RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

2005-08-14 Thread Tony Murray
In addition to the great advice from Hunter, you might want to check your
virus definitions are up to date and that your Exchange-aware AV software is
working properly. 

Exchange 2003 loop detection is pretty good in most cases, but it won't pick
up everything.  For example, badly configured Inbox rules can cause
problems: my rule forwards emails to your mailbox and your rule forwards
mail back to my mailbox.

As Hunter suggests, a good way to counter problems like this is to configure
mailbox limits for all mailboxes.  

Also configure your monitoring software to detect rapid store and
transaction log growth.  With any luck you can catch the problem while it's
in progress, which will make troubleshooting easier.

Tony

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Saturday, 13 August 2005 7:01 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

To reduce the size of the store you'll need to do an offline defrag.

Did you have mailbox limits configured?

As for finding the cause, in ESM go down to one of the bloated stores and
sort the list of mailboxes based on size. Pick a couple of the largest ones
and go into the Message Tracking Center, then look for messages delivered to
those mailboxes during the time that the stores grew. This will give you a
place to start looking, and message loops are a likely candidate. If none of
the mailboxes show up as being excessively large, you'll need to start
poking around the message tracking logs directly.

You could also set up LogParser to analyze the message tracking logs.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Friday, August 12, 2005 12:29 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT:Exchange 2003 SP1 bloat

But that would only affect the transaction logs, right? Not the Exchange
databases?

An offline defrag is needed to reduce the size of the store?




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 12, 2005 2:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT:Exchange 2003 SP1 bloat

If it is just one mailbox store, you can bet it is a specific user that is
causing the problem (not that it is the users' fault or intention).
Some message for that person being wedged, or something ...

Any Mac users with Entourage?  There was an issue there once upon a time.
http://blogs.msdn.com/jeremyk/archive/2004/11/11/255705.aspx
http://www.e2ksecurity.com/archives/001308.html
Ah, here's the official one, I think:
http://support.microsoft.com/?kbid=889525

Cheers,
-BrettSh

On Fri, 12 Aug 2005, Douglas M. Long wrote:

 I hate to throw another exchange question to this list, but this list is
 the only one that I seem to get good answers from.
 
 Does anyone know of a way to tell what is causing bloat in a storage
 group?
 
 Over the weekend we had some problems with transaction logs filling up
 rapidly, which was remedied by a reboot. I suspect it was corrupt
 messages in the queues since there were messages with blank senders that
 I could not delete, and also suspect that is what is causing the bloat.
 
 Bloat = 88GB storage group increase in two days, with one particular 
 mailbox store growing to 92GB (only 373 users with mailbox limit of 
 100MB in the mailbox store)
 
 Is an offline defrag the only solution to this?
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
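
The two checks suggested in this thread (rank mailboxes by what was delivered during the growth window, then look for two mailboxes whose rules forward to each other), as an added Python example that is not part of the original messages. The tab-separated layout (timestamp, sender, recipient, bytes, subject), the addresses and the sample rows are constructed for illustration; real Exchange 2003 message tracking logs carry more fields and would first need mapping to this shape.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: timestamp, sender, recipient, bytes, subject.
# This simplified layout is an assumption, not the real tracking-log schema.
SAMPLE_ROWS = [
    ("2005-08-05 09:15:00", "carol@example.org", "dave@example.org", 15000, "lunch"),
    ("2005-08-05 13:40:00", "dave@example.org", "carol@example.org", 9000, "RE: lunch"),
    ("2005-08-06 21:00:00", "erin@example.org", "alice@example.org", 40000, "notes"),
    ("2005-08-06 22:00:01", "alice@example.org", "bob@example.org", 2048000, "FW: report"),
    ("2005-08-06 22:00:03", "bob@example.org", "alice@example.org", 2048100, "FW: FW: report"),
    ("2005-08-06 22:00:05", "alice@example.org", "bob@example.org", 2048200, "FW: FW: FW: report"),
    ("2005-08-06 22:00:07", "bob@example.org", "alice@example.org", 2048300, "FW: FW: FW: FW: report"),
    ("2005-08-06 22:00:09", "alice@example.org", "bob@example.org", 2048400, "FW: ..."),
    ("2005-08-06 22:00:11", "bob@example.org", "alice@example.org", 2048500, "FW: ..."),
]
SAMPLE_LOG = "\n".join("\t".join(str(f) for f in row) for row in SAMPLE_ROWS)


def parse_records(text):
    """Parse the simplified tab-separated export into a list of dicts."""
    records = []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if not row:
            continue
        ts, sender, recipient, size, subject = row
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "sender": sender.lower(),
            "recipient": recipient.lower(),
            "bytes": int(size),
            "subject": subject,
        })
    return records


def bytes_by_recipient(records, start, end):
    """Total delivered bytes per recipient inside [start, end), largest first."""
    totals = Counter()
    for r in records:
        if start <= r["time"] < end:
            totals[r["recipient"]] += r["bytes"]
    return totals.most_common()


def find_forward_loops(records, max_gap=timedelta(seconds=30), min_bounces=4):
    """Flag mailbox pairs that keep answering each other within max_gap.

    A "bounce" is a message that travels in the opposite direction to the
    previous message between the same two mailboxes and follows it quickly,
    which is what two mutually forwarding Inbox rules produce.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["sender"] != r["recipient"]:
            by_pair[frozenset((r["sender"], r["recipient"]))].append(r)

    loops = []
    for pair, events in by_pair.items():
        events.sort(key=lambda r: r["time"])
        bounces = 0
        loop_bytes = 0
        for prev, cur in zip(events, events[1:]):
            reversed_direction = cur["sender"] == prev["recipient"]
            if reversed_direction and cur["time"] - prev["time"] <= max_gap:
                bounces += 1
                loop_bytes += cur["bytes"]
        if bounces >= min_bounces:
            loops.append({
                "mailboxes": sorted(pair),
                "bounces": bounces,
                "bytes": loop_bytes,
            })
    return sorted(loops, key=lambda item: item["bytes"], reverse=True)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    window = (datetime(2005, 8, 6), datetime(2005, 8, 8))
    for mailbox, total in bytes_by_recipient(recs, *window):
        print(f"{mailbox:25} {total:>12} bytes delivered")
    for loop in find_forward_loops(recs):
        print("possible loop:", loop)
```

The ordinary reply between carol and dave is not flagged because it arrives hours after the first message; only the rapid back-and-forth counts as a loop.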
 



Re: [ActiveDir] trust question

2005-08-14 Thread Mylo

Dean,

You mention the VM sandpit and that lit a bulb... was doing testing with 
Forest trusts some days ago and had to do an outgoing trust between 2k3 
and 2k3 forest using stub zones ... no NetBIOS in sight... nowhere.. 
none..none..none It's amazing how ingrained these misconceptions 
become. I'll have harsh words with my memory retention department :-)


Thanks for the info.
Mylo

Dean Wells wrote:


My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 

As I said, it is indeed a common misunderstanding ... the fact that 
there's a related article published only lends weight to that point.  
It takes very little effort to test and it continues to surprise me 
when I hear of articles such as the one you've referenced (not that I 
read it since I have more than enough accurate material to plough 
through ;o)


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 12:19 PM
To: ActiveDir@mail.activedir.org
Cc: Send - AD mailing list
Subject: Re: [ActiveDir] trust question

Dean,

Oh...I was under the impression that external trusts still used legacy 
name resolution.. Here's a common misunderstood article about it ;-) 
http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html


Cheers
Mylo

Dean Wells wrote:

   

I'm really not certain where this very common misunderstanding comes 
from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
matter) requires NetBIOS in order to establish a trust.  The locator 
mechanisms employed to establish the trust are dependant exclusively 
upon the ability to resolve the trust partner, a role which DNS is 
more than able to fulfill.

This is true to say of external, cross-forest and realm trusts (as 
far as I can recollect however, NT does impose a NetBIOS dependency).


One of the most common reasons for trust creation failure is the 
scenario where each domain uses an isolated DNS name resolution 
hierarchy, enabling NetBIOS often appears to resolve this (no pun
intended) since broadcast, WINS or LMHOSTS mechanisms are triggered 
and are typically more tolerant in these instances.


--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, August 13, 2005 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

Tom,

Had to do this a few months back in a 3-way love triangle between 
NT4, 2K and 2K3 :-) ... even between 2k and 2k3 I don't believe that 
NetBIOS has been deprecated... so, yes you still need NetBIOS 
for the trust 

RE: [ActiveDir] trust question

2005-08-14 Thread Dean Wells
Inline ...

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: Tom Kern
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i guess my question is, how/where does the netlogon service get it from? DNS
srv records?

** A client could not ask DNS such a question without prior knowledge of its
domain suffix.

To me, netlogon just refers to a secure encrypted channel between 2 hosts.
To send a hashed password  or register dns records of a DC. Or create a
trust between a domain member and a dc or two domains.

** NETLOGON is many things; typically it is a share and a service.  The
service performs many functions (many of which you've mentioned), the
creation of authenticated, secure channels is one of them.  Try stopping it
and see what happens.

how does the netlogon service get a list of every domain in the forest when
you join a domain with a client?

** The client simply asks the DC representing the domain it is joining.

In NT and 2003. 
The source must be different depending on the OS-NT or 2000/2003.

** Windows NT and Active Directory are radically different technologies, the
source of that information is likely very different but since I don't
recollect the mechanisms used by Windows NT, I can't comment with any
certainty.

also, flat names or samAccount names when it comes to Domains, to me, always
has been a synonym for Netbios.

** Correct, since NetBIOS is being phased out but the concept of a
short-name isn't, the newer name applies.

i understand that a single HOST name can be part of a bigger dns name space
and windows will try  and append the suffixes, but a windows domain name
with no suffix, can only be a netbios name to me.

** That's not correct, it would be a single labeled (not recommended) DNS
name whose NetBIOS name may or may not be the same.  The number of labels in
a name do not tell Windows whether it is a DNS name or a NetBIOS name, we
define that during the install.  Windows maintains fewer and fewer NetBIOS
dependencies through each successive version but the short/flat name is not
going away in the foreseeable future.

otherwise that would be like yahoo being the same as the Yahoo.com
domain. it would be useless.

** I don't understand your point.

Or it could just be me. i'm not the brightest bulb.
I came from Novell background (please don't hold it against me)

** I don't, my background is deeply rooted in Novell.

 and i still can't get over it when i see in AD something like
cn=schema,cn=configuration,dc=domain,dc=root.
i always think, how can a leaf object be inside another leaf object and if
its not a leaf why would you use cn prefix and not ou.

** cn doesn't necessarily indicate a leaf object, it expresses common
name.  Novell's implementation was exactly that, their implementation,
Microsoft's is different.  The attribute prefix is controlled by the 'RDN
attribute identifier' and can be any property enforced upon an object
(standards dictate that it can even be multi-valued ... not supported here
BTW). I could (and have), for example, forced an OU to use CN instead ... my
point is, the attribute prefix is configurable and does not indicate whether
the object in question can or cannot contain anything, that is something
typically inferred by those coming from an NDS background.

maybe i'm thinking DNS domains when i should be thinking windows domains or
vice versa.
Or maybe a Domain has become so overused, i don't know what it is

** I couldn't agree more; the term domain is ambiguous without specific
context.

anymore- a windows area of management, a dns name space,a naming context to
be replicated,a MS form of Kerberos Realm?

I'm just confused.
Sorry Dean, ignore me. To be honest, I don't know enough about anything
network related to be arguing with you or the likes of anyone on this list.

** I wasn't aware we were arguing, I thought I was assisting with your
questions/misconceptions,

Heck, i'm an English Lit major. i haven't even taken Comp Sci so i guess i'm
just too dense to see the difference between netbios the protocol, netbios
the name,and flat names and dns names.

My apologies.
Please don't hold it against this dim bulb who is clearly out of his depth
here.




Re: RE: [ActiveDir] trust question

2005-08-14 Thread rkingsla
I suspect that it comes from all of the external trusts that people have 
established with existing NT4 environments and not changing their tactics 
because the LMHosts and NetBIOS things work with NT4.  First shot on Win2k to 
Win2k3 - fire up LMHosts and get it working.

Yes - DNS will work, but as I said in my post earlier this week, sometimes the 
familiar and simpler methods make sense when you have 5 million other problems that 
are quite large.

However, DNS or WINS (there, joe...  happy?  :) is the preferred method, 
without question as it provides a much more 'universal' mechanism for name 
resolution between the two entities once in place.

Rick

 
 From: Dean Wells [EMAIL PROTECTED]
 Date: 2005/08/13 Sat AM 11:32:26 EDT
 To: Send - AD mailing list [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] trust question
 
 I'm really not certain where this very common misunderstanding comes from,
 neither Windows 2000 nor Windows 2003 (nor Longhorn for that matter)
 requires NetBIOS in order to establish a trust.  The locator mechanisms
 employed to establish the trust are dependant exclusively upon the ability
 to resolve the trust partner, a role which DNS is more than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as far as I
 can recollect however, NT does impose a NetBIOS dependency).  
 
 One of the most common reasons for trust creation failure is the scenario
 where each domain uses an isolated DNS name resolution hierarchy, enabling
 NetBIOS often appears to resolve this (no pun intended) since broadcast,
 WINS or LMHOSTS mechanisms are triggered and are typically more tolerant in
 these instances.
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 9:46 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] trust question
 
 Tom,
 
 Had to do this a few months back in a 3-way love triangle between NT4, 2K
 and 2K3 :-) ... even between 2k and 2k3 I don't believe that NetBIOS has
 been deprecated... so, yes you still need NetBIOS for the trust
 creation process try creating the trust with NetBIOS (e.g. 
 LMHOSTS with 1xB and 1xC entries) enabled and then disable it and validate
 the trust afterwards... It could be for the trust creation only that it
 needs to be turned on..
 Cheers
 Mylo
 
 Tom Kern wrote:
 
 I can't find a clear answer-
 when you form a trust between the root of a win2k3 forest and a child 
 domain of a win2k forest, is netbios used at all?
 is this trust all done through dns?
 
 this is NOT a forest trust but an external trust.
 
 we are about to migrate to a new forest. the old forest has netbios/tcp 
 turned off and so will the new forest.
 
 when an external trust is formed between a win2k3 and win2k domain, is 
 wins/netbios needed?
 
 thanks


RE: [ActiveDir] trust question

2005-08-14 Thread Eric Fleischman
Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon
itself strictly speaking. When one presses the SAS in session 0 (this
_only_ applies to session 0, no other session, as of win2k3 RTM anyway)
we populate this list. That said, it does boil down to a query of
netlogon of course (I don't recall if it asks the local netlogon who has
already obtained the info from the upstream DCs netlogon or directly
asks the DCs netlogon, it's been too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once
had to debug this domain list population code and of course had to dip
my toe in there, so you just heard about a third of what I learned in
that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.  
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy
 name resolution.. Here's a common misunderstood article about it ;-) 
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes 
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator 
 mechanisms employed to establish the trust are dependant exclusively 
 upon the ability to resolve the trust partner, a role which DNS is 
 more than able to fulfill.
 This is true to say of external, cross-forest and realm trusts (as 
 far as I can recollect however, NT does impose a NetBIOS dependency).
 
 One of the most common reasons for trust creation failure is the 
 scenario where each domain uses an isolated DNS name resolution 
 hierarchy, enabling NetBIOS often appears to resolve this (no pun
 intended) since broadcast, WINS or LMHOSTS mechanisms are triggered 
 and 

RE: [ActiveDir] trust question

2005-08-14 Thread Dean Wells
Hmmm, I understand the distinction you're making Eric but don't recollect it
being the case, I'll take a look at the source again and see if I can't
solidify this.  Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself
strictly speaking. When one presses the SAS in session 0 (this _only_
applies to session 0, no other session, as of win2k3 RTM anyway) we populate
this list. That said, it does boil down to a query of netlogon of course (I
don't recall if it asks the local netlogon who has already obtained the info
from the upstream DCs netlogon or directly asks the DCs netlogon, it's been
too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once had
to debug this domain list population code and of course had to dip my toe in
there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios(is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the impression that external trusts still used legacy
 name resolution.. Here's a common misunderstood article about it ;-) 
 http://www.windowsdevcenter.com/pub/a/windows/2004/05/11/netbios.html
 
 Cheers
 Mylo
 
 Dean Wells wrote:
 
 I'm really not certain where this very common misunderstanding comes 
 from, neither Windows 2000 nor Windows 2003 (nor Longhorn for that
 matter) requires NetBIOS in order to establish a trust.  The locator 
 mechanisms employed to establish the trust are dependant exclusively 
 upon 

[ActiveDir]

2005-08-14 Thread Patrick Paul

How do you set up folder redirection? How does it work?

1. create shared folder
2. start, programs, administrative tools, AD Users & Computers
3. OU right click, properties, Group policy
4. new, any name, click name, edit, user config, windows settings
5. folder redirection, my docs

Where do you go from here?

Thanks all

RE: [ActiveDir] Task scheduler

2005-08-14 Thread freddy_hartono
Stupid question, Task Scheduler service is started? Else net start Task 
Scheduler

Schtasks to create via cmd line..

But I'm sure you are already aware of that.

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. 
Team EITC
Sent: Sunday, August 14, 2005 3:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Task scheduler

The log shows up and the entries for when the service started and
exited.  Nothing else is in the log. 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Friday, August 12, 2005 9:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Task scheduler

In the Scheduled Tasks UI - goto Advanced and view log what shows up?

steve
- Original Message -
From: Cothern Jeff D. Team EITC [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Friday, August 12, 2005 3:30 PM
Subject: RE: [ActiveDir] Task scheduler


Nothing is showing up in the eventlog at all.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of ASB
Sent: Friday, August 12, 2005 6:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Task scheduler

What of the EventLog?  

Have you tried to create it from the CLI?

http://www.ultratech-llc.com/KB/?File=TaskSched.TXT



-ASB
 FAST, CHEAP, SECURE: Pick Any TWO
 http://www.ultratech-llc.com/KB/


On 8/12/05, Cothern Jeff D. Team EITC [EMAIL PROTECTED] wrote:
 Windows 2000 stand alone machines. 
  
 Task scheduler service is running.  But when I try to create a new
 task nothing comes up.  I looked in the local policy and I don't see
 any settings for the task scheduler.
  
 Anyone have any idea what could be causing this.
  
 Jeff



RE: [ActiveDir] A bad bad thing...Manual push of AD?

2005-08-14 Thread freddy_hartono
Okay just a quick scenario.. If the deletion has been replicated (I'm fat, 
running to the nearest DC would be a pain :)

Would adrestore.exe do the job of restoring all these objects? 

Although as far as I know when object is deleted and still within tombstoned 
period, lots of attributes are not stored and cannot be retrieved back - but.. 
will it work?

Thank you and have a splendid day!
 
Kind Regards,
 
Freddy Hartono
Windows Administrator (ADSM/NT Security)
Spherion Technology Group, Singapore
For Agilent Technologies
E-mail: [EMAIL PROTECTED]
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
Sent: Friday, August 12, 2005 7:41 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?

Please don't forget to insert these steps:
  2.5 reboot the DC back to normal mode
  2.7 give a chance for the auth restore to replicate out (not
  necessary, just a good idea)

I'm so glad Guido wrote up the below, I had something 1/2 written up, but
I couldn't remember any of the details ... 

Cheers,
Brett

On Fri, 12 Aug 2005, Grillenmeier, Guido wrote:

 hopefully you have another Win2003 DC with SP1 => a non-SP1 2003 DC
 would require you to perform more manual steps during the restore.  As
 you're still in mixed mode, none of your links are LVR (which means they
 won't be revived on a non-SP1 DC and of course not on a Win2000 DC)
 
 1. so boot another SP1 DC into DS Restore mode
 2. use ntdsutil.exe to auth restore that user's object
 => with SP1, this step will create an LDIF file that will allow you to
 restore the groups etc.
 it will be called
 ar_date-time_links_fully.qualified.domain.name.ldf 
 (e.g. ar_20050725-145850_links_child1.root.net.ldf) and contain
 something similar to this:
 
 dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
 changetype: modify
 delete: member
 member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
 -
 
 dn: CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net
 changetype: modify
 add: member
 member: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
 -
 
 dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
 changetype: modify
 delete: manager
 manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
 -
 
 dn: CN=Child1-User2,OU=Accounts,OU=MyChild1OU1,DC=child1,DC=root,DC=net
 changetype: modify
 add: manager
 manager: CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net
 -
 
 If you have multiple domains, you may get more than one file (depends on
 group-memberships of user and if you are doing the auth restore on a DC
 or GC - you should choose a GC if you have more than one domain).  All
 you need to do after reboot is take that file and execute an LDIF import
 command (on a DC that corresponds to the file's domain):
 
 Ldifde -i -k -f ar_date-time_links_fully.qualified.domain.name.ldf
 e.g. Ldifde -i -k -f ar_20050725-145850_links_child1.root.net.ldf
 
 /Guido
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Shadow Roldan
 Sent: Freitag, 12. August 2005 01:35
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
 
 OK This is what I was looking for, this site didn't actually have a
 chance to repl out the delete so I just push back the 'good' state?
 
 So, if I understand I am supposed to:
 
 1. reboot a good DC into DS Restore mode
 2. use ntdsutil.exe to auth restore that user's object.
 3. use ldifde to restore the links (not sure about this step...any more
 info?)
 
 Bring my mistake DC back online, it tries to replicate, hits the Auth
 Restore, and the delete gets tossed, my mistake is rectified, and no one
 is the wiser...
 
 Yes?
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
 Sent: Thursday, August 11, 2005 2:56 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
 
 I agree completely - that is the attraction of the lag sites - I have
 something in which I can push a change back out from a time delayed
 replica to where the object still exists.
 
 And I agree as well - if there is a DC that has the object required - by
 all means, repl it back out authoritatively.
 
 Rick
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 11, 2005 3:31 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] A bad bad thing...Manual push of AD?
 
 Hmmm, maybe I misunderstood ...
 
 I understood he has a user deleted on some DCs, but not on others.  He
 doesn't want the user deleted.  He can then just take a DC with the
 user, auth restore the user, let that replicate out.  Yes, the delete
 change will try to replicate out, but when it hits the auth restore the
 delete 
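
Added example, not part of the original thread: a Python check that parses a link-restore file of the shape Guido quotes and confirms that every change is a delete-then-add pair on the same link before the file is handed to ldifde. The function names and the constructed sample (built from the thread's DNs) are assumptions, and it assumes one change per record, as in the quoted file.

```python
from collections import defaultdict

# Constructed sample in the shape of the ar_*_links_*.ldf file quoted above;
# the value is wrapped onto a continuation line (leading space), as LDIF allows.
GROUP = "CN=Child1-UG1,OU=Groups,OU=MyChild1OU1,DC=child1,DC=root,DC=net"
USER = "CN=Root-User1,OU=Accounts,OU=MyRootOU1,OU=Externals,DC=root,DC=net"
SAMPLE_LDF = (f"dn: {GROUP}\nchangetype: modify\ndelete: member\nmember:\n {USER}\n-\n\n"
              f"dn: {GROUP}\nchangetype: modify\nadd: member\nmember:\n {USER}\n-\n")
FIELDS = ("dn", "changetype", "op", "attr", "value")

def parse_link_ldif(text):
    """Return one (dn, changetype, op, attr, value) tuple per LDIF record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # unfold a continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw.rstrip())
    changes, rec = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line:                           # a blank line ends a record
            if rec:
                changes.append(tuple(rec.get(k) for k in FIELDS))
            rec = {}
        elif line != "-":                      # "-" only terminates the change
            key, _, val = line.partition(":")
            key, val = key.strip().lower(), val.strip()
            if key in ("dn", "changetype"):
                rec[key] = val
            elif key in ("add", "delete", "replace"):
                rec["op"], rec["attr"] = key, val.lower()
            elif key == rec.get("attr"):
                rec["value"] = val
    return changes

def review(changes):
    """Return a list of problems; empty means only delete-then-add link pairs."""
    problems, ops = [], defaultdict(list)
    for dn, ctype, op, attr, value in changes:
        if ctype != "modify" or op not in ("add", "delete") or not value:
            problems.append(f"unexpected change on {dn}: {ctype}/{op}/{attr}")
        else:
            ops[(dn, attr, value)].append(op)
    for (dn, attr, value), seq in ops.items():
        if seq != ["delete", "add"]:
            problems.append(f"{attr} on {dn} -> {value}: {seq}, expected delete then add")
    return problems
```

Running `review(parse_link_ldif(open(path).read()))` on each generated file before the import shows whether it contains anything other than the paired link changes.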

RE: [ActiveDir]

2005-08-14 Thread Brian Desmond
Right click and go to properties

A subject would help your message greatly.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Patrick Paul
Sent: Sunday, August 14, 2005 7:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 

How do you setup folder redirection? How does it work?

1. create shared folder
2. start, programs, administrative tools, AD Users & Computers
3. OU right click, properties, Group policy
4. new, any name, click name, edit, user config, windows settings
5. folder redirection, my docs

Where do you go from here?

Thanks all


RE: [ActiveDir] trust question

2005-08-14 Thread Eric Fleischman
If you want to validate when this code path is fired, set a breakpoint
on DCacheWriteDomainsToCache and see when it fires. It might be easiest
to use image file execution options to do this and put every winlogon
that fires up under ntsd, or you can do it on the kd side, whatever you
find easiest.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Sunday, August 14, 2005 10:31 AM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Hmmm, I understand the distinction you're making Eric but don't recollect
it being the case, I'll take a look at the source again and see if I can't
solidify this.  Thanks for the input.

--
Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, August 14, 2005 1:08 PM
To: ActiveDir@mail.activedir.org; Send - AD mailing list
Subject: RE: [ActiveDir] trust question

Slight modification inline.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Saturday, August 13, 2005 6:34 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] trust question

My apologies if I appeared to be yelling earlier, that wasn't my intention
... I guess some frustrations came out in my text, sorry about that :o(

The GINA's domain list (by default) contains short or flat names (the term
NetBIOS name currently describes the same thing but will eventually be
replaced by either of those two ... I at least live in hope).  The list is
populated by the NETLOGON service (if memory serves) and is not dependent
upon NetBIOS in any way ... it merely shows the same short name.  This too
can be changed using the following registry entries -

[EFleis] - The list in the GINA UI is actually populated by winlogon itself
strictly speaking. When one presses the SAS in session 0 (this _only_
applies to session 0, no other session, as of win2k3 RTM anyway) we populate
this list. That said, it does boil down to a query of netlogon of course (I
don't recall if it asks the local netlogon who has already obtained the info
from the upstream DCs netlogon or directly asks the DCs netlogon, it's been
too long since I looked at this).
Disclaimer: I really don't know much about winlogon architecture. I once had
to debug this domain list population code and of course had to dip my toe in
there, so you just heard about a third of what I learned in that debug. ;)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
DCacheShowDomainTags=dword:0001
DCacheShowDnsNames=dword:0001

NetBIOS itself is a session layer+ protocol, i.e. it requires an underlying
transport such as TCP/IP, IPX or NetBEUI.  It provides a means of
advertising presence, service and session management ... it also offers a
transport-independent programmatic interface that permitted developers to
write network-capable software without concerning themselves about the
specifics of the underlying transport mechanism(s).

If I may, I would wholeheartedly recommend getting yourself a series of
shrink-wrapped VMs/VPCs such that you're able to prove-out these scenarios
yourself, it's a facility I've grown to cherish and couldn't possibly work
without.

Hope the info. proves useful!

Dean

--

Dean Wells
MSEtechnology
* Email: [EMAIL PROTECTED]
http://msetechnology.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Saturday, August 13, 2005 8:55 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] trust question

i heard somewhere that windows 2k uses netbios to generate the drop down
list of trusted domains when you logon.

now don't yell at me, Dean, but is this true? how does it generate that list
when you join a domain?
there is just a lot of disinformation about netbios (is it a protocol?
an API? A network driver?) and its role in windows today.

from what you're saying, as long as each dns server has secondary zones of
their respective domains or conditional forwarding, all should be good for a
trust just based on dns?

thanks

On 8/13/05, Dean Wells [EMAIL PROTECTED] wrote:
 As I said, it is indeed a common misunderstanding ... the fact that 
 there's a related article published only lends weight to that point.
 It takes very little effort to test and it continues to surprise me 
 when I hear of articles such as the one you've referenced (not that I 
 read it since I have more than enough accurate material to plough 
 through ;o)
 
 --
 Dean Wells
 MSEtechnology
 * Email: [EMAIL PROTECTED]
 http://msetechnology.com
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Mylo
 Sent: Saturday, August 13, 2005 12:19 PM
 To: ActiveDir@mail.activedir.org
 Cc: Send - AD mailing list
 Subject: Re: [ActiveDir] trust question
 
 Dean,
 
 Oh...I was under the 

RE: [ActiveDir] user dump

2005-08-14 Thread Brett Shirley
Yeah, really.

-B

On Thu, 11 Aug 2005 [EMAIL PROTECTED] wrote:

 Repadmin ..uhmm really? :)
 
 Thank you and have a splendid day!
  
 Kind Regards,
  
 Freddy Hartono
 Windows Administrator (ADSM/NT Security)
 Spherion Technology Group, Singapore
 For Agilent Technologies
 E-mail: [EMAIL PROTECTED]
  
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 11, 2005 11:20 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] user dump
 
 And repadmin.
 
 BrettSh
 
 On Wed, 10 Aug 2005, Phil Renouf wrote:
 
  dsquery/dsget will do the trick as well.
  
  Phil
  
  On 8/10/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
   ADFind: http://www.joeware.net/win/free/tools/adfind.htm
   
   Example 6 from the command line help (adfind.exe /?) should be a good
   starting point for you.
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Freddie Coleman
   III
   Sent: Wednesday, August 10, 2005 8:19 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] user dump
   
   
   
   how can i dump a list of all of my ad users?


RE: [ActiveDir] user dump

2005-08-14 Thread Brian Desmond
Check out repadmin /viewlist - repadmin /listhelp should show you how to do
it. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]
 
c - 312.731.3132
 
 
 Repadmin ..uhmm really? :)
 
 Thank you and have a splendid day!
  
 Kind Regards,
  
 Freddy Hartono
 Windows Administrator (ADSM/NT Security)
 Spherion Technology Group, Singapore
 For Agilent Technologies
 E-mail: [EMAIL PROTECTED]
  
 
 -Original Message-
 From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brett Shirley
 Sent: Thursday, August 11, 2005 11:20 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] user dump
 
 And repadmin.
 
 BrettSh
 
 On Wed, 10 Aug 2005, Phil Renouf wrote:
 
  dsquery/dsget will do the trick as well.
  
  Phil
  
  On 8/10/05, Coleman, Hunter [EMAIL PROTECTED] wrote:
   ADFind: http://www.joeware.net/win/free/tools/adfind.htm
   
   Example 6 from the command line help (adfind.exe /?) should be a good
   starting point for you.
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On Behalf Of Freddie
Coleman
   III
   Sent: Wednesday, August 10, 2005 8:19 PM
   To: ActiveDir@mail.activedir.org
   Subject: [ActiveDir] user dump
   
   
   
   how can i dump a list of all of my ad users?