RE: [ActiveDir] Biggest AD Gripes
You're obviously too young to remember: LSL NE3200 IPXODI NETX :)

VLMs made life a whole lot easier.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: 05 August 2005 16:59
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ... you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes -

LSL NE3200 IPXODI VLM C:\F: F:\LOGIN

... ah, even now I get a gooey comfortable feeling. :o)

It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage!

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 11:47 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great job security. No one who didn't know any better couldn't possibly figure out the right combination of ODI drivers, VLMs and client shells to bind together to actually get access to Netware. The best was the Netware 2.x client, where you had to run something equivalent to a compiler to actually create a client. After that, VLMs seemed like going to the moon...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 9:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt.
Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, Netware is great for file and print and NT is great for applications. Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but diff to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today.
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but even worse, any port can be used... If all machines are part of a domain or forest, you could set up policies to block the running of the ADAM binaries I guess.

I like AD/AM more from the standpoint that I think it can hint as to where AD will go.

What is the largest Enterprise deployment of NDS that anyone has seen? I haven't seen anything larger than say 5000 or so users, it seems that the management got too difficult even at that level, but then I never looked really close at it, so
RE: [ActiveDir] Biggest AD Gripes
I see your HIMEM and raise you a QEMM!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 05 August 2005 17:19
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Don't make me get out my copies of himem and loadhigh!

And his name was Ray Noorda.

-gil (resident old guy and networking historian)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Friday, August 05, 2005 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o)

You may call it a gooey comfortable feeling, Dean, but I'm having screaming-nightmare flashbacks over here! ;-)

I actually think that Novell lost the race when they had that CEO (damned if I remember his name) who got on this kick of We need to do -everything- Microsoft does in order to compete. So since MS had Office, Novell went and acquired Corel...stuff like that. Though I'd probably lump that into the larger heading of inadequate/misinformed marketing that others have already mentioned.

- L

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT - Biggest AD Gripes
There are certainly fairly large (~10k) installations and NDS/eDIR will scale way beyond that too.

A lack of client/dir/server integration may become an issue as the org grows, though.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: 06 August 2005 00:30
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - Biggest AD Gripes

Were there any comments to Joe's question about large deployments of NDS? Are/were there any out there? I am just interested because I still hear comments about how scalable it is.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, August 05, 2005 7:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT - The downfall of Novell and NetWare (was- Biggest AD Gripes)

Heh From a pure technical view, quite right. However - that's where I started - NetWare 2.0 (I mean the FIRST NetWare 2.0). I still remember the proprietary servers that they used to manufacture.

However, what really killed Novell was not the brilliant technical ideas of Drew Majors (who, I still respect as a guy with real vision), but the Megalomania and obsessive behavior of Ray Noorda. Ray so envied Bill Gates that he was going to do anything to better Gates. This meant that Ray effectively lost focus of what Novell was all about in the interest of buying up products that he thought would better Microsoft. Hence, absolutely ridiculous amounts of money (OK, for that time it was ridiculous...) were spent for WordPerfect and ATT Unix, as well as other pieces that were picked up.

But, the focus was lost, NT 4.0 caught on, and the Microsoft marketing machine paid no attention (outwardly, at least) to Noorda. They just went after the customers who had lost patience with the very badly off track NetWare. What was once a major player - and owned greater than 80% of the server market all but became a bit player overnight.
Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Friday, August 05, 2005 8:01 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

All great points, let's not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt.

Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Friday, August 05, 2005 7:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, Netware is great for file and print and NT is great for applications. Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, August 05, 2005 5:05 AM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Biggest AD Gripes

IMHO Novell lost out to MS due to the fact that Netware 3 was so clunky (ultra stable but diff to manage once you deployed more than ~100 servers). Netware 4/NDS had issues in its first version and quickly lost traction, leaving MS and NT to pick up the thread. It was for this reason that very few orgs deployed NDS across a large env - NDS was more than capable of supporting 100K users and the management/maintenance/support would have been far simpler than it was for NT. Once NT gained the upper hand, momentum took over and led us to where we are today.

neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 05 August 2005 00:35
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Yeah, ADAM scared some folks in the widget factory as well. On the positive side, it can register in AD so you can chase them down that way via their SCPs. If they don't register, well then that will be fun to chase as it will be like trying to find rogue AD's, network scanning but
RE: [ActiveDir] Merging two domains
Migration Manager for Active Directory from Quest will allow you to migrate objects from the external domain without setting up a trust. I believe you do need to be running 2003 in the source domain as it stores information in ADAM during the migration. Check out the URL below.

http://wm.quest.com/products/migrationmanagerad/

From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Date: 08/06/2005 02:39 PM
Subject: RE: [ActiveDir] Merging two domains
Please respond to [EMAIL PROTECTED]

yeah... this is also the first thing I thought.

I also thought of something else. Will those users ever need to access their old resources? (like mail, files, etc.) If no access is allowed how are you going to do that? Exmerge all mailboxes into PSTs and burn files on DVD or something like that?

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Interesting issue. SIDHistory is not much of an issue, obviously. Apparently, the users won't have access to the old forest, so it's of little value.

I would suspect, as a 'from the hip' approach - given your limits you really only have a .ldf or a .csv dump of the accounts that are to become a part of your domain. However, if you aren't going to be allowed any access to the old forest, then there is no reason to think that the users would be any more than newly created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what is coming with them. Other than name, logon name, samAccountName, there isn't much that you can use.
Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains

We have an external domain that we will not be allowed to set up a two way trust with, not be allowed to migrate users from, etc. Basically it's a partial domain import from one domain to our current Win2k3 domain. Getting access to the external domain is out of the question since the external domain is not currently ours. Part of it will become ours.

Are there any alternative ways to import or migrate users from an external domain? I understand SID history and all the nice things that go along with it (profile migrations, etc) will not work. What about doing some type of an LDIFDE export and import? Will that at least get us the account creations? What other alternatives are there to have the least end-user impact when changing their domain? Any documents out there outlining this?

Thanks to all.
RE: [ActiveDir] Merging two domains
The trust is only one issue. It doesn't appear that he's being allowed enough access to set anything up. I'm certain (though I haven't worked with Migration Manager) that there must be some type of LDAP Bind or agreement setup between ADAM and the source / targets. I'm not sure that he's going to have this degree of latitude, either.

However, if he is, go for it. Not cheap, but it might be worth the money in man-hours for recreation of functional user and computer accounts, not to mention the Exchange.

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 08, 2005 7:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Migration Manager for Active Directory from Quest will allow you to migrate objects from the external domain without setting up a trust. I believe you do need to be running 2003 in the source domain as it stores information in ADAM during the migration. Check out the URL below.

http://wm.quest.com/products/migrationmanagerad/

From: Almeida Pinto, Jorge de [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
Date: 08/06/2005 02:39 PM
Subject: RE: [ActiveDir] Merging two domains
Please respond to [EMAIL PROTECTED]

yeah... this is also the first thing I thought.

I also thought of something else. Will those users ever need to access their old resources? (like mail, files, etc.) If no access is allowed how are you going to do that? Exmerge all mailboxes into PSTs and burn files on DVD or something like that?

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sat 8/6/2005 7:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Merging two domains

Interesting issue. SIDHistory is not much of an issue, obviously. Apparently, the users won't have access to the old forest, so it's of little value.
I would suspect, as a 'from the hip' approach - given your limits you really only have a .ldf or a .csv dump of the accounts that are to become a part of your domain. However, if you aren't going to be allowed any access to the old forest, then there is no reason to think that the users would be any more than newly created principals, along with the computers that you might acquire.

Dump the information, but I wouldn't get too terribly concerned about what is coming with them. Other than name, logon name, samAccountName, there isn't much that you can use.

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Saturday, August 06, 2005 11:17 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Merging two domains

We have an external domain that we will not be allowed to set up a two way trust with, not be allowed to migrate users from, etc. Basically it's a partial domain import from one domain to our current Win2k3 domain. Getting access to the external domain is out of the question since the external domain is not currently ours. Part of it will become ours.

Are there any alternative ways to import or migrate users from an external domain? I understand SID history and all the nice things that go along with it (profile migrations, etc) will not work. What about doing some type of an LDIFDE export and import? Will that at least get us the account creations? What other alternatives are there to have the least end-user impact when changing their domain? Any documents out there outlining this?

Thanks to all.
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC.

I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it.
That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool.

As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is.

What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error

An operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K:
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Ethereal, no question. Get it at: www.ethereal.com

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC.

I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc?

Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool.
As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is.

What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error

An operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Thanks,

Would it be worth running it on the agent machine, or the AD machine?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Ethereal, no question. Get it at: www.ethereal.com

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe,

Can you tell me a good sniffer? And of course a free one ;-)

The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC.
I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc?

Thanks.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the nice full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 1:19 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user.
RE: [ActiveDir] Biggest AD Gripes
Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write it as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. but still not as old as Joe :o)

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 4:11 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier. neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 05 August 2005 16:59 To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ... you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes - LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o) It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage!

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, August 05, 2005 11:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

I don't know Dean--I kinda liked the old Netware client. I mean, what great job security.
RE: [ActiveDir] Branch Office Question
As always, I'm late to this thread so I'll chime in with one (hopefully) worthwhile clarification. The ISTG and the KCC are not the same thing though the ISTG is considered a sub-component of the KCC. Disabling the KCC is a quite different thing from merely disabling the ISTG. May I inquire as to the OS version here, I don't believe it's been mentioned as yet (apologies if I missed it).

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Sunday, August 07, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question

Yeah. Stop trying to disable the KCC already. The KCC is your friend. :) You do, however, want to disable 'bridge all site links' (located under the properties of Intersite Transports - IP). You need to do this because the network is not fully routable due to your VPN tunnels. With BASL enabled, all site links are treated as transitive, meaning any DC can potentially replicate with any other DC. Since that's not true in your environment you need to disable BASL.

...After reading your response more thoroughly, you mention that you have no custom site links. I assume that means you only have the DEFAULTIPSITELINK with all sites in it. If true, you need to stop that practice, too, as you're effectively creating a full mesh topology. Since your network isn't a full mesh, that won't work. You need to create individual site links between each site to form the proper topology. Don't disable BASL until you've done this.

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, August 07, 2005 4:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question

Noah, Just my curiosity - what is the reason for disabling (or, wanting to disable) the KCC? It's not a recommended practice unless you have a very large number of links / sites / replication objects (and the number changes to a significantly larger number in Win2k3 Functional), or the topology is such that the KCC and the ISTG is not able to do its job of creating a proper spanning tree - neither of which are very likely. Companies with 200k plus users and 150 sites don't normally run into this problem. The normal remedy is to take a look at everything else and eliminate *IT* (meaning everything else) as a potential reason for why the KCC/ISTG isn't working to expectations. Then when everything else has been eliminated, reviewing what the impact will be of killing off the KCC. Specifically, the first realization of killing the KCC - all of the replication objects between servers - will have to be manually maintained. The ISTG will no longer do it. In all but the smallest shops, this would likely take most of the time of one very adept admin. So - think carefully on this move. As I said - it's not recommended. Rick

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Sunday, August 07, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question

Thanks, Jorge. So the KCC is on at all sites. In my situation, I want to disable the KCC. A few questions:
- Is the command to do so: repadmin /siteoptions branch1dc.company.com /site:branch1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
- Do I have to run this against each DC?
- I believe I only want to disable the INTER_SITE, not the INTRA_SITE, right?
- Do I then need to manually create the connection objects or can I just leave the auto generated ones in place?
- Does all this change if the VPN topology allows for a fully routed network?

Thanks. -- nme

P.S. I checked the questions you asked. DCs and GCs are correct; no custom site links or connections; site membership is correct.

-Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Saturday, August 06, 2005 11:59 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question

I expected that.. in a few words hub-and-spoke topology in a non fully routed network. For this to work you need a site for each location and a site link between each spoke (the branches) and the hub and auto site link bridging is off. The other thing I can think of:
* Is each DC/GC in the correct site?
* Do you have custom site link bridges?
* Do you have custom connections (auto connections are visible as automatic connections and custom connections are visible as GUIDs)
* Check the site membership of the site links. Is it correct
* Other site links connecting the branches somehow
* etc

By the way. To see if the KCC/ISTG for a site has been disabled open up the properties of the NTDS Site Settings object of each site. If you see yellow exclamation marks at the bottom with text explaining it,
RE: [ActiveDir] Branch Office Question
G'morning (still bleary eyes on the west coast and yet to get some coffee) The OS is Windows 2000 SP4. And, as per Jorge's initial suggestion, I disabled BASL, and I am still getting the errors. Finally, if I said no custom site links, I misspoke. There are three links -- one for each spoke (- There are three IP site links: Hub-B1, Hub-B2, and Hub-B3). I think that Jorge and I were just discussing killing the ISTG, not the KCC, right? And, as I asked yesterday, maybe all this does not matter as _replication_ is working and we are doing a full redesign and implementation in the next 6-9 months. Thanks. Time to get some coffee. -- nme

-Original Message- From: Dean Wells [mailto:[EMAIL PROTECTED] Sent: Monday, August 08, 2005 7:18 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Branch Office Question

As always, I'm late to this thread so I'll chime in with one (hopefully) worthwhile clarification. The ISTG and the KCC are not the same thing though the ISTG is considered a sub-component of the KCC. Disabling the KCC is a quite different thing from merely disabling the ISTG. May I inquire as to the OS version here, I don't believe it's been mentioned as yet (apologies if I missed it).

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Sunday, August 07, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question

Yeah. Stop trying to disable the KCC already. The KCC is your friend. :) You do, however, want to disable 'bridge all site links' (located under the properties of Intersite Transports - IP). You need to do this because the network is not fully routable due to your VPN tunnels. With BASL enabled, all site links are treated as transitive, meaning any DC can potentially replicate with any other DC. Since that's not true in your environment you need to disable BASL.
RE: [ActiveDir] Biggest AD Gripes
Hah - older than me :P but doesn't the saying go - the older you are the wiser... Carlos

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 08 August 2005 04:11 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write it as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. but still not as old as Joe :o)

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 4:11 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier. neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 05 August 2005 16:59 To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ... you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes - LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o) It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage!
[ActiveDir] Output Shared Contacts
Anyone have an easy way to output shared contacts from a public folder to a flat file? Thanks, Jerry List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] DC replicating with deleted DSA object
We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows:
1. demote w2k DC
2. build and promote w2k3 DC

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always. If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue:

snip
y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
z\ (deleted DSA) via RPC
objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb
snip

Where:
xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same site as xx)

I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives? Thanks, neil

== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] Biggest AD Gripes
Nod, good point ... which explains why Joe always has so much to say and why I'm generally so quiet!

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Monday, August 08, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes

Hah - older than me :P but doesn't the saying go - the older you are the wiser... Carlos

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 08 August 2005 04:11 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write it as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. but still not as old as Joe :o)

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 4:11 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier. neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 05 August 2005 16:59 To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ...
RE: [ActiveDir] Biggest AD Gripes
Or, Rick 007 Pathetic ;op -r

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 9:11 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write it as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. but still not as old as Joe :o)

-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 4:11 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes

You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier. neil

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 05 August 2005 16:59 To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes

Grin ... you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes - LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o) It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage!
RE: [ActiveDir] Biggest AD Gripes
... and as for being older than you, I've got shirts in my closet older than you. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Monday, August 08, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Hah - older than me :P but doesn't the saying go - the older you are the wiser... Carlos -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 08 August 2005 04:11 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write it as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. but still not as old as Joe :o) -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 4:11 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes You're obviously too young to remember: LSL NE3200 IPXODI NETX :) VLMs made life a whole lot easier. neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 05 August 2005 16:59 To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes Grin ... 
you're right of course, I think you're referring to compiling an ANET3 EXE, but don't misunderstand me, I loved some of the older shells or requestors like the VLMs, for nostalgic purposes - LSL NE3200 IPXODI VLM C:\F: F:\LOGIN ... ah, even now I get a gooey comfortable feeling. :o) It's the Windows NT/2000 client I was referring to that used to create a new and different local SAM account each time you logged on as a NetWare account ... garbage! -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, August 05, 2005 11:47 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes I don't know Dean--I kinda liked the old Netware client. I mean, what great job security. No one who didn't know any better couldn't possibly figure out the right combination of ODI drivers, VLMs and client shells to bind together to actually get access to Netware. The best was the Netware 2.x client, where you had to run something equivalent to a compiler to actually create a client. After that, VLMs seemed like going to the moon... -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Friday, August 05, 2005 9:01 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes All great points, lets not forget the less than well-thought-out client they produced (current versions are better but still remain lesser integrated than that of Windows' native ability) ... utterly, utterly pathetic attempt. Arrogance and a distinct lack of marketing (when compared to the competition) was also a contributing factor IMO. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia Sent: Friday, August 05, 2005 7:22 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes I think there were a few very important reasons why Netware lost the battle. I remember when NT first shipped the mantra was, Netware is great for file and print and NT is great for applications. Netware NLMs were impossible to develop and that meant that folks either developed apps on NT or more likely Unix (at the time). Apps are sticky, file and print is not. Over time, as Windows ruled the desktop and people realized that file and print was commodity and that arguing about whether Netware was a better file and print server than NT became meaningless compared to better desktop/server integration, Novell lost out. Novell failed to keep up, in my opinion. The market was theirs to lose...and they lost it. Proof once again that great technology coupled with bad management is just as bad as bad technology. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, August 05, 2005 5:05 AM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Biggest AD Gripes IMHO Novell lost out to MS due to the fact that Netware 3 was
RE: [ActiveDir] Branch Office Question
The ISTG and the KCC are not the same thing And there you go again - getting all technical and stuff on us Gee, does that KCC/ISTG difference REALLY matter? :o) Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 9:18 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Branch Office Question As always, I'm late to this thread so I'll chime in with one (hopefully) worthwhile clarification. The ISTG and the KCC are not the same thing though the ISTG is considered a sub-component of the KCC. Disabling the KCC is a quite different thing from merely disabling the ISTG. May I inquire as to the OS version here, I don't believe it's been mentioned as yet (apologies if I missed it). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Adner Sent: Sunday, August 07, 2005 9:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question Yeah. Stop trying to disable the KCC already. The KCC is your friend. :) You do, however, want to disable 'bridge all site links' (located under the properties of Intersite Transports - IP). You need to do this because the network is not fully routable due to your VPN tunnels. With BASL enabled, all site links are treated as transitive, meaning any DC can potentially replicate with any other DC. Since that's not true in your environment you need to disable BASL. ...After reading your response more thoroughly, you mention that you have no custom site links. I assume that means you only have the DEFAULTIPSITELINK with all sites in it. If true, you need to stop that practice, too, as you're effectively creating a full mesh topology. Since your network isn't a full mesh, that won't work. You need to create individual site links between each site to form the proper topology. Don't disable BASL until you've done this. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, August 07, 2005 4:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question Noah, Just my curiosity - what is the reason for disabling (or, wanting to disable) the KCC? It's not a recommended practice unless you have a very large number of links / sites / replication objects (and the number changes to a significantly larger number in Win2k3 Functional), or the topology is such that the KCC and the ISTG is not able to do its job of creating a proper spanning tree - neither of which are very likely. Companies with 200k plus users and 150 sites don't normally run into this problem. The normal remedy is to take a look at everything else and eliminate *IT* (meaning everything else) as a potential reason for why the KCC/ISTG isn't working to expectations. Then when everything else has been eliminated, reviewing what the impact will be of killing off the KCC. Specifically, the first realization of killing the KCC - all of the replication objects between servers - will have to be manually maintained. The ISTG will no longer do it. In all but the smallest shops, this would likely take most of the time of one very adept admin. So - think carefully on this move. As I said - it's not recommended. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Noah Eiger Sent: Sunday, August 07, 2005 4:14 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question Thanks, Jorge. So the KCC is on at all sites. In my situation, I want to disable the KCC. A few questions: - Is the command to do so: repadmin /siteoptions branch1dc.company.com /site:branch1 +IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED - Do I have to run this against each DC? - I believe I only want to disable the INTER_SITE, not the INTRA_SITE, right? 
- Do I then need to manually create the connection objects or can I just leave the auto generated ones in place? - Does all this change if the VPN topology allows for a fully routed network? Thanks. -- nme P.S. I checked the questions you asked. DCs and GCs are correct; no custom site links or connections; site membership is correct. -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Saturday, August 06, 2005 11:59 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Branch Office Question I expected that.. in a few words hub-and-spoke topology in a non fully routed network. For this to work you need a site for each location and a site link between each spoke (the branches) and the hub and auto site link bridging is off. The other thing I can think of: * Is each DC/GC in the correct site? * Do you have custom site link bridges? * Do you have custom connections (auto connections are visible as automatic
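The site-link advice in this thread can be checked with a small model. The following is an added example, not part of the original posts: it lists the site pairs for which replication connections could be generated under a given site-link layout and BASL setting, and reports those the VPN cannot route. The site names, the tunnel list and the simplified transitivity rule are assumptions made for illustration.

```python
"""Added illustration: site pairs that may be connected vs. pairs the VPN can route."""
from itertools import combinations

# Constructed hub-and-spoke network: every branch has one tunnel, to the hub only.
TUNNELS = [("HUB", "BRANCH1"), ("HUB", "BRANCH2"), ("HUB", "BRANCH3")]

# Layout 1: one default link that contains every site.
SINGLE_LINK = {"DEFAULTIPSITELINK": {"HUB", "BRANCH1", "BRANCH2", "BRANCH3"}}

# Layout 2: one site link per spoke, each joining that branch to the hub.
PER_SPOKE_LINKS = {
    "HUB-BRANCH1": {"HUB", "BRANCH1"},
    "HUB-BRANCH2": {"HUB", "BRANCH2"},
    "HUB-BRANCH3": {"HUB", "BRANCH3"},
}


def linked_pairs(site_links, bridge_all):
    """Return the site pairs that count as connected for replication.

    Every pair of sites inside one site link is directly linked. With
    bridge_all (BASL) enabled the links are transitive, so any two sites
    joined by a chain of links become candidates as well.
    """
    direct = set()
    for members in site_links.values():
        direct |= {frozenset(p) for p in combinations(sorted(members), 2)}
    if not bridge_all:
        return direct

    # Build adjacency from the direct pairs, then expand each connected
    # component into all of its pairs (the transitive closure).
    adjacency = {}
    for pair in direct:
        a, b = tuple(pair)
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)

    seen, closure = set(), set()
    for start in adjacency:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            site = stack.pop()
            if site in component:
                continue
            component.add(site)
            stack.extend(adjacency[site] - component)
        seen |= component
        closure |= {frozenset(p) for p in combinations(sorted(component), 2)}
    return closure


def unroutable(site_links, bridge_all, tunnels):
    """Pairs that may be chosen as replication partners but have no tunnel."""
    routable = {frozenset(t) for t in tunnels}
    bad = linked_pairs(site_links, bridge_all) - routable
    return sorted(tuple(sorted(p)) for p in bad)


if __name__ == "__main__":
    cases = [
        ("single link, BASL on", SINGLE_LINK, True),
        ("single link, BASL off", SINGLE_LINK, False),
        ("per-spoke links, BASL on", PER_SPOKE_LINKS, True),
        ("per-spoke links, BASL off", PER_SPOKE_LINKS, False),
    ]
    for label, links, basl in cases:
        print(f"{label}: {unroutable(links, basl, TUNNELS)}")
```

Only the last layout reports no branch-to-branch pairs, which matches the order of operations given above: create the per-spoke site links first, then turn BASL off.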
RE : [ActiveDir] Output Shared Contacts
Hi, Have you tried using the import/export feature that you will find in Outlook? I think you could do this with your Outlook:
- select your contact
- go to file > import/export
- then choose export and you will be prompted for the format of file (.txt, .csv, .xls, etc...)
I do not remember the whole process, but you will easily find the different steps yourself :)
PS: if you cannot import/export a contact that is in your public folder, then
- Create a second contact in your private mailbox
- Copy the one in the public folder to the one you have created
- do the import/export process again
Regards, Yann From: [EMAIL PROTECTED] on behalf of Jerry Welch Date: Mon. 08/08/2005 16:49 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Output Shared Contacts Anyone have an easy way to output shared contacts from a public folder to a flat file? Thanks, Jerry List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] DC replicating with deleted DSA object
Nah no need to. They will go away by themselves as a normal part of the tombstoning process. They are marked as deleted, which is just what the DS needs to let it know it's no longer functioning and should be deleted from any references. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 9:50 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] DC replicating with deleted DSA object We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows: 1. demote w2k DC 2. build and promote w2k3 DC Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always. If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue: snip y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb z\ (deleted DSA) via RPC objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb snip Where: xx is a DC which was built temporarily and then demoted several days ago aa is a DC which was re-built (as per above) with the same name bb is a DC which was re-built (as per above) with the same name (in the same site as xx) I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives? Thanks, neil == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] Biggest AD Gripes
Heheeh does that make your shirts more clever than I am :P - and I thought my DIT tool was cool Carlos -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 08 August 2005 04:53 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes ... and as for being older than you, I've got shirts in my closet older than you. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] DC replicating with deleted DSA object
Those connections are in a Stay of Execution state. With SP1 we changed so that we would not attempt to replicate with them but prior to that we will. If your forest has a normal config these will be removed after 15 days. They cause no harm and you can remove them with the /delete option or wait until the stay of execution period, normally 15 days. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 9:50 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] DC "replicating" with deleted DSA object We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows: 1. demote w2k DC 2. build and promote w2k3 DC Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always. If I now execute "repadmin /showreps" on an existing (bridgehead) w2k DC, I see the following issue: snip y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb z\ (deleted DSA) via RPC objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb snip Where: xx is a DC which was built temporarily and then demoted several days ago aa is a DC which was re-built (as per above) with the same name bb is a DC which was re-built (as per above) with the same name (in the same site as xx) I have been considering using "repadmin /delete" to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives? Thanks, neil == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
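For anyone who wants to list such partners before deciding whether to wait or to use /delete, the following added example (not part of the original posts) pulls the "(deleted DSA)" entries out of saved repadmin /showreps text. The sample text is constructed in the shape quoted in the question above; the site names, DC names and GUIDs are made up, and the function name is hypothetical.

```python
"""Added illustration: list "(deleted DSA)" partners found in showreps text."""
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# One entry: site\name, an optional DEL:<guid> marker, the "(deleted DSA)"
# tag, then the objectGuid line that follows it.
DELETED_ENTRY = re.compile(
    r"(?P<site>[^\s\\]+)\\(?P<name>[^\s\\]*)\s*"
    r"(?:DEL:(?P<deleted_dsa_guid>" + GUID + r"))?\s*"
    r"\(deleted DSA\) via RPC\s+"
    r"objectGuid:\s*(?P<object_guid>" + GUID + r")"
)

# Constructed sample: two deleted partners (one with a DEL: marker, one
# without, as in the post) and one live partner that must not be reported.
SAMPLE = r"""
SITE-A\DC-LIVE via RPC
    objectGuid: aaaaaaaa-0000-4000-8000-000000000001
SITE-A\DC-OLD1 DEL:11111111-1111-4111-8111-111111111111 (deleted DSA) via RPC
    objectGuid: bbbbbbbb-0000-4000-8000-000000000002
SITE-B\ (deleted DSA) via RPC
    objectGuid: cccccccc-0000-4000-8000-000000000003
"""


def find_deleted_partners(showreps_text):
    """Return one dict per "(deleted DSA)" entry, in order of appearance."""
    found = []
    for match in DELETED_ENTRY.finditer(showreps_text):
        found.append(
            {
                "partner": match.group("site") + "\\" + match.group("name"),
                "deleted_dsa_guid": match.group("deleted_dsa_guid"),
                "object_guid": match.group("object_guid"),
            }
        )
    return found


if __name__ == "__main__":
    for entry in find_deleted_partners(SAMPLE):
        marker = entry["deleted_dsa_guid"] or "no DEL: marker shown"
        print(f'{entry["partner"]}: {marker}, objectGuid {entry["object_guid"]}')
```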
RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes
Given your retro appearance, maybe - but not likely. ;o) So, just hold old do you put me at Dean? Would you believe me if I told you I was born shortly after Kennedy's Inauguration (mere days)? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 9:53 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes ... and as for being older than you, I've got shirts in my closet older than you. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] Biggest AD Gripes
... and as for being older than you, I've got shirts in my closet older than you. Come to think of it, I'm wearing one -right now-! ;-P (As the list of nicknames I have for Mr. Wells just grows and grows: Data, 007, Mr. Bond.)
[ActiveDir] MailAlias in AD
Hi, I need basic Mail Alias stored in my AD. How can I add some kind of Mail attribute tab in the User and Computer AD Manager? I've already installed the Service For Unix and authenticated my Unix user and Postfix also lookup my user in AD. Now, I want to be able to edit/add the msSFU30AMailAlias (or any Mail attribute in the default AD+SFU schema) attribute, but I can't find how in the Microsoft AD Manager. Thanks, -- Samuel T. Cossette
RE: [ActiveDir] [OT] Biggest AD Gripes
Yes, I am much older and wiser than Dean. Anything I figure out, I know it will take at least two more days for Dean to fully grasp. :o) On the flip side, when he figures something out and tries to explain it to me I just sort of turn my head to the side and drool. Once I finally snap out of it I say You young whippersnapper... Why when I was your age things were quite like they are now but younger joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 10:52 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes Nod, good point ... which explains why Joe always has so much to say and why I'm generally so quiet! -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes
Kennedy... Or was it Roosevelt? EG -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 11:20 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT:Gone Badly soBiggest AD Gripes Given your retro appearance, maybe - but not likely. ;o) So, just hold old do you put me at Dean? Would you believe me if I told you I was born shortly after Kennedy's Inauguration (mere days)? Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 9:53 AM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes ... and as for being older than you, I've got shirts in my closet older than you. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes Sent: Monday, August 08, 2005 10:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Hah - older than me :P but doesn't the saying go - the older you are the wiser... Carlos -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 08 August 2005 04:11 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes Not at all my young Jedi, my MCNI # is 7 (would have been 5 IIRC but I wanted to be able to write is as 007 -- how sad :o). The first version of NetWare I ran was 4.7 I believe, it supported only dumb terminals as clients and the server ran on a Motorola proc. ... at that time they were known as Innovative Systems. When the Intel product came out (v2.0 I believe), the shell and the server-side kernel were both monolithic binaries; ANET2.exe and NET$OS.EXE methinks. Believe me, I'm old .. 
but still not as old as Joe :o)
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] Biggest AD Gripes
In fact you are saying that Dean's shirts can do more than your DIT tool, and they are not as expensive as your tool. Stop working on the tool and ask Dean for one of his shirts! ;-) jorge

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlos Magalhaes
Sent: Monday, August 08, 2005 17:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Biggest AD Gripes

Heheeh does that make your shirts more clever than I am :P - and I thought my DIT tool was cool Carlos
RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes
Sure, I've seen you close up ... LOL ;o) just teasing
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Either should work, you just need to watch the traffic between the two. If you have a shared hub, you can install it on a third machine and plug it into the hub and watch the traffic that way as well. That works well when there are rules about what software can be installed on a machine. Also if you want, if you have netmon already loaded, you can do a netmon capture and then have ethereal read it. joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 11:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Thanks, Would it be worth running it on the agent machine, or the AD machine? Regards, Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, August 08, 2005 1:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Ethereal no question. Get it at: www.ethereal.com Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Monday, August 08, 2005 9:45 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi Joe, Can you tell me a good sniffer? And of course a free one ;-) The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain. Regards, Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, August 06, 2005 2:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. I would pull out a network sniffer

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Saturday, August 06, 2005 6:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 11:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. so it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full
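The check joe describes in the thread above (looking for a clear-text CONSTRAINT_ATT_TYPE error on homeMDB in the DC's reply) can be scripted against the bytes of a captured, unencrypted response. This is an added example, not code from the thread or from any tool mentioned in it: it assumes the server's diagnostic text has the layout of the constructed sample, and the error number, DSID and attribute id in that sample are placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Runs of printable ASCII (plus tab/CR/LF) long enough to be a server message.
_ASCII_RUN = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{24,}")

# Assumed layout: "<8 hex>: <Kind>: DSID-<hex>, ..." followed by one or more
# "problem <n> (<NAME>), data <n>[, Att <hex> (<attribute>)]" items.
_HEADER = re.compile(
    r"(?P<err>[0-9A-Fa-f]{8}):\s*(?P<kind>[A-Za-z]+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+)"
)
_PROBLEM = re.compile(
    r"problem\s+(?P<code>\d+)\s+\((?P<name>[A-Z_]+)\),\s*data\s+(?P<data>-?\d+)"
    r"(?:,\s*Att\s+(?P<att_id>[0-9A-Fa-f]+)\s+\((?P<attr>[^)]+)\))?"
)


@dataclass
class Problem:
    code: int
    name: str
    attribute: Optional[str]  # None when the item names no attribute


@dataclass
class Diagnostic:
    error: str
    kind: str
    dsid: str
    problems: List[Problem]


def parse_diagnostic(text: str) -> Optional[Diagnostic]:
    """Parse one diagnostic string; None if the text does not look like one."""
    head = _HEADER.search(text)
    if head is None:
        return None
    problems = [
        Problem(int(m["code"]), m["name"], m["attr"])
        for m in _PROBLEM.finditer(text, head.end())
    ]
    return Diagnostic(head["err"].upper(), head["kind"], head["dsid"].upper(), problems)


def diagnostics_in_capture(payload: bytes) -> List[Diagnostic]:
    """Find diagnostic strings sitting in clear text inside captured bytes."""
    found = []
    for run in _ASCII_RUN.finditer(payload):
        diag = parse_diagnostic(run.group().decode("ascii"))
        if diag is not None:
            found.append(diag)
    return found


def linked_attribute_rejections(payload: bytes, linked_attrs=("homeMDB",)) -> List[str]:
    """Names from linked_attrs that the server rejected with CONSTRAINT_ATT_TYPE."""
    wanted = {a.lower() for a in linked_attrs}
    hits = []
    for diag in diagnostics_in_capture(payload):
        for p in diag.problems:
            if p.name == "CONSTRAINT_ATT_TYPE" and p.attribute and p.attribute.lower() in wanted:
                hits.append(p.attribute)
    return hits


# Constructed samples: the leading bytes only imitate a binary response
# envelope and are not a byte-accurate LDAP message.
SAMPLE_REJECTED = (
    b"\x30\x84\x00\x00\x00\x9c\x02\x01\x07\x69\x84\x00\x00\x00\x93"
    b"\x0a\x01\x13\x04\x00\x04\x84\x00\x00\x00\x88"
    b"0000FFFF: AtrErr: DSID-0BADC0DE, #1:\n\t0: 0000FFFF: DSID-0BADC0DE, "
    b"problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 0 (homeMDB)\n\x00"
)
SAMPLE_OK = b"\x30\x84\x00\x00\x00\x10\x02\x01\x07\x69\x84\x00\x00\x00\x07\x0a\x01\x00\x04\x00\x04\x00"

if __name__ == "__main__":
    print(linked_attribute_rejections(SAMPLE_REJECTED))
    print(linked_attribute_rejections(SAMPLE_OK))
```

The scan only finds anything when the response travelled unencrypted, which is the case the thread describes.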
[ActiveDir] Losing Printer Connectivity on clients regularly - W2K3 LAN
Working on a new W2k3 installation with ten new HP4250 Laserjet printers. On a regular basis, users will lose printer connectivity and have to recapture these new printers. The print server is the second DC in the domain with only DHCP, File and Print Server roles assigned. Any help out there? Thanks.

Nigel
System Admin
CARICOM Secretariat.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] [OT] Biggest AD Gripes
Ummm, nod, I do see your confusion Joe, an obvious mistake to make ... but the 2 days isn't occupied figuring anything out, the 2 days is necessary to sift through the encyclopedia's worth of text you've written from which I finally deduce that you said ugh, it's broken dude!. :o)
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 11:42 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OT] Biggest AD Gripes

Yes, I am much older and wiser than Dean. Anything I figure out, I know it will take at least two more days for Dean to fully grasp. :o) On the flip side, when he figures something out and tries to explain it to me I just sort of turn my head to the side and drool. Once I finally snap out of it I say You young whippersnapper... Why when I was your age things were quite like they are now but younger joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 10:52 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Biggest AD Gripes

Nod, good point ... which explains why Joe always has so much to say and why I'm generally so quiet!
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com
RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes
Teddy, FDR? :-D Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, August 08, 2005 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes

Kennedy... Or was it Roosevelt? EG
RE: [ActiveDir] OT:Gone Badly so....Biggest AD Gripes
Good Lord, I can practically hear it from here: Dean Bloody Americans. /Dean
RE: [ActiveDir] DC replicating with deleted DSA object
Hi, Ah.. so for my comprehension, these Deleted Objects do not follow the Tombstone process for deleted objects such as users, computers.. (60 days if I remember...) as Rick stated. Does the Stay of Execution state=15days ONLY apply to DCs state (demoted, renamed with same name, etc..?) or any other objects? Yann From: [EMAIL PROTECTED] on behalf of Steve Linehan Date: Mon. 08/08/2005 17:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC replicating with deleted DSA object Those connections are in a Stay of Execution state. With SP1 we changed so that we would not attempt to replicate with them but prior to that we will. If your forest has a normal config these will be removed after 15 days. They cause no harm and you can remove them with the /delete option or wait until the stay of execution period, normally 15 days. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 9:50 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] DC replicating with deleted DSA object We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows: 1. demote w2k DC 2. build and promote w2k3 DC Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always. 
If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue: snip y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb z\ (deleted DSA) via RPC objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63 y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb snip Where: xx is a DC which was built temporarily and then demoted several days ago aa is a DC which was re-built (as per above) with the same name bb is a DC which was re-built (as per above) with the same name (in the same site as xx) I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives? Thanks, neil == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] Virtual Domain Controllers
I really could have got the job done without AD, this was the first server for the company and it took a while to talk them into it. I looked at SBS but didn't really see any benefits over 2003 Server Standard for their environment so decided against it. The domain is so small I can rebuild it from scratch in about 20 minutes so I'm not too worried about it. Matt From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 6:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Virtual Domain Controllers That sounds like you should probably be running SBS. That was cough designed for those types of deployments. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Brown Sent: Friday, August 05, 2005 8:47 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Virtual Domain Controllers I run a single DC in a small environment... only about 10 users, and since it's just a single server office, and single DC domain... I just run everything on the domain controller. Domain, DNS, File, Print, and Accounting Software on the same server... no VM ware... although I considered it. Since it's a single domain server I just take ghost snapshots of the domain and then backup the files. Seems to work pretty good, as it's been running solid for about a year now. Thanks, -- Matt Brown [EMAIL PROTECTED] Consultant for Student Technology Fee website: http://techfee.ewu.edu/ | 509.359.6972 ph. - 509.359.7087 fx | 307 MONROE HALL | Cheney, WA 99004 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, August 05, 2005 3:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Virtual Domain Controllers Could you just do the file/print on the DC? In a small environment you could probably get away with it. 
Al Maurer Service Manager, Naming and Authentication Services IT | Information Technology Agilent Technologies (719) 590-2639; Telnet 590-2639 http://activedirectory.it.agilent.com -- A good plan today is better than a perfect plan tomorrow. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Seely Jonathan J Sent: Friday, August 05, 2005 12:54 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Virtual Domain Controllers Hi All, I have a question about running DCs on GSX server. I understand that MS does not support this configuration, but I've heard that many people are running DCs in this fashion. Can anyone give some advice in this arena? The idea here is to do VM for a file/print, and another one for a DC in our remote sites. Currently, we've got different hardware for each box, but we're trying to consolidate a bit out there. Thank you. JJ Seely Systems Administrator Oregon Department of Justice Division of Child Support (503) 378-4500 x22277 [EMAIL PROTECTED] *CONFIDENTIALITY NOTICE* This e-mail may contain information that is privileged, confidential, or otherwise exempt from disclosure under applicable law. If you are not the addressee or it appears from the context or otherwise that you have received this e-mail in error, please advise me immediately by reply e-mail, keep the contents confidential, and immediately delete the message and any attachments from your system.
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
Hi Joe, Solved the problem. The agent doing the Job was not running with correct credentials. It was running as default. I set the credentials explicitly to the user I required, and the users with mailboxes are now being created. Thanks a Lot, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Monday, August 08, 2005 3:45 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Either should work, you just need to watch the traffic between the two. If you have a shared hub, you can install it on a third machine and plug it into the hub and watch the traffic that way as well. That works well when there are rules about what software can be installed on a machine. Also if you want, if you have netmon already loaded, you can do a netmon capture and then have ethereal read it. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, August 08, 2005 11:12 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Thanks, Would it be worth running it on the agent machine, or the AD machine? Regards, Mayuresh From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Ethereal no question. Get it at: www.ethereal.com Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Monday, August 08, 2005 9:45 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi Joe, Can you tell me a good sniffer? And of course a free one ;-) The setup is like, the mds is installed on one machine (on a different domain) which talks to the agent which is installed on the exchange machine. 
The agent then uses the exchange native apis to create the mail boxes which would be added to the AD. AD and exchange servers are on same domain. Regards, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, August 06, 2005 2:30 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That would tell me that the homeMDB value either isn't correct or isn't being set properly. homeMDB is a linked DN attribute, it *MUST* be valid when it is set. If the tool allows you to retrieve the extended LDAP error that would be great, if not get out a network sniffer and trace the operation. If the issue is with homeMDB from the DC, you will see a CONSTRAINT_ATT_TYPE error in clear text in the return packet from the DC. I would pull out a network sniffer. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Saturday, August 06, 2005 6:01 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The only sad thing about it is that when with the same attributes minus the homeMDB, the users get created perfectly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 11:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred Yes, again those attributes below seem fine, there should be no issues setting them through LDAP, certainly AD won't reject them. Again I would change the mailnickname to the same as sAMAccountName but that is just me. If you are just mailbox enabling, setting mailnickname and homemdb will do it. That whole thing is documented to be unsupported by MS but I don't know of a single large company that doesn't do it the same way. The RUS will fire with that info and set up the rest of the attributes. 
Now if this is a user create from the ground up, there could be issues with creating an enabled account. I think we went through that before here on the list with you though didn't we? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday,
RE: [ActiveDir] OT: MIIS, ADAM, AD
The application (SAP enterprise portal) does an LDAP bind to authenticate the user. I do not know at this point what (if any) encryption options are available. Proxy objects only work for the domain the ADAM server is in, or other domains with a 2-way trust. Here's the scenario: We have one domain (let's call it INTRANET) that contains our company employees. We have another domain (let's call it EXTRANET) that contains users for our existing business partner web-based Internet applications. The two domains do not currently, and will never in the foreseeable future, trust each other. We will be deploying one SAP EP to service both internal and external (Internet) users. The SAP EP can only authenticate against one directory. We don't (for obvious reasons) want to put our external users in our internal AD. I think that ADAM would be a perfect fit for this. The question is how to sync passwords. I could use the MS solution and use the free* MIIS which looks like it will do exactly what I want, but with a considerable bit of added complexity. Also, we use Psynch to let internal (INTRANET domain) users manage their passwords, and I'm afraid the password hook it requires on the domain controllers will not play nice with the MIIS password hook. I can easily code up my own code to do the simple user object syncing required, but passwords would be tricky. Fortunately, I don't need to do the password sync. The external users (EXTRANET domain) use an internally developed web based app to manage passwords, so I can hook into it easily enough to change the passwords in ADAM. As for our internal users (INTRANET domain), I'm pretty sure Psynch can change passwords in ADAM for me, or at least provide hooks for me to code it up myself. After reading about the proxy user object, I thought it seemed a natural fit for our internal users. That would eliminate one half of the password syncing issues. However, I'm rather concerned about the warning on not using them. 
BTW, I've been playing with trying to programmatically create proxy user objects without much luck. You have to supply the target SID when creating the object. I've tried using the binary SID as returned from a Get("objectSID") call to the INTRANET domain user object, and I've tried the "human readable" version "S-..." (which is what LDP expects when creating a proxy user). Neither seem to work. Anyone know the proper incantation for this bit of magic? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Sunday, July 31, 2005 11:33 AM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD I'll be a lot more interested in MIIS when "free" doesn't mean I have to "buy" SQL licenses to run it. I can understand the server license for Windows, but it should run on any version of the latest Windows server (enterprise, standard, etc) or a desktop OS. Not sure why that is not possible, unless maybe there's a wait for the new SQL 2005 products. Anyway, I'm with Joe on this. I think the simpler you can keep it the better. Writing it in-house with a series of scripts may be enough to do what you want and it's not too terribly difficult. As for proxy objects, if I recall correctly you typically don't want to use them because of the security issues and because it's really designed for legacy apps. If you can use AD, use AD. If you have to use simple bind, then proxy objects may fit the requirement as long as you remember to use some sort of transport security. You may have a problem with multiple forests as well. Haven't tried that, but since it's a proxy bind, I imagine it may get a little confused. I'd be interested to hear if that's not the case though. 
Al From: [EMAIL PROTECTED] on behalf of Robert Bobel Sent: Sun 7/31/2005 10:56 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD Nice side benefit is that the license to use MIIS with the Feature Integration pack to sync AD to ADAM is free. http://www.microsoft.com/downloads/details.aspx?familyid=D9143610-C04D-41C4-B7EA-6F56819769D5&displaylang=en Bob From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Saturday, July 30, 2005 7:59 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: MIIS, ADAM, AD Where is this going to be located? Extranet or Intranet? If you are going to be doing some very simple syncing, I would look at writing something myself or maybe implementing one of the lighter syncing tools like SimpleSync or HP's LDSU. If you need to do a lot of transforms or complex translations or connect to lots of different data sources such as SAP, etc, MIIS might be where you want to go. If you spin up MIIS, it is possible you may need to have a body sitting there maintaining and troubleshooting it due to its complexity plus it is really in flux right now in my opinion in terms of how many
[ActiveDir] OT: Change ownership
Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] Biggest AD Gripes
What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependant, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. Run through the process for one site once manually recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, August 02, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with AOLMe too!/AOL, I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.) 
- Laura -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 02, 2005 6:30 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. MS states that in the DFS-R overview document page 16 See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en QUOTE: DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. FRS and DFS Replication can co-exist on the same member server or domain controller. A shame, but true! DFS-R really rocks!!! It is way better than NTFRS! Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes Sent: Tue 8/2/2005 11:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes * Using the new DFS-Replication mechanism in R2 for the SYSVOL This is available AFAIK if all your servers are running R2 :P Carlos Magalhaes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2005 09:59 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes http://www.novell.com :o) Bloody NetWare bigot ... 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, August 02, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes A while ago I put some AD feature thoughts in a textfile not knowing what to do with them at that moment Here goes: * Active Directory thoughts: * OU = security principal * Possibility to merge Forests * Cut and paste a domain from one forest to another * Domain concept: * Domain controller - directory server (not specific to a certain domain, but hosting naming contexts) * Password policies not only per domain but also per OU * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS - Aliases?) * Multiple replication boundaries (naming contexts) per directory server * Remove domain as an entity. Forest is only entity needed * Integrate file system and possible other resources into the directory (e.g. search where security principals are used) * Permissioning TOP-DOWN and BOTTOM-UP (file system) * Delegation of Control: ability to dictate MEMBERS attribute AND the MEMBEROF attribute (so the possibility exists to dictate which users can be added to what groups)
RE: [ActiveDir] OT: Change ownership
Right click on the folder then properties. Go in security tab and click advanced. In there click on the owner tab and then select/add the owner you want. Check the box that says replace owner on subcontainers and object. You're done ;) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Monday, August 08, 2005 2:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Change ownership Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] OT: Change ownership
I only want to replace the owner on files/folders for a specific user, not all of them. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, August 08, 2005 2:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Change ownership Right click on the folder then properties. Go in security tab and click advanced. In there click on the owner tab and then select/add the owner you want. Check the box that says replace owner on subcontainers and object. You're done ;) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Monday, August 08, 2005 2:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Change ownership Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] Biggest AD Gripes
Help me understand where I'm missing this (I've been in a con-call for 3.5 hours this AM...). Isn't the registry backed up as part of the System State? And, doesn't the registry pretty much make something 'hardware dependent' to some great degree, just by its very nature? I'm sure that there's something very simple that I'm missing. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Monday, August 08, 2005 1:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependant, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. Run through the process for one site once manually recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. 
Sent: Tuesday, August 02, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with AOLMe too!/AOL, I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.) - Laura -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 02, 2005 6:30 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. MS states that in the DFS-R overview document page 16 See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en QUOTE: DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. FRS and DFS Replication can co-exist on the same member server or domain controller. A shame, but true! DFS-R really rocks!!! It is way better than NTFRS! 
Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes Sent: Tue 8/2/2005 11:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes * Using the new DFS-Replication mechanism in R2 for the SYSVOL This is available AFAIK if all your servers are running R2 :P Carlos Magalhaes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2005 09:59 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes http://www.novell.com :o) Bloody NetWare bigot ... -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday, August 02, 2005 2:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes A while ago I put some AD feature thoughts in a textfile not knowing what to do with them at that moment Here goes: * Active Directory thoughts: * OU = security principal * Possibility to merge Forests * Cut and paste a domain from one forest to another * Domain concept: * Domain controller - directory server (not specific to a certain domain, but hosting naming contexts) * Password policies not only per domain but also per OU * Keep domain as a replication boundary but remove the flat structure (prevent context login like NDS -
[ActiveDir] Preferred Bridgeheads
We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
[ActiveDir] user profiles
What would be the easiest way to setup a default profile for a few thousand users and make sure that their profile is deleted from their local machines at logoff. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] OT: Change ownership
Oh! I did not understand the question, other than scripting I can't think of a way to do that. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Monday, August 08, 2005 2:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Change ownership I only want to replace the owner on files/folders for a specific user, not all of them. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruyere, Michel Sent: Monday, August 08, 2005 2:39 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] OT: Change ownership Right click on the folder then properties. Go in security tab and click advanced. In there click on the owner tab and then select/add the owner you want. Check the box that says replace owner on subcontainers and object. You're done ;) From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Monday, August 08, 2005 2:32 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] OT: Change ownership Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
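One way to script what this thread asks for, re-owning only the items that userA currently owns and leaving everything else alone. This is an added example, not code posted by anyone on the list; the script's parameter and function names are assumptions, and it relies on `icacls /setowner`, which ships with current Windows versions.

```powershell
# Added example (not from the thread). Save as a .ps1 and run from an elevated
# session; use -WhatIf first to list what would change without touching anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $Root,      # top of the tree to scan
    [Parameter(Mandatory = $true)] [string] $OldOwner,  # 'DOMAIN\userA' or a raw SID string
    [Parameter(Mandatory = $true)] [string] $NewOwner   # account that takes over ownership
)

# Accept either an account name or a SID string. A raw SID is what a deleted
# account leaves behind as the owner, so the old owner may only exist in that form.
function Resolve-Sid {
    param([string] $Identity)
    if ($Identity -match '^S-1-') {
        return New-Object System.Security.Principal.SecurityIdentifier($Identity)
    }
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

# Walk the tree without descending into junctions or symbolic links, so the
# scan cannot wander outside $Root and re-own files elsewhere on the volume.
function Get-TreeItem {
    param([string] $Path)
    $item = Get-Item -LiteralPath $Path -Force
    $item
    $isLink = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
    if ($item.PSIsContainer -and -not $isLink) {
        Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-TreeItem -Path $_.FullName }
    }
}

$oldSid = Resolve-Sid $OldOwner
$null   = Resolve-Sid $NewOwner   # fail early if the new owner cannot be resolved

Get-TreeItem -Path $Root | ForEach-Object {
    $path = $_.FullName
    try {
        $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
        $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Cannot read owner of ${path}: $($_.Exception.Message)"
        return   # skip this item, keep scanning
    }

    # Compare by SID, not by display name, so renamed or unresolvable accounts match.
    if ($owner.Value -ne $oldSid.Value) { return }

    if ($PSCmdlet.ShouldProcess($path, "set owner to $NewOwner")) {
        # /L acts on a link itself rather than its target; /Q suppresses success output.
        & icacls.exe $path /setowner $NewOwner /L /Q | Out-Null
        [pscustomobject]@{ Path = $path; Changed = ($LASTEXITCODE -eq 0) }
    }
}
```

Keep the output of a `-WhatIf` run as a record of what the departed account owned before changing anything.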
RE: [ActiveDir] Preferred Bridgeheads
Not that it's necessarily BAD, but the one problem is that if the system that the ISTG is on fails, then the ISTG is down for that site until the role is moved to another suitable machine. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 2:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks
RE: [ActiveDir] user profiles
Do you want them each to get their 'own' profile (that they can change and those changes would be there the next time they log on) or is it a 'standard' profile that needs to be the same for every user, every time they log on? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III Sent: Monday, August 08, 2005 12:06 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] user profiles What would be the easiest way to setup a default profile for a few thousand users and make sure that their profile is deleted from their local machines at logoff.
[ActiveDir] For the Exchange heads out there...
Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. I have several public folders that were created by a user who is no longer here. When I right click on the folders, I do not get a Permissions tab. Oddly enough, if I look at the folder in the M drive, there is a Security tab. But I get a message stating that I only have VIEW rights. The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin! Sorry for the greenie query but, I am stumped. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
RE: [ActiveDir] Preferred Bridgeheads
If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen ... for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them? -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 3:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~
RE: [ActiveDir] For the Exchange heads out there...
pfDAVadmin is the tool you want. ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin I recommend, strongly, that you not use Windows Explorer to modify permissions via the infamous "M: Drive". From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, August 08, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] For the Exchange heads out there... Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. I have several public folders that were created by a user who is no longer here. When I right click on the folders, I do not get a Permissions tab. Oddly enough, if I look at the folder in the M drive, there is a Security tab. But I get a message stating that I only have VIEW rights. The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin! Sorry for the greenie query but, I am stumped. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
RE: [ActiveDir] Biggest AD Gripes
And, knowing fully that I'm replying to myself - I don't, nor have I ever used SunGuard, so I have no idea what 'card' they hand a client. I'd assume that it's something along the lines of the procedures lined out in: http://support.microsoft.com/default.aspx?scid=kb;en-us;249694 Which is still fraught with difficulty and lower than reasonable success rate for most of the people and customers that I've talked with. I'm just indicating that there *IS* some difficulty involved - instructions neatly laid out or not. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Help me understand where I'm missing this (I've been in a con-call for 3.5 hours this AM...). Isn't the registry backed up as part of the System State? And, doesn't the registry pretty much make something 'hardware dependent' to some great degree, just by its very nature? I'm sure that there's something very simple that I'm missing. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Monday, August 08, 2005 1:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependent, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. 
Run through the process for one site once manually recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, August 02, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with AOLMe too!/AOL, I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.) - Laura -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 02, 2005 6:30 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. MS states that in the DFS-R overview document page 16 See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en QUOTE: DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. 
FRS and DFS Replication can co-exist on the same member server or domain controller. A shame, but true! DFS-R really rocks!!! It is way better than NTFRS! Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes Sent: Tue 8/2/2005 11:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes * Using the new DFS-Replication mechanism in R2 for the SYSVOL This is available AFAIK if all your servers are running R2 :P Carlos Magalhaes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2005 09:59 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Biggest AD Gripes http://www.novell.com :o) Bloody NetWare bigot ... -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Tuesday,
RE: [ActiveDir] Biggest AD Gripes
Recovery programs are supposed to be smart enough to not recover the parts of the registry that describe the hardware. I know Ntbackup does this since windows 2000 (it even does it correctly since 2k SP3 or so...) I'm really curious as to what problems people are having recovering to different hardware. I've done recoveries galore using Legato and ntbackup to different hardware (Compaq/HP to Dell, etc), and I've never ran into problems that couldn't easily be fixed (like phantom NICs). One thing that will bite you if you aren't careful is that BOOT.INI *is* recovered as part of the system state. That means if your partition layout isn't the same between original server and recovery server, it won't reboot after the recover. It's easy to fix before you reboot after the recovery, but correcting it after the fact is a bit more difficult. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Help me understand where I'm missing this (I've been in a con-call for 3.5 hours this AM...). Isn't the registry backed up as part of the System State? And, doesn't the registry pretty much make something 'hardware dependent' to some great degree, just by its very nature? I'm sure that there's something very simple that I'm missing. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Monday, August 08, 2005 1:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). 
Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependent, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. Run through the process for one site once manually recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, August 02, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with AOLMe too!/AOL, I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.) - Laura -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 02, 2005 6:30 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. 
MS states that in the DFS-R overview document page 16 See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en QUOTE: DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. FRS and DFS Replication can co-exist on the same member server or domain controller. A shame, but true! DFS-R really rocks!!! It is way better than NTFRS! Cheers #JORGE# From: [EMAIL PROTECTED] on behalf of Carlos Magalhaes Sent: Tue 8/2/2005 11:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes * Using the new DFS-Replication mechanism in R2 for the SYSVOL This is available AFAIK if all your servers are running R2 :P Carlos Magalhaes -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: 02 August 2005 09:59 PM To: Send - AD mailing list
RE: [ActiveDir] For the Exchange heads out there...
I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated the need for a M: Drive (Thank you Microsoft). What were they thinking in the first place when they decided to add a M: Drive to Exchange 2000, I never really understood the logic in it? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, August 08, 2005 12:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... pfDAVadmin is the tool you want. ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin I recommend, strongly, that you not use Windows Explorer to modify permissions via the infamous "M: Drive". From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, August 08, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] For the Exchange heads out there... Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. I have several public folders that were created by a user who is no longer here. When I right click on the folders, I do not get a Permissions tab. Oddly enough, if I look at the folder in the M drive, there is a Security tab. But I get a message stating that I only have VIEW rights. The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin! Sorry for the greenie query but, I am stumped. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
Re: [ActiveDir] OT: Change ownership
Try using SUBINACL.. http://www.ultratech-llc.com/KB/?File=Perms.TXT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote: Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
RE: [ActiveDir] Biggest AD Gripes
I too am a Sungard refugee - twice this year already. The doc they hand you to rebuild your systems is pretty much like the one referenced below. We have found it less than reliable (especially when using Compaq/HP backups and restoring to Dell or vice-versa). The last few times we went, we junked the Sungard technique and used Veritas' system state restore, which has been *far* more successful. Still, the idea of doing a DR test with mostly VMWare disk images would really put a smile on this OLD guy's face :-) Hopefully by next year we'll have at least some of those to do. -Mark -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 3:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes And, knowing fully that I'm replying to myself - I don't, nor have I ever used SunGuard, so I have no idea what 'card' they hand a client. I'd assume that it's something along the lines of the procedures lined out in: http://support.microsoft.com/default.aspx?scid=kb;en-us;249694 Which is still fraught with difficulty and lower than reasonable success rate for most of the people and customers that I've talked with. I'm just indicating that there *IS* some difficulty involved - instructions neatly laid out or not. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Monday, August 08, 2005 1:55 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Help me understand where I'm missing this (I've been in a con-call for 3.5 hours this AM...). Isn't the registry backed up as part of the System State? And, doesn't the registry pretty much make something 'hardware dependent' to some great degree, just by its very nature? I'm sure that there's something very simple that I'm missing. 
Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Monday, August 08, 2005 1:36 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes What is difficult about restoring a DC to different hardware? We just did our yearly DR testing (at Sungard as a matter of fact!), and I didn't have any problems. Just follow the little procedure they give you (basically, remove all the network cards and video card in device manager before you reboot after the recovery). Then, follow the other procedure they give you if you end up with phantom NICs. It's the same procedure for DCs as it is for member servers. It isn't hardware dependent, but if you are talking about the hours-long waltz you do with ntdsutil to remove all of the DCs you aren't bringing back, I've found a neat trick. Run through the process for one site once manually recording all of the text you type, then using a text editor create a command file duplicating the tons of commands required to remove every server from every site. Run ntdsutil yourfile.txt. The trick is that ntdsutil prompts before removing each server - just answer no to the server you recover. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hunter, Laura E. Sent: Tuesday, August 02, 2005 6:06 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes Everyone is making a number of suggestions/comments that hit home to me, so rather than chiming in with AOLMe too!/AOL, I'll bring up the one that makes me crazy that no-one has mentioned yet: Restoring a domain controller to alternate hardware (think Disaster Recovery drill at a company like Sungard) should Not. Be. So. Friggin'. Hard. It's better in K3 than it was in 2K, but it's still way too much of a hothouse-flower-y delicate operation. (Maybe Longhorn's AD as a service will make this better. I can hope, at least, because right now it still sucks canal water.) 
- Laura -Original Message- From: Almeida Pinto, Jorge de [mailto:[EMAIL PROTECTED] Sent: Tuesday, August 02, 2005 6:30 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Biggest AD Gripes DFS-R is only supported for custom DFS namespaces. MS at the moment does not support DFS-R for SYSVOL replication. MS states that in the DFS-R overview document page 16 See: http://www.microsoft.com/downloads/details.aspx?FamilyID=5e547 c69-d224-4423-8eac-18d5883e7bc2DisplayLang=en QUOTE: DFS Replication is not supported for SYSVOL replication in Windows Server 2003 R2. Do not attempt to configure DFS Replication on SYSVOL by disabling FRS and setting up a replication group for SYSVOL. Continue to use FRS for SYSVOL replication on domain controllers running Windows Server 2003 R2. FRS and DFS Replication can co-exist on the same member server or domain controller. A shame, but true! DFS-R really rocks!!! It is way better than NTFRS! Cheers #JORGE#
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
I seem to recall that "(" and ")" have to be escaped in LDAP. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 6:51 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta directory is on a different domain, and is on HP-UX. The exchange server is on one machine, and the AD is on a different one. Both the AD and the exchange machines have the same admin login (the domain admin). The meta uses this login to connect to the AD and exchange. If I don't pass the attribute homeMDB, a simple AD user is created just fine. Just when I try to create the user with the homeMDB attribute does it give the problem. Found out this on the net # for hex 0x2020 / decimal 8224 : ERROR_DS_OPERATIONS_ERROR Also the homeMDB value is correct. I created a sample mailbox user from the exchange interface (users and computers) and verified the homeMDB attribute. What conditions can then lead to this problem? Thanks, Mayuresh. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar Sent: Friday, August 05, 2005 10:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, August 05, 2005 4:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred That error log isn't very good. You can't even tell if it is an error being floated back from a DC. 
Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh KshirsagarSent: Friday, August 05, 2005 1:19 PMTo: ActiveDir@mail.activedir.orgSubject: [ActiveDir] Problem adding an Exchange User - An operations error occurred Hi I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error An operations error occurred 10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object 10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials: 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. 
Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox 10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object 10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net 10:38:03.502: [1412.724] DataAccess: EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] DataAccess: UP_AddRecord EXCH2K Failure = EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred... 10:38:03.502: [1412.724] RUPS: Muws2UPAdapter::write(EXCH2K:0:01BE0064): Call of UP_Add/Modify/Delete/RenameRecord(cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net) failed , error='UP_E_ADD_FAILED' (EXCH2K: Mapping Add/Modify Request, Error: An operations error occurred...) Pasted the part of the trace only just in an attempt to give more information. The entry I am
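The trace above carries a DN whose CN contains an escaped comma, and the thread asks which characters LDAP needs escaped. The Python below is an added example, not code from the list or from the metadirectory product: it applies the RFC 4514 rules for DN values and the RFC 4515 rules for search-filter values to the DN from the trace and to a constructed name containing parentheses. The function names are illustrative, and the DN splitter assumes backslash escapes only (no quoted values, no multi-valued RDNs).

```python
import re

# DN copied from the trace on this page; the second name is constructed.
TRACE_DN = r"cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net"
CONSTRUCTED_NAME = "Smith, John (Contractor)"

# RFC 4515: characters that must be hex-escaped inside a search filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\x00": r"\00"}
# RFC 4514: characters that must be escaped anywhere inside a DN value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value):
    """Escape a value for use inside a search filter such as (cn=...)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value):
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#' would mean a hex string
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading/trailing space is significant
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def unescape_dn_value(value):
    """Undo RFC 4514 escaping (ASCII hex pairs and backslash-char pairs)."""
    def repl(match):
        token = match.group(1)
        return chr(int(token, 16)) if len(token) == 2 else token
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)


def filter_for_first_rdn(dn):
    """Build a search filter that matches the leftmost RDN of a DN."""
    attr, _, raw = split_dn(dn)[0].partition("=")
    return "({}={})".format(attr, escape_filter_value(unescape_dn_value(raw)))


if __name__ == "__main__":
    print("naive split :", TRACE_DN.split(","))
    print("aware split :", split_dn(TRACE_DN))
    print("filter      :", filter_for_first_rdn(TRACE_DN))
    dn = "cn=" + escape_dn_value(CONSTRUCTED_NAME) + ",OU=test"
    print("new DN      :", dn)
    print("its filter  :", filter_for_first_rdn(dn))
```

A tool that splits the trace DN on every comma sees five components instead of four, which is one way a name like this gets mangled between a metadirectory and the directory server.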
RE: [ActiveDir] For the Exchange heads out there...
That is definitely in the plans for next year Jose. I truly agree with you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. Alpha Video 7711 Computer Ave. Edina, MN. 55435 952-896-9898 Local 800-388-0008 Watts 952-896-9899 Fax 612-804-8769 Cell 952-841-3327 Direct [EMAIL PROTECTED] "Be excellent to each other" ---End of Line--- -Original Message- From: Medeiros, Jose [mailto:[EMAIL PROTECTED] Sent: Monday, August 08, 2005 2:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated the need for a M: Drive (Thank you Microsoft). What were they thinking in the first place when they decided to add a M: Drive to Exchange 2000, I never really understood the logic in it? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, August 08, 2005 12:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... pfDAVadmin is the tool you want. ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin I recommend, strongly, that you not use Windows Explorer to modify permissions via the infamous "M: Drive". From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, August 08, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] For the Exchange heads out there... Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. I have several public folders that were created by a user who is no longer here. When I right click on the folders, I do not get a Permissions tab. Oddly enough, if I look at the folder in the M drive, there is a Security tab. But I get a message stating that I only have VIEW rights. The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin! Sorry for the greenie query but, I am stumped. Thank you. 
John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
RE: [ActiveDir] For the Exchange heads out there...
That won't fix his problem - pfDAVadmin will. :-) But I agree with your philosophy. ExIFS is great. Exposing it that way was a mistake. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Monday, August 08, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated the need for a M: Drive (Thank you Microsoft). What were they thinking in the first place when they decided to add a M: Drive to Exchange 2000, I never really understood the logic in it? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, August 08, 2005 12:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... pfDAVadmin is the tool you want. ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin I recommend, strongly, that you not use Windows Explorer to modify permissions via the infamous "M: Drive". From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, August 08, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] For the Exchange heads out there... Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. I have several public folders that were created by a user who is no longer here. When I right click on the folders, I do not get a Permissions tab. Oddly enough, if I look at the folder in the M drive, there is a Security tab. But I get a message stating that I only have VIEW rights. The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin! Sorry for the greenie query but, I am stumped. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
Re: [ActiveDir] OT: Change ownership
Log in as an administrator, go to Advanced, choose take ownership and check the apply to all sub folders and files. You are now the owner. Change permissions to give the take ownership right to the person that should own it, log in as them and do the same. Regards; James R. Day Active Directory Core Team Office of the Chief Information Officer National Park Service 202-230-2983 [EMAIL PROTECTED] From: ASB [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] Date: 08/08/2005 03:45 PM AST Please respond to ActiveDir To: ActiveDir@mail.activedir.org cc: (bcc: James Day/Contractor/NPS) Subject: Re: [ActiveDir] OT: Change ownership Try using SUBINACL.. http://www.ultratech-llc.com/KB/?File=Perms.TXT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote: Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
Re: [ActiveDir] MailAlias in AD
Samuel T. Cossette wrote: Hi, I need basic Mail Alias stored in my AD. How can I add some kind of Mail attribute tab in the User and Computer AD Manager? I've already installed the Service For Unix and authenticated my Unix user and Postfix also lookup my user in AD. Now, I want to be able to edit/add the msSFU30AMailAlias (or any Mail attribute in the default AD+SFU schema) attribute, but I can't find how in the Microsoft AD Manager. If You want to add something to the ADUC snap-in You have to develop Your own extension to this snap-in. You can find details about interfaces etc on the MSDN pages. -- Tomasz Onyszko http://www.w2k.pl List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] user profiles
For the first time it would be standard, but after their first logon, they could make changes as needed. (currently each user has their own, but it needs to be cleaned up) Do you want them each to get their 'own' profile (that they can change and those changes would be there the next time they log on) or is it a 'standard' profile that needs to be the same for every user, every time they log on? List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] For the Exchange heads out there...
I just DL'd pfDAV. Damn! That's cool. Thanks Guys... John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems. Alpha Video 7711 Computer Ave. Edina, MN. 55435 952-896-9898 Local 800-388-0008 Watts 952-896-9899 Fax 612-804-8769 Cell 952-841-3327 Direct [EMAIL PROTECTED] "Be excellent to each other" ---End of Line--- -Original Message- From: Michael B. Smith [mailto:[EMAIL PROTECTED] Sent: Monday, August 08, 2005 2:58 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... That won't fix his problem - pfDAVadmin will. :-) But I agree with your philosophy. ExIFS is great. Exposing it that way was a mistake. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Monday, August 08, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... I have even a better idea.. Migrate to Exchange 2003, Microsoft eliminated the need for a M: Drive (Thank you Microsoft). What were they thinking in the first place when they decided to add a M: Drive to Exchange 2000, I never really understood the logic in it? Jose :-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael B. Smith Sent: Monday, August 08, 2005 12:31 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] For the Exchange heads out there... pfDAVadmin is the tool you want. ftp://ftp.microsoft.com/pss/tools/exchange support tools/pfdavadmin I recommend, strongly, that you not use Windows Explorer to modify permissions via the infamous "M: Drive". From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Parker Sent: Monday, August 08, 2005 3:12 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] For the Exchange heads out there... Hello all. Query: We are running Ex2K Ent fully spacked on Svr2K also fully spacked. 
I have several public folders that were created by a user who is no longer here.When I right click on the folders, I do not get a Permissions tab.Oddly enough, if I look at the folder in the M drive, there is a Security tab.But I get a message stating that I only have VIEW rights.The Owner is "S-1-5-21-2000478354-1606980848-839522115-1793" At this time, I can only view and I am the admin!Sorry for the greenie query but, I am stumped. Thank you. John Parker, MCSE IS Admin. Senior Technical Specialist Alpha Display Systems.
RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred
The parens characters ( and ) *should* be encoded as \28 and \29 in a search filter. They will generally work fine without it though. Using the parens characters in DNs or other attributes when making updates is fine assuming the tool being used doesn't get confused and interpret them as meta-data. Commas on the other hand would need to be escaped.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Monday, August 08, 2005 3:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

I seem to recall that "(" and ")" have to be escaped in LDAP.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 6:51 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta directory is on a different domain, and is on HP-UX. The exchange server is on one machine, and the AD is on a different one. Both the AD and the exchange machines have the same admin login (the domain admin). The meta uses this login to connect to the AD and exchange. If I don't pass the attribute homeMDB, a simple AD user is created just fine. Just when I try to create the user with the homeMDB attribute does it give the problem.

Found out this on the net

# for hex 0x2020 / decimal 8224 : ERROR_DS_OPERATIONS_ERROR

Also the homeMDB value is correct. I created a sample mailbox user from the exchange interface (users and computers) and verified the homeMDB attribute. What conditions can then lead to this problem?

Thanks, Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 10:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

The meta tries to create the entry. So it creates the entry in AD and the agent is responsible for creating mailbox. Are the attributes seen for the entry correct? Also what all is required if I am creating a mailbox user from a meta or a script, etc. Also can you suggest if I can find some useful information from the exchange server? Any diagnostics, etc? Thanks.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, August 05, 2005 4:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Problem adding an Exchange User - An operations error occurred

That error log isn't very good. You can't even tell if it is an error being floated back from a DC. Could be something in the meta directory tool. As for the specific data below for the attributes to be set on the user, I don't see anything bad though I wouldn't recommend the mailnickname to have that format, I would recommend it be the same as the sAMAccountName value. I tend to put the "nice" full version of the name in the displayName and that is the only place it is. What info specifically is the product trying to set and how is it setting it? You may have to do a network trace or something like it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 05, 2005 1:19 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Problem adding an Exchange User - An operations error occurred

Hi

I am trying to use a metadirectory to add an exchange user. An agent sitting on the Exchange server machine, which will add the mail box for the user. But when I try to add the user, I am getting the following error

An operations error occurred

10:38:01.112: [1412.724] DataAccess: UP_AddRecord EXCH2K
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify Request
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Mapping Add/Modify operation to Exchange operation
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object
10:38:01.112: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Bind using Configured Credentials:
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Retrieving AD object. Success AD Object: LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net bind=ADS_SECURE_AUTHENTICATION
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD Object. Success server=rlgmfurs1ad01.gepurbsres01.net AD Object=cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox
10:38:01.127: [1412.724] DataAccess: EXCH2K: Operation: Getting an AD User Object from an an AD Object
10:38:03.502: [1412.724] DataAccess: EXCH2K: Operation: Add Or Move a Mailbox Error: An operations error occurred... Server=rlgmfurs1ad01.gepurbsres01.net, User=LDAP://cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net
10:38:03.502: [1412.724]
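The escaping rules raised in this thread (parentheses as \28 and \29 in a search filter, commas escaped inside a DN), as an added example that is not part of the original messages and not code from any product mentioned in them. The function names are hypothetical; the sample DN is the one shown in the log above, and the display-name input is constructed. It generalises slightly beyond the thread by covering the full RFC 4515 and RFC 4514 character sets, and it does not handle the legacy quoted-string DN form.

```python
"""LDAP escaping helpers: RFC 4515 (search filters) and RFC 4514 (DNs)."""
from typing import List

# RFC 4515: inside a filter assertion value these characters are written
# as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514: characters that are special anywhere in an RDN attribute value.
_DN_SPECIALS = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape untrusted text before placing it in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_rdn_value(value: str) -> str:
    """Escape untrusted text before using it as an RDN value in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":      # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_dn(cn: str, parent_dn: str) -> str:
    """Build a DN for a new entry under an already well-formed parent DN."""
    return "CN=" + escape_rdn_value(cn) + "," + parent_dn


def split_dn(dn: str) -> List[str]:
    """Split a DN string into RDNs, honouring backslash escapes."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


# DN taken from the log in the thread above.
PAGE_DN = r"cn=ZZZHHH\, ANGUS,OU=test,DC=gepurbsres01,DC=net"

if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    name = "ANGUS (test)*"
    print("(displayName=" + escape_filter_value(name) + ")")
    print(user_dn("ZZZHHH, ANGUS", "OU=test,DC=gepurbsres01,DC=net"))
    print(split_dn(PAGE_DN))          # 4 RDNs
    print(PAGE_DN.split(","))         # naive split: 5 pieces, CN is broken
    # A DN used as a filter value needs its own backslash escaped again.
    print("(distinguishedName=" + escape_filter_value(PAGE_DN) + ")")
```

The two escapings stack: a DN that already carries `\,` becomes `\5c,` when that DN is itself the value in a search filter.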
RE: [ActiveDir] OT: Change ownership
I'm thinking that he's saying that this isn't an option that is available to him. I've run into exactly the same thing, as the Administrator of a given system CAN be removed from the ACL of a given object. Granted, going to the parent and FORCING the permission for the admin does work, but it happens to have a rather negative effect on all permissions on all folders and files below it. However there are times when it's absolutely necessary, regardless of the backend work restoring permissions for the innocent.

Rick

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Cc: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: Re: [ActiveDir] OT: Change ownership

Log in as an administrator, goto advanced, choose take ownership and check the apply to all sub folders and files. You are now the owner. Change permissions to give the take ownership right to the person that should own it, log in as them and do the same.

Regards;
James R. Day
Active Directory Core Team
Office of the Chief Information Officer
National Park Service
202-230-2983
[EMAIL PROTECTED]

ASB [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]tivedir.org
08/08/2005 03:45 PM AST
Please respond to ActiveDir
To: ActiveDir@mail.activedir.org
cc: (bcc: James Day/Contractor/NPS)
Subject: Re: [ActiveDir] OT: Change ownership

Try using SUBINACL..

http://www.ultratech-llc.com/KB/?File=Perms.TXT

-ASB
FAST, CHEAP, SECURE: Pick Any TWO
http://www.ultratech-llc.com/KB/

On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote:

Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack
[ActiveDir] AD migration
I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, exchange, computers, etc. to the new forest and be done with the old. They are going to use Quest sw and a consultant from Quest for this. My question is: can this be done without any connectivity to the root? Both dns zones are in the root so they really don't have any dns locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am. Their AD is more messed up than I thought :) )
RE: [ActiveDir] DC replicating with deleted DSA object
Steve, Thanks for your explanation, it is clearer now for me :)

Regards, Yann

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon. 08/08/2005 19:49
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object

Replication Metadata is handled somewhat different than a typical deleted object. The following reference gives more details:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/1465d773-b763-45ec-b971-c23cdc27400e.mspx

See the section titled How Replication Metadata is Preserved in Windows Server 2003 for more information on how/why this occurs. The original idea was to help in situations where we removed a connection and then re-added it back so that less overhead was required.

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of TIROA YANN
Sent: Monday, August 08, 2005 11:00 AM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] DC replicating with deleted DSA object

Hi, Ah..so for my comprehension, these Deleted Objects do not follow the Tombstone process for a deleted objects as users, computers.. (60 days if I remind...) as stated Rick. Does the Stay of Execution state=15days ONLY apply to DCs state (demoted, renamed with same name, etc..?) or any other objects?

Yann

From: [EMAIL PROTECTED] on behalf of Steve Linehan
Date: Mon. 08/08/2005 17:16
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DC replicating with deleted DSA object

Those connections are in a Stay of Execution state. With SP1 we changed so that we would not attempt to replicate with them but prior to that we will. If your forest has a normal config these will be removed after 15 days. They cause no harm and you can remove them with the /delete option or wait until the stay of execution period, normally 15 days.

Thanks, -Steve

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Monday, August 08, 2005 9:50 AM
To: 'ActiveDir@mail.activedir.org'
Subject: [ActiveDir] DC replicating with deleted DSA object

We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows:

1. demote w2k DC
2. build and promote w2k3 DC

Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always. If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue:

snip
y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
z\ (deleted DSA) via RPC objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb
snip

Where:
xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same site as xx)

I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives?

Thanks, neil

== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] AD migration
Hey Tom - sounds like fun.

The phrase "they are cut off from the root domain physically" combined with "both dns zones are in the root" and "they don't have any dns locally" sounds a bit unrealistic - this should naturally cause numerous replication issues; basically nothing should work (even normal authentication) as it all requires DNS lookup. So I'm guessing that you do have some DNS servers in your child domains and it would be worthwhile for you to check if there are any secondary zones from the root domain (or the _msdcs subzone) being hosted on your child DCs or another DNS server used in your network.

But your task doesn't seem to be fixing the current AD implementation, but rather to move away from it. DNS name-resolution is critical for any kind of trust in AD (except for trusts to NT4 domains which is not your scenario), however, you do not require EA permissions to set them up from your child domain to another domain in a new forest. But naturally you won't be able to create a forest-trust (i.e. from root of current forest to root of new forest). The names of those domains that are directly trusted can NOT be the same (need to have different NetBios domain names).

So yes, migration should work and even if you don't want to fix the current chaos, you should ensure that DNS works well (in worst case concentrate on creating a workaround just for your child-domain - which should be sufficient for trust creation to your new forest where I'm sure you fully control DNS).

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Tuesday, 9 August 2005 00:09
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, exchange, computers, etc. to the new forest and be done with the old. They are going to use Quest sw and a consultant from Quest for this. My question is: can this be done without any connectivity to the root? Both dns zones are in the root so they really don't have any dns locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am. Their AD is more messed up than I thought :) )
RE: [ActiveDir] Preferred Bridgeheads
Rick, Don't you mean the bridgehead server role instead of the ISTG? I think you were saying: As long as DCs on the static BH list are up, everything is OK. When all DCs on the static list are for some reason unavailable the ISTG will not choose other available DCs as new BHs as it will happen with auto BHs Must have been a very long con-call? Or do I need to get a lot of coffee? ;-)) For this to work you almost need to make a GC the BH and it also depends on your site and replication topology. I have seen it happen in a W2K network where DCs/GCs from domain A and B where in site X (configured with auto BHs) and DCs/GCs from domain A and B and C where in site Y (configured with static BHs from domain C). All DCs where also a GC. As Dean alreaday said, the ISTG in site X whined and whined and whined there were no BH in site Y that could replicate a WRITABLE partition for domain A and B although the DCs were available. And a DC wil not replicate with a GC to replicate its own writable partition and thus it still chose a non-BH DC from domain A and B and reported that in the event-viewer. The solution is this case was to configure site Y with auto BHs which was not an option because of the scalability issue with W2K AD. the only solution left was to add at least one DC from domain A and B to the static BH list from site Y Cheers, #JORGE# From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Mon 8/8/2005 9:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads Not that it's necessarily BAD, but the one problem is that if the system that the ISTG is on fails, then the ISTG is down for that site until the 'role' is moved to another suitable machine. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 2:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. 
Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] user profiles
When a user logs on for the first time the system the user logs on to will first look in the netlogon share for a default user profile and if it does not find one it will use the default profile from the local computer the user logs on to. If you don't want the users to change the profile (as in make it mandatory) rename the NTUSER.DAT to NTUSER.MAN.

What you could do is:

* Create a folder named Default User in the netlogon share
* Configure a default user profile as you want it and place it in the Default user folder on the netlogon share
* Rename the NTUSER.DAT to NTUSER.MAN if the user will not be allowed to change the profile
* Configure each user with a profile directory in its AD user object

Cheers
#JORGE#

From: [EMAIL PROTECTED] on behalf of Dan Holme
Sent: Mon 8/8/2005 9:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] user profiles

Do you want them each to get their 'own' profile (that they can change and those changes would be there the next time they log on) or is it a 'standard' profile that needs to be the same for every user, every time they log on?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman III
Sent: Monday, August 08, 2005 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] user profiles

What would be the easiest way to setup a default profile for a few thousand users and make sure that their profile is deleted from their local machines at logoff.
RE: [ActiveDir] Preferred Bridgeheads
Yes, it was a long Con-Call. And, yes - I do need more coffee. :o) Yep - I did mean BH. Oy. time for a nap. Rick -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, August 08, 2005 4:34 PM To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads Rick, Don't you mean the bridgehead server role instead of the ISTG? I think you were saying: As long as DCs on the static BH list are up, everything is OK. When all DCs on the static list are for some reason unavailable the ISTG will not choose other available DCs as new BHs as it will happen with auto BHs Must have been a very long con-call? Or do I need to get a lot of coffee? ;-)) For this to work you almost need to make a GC the BH and it also depends on your site and replication topology. I have seen it happen in a W2K network where DCs/GCs from domain A and B where in site X (configured with auto BHs) and DCs/GCs from domain A and B and C where in site Y (configured with static BHs from domain C). All DCs where also a GC. As Dean alreaday said, the ISTG in site X whined and whined and whined there were no BH in site Y that could replicate a WRITABLE partition for domain A and B although the DCs were available. And a DC wil not replicate with a GC to replicate its own writable partition and thus it still chose a non-BH DC from domain A and B and reported that in the event-viewer. The solution is this case was to configure site Y with auto BHs which was not an option because of the scalability issue with W2K AD. 
the only solution left was to add at least one DC from domain A and B to the static BH list from site Y Cheers, #JORGE# From: [EMAIL PROTECTED] on behalf of Rick Kingslan Sent: Mon 8/8/2005 9:13 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads Not that it's necessarily BAD, but the one problem is that if the system that the ISTG is on fails, then the ISTG is down for that site until the 'role' is moved to another suitable machine. Rick From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 2:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. 
RE: [ActiveDir] Preferred Bridgeheads
We thought it would "help" with replication speed. I guess it was more of a WAG.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?

-- Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks
RE: [ActiveDir] Preferred Bridgeheads
Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved? I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions.

-- Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 6:08 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Preferred Bridgeheads

We thought it would "help" with replication speed. I guess it was more of a WAG.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Monday, August 08, 2005 2:13 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Preferred Bridgeheads

If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?

-- Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, August 08, 2005 3:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Preferred Bridgeheads

We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks
RE: [ActiveDir] AD migration
What do you mean with "In fact, they are cut off from the root domain physically."? Do you mean as in there is not replication between the two domains? If yes... dare I ask for how long? As I know of you can migrate the child domain without the root being available because you will be having a trust between the new domain and the child domain. I still don't understand what you mean... They are cut off from the root and the DNS is available in the root. I must be missing something. Can you explain a bit more?

Jorge

From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Mon 8/8/2005 11:08 PM
To: activedirectory
Subject: [ActiveDir] AD migration

I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, exchange, computers, etc. to the new forest and be done with the old. They are going to use Quest sw and a consultant from Quest for this. My question is: can this be done without any connectivity to the root? Both dns zones are in the root so they really don't have any dns locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am. Their AD is more messed up than I thought :) )
RE: [ActiveDir] DC replicating with deleted DSA object
Oops sorry.. ...as stated Rick - I made a mistake between Rick Kingslan and Neil Ruston ;) Sorry Neil :-) Cheers, Yann From: [EMAIL PROTECTED] on behalf of TIROA YANN Date: Mon 08/08/2005 17:59 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC replicating with deleted DSA object Hi, Ah.. so for my comprehension, these Deleted Objects do not follow the Tombstone process for deleted objects such as users, computers.. (60 days if I remember...) as stated Rick. Does the Stay of Execution state=15days ONLY apply to DCs state (demoted, renamed with same name, etc..?) or any other objects? Yann From: [EMAIL PROTECTED] on behalf of Steve Linehan Date: Mon 08/08/2005 17:16 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] DC replicating with deleted DSA object Those connections are in a Stay of Execution state. With SP1 we changed so that we would not attempt to replicate with them but prior to that we will. If your forest has a normal config these will be removed after 15 days. They cause no harm and you can remove them with the /delete option or wait until the stay of execution period, normally 15 days. Thanks, -Steve From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Monday, August 08, 2005 9:50 AM To: 'ActiveDir@mail.activedir.org' Subject: [ActiveDir] DC replicating with deleted DSA object We have recently re-built and upgraded several DCs from w2k to w2k3. The upgrade is achieved as follows: 1. demote w2k DC 2. build and promote w2k3 DC Sometimes the h/w in 1 and 2 are different but sometimes the same h/w is used. Furthermore, sometimes the same name is used in 1 and 2 but not always.
If I now execute repadmin /showreps on an existing (bridgehead) w2k DC, I see the following issue:
snip
y\ DEL:620c0fd7-f4f4-46ce-90ef-099659abcef6 (deleted DSA) via RPC
    objectGuid: a6cb3618-9a77-43a6-9ac3-d753b9b112eb
z\ (deleted DSA) via RPC
    objectGuid: ce82cc75-1c27-416f-808d-3ac461a17a63
y\ DEL:a41088e1-0d66-43e8-8b83-a8986f7f6b2a (deleted DSA) via RPC
    objectGuid: 72c4c974-7dc3-43ae-85aa-b427755983fb
snip
Where:
xx is a DC which was built temporarily and then demoted several days ago
aa is a DC which was re-built (as per above) with the same name
bb is a DC which was re-built (as per above) with the same name (in the same site as xx)
I have been considering using repadmin /delete to remove these incorrect replication connections and wondered if anyone had used such a method before or could offer any alternatives? Thanks, neil == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ==
RE: [ActiveDir] AD migration
I am sure Quest's consultants know what they are doing. Didn't you have them put a quote and migration plan together prior to the actual migration? Or are you asking these questions because you are second guessing them? Or is this just for your own knowledge? My understanding is that both domain names have to be different when using ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a tool that overcomes this that I am not aware of. Are you trying to keep the same domain name as the source? Microsoft also has a free tool that will allow you to rename the target 2003 AD domain after you have completed your migration and decommissioned old DC's. Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, August 08, 2005 2:46 PM To: ActiveDir@mail.activedir.org; activedirectory Subject: RE: [ActiveDir] AD migration What do you mean with "In fact, they are cut off from the root domain physically."? Do you mean as in there is not replication between the two domains? If yes... dare I ask for how long? As far as I know you can migrate the child domain without the root being available because you will be having a trust between the new domain and the child domain. I still don't understand what you mean... They are cut off from the root and the DNS is available in the root. I must be missing something. Can you explain a bit more? Jorge From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 8/8/2005 11:08 PM To: activedirectory Subject: [ActiveDir] AD migration I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, exchange, computers, etc. to the new forest and be done with the old.
They are going to use Quest sw and a consultant from Quest for this. My question is- can this be done without any connectivity to the root? Both dns zones are in the root so they really don't have any dns locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am. Their AD is more messed up than I thought :) )
Re: [ActiveDir] AD migration
I just started today so what I got was- they have connectivity to the child dns server but they cut off connectivity to anything in the root domain. The firewall is blocking all root traffic. This has been like this for a week. Nothing is replicating to the root and there is no access to the _msdc forest zone. The forest is win2k native with an empty root and 1 child domain in a separate tree. They have DA access in the child domain but no DA/EA access in the root. All the exchange servers (about 10) are in the child domain. The only recipient policy in the root is the default one and the enterprise RUS. They want to migrate the child domain and all the resources to a new forest where we have full control of everything. I assume we do not need connectivity to the _msdc forest dns zone to create a trust with the old child domain to migrate everything over (or anything in the root dns zone). I'm not 2nd guessing the Quest guys, this is only for my own education. Thanks a lot On 8/8/05, Medeiros, Jose [EMAIL PROTECTED] wrote: I am sure Quest's consultants know what they are doing. Didn't you have them put a quote and migration plan together prior to the actual migration? Or are you asking these questions because you are second guessing them? Or is this just for your own knowledge? My understanding is that both domain names have to be different when using ADMT to migrate from a Source Domain to a Target Domain, unless Quest has a tool that overcomes this that I am not aware of. Are you trying to keep the same domain name as the source? Microsoft also has a free tool that will allow you to rename the target 2003 AD domain after you have completed your migration and decommissioned old DC's.
Jose -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Almeida Pinto, Jorge de Sent: Monday, August 08, 2005 2:46 PM To: ActiveDir@mail.activedir.org; activedirectory Subject: RE: [ActiveDir] AD migration What do you mean with "In fact, they are cut off from the root domain physically."? Do you mean as in there is not replication between the two domains? If yes... dare I ask for how long? As far as I know you can migrate the child domain without the root being available because you will be having a trust between the new domain and the child domain. I still don't understand what you mean... They are cut off from the root and the DNS is available in the root. I must be missing something. Can you explain a bit more? Jorge From: [EMAIL PROTECTED] on behalf of Tom Kern Sent: Mon 8/8/2005 11:08 PM To: activedirectory Subject: [ActiveDir] AD migration I just started working for a company. They used to outsource their AD/Exchange but now they're trying to get it back. It's a 2 tree, 2 domain forest. The root domain is empty. This company only has DA access on the child domain. No EA access. In fact, they are cut off from the root domain physically. What they want to do is create a new forest and migrate all users, exchange, computers, etc. to the new forest and be done with the old. They are going to use Quest sw and a consultant from Quest for this. My question is- can this be done without any connectivity to the root? Both dns zones are in the root so they really don't have any dns locally as well (needless to say, you can imagine what the rep logs look like). I'm sure this complicates matters. However, the Quest people seem to think this can still work. Can it? Also, can the new forest have the same domain names as the old one? Thanks (I'm the guy who posted about his new job jitters about a week or 2 ago, and here I am.
Their AD is more messed up than I thought :) )
RE: [ActiveDir] Preferred Bridgeheads
In the same spirit - but on the other side of the coin :) - I wouldn't mind hearing a brief elaboration on your earlier statement: "I've found only a few scenarios in which they proved valuable" Perhaps one reason might be when one of the servers in a site is underpowered/waiting to be upgraded, etc..? -DaveC Reuters IST Service Delivery From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 6:14 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Preferred Bridgeheads Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved? I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions. -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 6:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads We thought it would "help" with replication speed. I guess it was more of a WAG. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 2:13 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Preferred Bridgeheads If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them?
-- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 3:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ - Visit our Internet site at http://www.reuters.com To find out more about Reuters Products and Services visit http://www.reuters.com/productinfo Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.
RE: [ActiveDir] Preferred Bridgeheads
So Russ doesn't feel so bad, I've been to many customers that decided to specify preferred BH's. When I ask why I normally get any of the following responses. 1) They want a predictable DC to go to when they need to force replication between sites. This is relatively easy to wean them off of. 2) Like Russ, they thought it would either speed up replication or fix it. When I try to dig into what was broken that doing this might have fixed they have no clue. 3) Why not, it's in the GUI. I can normally shame them into undoing it. 4) Um, what's a preferred BH? These are mindless sheep that are easily controlled and will do whatever I tell them, so it's an easy fix. To be fair, there was 1 customer that actually had firewalls between Sites and were trying to limit communication through specific DC's. They hadn't specified enough preferred BH's to account for each partition but you can't have everything. --- Dean Wells [EMAIL PROTECTED] wrote: Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved? I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions. -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 6:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads We thought it would help with replication speed. I guess it was more of a WAG. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 2:13 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Preferred Bridgeheads If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ...
if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 3:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks
RE: [ActiveDir] Preferred Bridgeheads
Inadequate hardware is one, although that's typically less and less of an issue since most server class hardware nowadays is more than robust enough. Firewalls or router ACL's between sites and only designated DC's can intercommunicate with each other is another reason. Branch environments where many remote sites hub back to a central site. Specific BH's may be designated (although they're often put into their own sites anyway) as much for DR reasons as normal replication traffic. The act of connection objects moving around can cause vvjoin's which are relatively CPU intensive. Besides designating them, most customers only configure 1 per site, not realizing they're creating a single point of failure. They also will configure a DC to be a preferred BH when it's the only one in its site. Since it would have been the BH regardless, it's redundant and just adds administrative overhead. They also fail to designate enough BH's to support each partition. --- David Cliffe [EMAIL PROTECTED] wrote: In the same spirit - but on the other side of the coin :) - I wouldn't mind hearing a brief elaboration on your earlier statement: I've found only a few scenarios in which they proved valuable Perhaps one reason might be when one of the servers in a site is underpowered/waiting to be upgraded, etc..? -DaveC Reuters IST Service Delivery From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 6:14 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Preferred Bridgeheads Without wishing to labor the point Russ, what aspect of replication 'speed' was thought to be improved? I ask as I often lecture on AD (and related technologies) and am interested to understand some of the misconceptions. 
-- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 6:08 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Preferred Bridgeheads We thought it would help with replication speed. I guess it was more of a WAG. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells Sent: Monday, August 08, 2005 2:13 PM To: Send - AD mailing list Subject: RE: [ActiveDir] Preferred Bridgeheads If you constrain the list of bridgeheads you may be incapable of replicating an app. NC in and out of a site since in order to replicate a particular partition, the bridgehead in question must hold a copy of it ... if the preferred list contains only 2K DCs, that can't happen .. for the most part ... a 2K3 ISTG will override your choices and allocate a suitable bridgehead for you, it will however whine and whine and whine and ... you get the idea. I've found only a few scenarios in which they proved valuable ... may I ask why you're using them? -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Monday, August 08, 2005 3:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Preferred Bridgeheads We're almost all Win2k3 Domain Controllers, have a few left to upgrade. Question is, we have at least one DC at each site configured as a preferred bridgehead for IP. Is this not a good idea? Is it best to not prefer any bridgeheads and let AD do its job? I'm seeing a lot of event ID 1567's about it as well. Thanks
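The three configuration mistakes listed in the message above (one preferred bridgehead per site, designating the only DC in a site, too few bridgeheads to cover each partition), together with the point made earlier in the thread that a bridgehead must hold a copy of the partition it replicates, can be checked mechanically. The following Python audit is an added example, not part of the original thread; the DC, site and partition names are constructed, and the inventory is assumed to come from your own export of site membership and preferred-bridgehead settings.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DC:
    name: str
    site: str
    partitions: frozenset        # naming contexts this DC holds a replica of
    preferred_bh: bool = False   # designated as preferred bridgehead for IP


def audit_preferred_bridgeheads(dcs):
    """Return (site, finding, detail) tuples for sites that use preferred BHs."""
    by_site = defaultdict(list)
    for dc in dcs:
        by_site[dc.site].append(dc)

    findings = []
    for site in sorted(by_site):
        members = by_site[site]
        preferred = [d for d in members if d.preferred_bh]
        if not preferred:
            continue  # nothing constrained: bridgehead selection is automatic

        # Every partition hosted in the site needs a preferred BH that holds it.
        hosted = set().union(*(d.partitions for d in members))
        covered = set().union(*(d.partitions for d in preferred))
        for nc in sorted(hosted - covered):
            findings.append((site, "UNCOVERED_PARTITION", nc))

        if len(members) == 1:
            # The only DC in a site would have been the bridgehead anyway.
            findings.append((site, "REDUNDANT", preferred[0].name))
        elif len(preferred) == 1:
            findings.append((site, "SINGLE_POINT_OF_FAILURE", preferred[0].name))
    return findings


# Constructed inventory (all names are made up for this example).
DOMAIN = "DC=corp,DC=example,DC=com"
CONFIG = "CN=Configuration,DC=example,DC=com"
SCHEMA = "CN=Schema,CN=Configuration,DC=example,DC=com"
APP_NC = "DC=DomainDnsZones,DC=corp,DC=example,DC=com"
BASE = frozenset({DOMAIN, CONFIG, SCHEMA})

SAMPLE_DCS = [
    DC("HQ-DC1", "HQ", BASE, preferred_bh=True),   # 2K DC, holds no app NC
    DC("HQ-DC2", "HQ", BASE | {APP_NC}),           # 2K3 DC, not preferred
    DC("BR-DC1", "BRANCH", BASE, preferred_bh=True),
    DC("DR-DC1", "DR", BASE | {APP_NC}, preferred_bh=True),
    DC("DR-DC2", "DR", BASE | {APP_NC}, preferred_bh=True),
    DC("LAB-DC1", "LAB", BASE),
    DC("LAB-DC2", "LAB", BASE | {APP_NC}),
]

if __name__ == "__main__":
    for site, finding, detail in audit_preferred_bridgeheads(SAMPLE_DCS):
        print(f"{site:8} {finding:24} {detail}")
```
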
RE: [ActiveDir] OT: Change ownership
This is exactly what I was looking for. THANKS Too bad I messed with it for an hour only to find out that the version in the resource kit doesn't work. I actually had to download it separately to get the proper version (even though I was using the 2003 resource kit that I downloaded today). From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ASB Sent: Monday, August 08, 2005 3:46 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] OT: Change ownership Try using SUBINACL.. http://www.ultratech-llc.com/KB/?File=Perms.TXT -ASB FAST, CHEAP, SECURE: Pick Any TWO http://www.ultratech-llc.com/KB/ On 8/8/05, Douglas M. Long [EMAIL PROTECTED] wrote: Is there an easy way to change ownership on all files and folders in a directory owned by userA? I think I am having a stupid attack