes on the west coast and yet to get some coffee)

The OS is Windows 2000 SP4. And, as per Jorge's initial suggestion, I
disabled BASL, and I am still getting the errors. Finally, if I said no
custom site links, I misspoke. There are three links -- one for each spoke
(- There are three IP site links: Hub-B1, Hub-B2, and Hub-B3).

I think that Jorge and I were just discussing killing the ISTG, not the KCC,
right? And, as I asked yesterday, maybe all this does not matter as
_replication_ is working and we are doing a full redesign and implementation
in the next 6-9 months.

Thanks. Time to get some coffee.

-- nme

 -Original Message-
 From: Dean Wells [mailto:[EMAIL PROTECTED] 
 Sent: Monday, August 08, 2005 7:18 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Branch Office Question
 
 As always, I'm late to this thread so I'll chime in with one 
 (hopefully) worthwhile clarification.  The ISTG and the KCC 
 are not the same thing though the ISTG is considered a 
 sub-component of the KCC.  Disabling the KCC is a quite 
 different thing from merely disabling the ISTG.
 
 May I inquire as to the OS version here, I don't believe 
 it's been mentioned as yet (apologies if I missed it).
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
 Sent: Sunday, August 07, 2005 9:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Branch Office Question
 
 Yeah.  Stop trying to disable the KCC already.  The KCC is 
 your friend.  :) You do, however, want to disable 'bridge all 
 site links' (located under the properties of Intersite 
 Transports - IP).  You need to do this because the network 
 is not fully routable due to your VPN tunnels.  With BASL 
 enabled, all site links are treated as transitive, meaning 
 any DC can potentially replicate with any other DC.  Since 
 that's not true in your environment you need to disable BASL.
 
 ...After reading your response more thoroughly, you mention 
 that you have no custom site links.  I assume that means 
 you only have the DEFAULTIPSITELINK with all sites in it.  If 
 true, you need to stop that practice, too, as you're 
 effectively creating a full mesh topology.  Since your 
 network isn't a full mesh, that won't work.  You need to 
 create individual site links between each site to form the 
 proper topology.  Don't disable BASL until you've done this.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Sunday, August 07, 2005 4:46 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Branch Office Question
 
 Noah,
 
 Just my curiosity - what is the reason for disabling (or, wanting to
 disable) the KCC?  It's not a recommended practice unless you 
 have a very large number of links / sites / replication 
 objects (and the number changes to a significantly larger 
 number in Win2k3 Functional), or the topology is such that 
 the KCC and the ISTG is not able to do its job of creating a 
 proper spanning tree - neither of which are very likely.  
 Companies with 200k plus users and 150 sites don't normally 
 run into this problem.
 
 The normal remedy is to take a look at everything else and 
 eliminate *IT* (meaning everything else) as a potential 
 reason for why the KCC/ISTG isn't working to expectations.  
 Then when everything else has been eliminated, reviewing what 
 the impact will be of killing off the KCC.
 
 Specifically, the first realization of killing the KCC - all 
 of the replication objects between servers - will have to be 
 manually maintained.
 The ISTG will no longer do it.  In all but the smallest 
 shops, this would likely take most of the time of one very 
 adept admin.
 
 So - think carefully on this move.  As I said - it's not recommended.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
 Sent: Sunday, August 07, 2005 4:14 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Branch Office Question
 
 Thanks, Jorge.
 
 So the KCC is on at all sites. In my situation, I want to 
 disable the KCC. A few questions:
 - Is the command to do so: 
 repadmin /siteoptions branch1dc.company.com /site:branch1
 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
 - Do I have to run this against each DC?
 - I believe I only want to disable the INTER_SITE, not the 
 INTRA_SITE, right?
 - Do I then need to manually create the connection objects 
 or can I just leave the auto generated ones in place?
 - Does all this change if the VPN topology allows for a fully 
 routed network?
 
 Thanks.
 
 -- nme
 
 P.S. I checked the questions you asked. DCs and GCs are 
 correct; no custom site links or connections; site membership 
 is correct.
 
  -Original Message-
  From: Almeida Pinto, Jorge de
  [mailto:[EMAIL PROTECTED]
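
The site-link reasoning in this thread (bridge all site links on a hub-and-spoke VPN network, and a single DEFAULTIPSITELINK holding every site), as an added example that is not part of any poster's message. It is a simplified model, not the KCC's algorithm: the function names are hypothetical, the inputs are constructed from the site names mentioned above, and it assumes VPN tunnels exist only between the hub and each branch.

```python
from itertools import combinations

# Constructed inputs using the site names from this thread.
SPOKE_LINKS = {
    "Hub-B1": {"Hub", "B1"},
    "Hub-B2": {"Hub", "B2"},
    "Hub-B3": {"Hub", "B3"},
}
DEFAULT_LINK = {"DEFAULTIPSITELINK": {"Hub", "B1", "B2", "B3"}}
# Assumption: only hub-to-branch pairs can reach each other over the VPN.
ROUTABLE = {frozenset(("Hub", branch)) for branch in ("B1", "B2", "B3")}


def direct_pairs(site_links):
    """Site pairs that are members of the same site link."""
    pairs = set()
    for sites in site_links.values():
        for a, b in combinations(sorted(set(sites)), 2):
            pairs.add(frozenset((a, b)))
    return pairs


def bridged_pairs(site_links):
    """Site pairs joined by any chain of links (all links treated as transitive)."""
    adjacency = {}
    for pair in direct_pairs(site_links):
        a, b = tuple(pair)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    pairs = set()
    for start in adjacency:
        seen, stack = {start}, [start]
        while stack:  # depth-first walk over the link graph
            for nxt in adjacency[stack.pop()]:
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        pairs.update(frozenset((start, s)) for s in seen if s != start)
    return pairs


def unroutable_candidates(site_links, routable, bridge_all):
    """Replication partner pairs the topology permits but the network cannot carry."""
    candidates = bridged_pairs(site_links) if bridge_all else direct_pairs(site_links)
    return sorted(tuple(sorted(p)) for p in candidates - routable)


if __name__ == "__main__":
    cases = [
        ("three spoke links, bridging on", SPOKE_LINKS, True),
        ("three spoke links, bridging off", SPOKE_LINKS, False),
        ("one default link, bridging off", DEFAULT_LINK, False),
    ]
    for label, links, bridge in cases:
        print(label, "->", unroutable_candidates(links, ROUTABLE, bridge))
```

An empty result means every partner pair the site-link design allows is also reachable on the network; branch-to-branch pairs in the result are the ones that can surface as replication errors.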
  

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Carlos Magalhaes
Hah - older than me :P but doesn't the saying go - the older you are
the wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).  

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky
(ultra stable but diff to manage once you deployed more than ~100 servers).
Netware 4/NDS had issues in its first version and quickly lost traction,
leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env -
NDS was more than capable of supporting 100K users and the
management/maintenance/support would have far simpler 

[ActiveDir] Output Shared Contacts

2005-08-08 Thread Jerry Welch
Anyone have an easy way to output shared contacts from a public folder to a
flat file?
Thanks,
Jerry



[ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread Ruston, Neil

We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows:
1. demote w2k DC
2. build and promote w2k3 DC


Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used.


Furthermore, sometimes the same name is used in 1 and 2 but not always.


If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue:


snip
 y\
DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
 objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
 z\ (deleted DSA) via RPC
 objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
 y\
DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
 objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb
snip


Where:
xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same site as xx)


I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives?

Thanks,
neil
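
A check for the situation described above, as an added example that is not part of the original post: it parses saved `repadmin /showreps` text and lists inbound partners marked `(deleted DSA)` per naming context, so the stale entries can be reviewed before any cleanup. The sample output, domain name and GUIDs are constructed, the function names are hypothetical, and the line layout is assumed to follow the snippet in the post (a `DEL:` tag that may wrap onto its own line, followed by an `objectGuid:` line).

```python
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
NC_LINE = re.compile(r"^(?:DC|CN|OU)=", re.I)            # naming context header
NEIGHBOR = re.compile(r"^(?P<src>.*?)\s+via\s+(?P<transport>\w+)$")
DEL_TAG = re.compile(r"DEL:(" + GUID + r")")
# "objectGuid:" as in the post; "DSA object GUID:" is printed by newer repadmin.
OBJ_GUID = re.compile(r"^(?:objectGuid|DSA object GUID):\s*(" + GUID + r")$")

# Constructed sample in the shape of the output quoted in the post.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================
DC=example,DC=com
    SiteA\\DC01 via RPC
        objectGuid: 00000000-0000-0000-0000-000000000001
    SiteA\\DC02
DEL:00000000-0000-0000-0000-0000000000aa (deleted DSA) via RPC
        objectGuid: 00000000-0000-0000-0000-000000000002
CN=Configuration,DC=example,DC=com
    SiteB\\DC03 (deleted DSA) via RPC
        objectGuid: 00000000-0000-0000-0000-000000000003
"""


def parse_showreps(text):
    """Return one dict per inbound neighbor found in repadmin /showreps text."""
    neighbors, context, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        guid = OBJ_GUID.match(line)
        if guid:
            # The GUID line belongs to the neighbor printed just before it.
            if neighbors and neighbors[-1]["object_guid"] is None:
                neighbors[-1]["object_guid"] = guid.group(1).lower()
            continue
        if NC_LINE.match(line):
            context, pending = line, ""
            continue
        hit = NEIGHBOR.match(line)
        if not hit:
            pending = line  # may be a site\server name wrapped before "DEL:"
            continue
        src = hit.group("src")
        if src.startswith("DEL:") and "\\" in pending:
            src = pending + src  # rejoin the wrapped name with its DEL tag
        pending = ""
        tag = DEL_TAG.search(src)
        name = DEL_TAG.sub("", src).replace("(deleted DSA)", "").strip()
        neighbors.append({
            "naming_context": context,
            "source": name,
            "transport": hit.group("transport"),
            "deleted": "(deleted DSA)" in src or tag is not None,
            "del_guid": tag.group(1).lower() if tag else None,
            "object_guid": None,
        })
    return neighbors


def stale_partners(neighbors):
    """Group deleted-DSA neighbors by naming context for review."""
    stale = {}
    for n in neighbors:
        if n["deleted"]:
            stale.setdefault(n["naming_context"], []).append(
                (n["source"], n["del_guid"], n["object_guid"]))
    return stale


if __name__ == "__main__":
    for nc, partners in stale_partners(parse_showreps(SAMPLE)).items():
        print(nc)
        for source, del_guid, object_guid in partners:
            print(f"  {source}  DEL:{del_guid}  objectGuid:{object_guid}")
```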






RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Dean Wells
Nod, good point ... which explains why Joe always has so much to say and why
I'm generally so quiet!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).  

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Rick Kingslan
Or, Rick

007 Pathetic

;op

-r

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:11 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).  

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology. 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky
(ultra stable but diff to manage once you deployed more than ~100 servers).
Netware 4/NDS had issues in its first version and quickly lost traction,
leaving MS and NT to pick up the thread.

It was for this reason that very few orgs deployed NDS across a large env -
NDS was more than capable of supporting 100K users and the
management/maintenance/support would have been far simpler than it was for NT.

Once NT gained 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Dean Wells
... and as for being older than you, I've got shirts in my closet older than
you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just as bad as bad technology.




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was 

RE: [ActiveDir] Branch Office Question

2005-08-08 Thread Rick Kingslan
The ISTG and the KCC are not the same thing

And there you go again - getting all technical and stuff on us 

Gee, does that KCC/ISTG difference REALLY matter?  :o)

Rick


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:18 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Branch Office Question

As always, I'm late to this thread so I'll chime in with one (hopefully)
worthwhile clarification.  The ISTG and the KCC are not the same thing
though the ISTG is considered a sub-component of the KCC.  Disabling the KCC
is a quite different thing from merely disabling the ISTG.

May I inquire as to the OS version here, I don't believe it's been
mentioned as yet (apologies if I missed it).

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Sunday, August 07, 2005 9:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Yeah.  Stop trying to disable the KCC already.  The KCC is your friend.  :)
You do, however, want to disable 'bridge all site links' (located under the
properties of Intersite Transports - IP).  You need to do this because
the network is not fully routable due to your VPN tunnels.  With BASL
enabled, all site links are treated as transitive, meaning any DC can
potentially replicate with any other DC.  Since that's not true in your
environment you need to disable BASL.

...After reading your response more thoroughly, you mention that you have no
custom site links.  I assume that means you only have the
DEFAULTIPSITELINK with all sites in it.  If true, you need to stop that
practice, too, as you're effectively creating a full mesh topology.  Since
your network isn't a full mesh, that won't work.  You need to create
individual site links between each site to form the proper topology.  Don't
disable BASL until you've done this.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 07, 2005 4:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Noah,

Just my curiosity - what is the reason for disabling (or, wanting to
disable) the KCC?  It's not a recommended practice unless you have a very
large number of links / sites / replication objects (and the number changes
to a significantly larger number in Win2k3 Functional), or the topology is
such that the KCC and the ISTG is not able to do its job of creating a
proper spanning tree - neither of which are very likely.  Companies with
200k plus users and 150 sites don't normally run into this problem.

The normal remedy is to take a look at everything else and eliminate *IT*
(meaning everything else) as a potential reason for why the KCC/ISTG isn't
working to expectations.  Then when everything else has been eliminated,
reviewing what the impact will be of killing off the KCC.

Specifically, the first realization of killing the KCC - all of the
replication objects between servers - will have to be manually maintained.
The ISTG will no longer do it.  In all but the smallest shops, this would
likely take most of the time of one very adept admin.

So - think carefully on this move.  As I said - it's not recommended.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger
Sent: Sunday, August 07, 2005 4:14 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Branch Office Question

Thanks, Jorge.

So the KCC is on at all sites. In my situation, I want to disable the KCC. A
few questions:
- Is the command to do so:
repadmin /siteoptions branch1dc.company.com /site:branch1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
- Do I have to run this against each DC?
- I believe I only want to disable the INTER_SITE, not the INTRA_SITE,
right?
- Do I then need to manually create the connection objects or can I just
leave the auto generated ones in place?
- Does all this change if the VPN topology allows for a fully routed
network?

Thanks.

-- nme

P.S. I checked the questions you asked. DCs and GCs are correct; no custom
site links or connections; site membership is correct.

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Saturday, August 06, 2005 11:59 AM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Branch Office Question
 
 I expected that.. in a few words hub-and-spoke topology in a non fully 
 routed network. For this to work you need a site for each location and 
 a site link between each spoke (the branches) and the hub and auto site
 link bridging is off
  
 The other thing I can think of:
 * Is each DC/GC in the correct site?
 * Do you have custom site link bridges?
 * Do you have custom connections (auto connections are visible as 
 automatic 
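
The site-link reasoning in this thread (a hub-and-spoke VPN that is not fully routed, DEFAULTIPSITELINK holding every site, and 'bridge all site links' making links transitive) can be checked with a small model. This is an added example, not part of any list member's message and not the KCC's own algorithm; the site names HUB and BRANCH1 to BRANCH3 and the tunnel list are constructed.

```python
"""Simplified model of which AD site pairs a site-link design permits.

Added illustration only: it models site-link membership and transitivity,
not the KCC/ISTG spanning-tree calculation itself.
"""
from itertools import combinations


def _pairs_within(sites):
    """All unordered pairs of the given sites."""
    return {frozenset(p) for p in combinations(sorted(sites), 2)}


def _components(site_links):
    """Group sites into sets that are joined by a chain of site links."""
    adjacency = {}
    for members in site_links.values():
        for site in members:
            adjacency.setdefault(site, set()).update(set(members) - {site})
    seen, components = set(), []
    for start in adjacency:
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            site = stack.pop()
            if site not in component:
                component.add(site)
                stack.extend(adjacency[site] - component)
        seen |= component
        components.append(component)
    return components


def permitted_pairs(site_links, bridge_all_site_links):
    """Site pairs between which the configuration allows replication.

    With 'bridge all site links' on, links are transitive, so every pair of
    sites joined by a chain of links is permitted. With it off, only sites
    that share a site link are.
    """
    groups = _components(site_links) if bridge_all_site_links else site_links.values()
    pairs = set()
    for group in groups:
        pairs |= _pairs_within(group)
    return pairs


def unroutable_pairs(site_links, bridge_all_site_links, routable):
    """Permitted site pairs that the network cannot actually carry."""
    permitted = permitted_pairs(site_links, bridge_all_site_links)
    return sorted(tuple(sorted(pair)) for pair in permitted - routable)


# Constructed sample: three branches, each with a VPN tunnel to the hub only.
BRANCHES = ("BRANCH1", "BRANCH2", "BRANCH3")
VPN_TUNNELS = {frozenset({"HUB", b}) for b in BRANCHES}

# One default link holding every site, as described in the thread.
SINGLE_DEFAULT_LINK = {"DEFAULTIPSITELINK": {"HUB", *BRANCHES}}

# One site link per tunnel, the layout the replies recommend.
HUB_SPOKE_LINKS = {f"HUB-{b}": {"HUB", b} for b in BRANCHES}

if __name__ == "__main__":
    scenarios = [
        ("default link, BASL on ", SINGLE_DEFAULT_LINK, True),
        ("default link, BASL off", SINGLE_DEFAULT_LINK, False),
        ("hub-spoke,    BASL on ", HUB_SPOKE_LINKS, True),
        ("hub-spoke,    BASL off", HUB_SPOKE_LINKS, False),
    ]
    for label, links, basl in scenarios:
        print(label, unroutable_pairs(links, basl, VPN_TUNNELS))
```

Only the last scenario leaves no branch-to-branch pair permitted, which is why the replies ask for both changes: per-tunnel site links first, then bridging off.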

RE : [ActiveDir] Output Shared Contacts

2005-08-08 Thread TIROA YANN
Hi,
 
Have you tried using the import/export feature that you will find in Outlook?
I think you could do this with your Outlook:
- select your contact
- go to file > import/export
- then choose export and you will be prompted for the format of file (.txt,
.csv, .xls, etc.)
 
I do not remember the whole process, but you will easily find the different 
steps yourself :)
 
PS: if you cannot import/export a contact that is in your public folder, then 
- Create a second contact in your private mailbox
- Copy the one in the public folder to the one you have created
- do the import/export process again
 
Regards,
 
Yann



From: [EMAIL PROTECTED] on behalf of Jerry Welch
Date: Mon. 08/08/2005 16:49
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Output Shared Contacts



Anyone have an easy way to output shared contacts from a public folder to a
flat file?
Thanks,
Jerry

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread Rick Kingslan
Nah, no need to. They will go away by themselves as a normal part of the
tombstoning process. They are marked as deleted, which is just what the DS
needs to let it know it's no longer functioning and should be deleted
from any references.

Rick











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC replicating with deleted DSA object

We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade
is achieved as follows:
1. demote w2k DC
2. build and promote w2k3 DC

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used.

Furthermore, sometimes the same name is used in 1 and 2 but not always.

If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see
the following issue:

snip

y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
z\ (deleted DSA) via RPC
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb

snip

Where:

xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same
site as xx)

I have been considering using repadmin /delete to remove these incorrect
replication connections and wondered if anyone had used such a method before or
could offer any alternatives?

Thanks,

neil

==
Please access the attached hyperlink for an important electronic communications
disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Carlos Magalhaes
Heheeh does that make your shirts more clever than I am :P - and I
thought my DIT tool was cool

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:53 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older than
you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs to lose...and they lost it. Proof once again that great
technology coupled with bad management is just 

RE: [ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread Steve Linehan
Those connections are in a Stay of Execution state. 
With SP1 we changed so that we would not attempt to replicate with them but 
prior to that we will. If your forest has a normal config these will be 
removed after 15 days. They cause no harm and you can remove them with the 
/delete option or wait until the stay of execution period, normally 15 
days.

Thanks,

-Steve


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC "replicating" with deleted DSA object

We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade
is achieved as follows:
1. demote w2k DC
2. build and promote w2k3 DC

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used.

Furthermore, sometimes the same name is used in 1 and 2 but not always.

If I now execute "repadmin /showreps" on an existing (bridgehead) w2k DC, I see
the following issue:

snip

y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
z\ (deleted DSA) via RPC
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb

snip

Where:

xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same
site as xx)

I have been considering using "repadmin /delete" to remove these incorrect
replication connections and wondered if anyone had used such a method before or
could offer any alternatives?

Thanks,

neil

==
Please access the attached hyperlink for an important electronic communications
disclaimer:

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==
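
A small parser for the repadmin /showreps fragment quoted in this thread, listing the replication partners marked (deleted DSA). It is an added example, not code from the list or from Microsoft; the sample text is constructed in the shape of the quoted snippet, with placeholder site names and GUIDs, and the field names del_guid and object_guid are this example's own.

```python
"""List '(deleted DSA)' partners found in repadmin /showreps text."""
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# One entry, after whitespace has been collapsed:
#   <partner containing a backslash> [DEL:<guid>] (deleted DSA) via RPC objectGuid: <guid>
# The DEL:<guid> part is optional because one quoted entry lacks it.
ENTRY_RE = re.compile(
    r"(?P<partner>\S*\\\S*)\s*"
    r"(?:DEL:(?P<del_guid>" + GUID + r")\s*)?"
    r"\(deleted DSA\)\s+via\s+RPC\s+"
    r"objectGuid:\s*(?P<object_guid>" + GUID + r")"
)


def find_deleted_dsa_partners(showreps_text):
    """Return one dict per partner that the output marks as a deleted DSA.

    Mail clients and HTML-to-text conversion wrap these entries across
    several lines, so whitespace is collapsed before matching.
    """
    flat = " ".join(showreps_text.split())
    return [match.groupdict() for match in ENTRY_RE.finditer(flat)]


def describe(entries):
    """Human-readable lines for a change ticket or a follow-up check."""
    lines = []
    for entry in entries:
        del_guid = entry["del_guid"] or "no DEL: GUID shown"
        lines.append(
            f"{entry['partner']} deleted DSA ({del_guid}), objectGuid {entry['object_guid']}"
        )
    return lines


# Constructed sample: one live partner, one wrapped deleted entry with a
# DEL: GUID, and one deleted entry without it. Names and GUIDs are placeholders.
SAMPLE_SHOWREPS = r"""
SITE-A\DC02 via RPC
    objectGuid: 33333333-3333-3333-3333-333333333333
SITE-A\
DEL:11111111-1111-1111-1111-111111111111
(deleted DSA) via RPC
    objectGuid: 44444444-4444-4444-4444-444444444444
SITE-B\ (deleted DSA) via RPC
    objectGuid: 55555555-5555-5555-5555-555555555555
"""

if __name__ == "__main__":
    for line in describe(find_deleted_dsa_partners(SAMPLE_SHOWREPS)):
        print(line)
```

Running the same check again after the 15-day period mentioned in the reply shows whether the entries have aged out on their own.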


RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

2005-08-08 Thread Rick Kingslan
Given your retro appearance, maybe - but not likely.  ;o)

So, just how old do you put me at Dean?  Would you believe me if I told you
I was born shortly after Kennedy's Inauguration (mere days)? 

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older than
you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was
commodity and that arguing about whether Netware was a better file and print
server than NT became meaningless compared to better desktop/server
integration, Novell lost out. Novell failed to keep up, in my opinion. The
market was theirs 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Hunter, Laura E.
 
 ... and as for being older than you, I've got shirts in my 
 closet older than
 you.
 

Come to think of it, I'm wearing one -right now-!

;-P

(As the list of nicknames I have for Mr. Wells just grows and grows:
Data, 007, Mr. Bond.)


[ActiveDir] MailAlias in AD

2005-08-08 Thread Samuel T. Cossette
Hi,

I need basic Mail Alias stored in my AD. How can I add some kind of
Mail attribute tab in the User and Computer AD Manager?

I've already installed the Service For Unix and authenticated my Unix
user and Postfix also lookup my user in AD. Now, I want to be able to
edit/add the msSFU30AMailAlias (or any Mail attribute in the default
AD+SFU schema) attribute, but I can't find how in the Microsoft AD
Manager.

Thanks,

-- 
Samuel T. Cossette


RE: [ActiveDir] [OT] Biggest AD Gripes

2005-08-08 Thread joe
Yes, I am much older and wiser than Dean.  

Anything I figure out, I know it will take at least two more days for Dean
to fully grasp. :o)

On the flip side, when he figures something out and tries to explain it to
me I just sort of turn my head to the side and drool. Once I finally snap
out of it I say You young whippersnapper... Why when I was your age things
were quite like they are now but younger

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 10:52 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Nod, good point ... which explains why Joe always has so much to say and why
I'm generally so quiet!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop and people realized that file and print was

RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

2005-08-08 Thread joe
Kennedy... Or was it Roosevelt?

EG
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes

Given your retro appearance, maybe - but not likely.  ;o)

So, just how old do you put me at Dean?  Would you believe me if I told you
I was born shortly after Kennedy's Inauguration (mere days)? 

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older than
you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely
Unix (at the time). Apps are sticky, file and print is not. Over time, as
Windows ruled the desktop 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Almeida Pinto, Jorge de
In fact you are saying that Dean's shirts can do more than your DIT
tool, and they are not as expensive as your tool. Stop working on the
tool and ask Dean for one of his shirts!

;-)

jorge

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Monday, August 08, 2005 17:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Heheeh does that make your shirts more clever than I am :P - and I
thought my DIT tool was cool

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:53 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older
than you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos
Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are
the wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only
dumb terminals as clients and the server ran on a Motorola proc. ... at
that time they were known as Innovative Systems.  When the Intel product
came out (v2.0 I believe), the shell and the server-side kernel were
both monolithic binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling
an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells
or requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a
new and different local SAM account each time you logged on as a NetWare
account ... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what
great job security. No one who didn't know any better couldn't possibly
figure out the right combination of ODI drivers, VLMs and client shells
to bind together to actually get access to Netware. The best was the
Netware 2.x client, where you had to run something equivalent to a
compiler to actually create a client. After that, VLMs seemed like going
to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client
they produced (current versions are better but still remain lesser
integrated than that of Windows' native ability) ... utterly, utterly
pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the
battle.
I remember when NT first shipped the mantra was, Netware is great for
file and print and NT is great for applications. Netware NLMs were
impossible to develop and that meant that folks either developed apps on
NT or more likely Unix (at the time). Apps are sticky, file and print is
not. Over time, as 

RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

2005-08-08 Thread Dean Wells
Sure, I've seen you close up ... LOL ;o)

just teasing

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes

Given your retro appearance, maybe - but not likely.  ;o)

So, just how old do you put me at Dean?  Would you believe me if I told you
I was born shortly after Kennedy's Inauguration (mere days)? 

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older than
you.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file
and print and NT is great for applications. Netware NLMs were impossible to
develop and that meant that folks either developed apps on NT or more likely

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread joe



Either should work, you just need to watch the traffic between the two. If
you have a shared hub, you can install it on a third machine and plug it
into the hub and watch the traffic that way as well. That works well when
there are rules about what software can be installed on a machine.

Also if you want, if you have netmon already loaded, you can do a netmon
capture and then have ethereal read it.

  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred


Thanks,

Would it be worth running it on the agent machine, or the AD machine?

Regards,
Mayuresh


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred


Ethereal - no question. Get it at:
www.ethereal.com

Rick


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different
domain) which talks to the agent which is installed on the exchange machine.
The agent then uses the exchange native apis to create the mail boxes which
would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't
being set properly. homeMDB is a linked DN attribute, it *MUST* be valid
when it is set.

If the tool allows you to retrieve the extended LDAP error that would be
great, if not get out a network sniffer and trace the operation. If the
issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error
in clear text in the return packet from the DC.

I would pull out a network sniffer


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the
homeMDB, the users get created perfectly.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues
setting them through LDAP, certainly AD won't reject them. Again I would
change the mailnickname to the same as sAMAccountName but that is just me.

If you are just mailbox enabling, setting mailnickname and homemdb will do
it. That whole thing is documented to be unsupported by MS but I don't know
of a single large company that doesn't do it the same way. The RUS will fire
with that info and set up the rest of the attributes.

Now if this is a user create from the ground up, there could be issues with
creating an enabled account. I think we went through that before here on the
list with you though didn't we?

  joe


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the
agent is responsible for creating mailbox. Are the attributes seen for the
entry correct? Also what all is required if I am creating a mailbox user
from a meta or a script, etc. Also can you suggest if I can find some useful
information from the exchange server? Any diagnostics, etc?

Thanks.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being
floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I
don't see anything bad though I wouldn't recommend the mailnickname to have
that format, I would recommend it be the same as the sAMAccountName value. I
tend to put the "nice"
full 
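
As an added illustration of the advice in this thread to trace the operation and read the error in the DC's return packet (this code is not from the thread or from any tool named in it): a small Python decoder that takes the raw bytes of one captured LDAP response and extracts the result code and the clear-text diagnostic. The function names, the sample packet and its X-filled placeholder values are constructed for this example.

```python
import re

# protocolOp tags of LDAP responses that carry an LDAPResult (RFC 4511).
RESPONSE_OPS = {0x61: "bindResponse", 0x67: "modifyResponse",
                0x69: "addResponse", 0x6B: "delResponse",
                0x6D: "modifyDNResponse"}
RESULT_NAMES = {0: "success", 1: "operationsError", 16: "noSuchAttribute",
                19: "constraintViolation", 21: "invalidAttributeSyntax",
                32: "noSuchObject", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}


def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the BER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of capture")
    return tag, buf[pos:end], end


def parse_ldap_result(pdu):
    """Decode one LDAPMessage holding a response; return its result fields."""
    tag, body, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, msg_id, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID is not an INTEGER")
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag not in RESPONSE_OPS:
        raise ValueError("protocolOp 0x%02x is not a result-bearing response" % op_tag)
    tag, code, p = read_tlv(op, 0)        # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("resultCode is not ENUMERATED")
    tag, _matched_dn, p = read_tlv(op, p)  # matchedDN OCTET STRING
    tag2, diag, p = read_tlv(op, p)        # diagnosticMessage OCTET STRING
    if tag != 0x04 or tag2 != 0x04:
        raise ValueError("matchedDN/diagnosticMessage are not OCTET STRINGs")
    code = int.from_bytes(code, "big")
    # Tolerate a trailing NUL on the diagnostic string.
    text = diag.decode("utf-8", "replace").rstrip("\x00")
    problem = re.search(r"problem \d+ \((\w+)\)", text)
    attr = re.search(r"Att \w+ \(([^)]+)\)", text)
    return {"op": RESPONSE_OPS[op_tag],
            "message_id": int.from_bytes(msg_id, "big"),
            "result_code": code,
            "result_name": RESULT_NAMES.get(code, "other"),
            "diagnostic": text,
            "problem": problem.group(1) if problem else None,
            "attribute": attr.group(1) if attr else None}


def tlv(tag, value):
    """Encode one BER element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value


# Constructed sample: an addResponse whose diagnostic is shaped like the text
# a DC returns. The X runs are placeholders, not real error or DSID values.
SAMPLE_DIAG = ("XXXXXXXX: AtrErr: DSID-XXXXXXXX, #1:\n\t0: XXXXXXXX: "
               "DSID-XXXXXXXX, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, "
               "Att XXXXX (homeMDB)\x00")
SAMPLE_PDU = tlv(0x30, tlv(0x02, b"\x02") + tlv(
    0x69, tlv(0x0A, b"\x13") + tlv(0x04, b"") + tlv(0x04, SAMPLE_DIAG.encode())))

if __name__ == "__main__":
    for key, value in parse_ldap_result(SAMPLE_PDU).items():
        print("%-12s %r" % (key, value))
```

The input is the LDAP payload of a single response copied out of a capture; it only works on unencrypted, unsigned LDAP traffic, which is the "clear text" case the thread describes.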

[ActiveDir] Loosing Printer Connectivity on clients regularly - W2K3 LAN

2005-08-08 Thread Nigel Glasgow
Working on a new W2k3 installation with ten new HP4250 Laserjet printers. 

On a regular basis, users will lose printer connectivity and have to
recapture these new printers. 

The print server is the second DC in the domain with only DHCP, File and
Print Server roles assigned. 

Any help out there?

Thanks.

Nigel
System Admin
CARICOM Secretariat.



RE: [ActiveDir] [OT] Biggest AD Gripes

2005-08-08 Thread Dean Wells
Ummm, nod, I do see your confusion Joe, an obvious mistake to make ... but
the 2 days isn't occupied figuring anything out, the 2 days is necessary to
sift through the encyclopedia's worth of text you've written from which I
finally deduce that you said ugh, it's broken dude!. :o)

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Biggest AD Gripes

Yes, I am much older and wiser than Dean.  

Anything I figure out, I know it will take at least two more days for Dean
to fully grasp. :o)

On the flip side, when he figures something out and tries to explain it to
me I just sort of turn my head to the side and drool. Once I finally snap
out of it I say You young whippersnapper... Why when I was your age things
were quite like they are now but younger

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 10:52 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Nod, good point ... which explains why Joe always has so much to say and why
I'm generally so quiet!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of 

RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

2005-08-08 Thread Rick Kingslan
Teddy, FDR?

:-D

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes

Kennedy... Or was it Roosevelt?

EG
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 11:20 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes

Given your retro appearance, maybe - but not likely.  ;o)

So, just how old do you put me at Dean?  Would you believe me if I told you
I was born shortly after Kennedy's Inauguration (mere days)? 

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 9:53 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

... and as for being older than you, I've got shirts in my closet older than
you.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 10:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the
wiser... 

Carlos

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 08 August 2005 04:11 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
wanted to be able to write it as 007 -- how sad :o).

The first version of NetWare I ran was 4.7 I believe, it supported only dumb
terminals as clients and the server ran on a Motorola proc. ... at that time
they were known as Innovative Systems.  When the Intel product came out
(v2.0 I believe), the shell and the server-side kernel were both monolithic
binaries; ANET2.exe and NET$OS.EXE methinks.

Believe me, I'm old .. but still not as old as Joe :o)

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 4:11 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember:

LSL
NE3200
IPXODI
NETX

:)

VLMs made life a whole lot easier.

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes


Grin ... you're right of course, I think you're referring to compiling an
ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
requestors like the VLMs, for nostalgic purposes -

LSL
NE3200
IPXODI
VLM

C:\F:

F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new
and different local SAM account each time you logged on as a NetWare account
... garbage!

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great
job security. No one who didn't know any better couldn't possibly figure out
the right combination of ODI drivers, VLMs and client shells to bind
together to actually get access to Netware. The best was the Netware 2.x
client, where you had to run something equivalent to a compiler to actually
create a client. After that, VLMs seemed like going to the moon...



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they
produced (current versions are better but still remain lesser integrated
than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the
competition) was also a contributing factor IMO.


--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle.
I remember when NT first shipped the mantra was, Netware is great for file

RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

2005-08-08 Thread Hunter, Laura E.
Good Lord, I can practically hear it from here:

<Dean> Bloody Americans. </Dean>

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of joe
 Sent: Monday, August 08, 2005 11:44 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes
 
 Kennedy... Or was it Roosevelt?
 
 EG
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Monday, August 08, 2005 11:20 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes
 
 Given your retro appearance, maybe - but not likely.  ;o)
 
 So, just how old do you put me at Dean?  Would you believe me if I told you
 I was born shortly after Kennedy's Inauguration (mere days)? 
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Monday, August 08, 2005 9:53 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 ... and as for being older than you, I've got shirts in my closet older than
 you.
 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
 Sent: Monday, August 08, 2005 10:45 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 Hah - older than me :P but doesn't the saying go - the older you are the
 wiser... 
 
 Carlos
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 08 August 2005 04:11 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I
 wanted to be able to write it as 007 -- how sad :o).  
 
 The first version of NetWare I ran was 4.7 I believe, it supported only dumb
 terminals as clients and the server ran on a Motorola proc. ... at that time
 they were known as Innovative Systems.  When the Intel product came out
 (v2.0 I believe), the shell and the server-side kernel were both monolithic
 binaries; ANET2.exe and NET$OS.EXE methinks.
 
 Believe me, I'm old .. but still not as old as Joe :o)
 
 --
 
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
 Sent: Monday, August 08, 2005 4:11 AM
 To: 'ActiveDir@mail.activedir.org'
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 You're obviously too young to remember:
 
 LSL
 NE3200
 IPXODI
 NETX
 
 :)
 
 VLMs made life a whole lot easier.
 
 neil
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 05 August 2005 16:59
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 Grin ... you're right of course, I think you're referring to compiling an
 ANET3 EXE, but don't misunderstand me, I loved some of the older shells or
 requestors like the VLMs, for nostalgic purposes -
 
 LSL
 NE3200
 IPXODI
 VLM
 
 C:\F:
 
 F:\LOGIN
 
 ... ah, even now I get a gooey comfortable feeling. :o)
 
 It's the Windows NT/2000 client I was referring to that used to create a new
 and different local SAM account each time you logged on as a NetWare account
 ... garbage!
 
 --
 
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
 Sent: Friday, August 05, 2005 11:47 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 I don't know Dean--I kinda liked the old Netware client. I mean, what great
 job security. No one who didn't know any better couldn't possibly figure out
 the right combination of ODI drivers, VLMs and client shells to bind
 together to actually get access to Netware. The best was the Netware 2.x
 client, where you had to run something equivalent to a compiler to actually
 create a client. After that, VLMs seemed like going to the moon...
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: Friday, August 05, 2005 9:01 AM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 All great points, let's not forget the less than well-thought-out client they
 produced (current versions are better but still remain lesser integrated
 than that of Windows' native ability) ... utterly, utterly pathetic attempt.
 Arrogance and a distinct lack of marketing (when compared to the
 competition) was also a contributing factor IMO.
 
 
 --
 
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Darren 

RE : [ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread TIROA YANN
Hi,
 
Ah... so for my comprehension, these Deleted Objects do not follow the Tombstone 
process for deleted objects such as users, computers... (60 days if I remember...) as 
Rick stated.
 
Does the Stay of Execution state = 15 days ONLY apply to DCs state (demoted, 
renamed with same name, etc.?) or any other objects?
 
Yann



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon. 08/08/2005 17:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object


Those connections are in a Stay of Execution state.  With SP1 we changed so 
that we would not attempt to replicate with them but prior to that we will.  If 
your forest has a normal config these will be removed after 15 days.  They 
cause no harm and you can remove them with the /delete option or wait until the 
stay of execution period, normally 15 days.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC replicating with deleted DSA object



We have recently re-built and upgraded several DCs from w2k to w2k3. The 
upgrade is achieved as follows: 
1. demote w2k DC 
2. build and promote w2k3 DC 

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. 

Furthermore, sometimes the same name is used in 1 and 2 but not always. 

If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see 
the following issue: 

snip 
y\ 
DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC 
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb 
z\ (deleted DSA) via RPC 
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 
y\ 
DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC 
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb 
snip 

Where: 
xx is a DC which was built temporarily and then demoted several days 
ago 
aa is a DC which was re-built (as per above) with the same name 
bb is a DC which was re-built (as per above) with the same name (in the 
same site as xx) 

I have been considering using repadmin /delete to remove these incorrect 
replication connections and wondered if anyone had used such a method before or 
could offer any alternatives?

Thanks, 
neil 
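
The partner lines quoted in the thread above, parsed so that deleted-DSA neighbours can be listed before deciding whether to wait out the stay-of-execution period or remove them. This is an added example, not part of any message: the site names, server names, naming context and the last GUID in the sample are constructed placeholders (the other GUIDs are the ones quoted above), and the wrapped DEL: form is assumed to follow its name line as it does in the quoted output.

```python
"""List replication partners flagged "(deleted DSA)" in repadmin /showreps text."""
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# A partner line ends in "via <transport>". The name may be on the same line
# or, for a deleted DSA, on the previous line with "DEL:<guid>" wrapped below.
PARTNER = re.compile(
    rf"^(?P<name>.*?)\s*(?:DEL:(?P<del>{GUID})\s+)?"
    rf"(?P<deleted>\(deleted DSA\)\s+)?via\s+(?P<transport>\S+)\s*$"
)
OBJECT_GUID = re.compile(rf"^objectGuid:\s*(?P<guid>{GUID})\s*$")

# Constructed sample modelled on the snippet in the thread.
SAMPLE = r"""
DC=example,DC=com
    SiteY\DC-XX
DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
        objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
    SiteZ\DC-AA (deleted DSA) via RPC
        objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
    SiteY\DC-CC via RPC
        objectGuid: 11111111-2222-3333-4444-555555555555
"""


def parse_partners(text):
    """Return one dict per replication partner found in the text."""
    partners = []
    pending_name = None      # a "Site\Server" line still waiting for its "via"
    naming_context = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        guid = OBJECT_GUID.match(line)
        if guid:
            # Attach only to a partner that has no GUID yet; this skips the
            # local DC's own objectGuid printed before any partner appears.
            if partners and partners[-1]["object_guid"] is None:
                partners[-1]["object_guid"] = guid["guid"].lower()
            continue
        partner = PARTNER.match(line)
        if partner:
            partners.append({
                "naming_context": naming_context,
                "name": partner["name"].strip() or pending_name,
                "deleted": bool(partner["deleted"]),
                "del_guid": partner["del"].lower() if partner["del"] else None,
                "transport": partner["transport"],
                "object_guid": None,
            })
            pending_name = None
        elif "\\" in line:
            pending_name = line
        elif line.upper().startswith(("DC=", "CN=")):
            naming_context = line
            pending_name = None
    return partners


def deleted_partners(text):
    """Only the partners whose DSA object is marked deleted."""
    return [p for p in parse_partners(text) if p["deleted"]]


if __name__ == "__main__":
    for p in deleted_partners(SAMPLE):
        print(f'{p["naming_context"]}: {p["name"]} '
              f'objectGuid={p["object_guid"]} DEL={p["del_guid"]}')
```
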


RE: [ActiveDir] Virtual Domain Controllers

2005-08-08 Thread Matt Brown
I really could have got the job done without AD, this was the first server for
the company and it took a while to talk them into it. I looked at SBS but
didn't really see any benefits over 2003 Server Standard for their environment
so decided against it. The domain is so small I can rebuild it from scratch in
about 20 minutes so I'm not too worried about it.



Matt



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

That sounds like you should probably be running SBS. That 
was cough designed for those types of deployments. 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown
Sent: Friday, August 05, 2005 8:47 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

I run a single DC in a small environment... only about 10 
users, and since it's just a single server office, and single DC domain... I 
just run everything on the domain controller. Domain, DNS, File, Print, 
and Accounting Software on the same server... no VM ware... although I 
considered it. Since it's a single domain server I just take ghost 
snapshots of the domain and then backup the files.

Seems to work pretty good, as it's been running solid for 
about a year now.



Thanks,
--
Matt Brown [EMAIL PROTECTED]
Consultant for Student Technology Fee
website: http://techfee.ewu.edu/
509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, August 05, 2005 3:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Virtual Domain Controllers

Could you just do the file/print on the DC? In a small environment you could
probably get away with it.

Al Maurer
Service Manager, Naming and Authentication Services
IT | Information Technology
Agilent Technologies
(719) 590-2639; Telnet 590-2639
http://activedirectory.it.agilent.com
--
A good plan today is better than a perfect plan tomorrow.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J
Sent: Friday, August 05, 2005 12:54 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual Domain Controllers

Hi All,

I have a question about running DCs on GSX server. I understand that MS does
not support this configuration, but I've heard that many people are running
DCs in this fashion. Can anyone give some advice in this arena? The idea here
is to do VM for a file/print, and another one for a DC in our remote sites.
Currently, we've got different hardware for each box, but we're trying to
consolidate a bit out there.

Thank you.

JJ Seely
Systems Administrator
Oregon Department of Justice
Division of Child Support
(503) 378-4500 x22277 [EMAIL PROTECTED]



RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Mayuresh Kshirsagar
Hi Joe,

Solved the problem. The agent doing the Job was not running with correct
credentials. It was running as default. I set the credentials explicitly to
the user I required, and the users with mailboxes are now being created.

Thanks a Lot,

Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 3:45 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Either should work, you just need to watch the traffic between the two. If you
have a shared hub, you can install it on a third machine and plug it into the
hub and watch the traffic that way as well. That works well when there are
rules about what software can be installed on a machine.

Also if you want, if you have netmon already loaded, you can do a netmon
capture and then have ethereal read it.

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Thanks,

Would it be worth running it on the agent machine, or the AD machine?

Regards,

Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Ethereal - no question. Get it at:

www.ethereal.com

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different domain)
which talks to the agent which is installed on the exchange machine. The agent
then uses the exchange native apis to create the mail boxes which would be
added to the AD. AD and exchange servers are on same domain.

Regards,

Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being
set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is
set.

If the tool allows you to retrieve the extended LDAP error that would be
great, if not get out a network sniffer and trace the operation. If the issue
is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear
text in the return packet from the DC.

I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the
homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues setting
them through LDAP, certainly AD won't reject them. Again I would change the
mailnickname to the same as sAMAccountName but that is just me.

If you are just mailbox enabling, setting mailnickname and homemdb will do it.
That whole thing is documented to be unsupported by MS but I don't know of a
single large company that doesn't do it the same way. The RUS will fire with
that info and set up the rest of the attributes.

Now if this is a user create from the ground up, there could be issues with
creating an enabled account. I think we went through that before here on the
list with you though didn't we?

 joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. so it creates the entry in AD and the
agent is responsible for creating mailbox. Are the attributes seen for the
entry correct? Also what all is required if I am creating a mailbox user from
a meta or a script, etc. also can you suggest if I can find some useful
information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, 

RE: [ActiveDir] OT: MIIS, ADAM, AD

2005-08-08 Thread Ken Cornetet



The application (SAP enterprise portal) does an LDAP bind to authenticate the
user. I do not know at this point what (if any) encryption options are
available.

Proxy objects only work for the domain the ADAM server is in, or other domains
with a 2-way trust.

Here's the scenario:

We have one domain (let's call it INTRANET) that contains our company
employees. We have another domain (let's call it EXTRANET) that contains users
for our existing business partner web-based Internet applications. The two
domains do not currently, and will never in the foreseeable future, trust each
other.

We will be deploying one SAP EP to service both internal and external
(Internet) users. The SAP EP can only authenticate against one directory. We
don't (for obvious reasons) want to put our external users in our internal AD.
I think that ADAM would be a perfect fit for this. The question is how to sync
passwords.

I could use the MS solution and use the free* MIIS which looks like it will do
exactly what I want, but with a considerable bit of added complexity. Also, we
use Psynch to let internal (INTRANET domain) users manage their passwords, and
I'm afraid the password hook it requires on the domain controllers will not
play nice with the MIIS password hook.

I can easily code up my own code to do the simple user object syncing
required, but passwords would be tricky. Fortunately, I don't need to do the
password sync. The external users (EXTRANET domain) use an internally
developed web based app to manage passwords, so I can hook into it easily
enough to change the passwords in ADAM. As for our internal users (INTRANET
domain), I'm pretty sure Psynch can change passwords in ADAM for me, or at
least provide hooks for me to code it up myself.

After reading about the proxy user object, I thought it seemed a natural fit
for our internal users. That would eliminate one half of the password syncing
issues. However, I'm rather concerned about the warning on not using them.

BTW, I've been playing with trying to programmatically create proxy user
objects without much luck. You have to supply the target SID when creating the
object. I've tried using the binary SID as returned from a Get("objectSID")
call to the INTRANET domain user object, and I've tried the "human readable"
version "S-..." (which is what LDP expects when creating a proxy user).
Neither seem to work. Anyone know the proper incantation for this bit of
magic?






From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Sunday, July 31, 2005 11:33 AM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM,  AD


I'll be a lot more interested in MIIS when "free" doesn't mean I have to "buy"
SQL licenses to run it. I can understand the server license for Windows, but
it should run on any version of the latest Windows server (enterprise,
standard, etc) or a desktop OS. Not sure why that is not possible, unless
maybe there's a wait for the new SQL 2005 products.

Anyway, I'm with Joe on this. I think the simpler you can keep it the better.
Writing it in-house with a series of scripts may be enough to do what you want
and it's not too terribly difficult.

As for proxy objects, if I recall correctly you typically don't want to use
them because of the security issues and because it's really designed for
legacy apps. If you can use AD, use AD. If you have to use simple bind, then
proxy objects may fit the requirement as long as you remember to use some sort
of transport security.

You may have a problem with multiple forests as well. Haven't tried that, but
since it's a proxy bind, I imagine it may get a little confused. I'd be
interested to hear if that's not the case though.

Al 


From: [EMAIL PROTECTED] on behalf of Robert Bobel
Sent: Sun 7/31/2005 10:56 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM,  AD


Nice side benefit is that the license to use MIIS with the Feature Integration
pack to sync AD to ADAM is free. 

http://www.microsoft.com/downloads/details.aspx?familyid=D9143610-C04D-41C4-B7EA-6F56819769D5displaylang=en


Bob





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, July 30, 2005 7:59 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: MIIS, ADAM,  AD

Where is this going to be located? Extranet or Intranet?

If you are going to be doing some very simple syncing, I would look at writing
something myself or maybe implementing one of the lighter syncing tools like
SimpleSync or HP's LDSU. If you need to do a lot of transforms or complex
translations or connect to lots of different data sources such as SAP, etc,
MIIS might be where you want to go. If you spin up MIIS, it is possible you
may need to have a body sitting there maintaining and troubleshooting it due
to its complexity plus it is really in flux right now in my opinion in terms
of how many 
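
The two SID representations named in Ken Cornetet's message above (the binary value read from objectSID and the "S-..." string), converted in both directions. This is an added example, not code from the thread: the sample SID is constructed, the function names are hypothetical, and it does not settle which form ADAM expects when a proxy object is created.

```python
"""Convert a SID between the binary objectSid layout and its "S-1-..." string."""
import struct

MAX_SUBAUTHORITIES = 15  # limit fixed by the Windows SID structure

# Constructed sample: a domain-style SID with RID 1105.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (as stored in objectSid) into its string form."""
    if len(raw) < 8:
        raise ValueError("binary SID is shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > MAX_SUBAUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match the SID length")
    # The identifier authority is 6 bytes big-endian; every sub-authority
    # that follows is a 32-bit little-endian integer.
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "-".join(["S", str(revision), auth_text, *(str(s) for s in subs)])


def string_to_sid(text: str) -> bytes:
    """Encode an "S-1-..." string into the binary layout."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {text!r}")
    try:
        revision = int(parts[1])
        auth = parts[2]
        authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
        subs = [int(p) for p in parts[3:]]
    except ValueError as exc:
        raise ValueError(f"non-numeric SID component in {text!r}") from exc
    if revision != 1 or not 0 <= authority < 2**48:
        raise ValueError(f"revision or authority out of range in {text!r}")
    if len(subs) > MAX_SUBAUTHORITIES or any(not 0 <= s < 2**32 for s in subs):
        raise ValueError(f"sub-authorities out of range in {text!r}")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def split_domain_and_rid(sid: str):
    """Return (domain SID, RID), e.g. to check which domain an account is from."""
    string_to_sid(sid)  # validates the input, raises ValueError if malformed
    domain, _, rid = sid.strip().rpartition("-")
    return domain, int(rid)


def ldap_filter_value(raw: bytes) -> str:
    """Escape a binary SID for use in an LDAP filter such as (objectSid=...)."""
    return "".join(f"\\{b:02x}" for b in raw)


if __name__ == "__main__":
    binary = string_to_sid(SAMPLE_SID)
    print(binary.hex())
    print(sid_to_string(binary))
    print(split_domain_and_rid(SAMPLE_SID))
    print(f"(objectSid={ldap_filter_value(binary)})")
```
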

[ActiveDir] OT: Change ownership

2005-08-08 Thread Douglas M. Long
Is there an easy way to change ownership on all files and folders in a
directory owned by userA? 

I think I am having a stupid attack

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ken Cornetet
What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 http://www.novell.com  :o)
 
 Bloody NetWare bigot ... 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de
 Sent: Tuesday, August 02, 2005 2:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 A while ago I put some AD feature thoughts in a textfile not knowing 
 what to do with them at that moment
 
 Here goes: 
 
 * Active Directory thoughts: 
 * OU = security principal 
 * Possibility to merge Forests 
 * Cut and paste a domain from one forest to another 
 * Domain concept: 
 * Domain controller - directory server (not specific to a certain domain, but hosting naming contexts)
 * Password policies not only per domain but also per OU
 * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS - Aliases?)
 * Multiple replication boundaries (naming contexts) per directory server 
 * Remove domain as an entity. Forest is only entity needed
 * Integrate file system and possible other resources into the directory (e.g. search where security principals are used)
 * Permissioning TOP-DOWN and BOTTOM-UP (file system) 
 * Delegation of Control: ability to dictate MEMBERS attribute AND the MEMBEROF attribute (so the possibility exists to dictate which users can be added to what groups)

RE: [ActiveDir] OT: Change ownership

2005-08-08 Thread Bruyere, Michel
Right click on the folder then properties 

Go in security tab and click advanced 

In there click on the owner tab and then select/add the owner you want 

Check the box that says replace owner on subcontainers and object 

You're done 

;) 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, August 08, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Change ownership

Is there an easy way to change ownership on all files and folders in a
directory owned by userA? 

I think I am having a stupid attack

RE: [ActiveDir] OT: Change ownership

2005-08-08 Thread Douglas M. Long
I only want to replace the owner on files/folders for a specific user, not all
of them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, August 08, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Change ownership

Right click on the folder then properties 

Go in security tab and click advanced 

In there click on the owner tab and then select/add the owner you want 

Check the box that says replace owner on subcontainers and object 

You're done 

;) 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, August 08, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Change ownership

Is there an easy way to change ownership on all files and folders in a
directory owned by userA? 

I think I am having a stupid attack

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Rick Kingslan
Help me understand where I'm missing this (I've been in a con-call for 3.5
hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't the
registry pretty much make something 'hardware dependent' to some great
degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547
 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 http://www.novell.com  :o)
 
 Bloody NetWare bigot ... 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
 Pinto, Jorge de
 Sent: Tuesday, August 02, 2005 2:06 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 A while ago I put some AD feature thoughts in a textfile not knowing 
 what to do with them at that moment
 
 Here goes: 
 
 * Active Directory thoughts: 
 * OU = security principal 
 * Possibility to merge Forests 
 * Cut and paste a domain from one forest to another 
 * Domain concept: 
 * Domain controller - directory server (not specific 
 to a certain domain, but hosting naming contexts)
 * Password policies not only per domain but also per 
 OU
 * Keep domain as a replication boundary but remove the

 flat structure (prevent context login like NDS - 

[ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Rimmerman, Russ



We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP. Is this not a good idea? Is it best to not prefer any
bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about
it as well.

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~


[ActiveDir] user profiles

2005-08-08 Thread Freddie Coleman III

What would be the easiest way to setup a default profile for a few
thousand users and make sure that their profile is deleted from their
local machines at logoff.


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] OT: Change ownership

2005-08-08 Thread Bruyere, Michel

Oh! I did not understand the question,
other than scripting I can't think of a way to do that.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, August 08, 2005 2:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Change ownership

I only want to replace the owner on
files/folders for a specific user, not all of them.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel
Sent: Monday, August 08, 2005 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Change ownership

Right click on the folder then properties

Go in security tab and click advanced

In there click on the owner tab and then select/add the owner you want

Check the box that says replace owner on subcontainers and object

You're done

;)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Monday, August 08, 2005 2:32 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Change ownership

Is there an easy way to change ownership
on all files and folders in a directory owned by userA?

I think I am having a stupid attack

RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Rick Kingslan










Not that it's necessarily BAD, but the one problem is that if the system that
the ISTG is on fails, then the ISTG is down for that site until the role
is moved to another suitable machine.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left
to upgrade.

Question is, we have at least one DC at each site configured
as a preferred bridgehead for IP. Is this not a good idea? Is it
best to not prefer any bridgeheads and let AD do its job? I'm seeing a
lot of event ID 1567's about it as well.

Thanks


RE: [ActiveDir] user profiles

2005-08-08 Thread Dan Holme
Do you want them each to get their 'own' profile (that they can change
and those changes would be there the next time they log on) or is it a
'standard' profile that needs to be the same for every user, every time
they log on?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
III
Sent: Monday, August 08, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user profiles


What would be the easiest way to setup a default profile for a few
thousand users and make sure that their profile is deleted from their
local machines at logoff.




[ActiveDir] For the Exchange heads out there...

2005-08-08 Thread John Parker



Hello all.

Query:

We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
I have several public folders that were created by a user who is no longer here.
When I right click on the folders, I do not get a Permissions tab.
Oddly enough, if I look at the folder in the M drive, there is a Security tab.
But I get a message stating that I only have VIEW rights.
The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
At this time, I can only view and I am the admin!
Sorry for the greenie query but, I am stumped.

Thank you.

John Parker, MCSE IS Admin. 
Senior Technical Specialist Alpha Display Systems. 




RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Dean Wells



If you constrain the list of bridgeheads you may be incapable of replicating
an app. NC in and out of a site since in order to replicate a particular
partition, the bridgehead in question must hold a copy of it ... if the
preferred list contains only 2K DCs, that can't happen .. for the most part
... a 2K3 ISTG will override your choices and allocate a suitable
bridgehead for you, it will however whine and whine and whine and ... you get
the idea.

I've found only a few scenarios in which they proved valuable ... may I ask why
you're using them?

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP. Is this not a good idea? Is it best to not prefer any
bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about
it as well.

Thanks

  
  


RE: [ActiveDir] For the Exchange heads out there...

2005-08-08 Thread Michael B. Smith



pfDAVadmin is the tool you want.

ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin

I recommend, strongly, that you not use Windows
Explorer to modify permissions via the infamous "M: Drive".

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Monday, August 08, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] For the Exchange heads out there...

Hello all.

Query:

We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
I have several public folders that were created by a user who is no longer here.
When I right click on the folders, I do not get a Permissions tab.
Oddly enough, if I look at the folder in the M drive, there is a Security tab.
But I get a message stating that I only have VIEW rights.
The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
At this time, I can only view and I am the admin!
Sorry for the greenie query but, I am stumped.

Thank you.

John Parker, MCSE IS Admin. 
Senior Technical Specialist Alpha Display Systems. 




RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Rick Kingslan
And, knowing fully that I'm replying to myself - I don't, nor have I ever
used SunGuard, so I have no idea what 'card' they hand a client.

I'd assume that it's something along the lines of the procedures lined out
in:

http://support.microsoft.com/default.aspx?scid=kb;en-us;249694

Which is still fraught with difficulty and lower than reasonable success rate
for most of the people and customers that I've talked with.

I'm just indicating that there *IS* some difficulty involved - instructions
neatly laid out or not.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for 3.5
hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't the
registry pretty much make something 'hardware dependent' to some great
degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547
 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 http://www.novell.com  :o)
 
 Bloody NetWare bigot ... 
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Almeida 
 Pinto, Jorge de
 Sent: Tuesday, 

RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Ken Cornetet
Recovery programs are supposed to be smart enough to not recover the
parts of the registry that describe the hardware. I know Ntbackup does
this since Windows 2000 (it even does it correctly since 2k SP3 or
so...)

I'm really curious as to what problems people are having recovering to
different hardware. I've done recoveries galore using Legato and
ntbackup to different hardware (Compaq/HP to Dell, etc), and I've never
run into problems that couldn't easily be fixed (like phantom NICs).

One thing that will bite you if you aren't careful is that BOOT.INI *is*
recovered as part of the system state. That means if your partition
layout isn't the same between original server and recovery server, it
won't reboot after the recover. It's easy to fix before you reboot after
the recovery, but correcting it after the fact is a bit more difficult.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for
3.5 hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't
the registry pretty much make something 'hardware dependent' to some
great degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547
 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL.
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 
 
 From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes
 Sent: Tue 8/2/2005 11:15 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 
 
 * Using the new DFS-Replication mechanism in R2 for the SYSVOL
 
 This is available AFAIK if all your servers are running R2 :P
 
 Carlos Magalhaes
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
 Sent: 02 August 2005 09:59 PM
 To: Send - AD mailing list
 

RE: [ActiveDir] For the Exchange heads out there...

2005-08-08 Thread Medeiros, Jose



I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated the
need for a M: Drive ( Thank you Microsoft ). What were they
thinking in the first place when they decided to add a M: Drive to Exchange
2000, I never really understood the logic in it?

Jose :-)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Monday, August 08, 2005 12:31 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] For the Exchange heads out there...

  pfDAVadmin is the tool you want.

  ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin

  I recommend, strongly, that you not use Windows
  Explorer to modify permissions via the infamous "M: Drive".

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
  Sent: Monday, August 08, 2005 3:12 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] For the Exchange heads out there...

  Hello all.

  Query:

  We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
  I have several public folders that were created by a user who is no longer here.
  When I right click on the folders, I do not get a Permissions tab.
  Oddly enough, if I look at the folder in the M drive, there is a Security tab.
  But I get a message stating that I only have VIEW rights.
  The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
  At this time, I can only view and I am the admin!
  Sorry for the greenie query but, I am stumped.
  
  Thank you.
  
  John Parker, MCSE IS Admin. 
  Senior Technical Specialist Alpha Display Systems. 
  
  


Re: [ActiveDir] OT: Change ownership

2005-08-08 Thread ASB
Try using SUBINACL..
http://www.ultratech-llc.com/KB/?File=Perms.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote:
  Is there an easy way to change ownership on all files and folders in a directory owned by userA?
  I think I am having a stupid attack


RE: [ActiveDir] Biggest AD Gripes

2005-08-08 Thread Creamer, Mark
I too am a Sungard refugee - twice this year already. The doc they hand you to
rebuild your systems is pretty much like the one referenced below. We have found
it less than reliable (especially when using Compaq/HP backups and restoring to
Dell or vice-versa).

The last few times we went, we junked the Sungard technique and used Veritas'
system state restore, which has been *far* more successful. Still, the idea of
doing a DR test with mostly VMWare disk images would really put a smile on this
OLD guy's face :-) Hopefully by next year we'll have at least some of those to do.

-Mark


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick
Kingslan
Sent: Monday, August 08, 2005 3:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

And, knowing fully that I'm replying to myself - I don't, nor have I ever
used SunGuard, so I have no idea what 'card' they hand a client.

I'd assume that it's something along the lines of the procedures lined out
in:

http://support.microsoft.com/default.aspx?scid=kb;en-us;249694

Which is still fraught with difficulty and lower than reasonable success rate
for most of the people and customers that I've talked with.

I'm just indicating that there *IS* some difficulty involved - instructions
neatly laid out or not.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Help me understand where I'm missing this (I've been in a con-call for 3.5
hours this AM...).

Isn't the registry backed up as part of the System State?  And, doesn't the
registry pretty much make something 'hardware dependent' to some great
degree, just by its very nature?

I'm sure that there's something very simple that I'm missing.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 1:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

What is difficult about restoring a DC to different hardware? We just
did our yearly DR testing (at Sungard as a matter of fact!), and I
didn't have any problems. Just follow the little procedure they give you
(basically, remove all the network cards and video card in device
manager before you reboot after the recovery). Then, follow the other
procedure they give you if you end up with phantom NICs. It's the same
procedure for DCs as it is for member servers. 

It isn't hardware dependent, but if you are talking about the hours-long
waltz you do with ntdsutil to remove all of the DCs you aren't bringing
back, I've found a neat trick. Run through the process for one site once
manually recording all of the text you type, then using a text editor
create a command file duplicating the tons of commands required to
remove every server from every site. Run ntdsutil yourfile.txt. The
trick is that ntdsutil prompts before removing each server - just answer
no to the server you recover. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura
E.
Sent: Tuesday, August 02, 2005 6:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Everyone is making a number of suggestions/comments that hit home to me,
so rather than chiming in with <AOL>Me too!</AOL>, I'll bring up the one
that makes me crazy that no-one has mentioned yet:

Restoring a domain controller to alternate hardware (think Disaster
Recovery drill at a company like Sungard) should Not. Be. So. Friggin'.
Hard.  It's better in K3 than it was in 2K, but it's still way too much
of a hothouse-flower-y delicate operation.  (Maybe Longhorn's AD as a
service will make this better.  I can hope, at least, because right now
it still sucks canal water.)

- Laura

 -Original Message-
 From: Almeida Pinto, Jorge de
 [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, August 02, 2005 6:30 PM
 To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Biggest AD Gripes
 
 DFS-R is only supported for custom DFS namespaces. MS at the moment 
 does not support DFS-R for SYSVOL replication. MS states that in the 
 DFS-R overview document page 16
  
 See: 
 http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547
 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en
  
 QUOTE:
 
 DFS Replication is not supported for SYSVOL replication in Windows 
 Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL 
 by disabling FRS and setting up a replication group for SYSVOL. 
 Continue to use FRS for SYSVOL replication on domain controllers 
 running Windows Server 2003 R2. FRS and DFS Replication can co-exist 
 on the same member server or domain controller.
 
  
 A shame, but true! DFS-R really rocks!!! It is way better than NTFRS!
  
 Cheers
 #JORGE#
 
 

RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread Ken Cornetet



I seem to recall that "(" and ")" have to be
escaped in LDAP.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta directory is on a different domain, and is on HP-UX. The exchange
server is on one machine, and the AD is on a different one. Both the AD and
the exchange machines have the same admin login (the domain admin). The meta
uses this login to connect to the AD and exchange. If I don't pass the
attribute homeMDB, a simple AD user is created just fine. Just when I try to
create the user with the homeMDB attribute does it give the problem. Found out
this on the net

# for hex 0x2020 / decimal 8224 :
  ERROR_DS_OPERATIONS_ERROR

Also the homeMDB value is correct. I created a sample mailbox user from the
exchange interface (users and computers) and verified the homeMDB attribute.

What conditions can then lead to this problem?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the
agent is responsible for creating mailbox. Are the attributes seen for the
entry correct? Also what all is required if I am creating a mailbox user from
a meta or a script, etc. Also can you suggest if I can find some useful
information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being
floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I
don't see anything bad though I wouldn't recommend the mailnickname to have
that format, I would recommend it be the same as the sAMAccountName value. I
tend to put the "nice" full version of the name in the displayName and that is
the only place it is.

What info specifically is the product trying to set and how is it setting it?
You may have to do a network trace or something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting
on the Exchange server machine, which will add the mail box for the user.

But when I try to add the user, I am getting the following error An operations
error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...
10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...)

Pasted the part of the trace only just in an attempt to give more information. The entry I am

RE: [ActiveDir] For the Exchange heads out there...

2005-08-08 Thread John Parker



That is definitely in the plans for next year Jose.
I truly agree with you.

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

  -Original Message-
  From: Medeiros, Jose [mailto:[EMAIL PROTECTED]
  Sent: Monday, August 08, 2005 2:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] For the Exchange heads out there...

  I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated
  the need for a M: Drive (Thank you Microsoft). What were they thinking in
  the first place when they decided to add a M: Drive to Exchange 2000, I
  never really understood the logic in it?

  Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 08, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] For the Exchange heads out there...

pfDAVadmin is the tool you want.

ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin

I recommend, strongly, that you not use Windows Explorer to modify
permissions via the infamous "M: Drive".

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Monday, August 08, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] For the Exchange heads out there...

Hello all.

Query:

We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
I have several public folders that were created by a user who is no longer here.
When I right click on the folders, I do not get a Permissions tab.
Oddly enough, if I look at the folder in the M drive, there is a Security tab.
But I get a message stating that I only have VIEW rights.
The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
At this time, I can only view and I am the admin!
Sorry for the greenie query but, I am stumped.

Thank you.

John Parker, MCSE IS Admin.
Senior Technical Specialist Alpha Display Systems.



RE: [ActiveDir] For the Exchange heads out there...

2005-08-08 Thread Michael B. Smith



That won't fix his problem - pfDAVadmin will. :-)

But I agree with your philosophy. ExIFS is great. Exposing it that way was a mistake.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
Sent: Monday, August 08, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] For the Exchange heads out there...

I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated
the need for a M: Drive (Thank you Microsoft). What were they thinking in
the first place when they decided to add a M: Drive to Exchange 2000, I
never really understood the logic in it?

Jose :-)

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
  Sent: Monday, August 08, 2005 12:31 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] For the Exchange heads out there...

  pfDAVadmin is the tool you want.

  ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin

  I recommend, strongly, that you not use Windows Explorer to modify
  permissions via the infamous "M: Drive".

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
  Sent: Monday, August 08, 2005 3:12 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] For the Exchange heads out there...

  Hello all.

  Query:

  We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
  I have several public folders that were created by a user who is no longer here.
  When I right click on the folders, I do not get a Permissions tab.
  Oddly enough, if I look at the folder in the M drive, there is a Security tab.
  But I get a message stating that I only have VIEW rights.
  The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
  At this time, I can only view and I am the admin!
  Sorry for the greenie query but, I am stumped.

  Thank you.

  John Parker, MCSE IS Admin.
  Senior Technical Specialist Alpha Display Systems.
  


Re: [ActiveDir] OT: Change ownership

2005-08-08 Thread James_Day
Log in as an administrator, go to advanced, choose take ownership and check
the apply to all sub folders and files.  You are now the owner.  Change
permissions to give the take ownership right to the person that should own
it, log in as them and do the same.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


ASB [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/08/2005 03:45 PM AST
Please respond to ActiveDir

To:       ActiveDir@mail.activedir.org
cc:       (bcc: James Day/Contractor/NPS)
Subject:  Re: [ActiveDir] OT: Change ownership




Try using SUBINACL..

http://www.ultratech-llc.com/KB/?File=Perms.TXT



-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/



On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote:


 Is there an easy way to change ownership on all files and folders in a
 directory owned by userA?

 I think I am having a stupid attack




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


Re: [ActiveDir] MailAlias in AD

2005-08-08 Thread Tomasz Onyszko

Samuel T. Cossette wrote:

Hi,

I need basic Mail Alias stored in my AD. How can I add some kind of
Mail attribute tab in the User and Computer AD Manager?

I've already installed the Service For Unix and authenticated my Unix
user and Postfix also lookup my user in AD. Now, I want to be able to
edit/add the msSFU30AMailAlias (or any Mail attribute in the default
AD+SFU schema) attribute, but I can't find how in the Microsoft AD
Manager.


If You want to add something to the ADUC snap-in You have to develop 
Your own extension to this snap-in. You can find details about 
interfaces etc on the MSDN pages.


--
Tomasz Onyszko
http://www.w2k.pl


RE: [ActiveDir] user profiles

2005-08-08 Thread Freddie Coleman III
For the first time it would be standard, but after their first logon, they
could make changes as needed.  (currently each user has their own, but it
needs to be cleaned up)


 Do you want them each to get their 'own' profile (that they can change
 and those changes would be there the next time they log on) or is it a
 'standard' profile that needs to be the same for every user, every time
 they log on?




RE: [ActiveDir] For the Exchange heads out there...

2005-08-08 Thread John Parker



I just DL'd pfDAV.
Damn! That's cool.
Thanks Guys...

John Parker, MCSE
IS Admin.
Senior Technical Specialist
Alpha Display Systems.
Alpha Video
7711 Computer Ave.
Edina, MN. 55435
952-896-9898 Local
800-388-0008 Watts
952-896-9899 Fax
612-804-8769 Cell
952-841-3327 Direct
[EMAIL PROTECTED]
"Be excellent to each other"
---End of Line---

  -Original Message-
  From: Michael B. Smith [mailto:[EMAIL PROTECTED]
  Sent: Monday, August 08, 2005 2:58 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] For the Exchange heads out there...

  That won't fix his problem - pfDAVadmin will. :-)

  But I agree with your philosophy. ExIFS is great. Exposing it that way
  was a mistake.

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose
  Sent: Monday, August 08, 2005 3:46 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] For the Exchange heads out there...

  I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated
  the need for a M: Drive (Thank you Microsoft). What were they thinking in
  the first place when they decided to add a M: Drive to Exchange 2000, I
  never really understood the logic in it?

  Jose :-)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith
Sent: Monday, August 08, 2005 12:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] For the Exchange heads out there...

pfDAVadmin is the tool you want.

ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin

I recommend, strongly, that you not use Windows Explorer to modify
permissions via the infamous "M: Drive".

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker
Sent: Monday, August 08, 2005 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] For the Exchange heads out there...

Hello all.

Query:

We are running Ex2K Ent fully spacked on Svr2K also fully spacked.
I have several public folders that were created by a user who is no longer here.
When I right click on the folders, I do not get a Permissions tab.
Oddly enough, if I look at the folder in the M drive, there is a Security tab.
But I get a message stating that I only have VIEW rights.
The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793"
At this time, I can only view and I am the admin!
Sorry for the greenie query but, I am stumped.

Thank you.

John Parker, MCSE IS Admin.
Senior Technical Specialist Alpha Display Systems.



RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

2005-08-08 Thread joe



The parens characters ( and ) *should* be encoded as \28 and \29 in a search filter. They will generally work fine without it though.

Using the parens characters in DNs or other attributes when making updates is fine assuming the tool being used doesn't get confused and interprets them as meta-data. Commas on the other hand would need to be escaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

I seem to recall that "(" and ")" have to be escaped in LDAP.




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta directory is on a different domain, and is on HP-UX. The exchange server is on one machine, and the AD is on a different one. Both the AD and the exchange machines have the same admin login (the domain admin). The meta uses this login to connect to the AD and exchange. If I don't pass the attribute homeMDB, a simple AD user is created just fine. Just when I try to create the user with the homeMDB attribute does it give the problem. Found out this on the net

# for hex 0x2020 / decimal 8224 :
  ERROR_DS_OPERATIONS_ERROR

Also the homeMDB value is correct. I created a sample mailbox user from the exchange interface (users and computers) and verified the homeMDB attribute.

What conditions can then lead to this problem?

Thanks,
Mayuresh.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc?

Thanks.





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is.

What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.








From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user.

But when I try to add the user, I am getting the following error: An operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724]
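
The escaping rules discussed in the message above (parentheses as \28 and \29 in a search filter, commas escaped in DNs), as an added example that is not part of the original thread. It generalizes to the full RFC 4515 and RFC 4514 escape sets; the function names and the sample display name are assumptions, and the DN is the one shown in the trace.

```python
"""LDAP escaping: search-filter values (RFC 4515) vs. DN values (RFC 4514).

Added illustration; function names are hypothetical, not from any tool
mentioned in the thread.
"""

# Characters that must be hex-escaped inside a search-filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters that must be backslash-escaped anywhere in an RDN value.
# Parentheses are NOT in this set: they are ordinary characters in a DN.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":      # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cn, parent_dn):
    """Build 'cn=<escaped value>,<parent>' from a raw common name."""
    return "cn=" + escape_dn_value(cn) + "," + parent_dn


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas only.

    Backslash escape pairs are kept intact, so 'cn=A\\, B' stays one RDN.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # copy the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


if __name__ == "__main__":
    # CN and parent container as they appear in the trace on this page.
    dn = build_user_dn("ZZZHHH, ANGUS", "OU=test,DC=gepurbsres01,DC=net")
    print(dn)
    print("escape-aware split:", split_dn(dn))
    print("naive split       :", dn.split(","))  # what a confused tool sees
    # Constructed sample display name containing filter metacharacters.
    print("(&(objectClass=user)(displayName=%s))"
          % escape_filter_value("Angus (Test)"))
```

A tool that splits the DN on every comma sees five components instead of four, which is the kind of confusion the reply warns about.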

RE: [ActiveDir] OT: Change ownership

2005-08-08 Thread Rick Kingslan
I'm thinking that he's saying that this isn't an option that is available to
him.  I've run into exactly the same thing, as the Administrator of a given
system CAN be removed from the ACL of a given object.  

Granted, going to the parent and FORCING the permission for the admin does
work, but it happens to have a rather negative effect to all permissions on
all folders and files below it.

However there are times when it's absolutely necessary, regardless of the
backend work restoring permissions for the innocent.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Change ownership

Log in as an administrator, go to advanced, choose take ownership and check
the apply to all sub folders and files.  You are now the owner.  Change
permissions to give the take ownership right to the person that should own
it, log in as them and do the same.

Regards;

James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]


ASB [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/08/2005 03:45 PM AST
Please respond to ActiveDir

To:       ActiveDir@mail.activedir.org
cc:       (bcc: James Day/Contractor/NPS)
Subject:  Re: [ActiveDir] OT: Change ownership




Try using SUBINACL..

http://www.ultratech-llc.com/KB/?File=Perms.TXT



-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/



On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote:


 Is there an easy way to change ownership on all files and folders in a
 directory owned by userA?

 I think I am having a stupid attack






[ActiveDir] AD migration

2005-08-08 Thread Tom Kern
I just started working for a company. they used to outsource their
AD/Exchange but now they're trying to get it back.

It's a 2 tree, 2 domain forest. the root domain is empty.
this company only has DA access on the child domain. No EA access. In
fact, they are cut off from the root domain physically.

What they want to do is create a new forest and migrate all
users,exchange,computers,etc to the new forest and be done with the
old.
They are going to use Quest sw and a consultant from Quest for this.

My question is- can this be done without any connectivity to the root?
both dns zones are in the root so they really don't have any dns
locally as well(needless to say, you can imagine what the rep logs
look like). I'm sure this complicates matters.
however, the Quest people seem to think this can still work.
can it?

also, can the new forest have the same domain names as the old one?

Thanks(I'm the guy who posted about his new job jitters about a week
or 2 ago, and here i am. Their AD is more messed up than I thought :)
)


RE : [ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread TIROA YANN
Steve,
 
Thanks for your explanation, it is clearer now for me :)
 
Regards,
 
Yann



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon 08/08/2005 19:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object


Replication Metadata is handled somewhat different than a typical deleted 
object.  The following reference gives more details: 
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx
See the section titled How Replication Metadata is Preserved in Windows Server 
2003 for more information on how/why this occurs.  The original idea was to 
help in situations where we removed a connection and then re-added it back so 
that less overhead was required.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, August 08, 2005 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] DC replicating with deleted DSA object


Hi,
 
Ah..so for my comprehension, these Deleted Objects do not follow the Tombstone 
process for deleted objects such as users, computers.. (60 days if I remember...) as 
Rick stated.
 
Does the Stay of Execution state=15days ONLY apply to DCs state (demoted, 
renamed with same name, etc..?) or any other objects?
 
Yann



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon 08/08/2005 17:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object


Those connections are in a Stay of Execution state.  With SP1 we changed so 
that we would not attempt to replicate with them but prior to that we will.  If 
your forest has a normal config these will be removed after 15 days.  They 
cause no harm and you can remove them with the /delete option or wait until the 
stay of execution period, normally 15 days.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC replicating with deleted DSA object



We have recently re-built and upgraded several DCs from w2k to w2k3. The 
upgrade is achieved as follows: 
1. demote w2k DC 
2. build and promote w2k3 DC 

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. 

Furthermore, sometimes the same name is used in 1 and 2 but not always. 

If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see 
the following issue: 

snip 
y\ 
DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC 
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb 
z\ (deleted DSA) via RPC 
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 
y\ 
DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC 
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb 
snip 

Where: 
xx is a DC which was built temporarily and then demoted several days 
ago 
aa is a DC which was re-built (as per above) with the same name 
bb is a DC which was re-built (as per above) with the same name (in the 
same site as xx) 

I have been considering using repadmin /delete to remove these incorrect 
replication connections and wondered if anyone had used such a method before or 
could offer any alternatives?

Thanks, 
neil 

==
Please access the attached hyperlink for an important electronic communications 
disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==



RE: [ActiveDir] AD migration

2005-08-08 Thread Grillenmeier, Guido
Hey Tom - sounds like fun.

The phrase "they are cut off from the root domain physically" combined
with "both dns zones are in the root" and "they don't have any dns
locally" sounds a bit unrealistic - this should naturally cause numerous
replication issues; basically nothing should work (even normal
authentication) as it all requires DNS lookup.  

So I'm guessing that you do have some DNS servers in your child domains
and it would be worthwhile for you to check if there are any secondary
zones from the root domain (or the _msdcs subzone) being hosted on your
child DCs or another DNS server used in your network.  But your task
doesn't seem to be fixing the current AD implementation, but rather to
move away from it.

DNS name-resolution is critical for any kind of trust in AD (except for
trusts to NT4 domains which is not your scenario), however, you do not
require EA permissions to set them up from your child domain to another
domain in a new forest.  But naturally you won't be able to create a
forest-trust (i.e. from root of current forest to root of new forest). 

The names of those domains that are directly trusted can NOT be the same
(need to have different NetBios domain names). 

So yes, migration should work and even if you don't want to fix the
current chaos, you should ensure that DNS works well (in worst case
concentrate on creating a workaround just for your child-domain - which
should be sufficient for trust creation to your new forest where I'm
sure you fully control DNS).


/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, 9 August 2005 00:09
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. they used to outsource their
AD/Exchange but now they're trying to get it back.

It's a 2 tree, 2 domain forest. the root domain is empty.
this company only has DA access on the child domain. No EA access. In
fact, they are cut off from the root domain physically.

What they want to do is create a new forest and migrate all
users,exchange,computers,etc to the new forest and be done with the
old.
They are going to use Quest sw and a consultant from Quest for this.

My question is- can this be done without any connectivity to the root?
both dns zones are in the root so they really don't have any dns
locally as well(needless to say, you can imagine what the rep logs
look like). I'm sure this complicates matters.
however, the Quest people seem to think this can still work.
can it?

also, can the new forest have the same domain names as the old one?

Thanks(I'm the guy who posted about his new job jitters about a week
or 2 ago, and here i am. Their AD is more messed up than I thought :)
)


RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Almeida Pinto, Jorge de
Rick,
 
Don't you mean the bridgehead server role instead of the ISTG? I think you were 
saying: As long as DCs on the static BH list are up, everything is OK. When 
all DCs on the static list are for some reason unavailable the ISTG will not 
choose other available DCs as new BHs as it will happen with auto BHs
 
Must have been a very long con-call? Or do I need to get a lot of coffee? ;-))
 
For this to work you almost need to make a GC the BH and it also depends on 
your site and replication topology. I have seen it happen in a W2K network 
where DCs/GCs from domain A and B were in site X (configured with auto BHs) 
and DCs/GCs from domain A and B and C were in site Y (configured with static 
BHs from domain C). All DCs were also a GC. As Dean already said, the ISTG in 
site X whined and whined and whined there were no BH in site Y that could 
replicate a WRITABLE partition for domain A and B although the DCs were 
available. And a DC will not replicate with a GC to replicate its own writable 
partition and thus it still chose a non-BH DC from domain A and B and reported 
that in the event-viewer. The solution in this case was to configure site Y 
with auto BHs which was not an option because of the scalability issue with W2K 
AD. The only solution left was to add at least one DC from domain A and B to 
the static BH list from site Y
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Mon 8/8/2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads



Not that it's necessarily BAD, but the one problem is that if the system that 
the ISTG is on fails, then the ISTG is down for that site until the 'role' is 
moved to another suitable machine.

Rick



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

 

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

 

Question is, we have at least one DC at each site configured as a preferred 
bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any 
bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's about 
it as well.

 

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.


RE: [ActiveDir] user profiles

2005-08-08 Thread Almeida Pinto, Jorge de
When a user logs on for the first time, the system the user logs on to will 
first look in the netlogon share for a default user profile and if it does not 
find one it will use the default profile from the local computer the user logs 
on to. If you don't want the users to change the profile (as in make it 
mandatory) rename the NTUSER.DAT to NTUSER.MAN.
 
What you could do is:
* Create a folder named Default User in the netlogon share
* Configure a default user profile as you want it and place it in the Default 
user folder on the netlogon share
* Rename the NTUSER.DAT to NTUSER.MAN if the user will not be allowed to change 
the profile
* Configure each user with a profile directory in its AD user object
 
Cheers
#JORGE#



From: [EMAIL PROTECTED] on behalf of Dan Holme
Sent: Mon 8/8/2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] user profiles



Do you want them each to get their 'own' profile (that they can change 
and those changes would be there the next time they log on) or is it a 
'standard' profile that needs to be the same for every user, every time 
they log on? 

-Original Message- 
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman 
III 
Sent: Monday, August 08, 2005 12:06 PM 
To: ActiveDir@mail.activedir.org 
Subject: [ActiveDir] user profiles 


What would be the easiest way to setup a default profile for a few 
thousand users and make sure that their profile is deleted from their 
local machines at logoff. 







RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Rick Kingslan
Yes, it was a long Con-Call.  And, yes - I do need more coffee. :o)

Yep - I did mean BH.

Oy.  time for a nap.

Rick

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, August 08, 2005 4:34 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

Rick,
 
Don't you mean the bridgehead server role instead of the ISTG? I think you
were saying: As long as DCs on the static BH list are up, everything is OK.
When all DCs on the static list are for some reason unavailable the ISTG
will not choose other available DCs as new BHs as it will happen with auto
BHs.
 
Must have been a very long con-call? Or do I need to get a lot of coffee?
;-))
 
For this to work you almost need to make a GC the BH and it also depends on
your site and replication topology. I have seen it happen in a W2K network
where DCs/GCs from domain A and B were in site X (configured with auto BHs)
and DCs/GCs from domain A and B and C were in site Y (configured with
static BHs from domain C). All DCs were also a GC. As Dean already said,
the ISTG in site X whined and whined and whined there were no BH in site Y
that could replicate a WRITABLE partition for domain A and B although the
DCs were available. And a DC will not replicate with a GC to replicate its
own writable partition and thus it still chose a non-BH DC from domain A and
B and reported that in the event-viewer. The solution in this case was to
configure site Y with auto BHs which was not an option because of the
scalability issue with W2K AD. The only solution left was to add at least
one DC from domain A and B to the static BH list from site Y.
 
Cheers,
#JORGE#



From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Mon 8/8/2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads



Not that it's necessarily BAD, but the one problem is that if the system
that the ISTG is on fails, then the ISTG is down for that site until the
'role' is moved to another suitable machine.

Rick



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

 

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

 

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any
bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's
about it as well.

 

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~





RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Rimmerman, Russ



We thought it would "help" with replication speed. I
guess it was more of a WAG.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating
an app. NC in and out of a site since in order to replicate a particular
partition, the bridgehead in question must hold a copy of it ... if the
preferred list contains only 2K DCs, that can't happen .. for the most part
... a 2K3 ISTG will override your choices and allocate a suitable bridgehead
for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask
why you're using them?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any
bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's
about it as well.

Thanks

  
  


RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread Dean Wells



Without wishing to labor the point Russ, what aspect of replication 
'speed' was thought to be improved? I ask as I often lecture on AD (and 
related technologies) and am interested to understand some of the 
misconceptions.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed. I
guess it was more of a WAG.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating
an app. NC in and out of a site since in order to replicate a particular
partition, the bridgehead in question must hold a copy of it ... if the
preferred list contains only 2K DCs, that can't happen .. for the most part
... a 2K3 ISTG will override your choices and allocate a suitable bridgehead
for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask
why you're using them?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any
bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's
about it as well.

Thanks

  
  


RE: [ActiveDir] AD migration

2005-08-08 Thread Almeida Pinto, Jorge de
What do you mean with "In fact, they are cut off from the root domain 
physically."? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. they used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2 tree, 2 domain forest. the root domain is empty. 
this company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users,exchange,computers,etc to the new forest and be done with the 
old. 
They are going to use Quest sw and a consultant from Quest for this. 

My question is- can this be done without any connectivity to the root? 
both dns zones are in the root so they really don't have any dns 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
however, the Quest people seem to think this can still work. 
can it? 

also, can the new forest have the same domain names as the old one? 

Thanks(I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here i am. Their AD is more messed up than I thought :) 
) 


RE : [ActiveDir] DC replicating with deleted DSA object

2005-08-08 Thread TIROA YANN
Oops sorry..  ...as stated Rick -  I made a mistake between Rick Kingslan 
and Neil Ruston ;)
Sorry Neil :-)

Cheers,

Yann 



From: [EMAIL PROTECTED] on behalf of TIROA YANN
Date: Mon. 08/08/2005 17:59
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] DC replicating with deleted DSA object


Hi,
 
Ah.. so for my comprehension, these Deleted Objects do not follow the Tombstone 
process for deleted objects such as users, computers.. (60 days if I remember...) as 
Rick stated.
 
Does the Stay of Execution state=15days ONLY apply to DCs state (demoted, 
renamed with same name, etc..?) or any other objects?
 
Yann



From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon. 08/08/2005 17:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object


Those connections are in a Stay of Execution state.  With SP1 we changed so 
that we would not attempt to replicate with them but prior to that we will.  If 
your forest has a normal config these will be removed after 15 days.  They 
cause no harm and you can remove them with the /delete option or wait until the 
stay of execution period, normally 15 days.
 
Thanks,
 
-Steve



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC replicating with deleted DSA object



We have recently re-built and upgraded several DCs from w2k to w2k3. The 
upgrade is achieved as follows: 
1. demote w2k DC 
2. build and promote w2k3 DC 

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. 

Furthermore, sometimes the same name is used in 1 and 2 but not always. 

If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see 
the following issue: 

snip 
y\ 
DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC 
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb 
z\ (deleted DSA) via RPC 
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 
y\ 
DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC 
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb 
snip 

Where: 
xx is a DC which was built temporarily and then demoted several days 
ago 
aa is a DC which was re-built (as per above) with the same name 
bb is a DC which was re-built (as per above) with the same name (in the 
same site as xx) 

I have been considering using repadmin /delete to remove these incorrect 
replication connections and wondered if anyone had used such a method before or 
could offer any alternatives?

Thanks, 
neil 

==
Please access the attached hyperlink for an important electronic communications 
disclaimer: 

http://www.csfb.com/legal_terms/disclaimer_external_email.shtml

==



RE: [ActiveDir] AD migration

2005-08-08 Thread Medeiros, Jose
I am sure Quest's consultants know what they are doing. Didn't you have them 
put a quote and migration plan together prior to the actual migration? Or are 
you asking these questions because you are second guessing them? Or is this 
just for your own knowledge?

My understanding is that both domain names have to be different when using ADMT 
to migrate from a Source Domain to a Target Domain, unless Quest has a tool 
that overcomes this that I am not aware of. Are you trying to keep the same 
domain name as the source? Microsoft also has a free tool that will allow you 
to rename the target 2003 AD domain after you have completed your migration 
and decommissioned old DCs.

Jose

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
Jorge de
Sent: Monday, August 08, 2005 2:46 PM
To: ActiveDir@mail.activedir.org; activedirectory
Subject: RE: [ActiveDir] AD migration


What do you mean with "In fact, they are cut off from the root domain 
physically."? Do you mean as in there is no replication between the two 
domains? If yes... dare I ask for how long?
 
As far as I know you can migrate the child domain without the root being available 
because you will be having a trust between the new domain and the child domain.
 
I still don't understand what you mean... They are cut off from the root and 
the DNS is available in the root. I must be missing something. Can you explain a 
bit more?
 
Jorge



From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration



I just started working for a company. they used to outsource their 
AD/Exchange but now they're trying to get it back. 

It's a 2 tree, 2 domain forest. the root domain is empty. 
this company only has DA access on the child domain. No EA access. In 
fact, they are cut off from the root domain physically. 

What they want to do is create a new forest and migrate all 
users,exchange,computers,etc to the new forest and be done with the 
old. 
They are going to use Quest sw and a consultant from Quest for this. 

My question is- can this be done without any connectivity to the root? 
both dns zones are in the root so they really don't have any dns 
locally as well (needless to say, you can imagine what the rep logs 
look like). I'm sure this complicates matters. 
however, the Quest people seem to think this can still work. 
can it? 

also, can the new forest have the same domain names as the old one? 

Thanks(I'm the guy who posted about his new job jitters about a week 
or 2 ago, and here i am. Their AD is more messed up than I thought :) 
) 


Re: [ActiveDir] AD migration

2005-08-08 Thread Tom Kern
I just started today so what I got was-
they have connectivity to the child dns server but they cut off
connectivity to anything in the root domain.
the firewall is blocking all root traffic.
this has been like this for a week.
nothing is replicating to the root and there is no access to the _msdc
forest zone.

The forest is win2k native with an empty root and 1 child domain in a
separate tree.
they have DA access in the child domain but no DA/EA access in the root.
all the exchange servers (about 10) are in the child domain.
the only recipient policy in the root is the default one and the enterprise RUS.


They want to migrate the child domain and all the resources to a new
forest where we have full control of everything.
i assume we do not need connectivity to the _msdc forest dns zone to
create a trust with the old child domain to migrate everything over(or
anything in the root dns zone).

I'm not 2nd guessing the Quest guys, this is only for my own education.

Thanks a lot


On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote:
 I am sure Quest's consultants know what they are doing. Didn't you have 
 them put a quote and migration plan together prior to the actual migration? 
 Or are you asking these questions because you are second guessing them? Or is 
 this just for your own knowledge?
 
 My understanding is that both domain names have to be different when using 
 ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a 
 tool that overcomes this that I am not aware of. Are you trying to keep the 
 same domain name as the source? Microsoft also has a free tool that will 
 allow you to rename the target 2003 AD domain after you have completed 
 your migration and decommissioned old DCs.
 
 Jose
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Almeida Pinto,
 Jorge de
 Sent: Monday, August 08, 2005 2:46 PM
 To: ActiveDir@mail.activedir.org; activedirectory
 Subject: RE: [ActiveDir] AD migration
 
 
 What do you mean with "In fact, they are cut off from the root domain 
 physically."? Do you mean as in there is no replication between the two 
 domains? If yes... dare I ask for how long?
 
 As far as I know you can migrate the child domain without the root being 
 available because you will be having a trust between the new domain and the 
 child domain.
 
 I still don't understand what you mean... They are cut off from the root and 
 the DNS is available in the root. I must be missing something. Can you explain 
 a bit more?
 
 Jorge
 
 
 
 From: [EMAIL PROTECTED] on behalf of Tom Kern
 Sent: Mon 8/8/2005 11:08 PM
 To: activedirectory
 Subject: [ActiveDir] AD migration
 
 
 
 I just started working for a company. they used to outsource their
 AD/Exchange but now they're trying to get it back.
 
 It's a 2 tree, 2 domain forest. the root domain is empty.
 this company only has DA access on the child domain. No EA access. In
 fact, they are cut off from the root domain physically.
 
 What they want to do is create a new forest and migrate all
 users,exchange,computers,etc to the new forest and be done with the
 old.
 They are going to use Quest sw and a consultant from Quest for this.
 
 My question is- can this be done without any connectivity to the root?
 both dns zones are in the root so they really don't have any dns
 locally as well (needless to say, you can imagine what the rep logs
 look like). I'm sure this complicates matters.
 however, the Quest people seem to think this can still work.
 can it?
 
 also, can the new forest have the same domain names as the old one?
 
 Thanks(I'm the guy who posted about his new job jitters about a week
 or 2 ago, and here i am. Their AD is more messed up than I thought :)
 )


RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread David Cliffe



In the same spirit - but on the other side of the coin :) - I wouldn't 
mind hearing a brief elaboration on your earlier statement:

"I've found only a few scenarios in which they proved valuable"

Perhaps one reason might be when one of the servers in a site is 
underpowered/waiting to be upgraded, etc..?

-DaveC
Reuters IST Service Delivery


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 6:14 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

Without wishing to labor the point Russ, what aspect of replication 
'speed' was thought to be improved? I ask as I often lecture on AD (and 
related technologies) and am interested to understand some of the 
misconceptions.
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed. I 
guess it was more of a WAG.


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating
an app. NC in and out of a site since in order to replicate a particular
partition, the bridgehead in question must hold a copy of it ... if the
preferred list contains only 2K DCs, that can't happen .. for the most part
... a 2K3 ISTG will override your choices and allocate a suitable bridgehead
for you, it will however whine and whine and whine and ... you get the idea.

I've found only a few scenarios in which they proved valuable ... may I ask
why you're using them?
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade.

Question is, we have at least one DC at each site configured as a preferred
bridgehead for IP.  Is this not a good idea?  Is it best to not prefer any
bridgeheads and let AD do its job?  I'm seeing a lot of event ID 1567's
about it as well.

Thanks

  
  

-
Visit our Internet site at http://www.reuters.com

To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo 

Any views expressed in this message are those of  the  individual
sender,  except  where  the sender specifically states them to be
the views of Reuters Ltd.




RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread David Adner
So Russ doesn't feel so bad, I've been to many
customers that decided to specify preferred BH's. 
When I ask why I normally get any of the following
responses.
1) They want a predictable DC to go to when they need
to force replication between sites.  This is
relatively easy to wean them off of.
2) Like Russ, they thought it would either speed up
replication or fix it.  When I try to dig into what
was broken that doing this might have fixed they have
no clue.
3) Why not, it's in the GUI.  I can normally shame
them into undoing it.
4) Um, what's a preferred BH?  These are mindless
sheep that are easily controlled and will do whatever
I tell them, so it's an easy fix.

To be fair, there was 1 customer that actually had
firewalls between Sites and were trying to limit
communication through specific DC's.  They hadn't
specified enough preferred BH's to account for each
partition but you can't have everything.

--- Dean Wells [EMAIL PROTECTED] wrote:

 Without wishing to labor the point Russ, what aspect
 of replication 'speed'
 was thought to be improved?  I ask as I often
 lecture on AD (and related
 technologies) and am interested to understand some
 of the misconceptions.
 --
 Dean Wells
 MSEtechnology
 * Email: dwells@msetechnology.com
 http://msetechnology.com
 
  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Rimmerman, Russ
 Sent: Monday, August 08, 2005 6:08 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Preferred Bridgeheads
 
 
 We thought it would help with replication speed. 
 I guess it was more of a
 WAG.
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Dean Wells
 Sent: Monday, August 08, 2005 2:13 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Preferred Bridgeheads
 
 
 If you constrain the list of bridgeheads you may be
 incapable of replicating
 an app. NC in and out of a site since in order to
 replicate a particular
 partition, the bridgehead in question must hold a
 copy of it ... if the
 preferred list contains only 2K DCs, that can't
 happen .. for the most part
 ... a 2K3 ISTG will override your choices and
 allocate a suitable bridgehead
 for you, it will however whine and whine and whine
 and ... you get the idea.
  
 I've found only a few scenarios in which they proved
 valuable ... may I ask
 why you're using them?
 --
 Dean Wells
 MSEtechnology
 * Email: dwells@msetechnology.com
 http://msetechnology.com
 
  
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Rimmerman, Russ
 Sent: Monday, August 08, 2005 3:03 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Preferred Bridgeheads
 
 
 We're almost all Win2k3 Domain Controllers, have a
 few left to upgrade.
  
 Question is, we have at least one DC at each site
 configured as a preferred
 bridgehead for IP.  Is this not a good idea?  Is it
 best to not prefer any
 bridgeheads and let AD do its job?  I'm seeing a lot
 of event ID 1567's
 about it as well.
  
 Thanks
   
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
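
The coverage problem raised in this thread (a preferred bridgehead has to hold a writable copy of every partition its site must replicate, and a GC's partial copy does not count) can be checked mechanically. The following is an added example, not code from any poster or from Microsoft: the `DC` record, the `audit_preferred_bridgeheads` function and the site, DC and naming-context names are all constructed, and the inventory is modelled in memory rather than read from a directory.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DC:
    name: str
    site: str
    writable: frozenset               # naming contexts held as full, writable replicas
    partial: frozenset = frozenset()  # read-only partial replicas held as a GC
    preferred_bh: bool = False        # manually designated preferred bridgehead


def audit_preferred_bridgeheads(dcs):
    """Return (site, nc, status, dc_names) findings for sites with preferred BHs.

    "uncovered": no preferred bridgehead holds a writable copy of nc; dc_names
                 lists preferred bridgeheads that hold it only as a GC partial.
    "single":    exactly one preferred bridgehead holds it, so there is no
                 second choice if that DC is unavailable.
    """
    findings = []
    for site in sorted({dc.site for dc in dcs}):
        members = [dc for dc in dcs if dc.site == site]
        preferred = [dc for dc in members if dc.preferred_bh]
        if not preferred:
            continue  # nothing constrained: bridgeheads are selected automatically
        # Every NC with a writable replica in the site has to get in and out of it.
        for nc in sorted(set().union(*(dc.writable for dc in members))):
            holders = sorted(dc.name for dc in preferred if nc in dc.writable)
            if not holders:
                gc_only = sorted(dc.name for dc in preferred if nc in dc.partial)
                findings.append((site, nc, "uncovered", gc_only))
            elif len(holders) == 1:
                findings.append((site, nc, "single", holders))
    return findings


# Constructed naming contexts (assumed names, not from the thread).
A = "DC=a,DC=example,DC=com"
B = "DC=b,DC=example,DC=com"
C = "DC=c,DC=example,DC=com"
APP = "DC=ForestDnsZones,DC=example,DC=com"

# Constructed inventory. Sites X and Y follow the scenario described in the
# thread: X uses automatic bridgeheads, Y has static bridgeheads from domain C
# only, and every DC there is also a GC. Site Z prefers one W2K DC that cannot
# hold the application NC hosted by its W2K3 neighbour.
SAMPLE = [
    DC("XA1", "X", frozenset({A}), frozenset({B, C})),
    DC("XB1", "X", frozenset({B}), frozenset({A, C})),
    DC("YA1", "Y", frozenset({A}), frozenset({B, C})),
    DC("YB1", "Y", frozenset({B}), frozenset({A, C})),
    DC("YC1", "Y", frozenset({C}), frozenset({A, B}), preferred_bh=True),
    DC("YC2", "Y", frozenset({C}), frozenset({A, B}), preferred_bh=True),
    DC("ZA1", "Z", frozenset({A}), preferred_bh=True),
    DC("ZA2", "Z", frozenset({A, APP})),
]

if __name__ == "__main__":
    for site, nc, status, names in audit_preferred_bridgeheads(SAMPLE):
        print(f"site {site}: {nc} is {status} (preferred DCs involved: {names})")
```
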


RE: [ActiveDir] Preferred Bridgeheads

2005-08-08 Thread David Adner
Inadequate hardware is one, although that's typically
less and less of an issue since most server class
hardware nowadays is more than robust enough.

Firewalls or router ACL's between sites and only
designated DC's can intercommunicate with each other
is another reason.

Branch environments where many remote sites hub back
to a central site.  Specific BH's may be designated
(although they're often put into their own sites
anyway) as much for DR reasons as normal replication
traffic.  The act of connection objects moving around
can cause vvjoin's which are relatively CPU intensive.

Besides designating them, most customers only
configure 1 per site, not realizing they're creating a
single point of failure.  They also will configure a
DC to be a preferred BH when it's the only one in its
site.  Since it would have been the BH regardless,
it's redundant and just adds administrative overhead. 
They also fail to designate enough BH's to support
each partition.

--- David Cliffe [EMAIL PROTECTED] wrote:

 In the same spirit - but on the other side of the
 coin :) - I wouldn't
 mind hearing a brief elaboration on your earlier
 statement:
  
 I've found only a few scenarios in which they
 proved valuable
  
 Perhaps one reason might be when one of the servers
 in a site is
 underpowered/waiting to be upgraded, etc..?
  
 -DaveC
 Reuters IST Service Delivery
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Dean Wells
 Sent: Monday, August 08, 2005 6:14 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Preferred Bridgeheads
 
 
 Without wishing to labor the point Russ, what aspect
 of replication
 'speed' was thought to be improved?  I ask as I
 often lecture on AD (and
 related technologies) and am interested to
 understand some of the
 misconceptions.
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Rimmerman, Russ
 Sent: Monday, August 08, 2005 6:08 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Preferred Bridgeheads
 
 
 We thought it would help with replication speed. 
 I guess it was more
 of a WAG.
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Dean Wells
 Sent: Monday, August 08, 2005 2:13 PM
 To: Send - AD mailing list
 Subject: RE: [ActiveDir] Preferred Bridgeheads
 
 
 If you constrain the list of bridgeheads you may be
 incapable of
 replicating an app. NC in and out of a site since in
 order to replicate
 a particular partition, the bridgehead in question
 must hold a copy of
 it ... if the preferred list contains only 2K DCs,
 that can't happen ..
 for the most part ... a 2K3 ISTG will override your
 choices and allocate
 a suitable bridgehead for you, it will however whine
 and whine and whine
 and ... you get the idea.
  
 I've found only a few scenarios in which they proved
 valuable ... may I
 ask why you're using them?
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
  
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On
 Behalf Of Rimmerman, Russ
 Sent: Monday, August 08, 2005 3:03 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Preferred Bridgeheads
 
 
 We're almost all Win2k3 Domain Controllers, have a
 few left to upgrade.
  
 Question is, we have at least one DC at each site
 configured as a
 preferred bridgehead for IP.  Is this not a good
 idea?  Is it best to
 not prefer any bridgeheads and let AD do its job? 
 I'm seeing a lot of
 event ID 1567's about it as well.
  
 Thanks
 
 


RE: [ActiveDir] OT: Change ownership

2005-08-08 Thread Douglas M. Long

This is exactly what I was looking for.
THANKS

Too bad I messed with it for an hour only
to find out that the version in the resource kit doesn't work. I actually
had to download it separately to get the proper version (even though I was
using the 2003 resource kit that I downloaded today).

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Monday, August 08, 2005 3:46 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Change ownership

Try using SUBINACL..

http://www.ultratech-llc.com/KB/?File=Perms.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote:
 
 
 Is there an easy way to change ownership on all files and folders in a
 directory owned by userA? 
 
 I think I am having a stupid attack