RE: [ActiveDir] OU permissions for user object
"however this is management's call" - and what do you do if your management tells you to shoot yourself in the foot? I'd certainly talk to your management and ask the rationale behind their demand. Ideally no user should be a member of the builtin Server Operators group of the domain at all (no problem with Server Ops on member servers). There is a reason why members of this group (and many other built-in groups) are protected by the AdminSDHolder process = they are very sensitive accounts, so normal delegation tasks (such as resetting PW etc.) should not be granted on these accounts. Of course you can change this "protection" behaviour in AD, but this doesn't make any sense unless you are willing to risk your company's assets. So you'd better try to find out what their overall goal is, then we can help you figure out the best way to grant the correct permissions in a way that will work well with the delegation concept of AD.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, 2 September 2005 08:34
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OU permissions for user object

Hi Guido,

Yes you are correct, this is what is happening. But I believe the reason that the inherit on existing objects is not checked is due to the adminsdholder. The user in question is a member of the builtin\server operators group, therefore when I set the user object to inherit the permissions, it resets itself to unchecked after roughly 15 mins.

I now have a problem: my global group to which I have delegated permissions on an OU must be a member of the Builtin\Server Operators group. If the inherit flag is reset after 10 mins, how can I get this user object to be able to administer other users who are also members of the Builtin\Server Operators group?

If I had the choice, I wouldn't use the builtin groups, however this is management's call.

thanks

"Grillenmeier, Guido" [EMAIL PROTECTED] wrote:

sounds to me as if you've not set the permission to _inherit_ down to existing objects - check in the Advanced tab of the security editor (the tab that displays the permissions on your OU in ADUC) and see if your Full Control permissions are set for User Objects (which will then automatically inherit down to user objects within this OU). If you've set the permission to all objects, you'll explicitly have to set the scope of the permission to apply to "This object and all child objects" (or just to the child objects) - this will then inherit the permission to objects within the OU.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Thursday, 25 August 2005 10:46
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OU permissions for user object

Hi,

I've created an OU and I have delegated a security group the Create/Delete User Object with Full Permissions. I have also delegated the 'Create, Delete Manage User Account' right with F/C. I only want this security group to be able to manage user accounts in this OU and modify the users' details/group membership. The problem I have is that I can't enable/disable a user or modify the user's details on an account which already exists. If I create a new account, I can do all the delegated tasks set, but on existing accounts I get error messages such as "you have insufficient rights to perform this operation" or the details are greyed out. Any ideas where I can check?

Iain
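An added check (not code from the thread) for the situation Guido and Frank describe: it lists the user objects in the delegated OU that AdminSDHolder keeps re-protecting, so the admin can see which accounts the OU-level delegation will never reach. It assumes the ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example, not code from the thread. For the OU Frank delegated, it lists the user
# objects that AdminSDHolder keeps re-protecting (adminCount=1 with a protected DACL), i.e.
# the accounts the OU-level delegation will not reach, and whether each is still a nested
# member of Server Operators. Accounts with adminCount=1 that are no longer members of any
# protected group keep the stale flag and are worth cleaning up. Requires the ActiveDirectory
# module; the OU distinguished name is a placeholder.
Import-Module ActiveDirectory

$ou = 'OU=Delegated Users,DC=example,DC=com'   # placeholder, replace with the delegated OU

# Server Operators is a builtin group; -Recursive expands nested group membership
$serverOps = Get-ADGroupMember -Identity 'Server Operators' -Recursive |
    Select-Object -ExpandProperty distinguishedName

Get-ADUser -SearchBase $ou -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        [pscustomobject]@{
            User               = $_.SamAccountName
            InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected   # True while protected
            InServerOperators  = $serverOps -contains $_.DistinguishedName
        }
    } | Format-Table -AutoSize
```

A row with InheritanceBlocked True explains the "inherit" box unticking itself; a row with InServerOperators False but adminCount still 1 is a stale flag left behind after the account left the protected group.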
Re: [ActiveDir] DNS resolution - prioritization
Thanks Roger for the reply,

Problem is not the site setting, you see... when I ping for my domain's DNS name... or access the netlogon folder on DC as \\example.com\netlogon, this DNS resolution will NOT consider site boundaries and give me the appropriate IP of the local DC. This DNS resolution will ask for the client's subnet mask and if it finds any matching IP of a DC which falls into this client network, it will provide that DC IP as the first one (making sure traffic remains inside the LAN). But, since the client IP network is a restrictive /21, the server which is there in the same physical LAN but in a different subnet will not be returned as first choice.

I hope it clears it a bit.

On 9/6/05, Roger Seielstad [EMAIL PROTECTED] wrote:

I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch-all as well, just in case.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,

We have around 50 sites with 80 DCs, all in a single domain. Now the issue is three sites have a very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with a mask of /25, all inclusive in the mask /21 defined for the subnet at AD level.

Problem: when a machine tries to find the nearest DC using the domain DNS name, the DNS server doesn't give the IP of the nearest DC first, as the server falls only into one of the /25 subnets (subnet mask request in DNS server is enabled). And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login).

I am working with the Network team to initiate the feasibility of so many VLANs (long process) and if it's possible to merge some VLANs, then I will move the DC in that subnet.

Any solution other than hard coding the nearest DC in the hosts file of all these machines?

Regards,
Kamlesh
--
~~~Fortune and Love befriend the bold~~~
Re: [ActiveDir] Additional domain controller
Thanks for the replies. So far I managed to join an additional DC into the domain, set it up as a Global Catalog, set the replication time to four times per hour and now I am waiting to see if the replication works (I will switch the old DC down to see if the users can log in without problems - I suppose there will be one little problem - I use for user profiles a path of that type - \\DC\profiles\Userprofile and after this DC is switched off the users will not be able to download their profiles). Thanks again guys. I'll send some results later.

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Delegating access to zone data stored in an app partition
Scenario: Single forest, with a placeholder root domain and 4 regional child domains. A single group is responsible for forest operations and each regional domain has its own domain admins for domain-wide tasks.

Requirement: Place _msdcs.forestrootdomain.com in a forest-wide ADP but do not allow access to that data from regional domain admins. Allow root domain DAs and EAs access only.

Has anyone ever considered or implemented such a design? Any supportability comments from Microsoft?

Thanks,
neil

---
Neil Ruston
Nomura International Plc
Tel: 020 7521 3481
[EMAIL PROTECTED]
RE: [ActiveDir] Delegating access to zone data stored in an app partition
as long as you understand that this won't hinder domain admins from changing things in the _msdcs.forestrootdomain.com DNS zone, then you could go down this path and consider it an obstacle. If you don't trust your child DAs to handle forest-wide config data, then they shouldn't be DAs - by using the local system account on the DC they'll always have write access to the app partition.

However, if you still want to secure the _msdcs.forestrootdomain.com DNS zone without write access for any child DA, then I'd suggest leaving it hosted only on root domain DCs.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, 6 September 2005 12:59
To: ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Subject: [ActiveDir] Delegating access to zone data stored in an app partition
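An added audit (not code from the thread) for Guido's point that any DC holding a replica of the application partition can write to it as SYSTEM regardless of the zone ACL: it reads the crossRef for the forest DNS partition and reports where the replicas live, so replicas on child-domain DCs stand out. It assumes the ActiveDirectory module; the forest name is a placeholder.

```powershell
# Added example, not code from the thread. Every DC that holds a replica of the forest-wide
# DNS application partition can write to it as SYSTEM, whatever the zone ACL says. The
# crossRef object for the partition lists its replica DCs in msDS-NC-Replica-Locations
# (as NTDS Settings DNs); this reports each replica DC with its domain. Forest name is a
# placeholder.
Import-Module ActiveDirectory

$forestRoot = 'forestrootdomain.com'                                     # placeholder
$rootDn     = 'DC=' + (($forestRoot -split '\.') -join ',DC=')
$partition  = "DC=ForestDnsZones,$rootDn"                                # forest-wide DNS ADP

$partitionsDn = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
$crossRef = Get-ADObject -SearchBase $partitionsDn `
    -LDAPFilter "(&(objectClass=crossRef)(nCName=$partition))" `
    -Properties 'msDS-NC-Replica-Locations'

foreach ($ntdsDn in $crossRef.'msDS-NC-Replica-Locations') {
    # NTDS Settings DN looks like CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
    $serverDn = ($ntdsDn -split ',', 2)[1]                               # strip the leading RDN
    $server   = Get-ADObject -Identity $serverDn -Properties dNSHostName
    $dcDomain = ($server.dNSHostName -split '\.', 2)[1]
    [pscustomobject]@{
        ReplicaDC   = $server.dNSHostName
        Domain      = $dcDomain
        OutsideRoot = ($dcDomain -ne $forestRoot)   # True = a child-domain DA has SYSTEM-level write
    }
}
```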
Re: [ActiveDir] Group policy security setting
Hi Charlie,

If it is a user registry setting (other than Binary) there should be no problem with a custom ADM template. Can you explain what registry key it is and exactly what is not working?

Alan Cuthbertson

- Original Message -
From: Charlie Kaiser [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, September 03, 2005 8:51 AM
Subject: [ActiveDir] Group policy security setting

This is driving me nuts. I'm trying to set up a W2K3 SP1 terminal server machine, managed by group policy, that will allow users to run certain apps that actually load from another server. Here's the problem... When I try and launch one of those apps, I get the security warning box "open file - security warning: Are you sure you want to run this software?" I finally figured out how to disable it; in IE properties, security, trusted sites, custom level, there's a setting: "Launching applications and unsafe files". If I set that to enable, the box goes away. (I'm using software restrictions to only allow certain apps, so the warning box is irrelevant.)

I want to be able to set this value via GP rather than through the IE interface. The IE ADM template seems to include every setting except for this one. Why? I've tried creating a custom ADM for the setting, but I'm getting nowhere with that. I'll probably try that again next week. But I'm curious why this particular setting is not available in the template? Any ideas? Am I missing something?

**
Charlie Kaiser
W2K3 MCSA/MCSE/Security, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**
Re: [ActiveDir] Additional domain controller
You might want to look at moving the profiles to a non-DC to avoid this issue ;) Also, make sure you wait for the dcpromo to finish replicating. That amount of time depends on the size of your AD Database, speed of your network etc.

Phil

On 9/6/05, Boris Demirov [EMAIL PROTECTED] wrote:
Re: [ActiveDir] DNS resolution - prioritization
Just wondering what the actual issue is here though; when a client logs in they will get a DC within their local site. That shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be referred to that DC during logon processes. The behaviour of ping is not going to be site aware, but logon traffic will be.

Phil

On 9/6/05, Kamlesh Parmar [EMAIL PROTECTED] wrote:
RE: [ActiveDir] hide an attribute
So if you have a mixed mode forest, what if you give perms directly to Global groups on Enterprise objects in AD and only use local groups for Domain local stuff? Or are you just supposed to rely on Auth users or Everyone for stuff like that?

What happens if your perms are checked against a GC? GCs don't know about members of LGs or GGs. Do your perms ever get checked against a GC btw? If I have RO perms on the config NC in domA and they get rep'ed to domB, is there a chance a GC from domB would be checked for perms or is it always a local DC on port 389?

Thanks. Your explanation made sense. It helped a lot.

-Original Message-
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Mon 9/5/2005 2:45 PM
To: ActiveDir@mail.activedir.org
Cc:
Subject: RE: [ActiveDir] hide an attribute
RE: [ActiveDir] hide an attribute
glad it helped. some more comments inline

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, 6 September 2005 15:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] hide an attribute

> So if you have a mixed mode forest, what if you give perms directly to Global groups on Enterprise objects in AD and only use local groups for Domain local stuff?

[Guido Grillenmeier] that's fine

> or are you just supposed to rely on Auth users or Everyone for stuff like that?

[Guido Grillenmeier] certainly not

> What happens if your perms are checked against a GC? GCs don't know about members of LGs or GGs.

[Guido Grillenmeier] of course they know about members of LGs and GGs - but only of their own domain ;-) But that's not the point. Your membership in a global group is still valid when accessing data on a GC in a different domain = it's too much to explain the kerberos authentication process here in great detail, but you'd always first be authenticated against a DC of your proper domain giving you a ticket granting ticket etc. This is where you enter your username/PW to tell the system who you are - it will then validate you and see which groups you are in. Via the trust between the domains, that authentication is also valid against the GC of the other domain, but it will generate a service ticket valid for its domain. This service ticket won't contain the DLGs of the other domains, but it will contain the GGs of your domain, the UGs of any domain AND it will add the DLGs of its own domain to this service ticket. Checking the perms then is the authorization process, by which your previously generated kerberos ticket will be leveraged by the OS to check what permission you have on the resource you're trying to access.

> Do your perms ever get checked against a GC btw?

[Guido Grillenmeier] yes, see above

> If I have RO perms on the config NC in domA and they get rep'ed to domB, is there a chance a GC from domB would be checked for perms or is it always a local DC on port 389?

[Guido Grillenmeier] authentication will be a DC of your proper domain (domA) + the GC of the trusted domain (domB). authorization will be done by the resource you're accessing, which would be the GC of domB in this case.

> Thanks. Your explanation made sense. It helped a lot.
[ActiveDir] LIL OT system Reg size script
We recently had an issue where a policy seems to be causing the registry size to blow up on several of our servers. We believe we have found the culprit policy and are looking into it but we want to monitor things. On this front I am trying to put together a script that will go thru a list of our servers and check the file size of the system registry, i.e. check admin$\system32\config\system. Here is what I have:

On Error Resume Next
Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile("e:\scripts\servers.txt", ForReading)

Do Until objTextFile.AtEndOfStream
    strComputer = objTextFile.Readline
    ' =
    ' Insert your code here
    ' =
    WScript.Echo
    WScript.Echo "=="
    WScript.Echo "Computer: " & strComputer
    WScript.Echo "=="
    Set objFile = objFSO.GetFile("admin$\system32\config\system")
    Set objItem = strComputer.objFile
    WScript.Echo "FileSize: " & objItem.FileSize
    ' =
    ' End
    ' =
Loop

objTextFile.Close

Where am I going wrong?

Jeff
RE: [ActiveDir] LIL OT system Reg size script
Why not use WMI to achieve this? Just keep the file list as you did below and use WMI to update the registry size. Check:

Sample 4.14 - SetWin32_RegistrySizeWithAPI (Direct Properties).wsf
or
Sample 4.15 - SetWin32_RegistrySizeWithAPI (Indirect Properties).wsf

at http://www.lissware.net, volume 1 samples.

HTH
/Alain

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC
Sent: Tuesday, September 06, 2005 8:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LIL OT system Reg size script
Re: [ActiveDir] DNS resolution - prioritization
I agree client logon won't be an issue, as clients' DC fit in the site boundary. But some of my startup scripts access netlogon as \\example.com\netlogon, and I suppose accessing any network resource by UNC has nothing to do with site boundary, it is pure DNS resolution.

Also what about domain DFS traffic? Will it consider site boundaries while finding the nearest replica partner? Or will it use plain DNS resolution?

- Kamlesh

On 9/6/05, Phil Renouf [EMAIL PROTECTED] wrote:
Re: [ActiveDir] LIL OT system Reg size script
Set objFile = objFSO.GetFile("admin$\system32\config\system")
Set objItem = strComputer.objFile
WScript.Echo "FileSize: " & objItem.FileSize

Should be replaced with

Set objFile = objFSO.GetFile("\\" & strComputer & "\admin$\system32\config\system")
WScript.Echo "FileSize: " & objFile.FileSize

--
~~~Fortune and Love befriend the bold~~~

On 9/6/05, Alain Lissoir [EMAIL PROTECTED] wrote:
RE: [ActiveDir] LIL OT system Reg size script
OK. Add that to the number of books I must get. In the meantime, as I don't have the book right now and I am very new to scripting, what is the difference between the Direct Properties and the Indirect Properties? I have started modifying but now I'm having problems with setting the Computername. In your script it is a const but I need it as a variable so that it goes thru the list of our Servers.

Thanks
Jeff

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, September 06, 2005 11:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] LIL OT system Reg size script
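An added monitoring script (not code from the thread, nor one of Alain's samples) that does what Jeff's script set out to do, using the WMI route Alain points at and the UNC path from Kamlesh's fix: for each server in the list it reports the registry size from Win32_Registry next to the size of the SYSTEM hive file. It only reads; the path of the server list is the one from the original script.

```powershell
# Added example, not code from the thread. For each server named in servers.txt, read the
# current and maximum registry size via the Win32_Registry WMI class (values are in MB) and
# the size of the SYSTEM hive reached through the admin$ share. Reads only; nothing is set.
$serverList = 'e:\scripts\servers.txt'   # one hostname per line, as in the original script

foreach ($computer in (Get-Content $serverList | Where-Object { $_.Trim() })) {
    $row = [ordered]@{
        Computer      = $computer
        CurrentSizeMB = $null
        MaximumSizeMB = $null
        SystemHiveMB  = $null
        Error         = $null
    }
    try {
        $reg = Get-CimInstance -ClassName Win32_Registry -ComputerName $computer -ErrorAction Stop
        $row.CurrentSizeMB = $reg.CurrentSize
        $row.MaximumSizeMB = $reg.MaximumSize

        # UNC path, as in Kamlesh's fix: GetFile/Get-Item need \\server\admin$\..., not admin$\... alone
        $hive = Get-Item -LiteralPath "\\$computer\admin$\system32\config\system" -ErrorAction Stop
        $row.SystemHiveMB = [math]::Round($hive.Length / 1MB, 2)
    } catch {
        $row.Error = $_.Exception.Message   # one unreachable server must not stop the loop
    }
    [pscustomobject]$row
}
```

Piping the output to Export-Csv with a date in the file name gives the trend data needed to confirm whether the suspect policy is still growing the hives.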
RE: [ActiveDir] DNS resolution - prioritization
Dfs is site aware. Since \\example.com\netlogon is managed by Dfs, the client will receive the location closest to it based on site. What you were referring to on returning DNS records is called netmask ordering. Youre right about the limitations of it. :m:dsm:cci:mvp From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar Sent: Tuesday, September 06, 2005 11:18 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] DNS resolution - prioritization I agree client logon won't be a issue, asclients DC fit in the site boundary. But some of my startup script access netlogon as \\example.com\netlogon, andI suppose accessing anynetwork resourceby UNC has nothing to do with site boundary, it is pure DNS resolution. also what about domain DFS traffic ? will it consider site boundaries while, finding the nearest replica partner? or it will use plain DNS resolution? - Kamlesh On 9/6/05, Phil Renouf [EMAIL PROTECTED] wrote: Just wondering what the actual issue is here though, when a client logs in they will get a DC within their local site, that shouldn't be dependant on the clients subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be reffered to that DC during logon processes. The behaviour of ping is not going to be site aware, but logon traffic will be. Phil On 9/6/05, Kamlesh Parmar [EMAIL PROTECTED] wrote: Thanks Roger for the reply, Problem is not the site setting, you see... when I ping for my domain's DNS name... or access the netlogon folder on DC as \\example.com\netlogon This DNS resolution, will NOT consider site boundaries and give me appropriate IP of local DC. this DNS resolution will ask for client's subnet mask and if it finds any matching IP of DC which falls into this client network, it will provide that DC IP as first one. 
(making sure traffic remains inside LAN) but, since client IP network is restrictive /21, the server which is there in the same physical LAN but in different subnet will not be returned as first choice. I hope it clears it a bit.

On 9/6/05, Roger Seielstad [EMAIL PROTECTED] wrote: I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch all as well, just in case. Roger Seielstad E-mail Geek

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All, We have around 50 sites with 80 DCs, all in a single domain. Now the issue is three sites have very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with mask of /25, all inclusive in mask /21 defined for subnet at AD level. Problem: when a machine tries to find the nearest DC using domain DNS name, DNS server doesn't give IP of nearest DC first, as server falls only into one of the /25 subnets. (subnet mask request in DNS server is enabled) And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login). I am working with Network team to initiate the feasibility of so many VLANs (long process) and if it's possible to merge some VLAN, then I will move the DC in that subnet. Any solution other than hard coding nearest DC in host file of all these machines? Regards, Kamlesh -- ~~~ Fortune and Love befriend the bold ~~~
[ActiveDir] DFS Permissions
If I am using a DFS share that has copies of that share between child domains, am I not able to use Domain Local Groups in conjunction with Global and Universal groups to grant permissions? I noticed that I cannot choose Domain Local groups from the list. Here is what I am trying to do:

DFS share. Servers participating in share are:
serverA.parent
ServerB.child1.parent
ServerC.child2.parent
ServerD.child3.parent

Users in Parent, Child1, Child2 and Child3 all need to be able to access and potentially edit files. How would you recommend that I set up the permissions? I was thinking:

Parent DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
DFS Share Workgroup Universal - Granted rights to files and folders
Child 1 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
Child 2 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent
Child 3 DFS Share Workgroup Global - Member of DFS Share Workgroup Universal in Parent

I could use this same methodology to grant permissions to different kinds of users and folders as needed. What do you think? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Migrate Computers using ADMT
If I were to use ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstation if I used ADMT v2 to migrate it from child1.parent.com to parent.com? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
RE: [ActiveDir] DNS resolution - prioritization
DFS is site aware, but what about non-DFS? \\example.com will always resolve to some domain controller, DFS or no DFS, using round-robin DNS, right?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005 8:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS resolution - prioritization

Dfs is site aware. Since \\example.com\netlogon is managed by Dfs, the client will receive the location closest to it based on site. What you were referring to on returning DNS records is called netmask ordering. You're right about the limitations of it. :m:dsm:cci:mvp

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 11:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

I agree client logon won't be an issue, as clients' DCs fit in the site boundary. But some of my startup scripts access netlogon as \\example.com\netlogon, and I suppose accessing any network resource by UNC has nothing to do with site boundary, it is pure DNS resolution. Also what about domain DFS traffic? Will it consider site boundaries while finding the nearest replica partner? Or will it use plain DNS resolution? - Kamlesh

On 9/6/05, Phil Renouf [EMAIL PROTECTED] wrote: Just wondering what the actual issue is here though, when a client logs in they will get a DC within their local site, that shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be referred to that DC during logon processes. The behaviour of ping is not going to be site aware, but logon traffic will be. Phil

On 9/6/05, Kamlesh Parmar [EMAIL PROTECTED] wrote: Thanks Roger for the reply, Problem is not the site setting, you see... when I ping for my domain's DNS name...
or access the netlogon folder on DC as \\example.com\netlogon This DNS resolution will NOT consider site boundaries and give me appropriate IP of local DC. This DNS resolution will ask for client's subnet mask and if it finds any matching IP of DC which falls into this client network, it will provide that DC IP as first one (making sure traffic remains inside LAN) but, since client IP network is restrictive /21, the server which is there in the same physical LAN but in different subnet will not be returned as first choice. I hope it clears it a bit.

On 9/6/05, Roger Seielstad [EMAIL PROTECTED] wrote: I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch all as well, just in case. Roger Seielstad E-mail Geek

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All, We have around 50 sites with 80 DCs, all in a single domain. Now the issue is three sites have very restrictive network configuration for subnets (all having 500+ machines), i.e. their subnet specification in AD is 10.*/21 but at the network level they have divided this subnet into VLANs with mask of /25, all inclusive in mask /21 defined for subnet at AD level. Problem: when a machine tries to find the nearest DC using domain DNS name, DNS server doesn't give IP of nearest DC first, as server falls only into one of the /25 subnets. (subnet mask request in DNS server is enabled) And as a result, machines go to other DCs for netlogon related activities/scripts (generating unnecessary WAN traffic, slow login). I am working with Network team to initiate the feasibility of so many VLANs (long process) and if it's possible to merge some VLAN, then I will move the DC in that subnet. Any solution other than hard coding nearest DC in host file of all these machines? Regards, Kamlesh -- ~~~ Fortune and Love befriend the bold ~~~
[ActiveDir] OT-GPO\ADM Modem\LAN Enable\Disable
Does anyone know of a way, without creating separate hardware profiles, that when a modem is in use the NIC(s) are disabled and when the NIC(s) are in use the modem is disabled? Regards Mark
Re: [ActiveDir] Migrate Computers using ADMT
Short answer: Yes. ADMT needs the PCs to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc. Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote: If I were to use ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstation if I used ADMT v2 to migrate it from child1.parent.com to parent.com? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
[ActiveDir] 2003 SP1
Good morning folks, I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any first-hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers please send it to me. I will probably assist with this task also. Thanks Johnny Figueroa Enterprise Network Consultant/Integrator Network Services Banner Health Voice (602) 495-4195 Fax (602) 495-4406 WARNING: This message, and any attachments, are intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient or employee/agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of the communication is strictly prohibited. If you receive this communication in error, please notify us immediately
RE: [ActiveDir] Migrate Computers using ADMT
So technically I don't need to have a tech go to that computer and physically change domains?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Renouf
Sent: Tuesday, September 06, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrate Computers using ADMT

Short answer: Yes. ADMT needs the PCs to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc. Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote: If I were to use ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstation if I used ADMT v2 to migrate it from child1.parent.com to parent.com? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
Re: [ActiveDir] Migrate Computers using ADMT
Correct. Run some tests with ADMT to get used to how it all works (preferably in a test forest with test workstations). Note though that the machines have to be on and that there will always be a few that don't work etc.; this is pretty much the same thing as deploying any type of agent like this, say SMS for example. Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote: So technically I don't need to have a tech go to that computer and physically change domains?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Renouf
Sent: Tuesday, September 06, 2005 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Migrate Computers using ADMT

Short answer: Yes. ADMT needs the PCs to be on the network when this happens so that it can launch a process on the workstation to translate profiles etc. Phil

On 9/6/05, Salandra, Justin A. [EMAIL PROTECTED] wrote: If I were to use ADMT to migrate a workstation, would the wizard actually change the domain membership of the workstation if I used ADMT v2 to migrate it from child1.parent.com to parent.com? Justin A. Salandra MCSE Windows 2000 2003 Network and Technology Services Manager Catholic Healthcare System 646.505.3681 - office 917.455.0110 - cell [EMAIL PROTECTED]
[ActiveDir] XP SP2 Firewall - Domain vs Standard Policy
I've done some googling and searched the MS site a bit, but cannot find an answer... The question I have is this: How does an XP computer determine whether it's connected to the domain in order to decide which firewall policy (standard or domain) to enforce? The reason I ask is this: I see this most often with machines that come in over the WAN, though I've seen it a few times on machines on our local LAN too. A machine will start up and the firewall will be enabled. Normally that would be expected as that is the default behavior of the XP firewall. However, I do have a GPO that turns off the firewall for the domain profile. If I do a GPRESULT on these machines, the GPO is applied, yet the firewall is still on. If I do a "netsh fi show state" the current active profile is the standard profile, and the Firewall GPO that I have set displays as the Group Policy Version (so I know the machine has the settings). My only guess is that, for some reason when these machines start, they don't realize they're on the domain, but I can't explain why. Latency for the remote sites is about 60 to 100 ms and there are no DCs at many of the small (2-4 people) remote sites. If it were only remote sites, then I might be convinced that the latency was an issue. But as I mentioned, I've seen it happen to machines on our LAN too. Any insights or other things to check would be much appreciated. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams
Re: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy
It's probably to do with applying GPO over slow links; the trouble is the speed is measured as the speed of the NIC, not the speed of the link, unless you dial up from the PC directly. I have had great fun with this and VPNs over ADSL and dial up.

-Original Message-
From: Joe Pochedley [EMAIL PROTECTED]
Date: Tue, 6 Sep 2005 14:39:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

I've done some googling and searched the MS site a bit, but cannot find an answer... The question I have is this: How does an XP computer determine whether it's connected to the domain in order to decide which firewall policy (standard or domain) to enforce? The reason I ask is this: I see this most often with machines that come in over the WAN, though I've seen it a few times on machines on our local LAN too. A machine will start up and the firewall will be enabled. Normally that would be expected as that is the default behavior of the XP firewall. However, I do have a GPO that turns off the firewall for the domain profile. If I do a GPRESULT on these machines, the GPO is applied, yet the firewall is still on. If I do a "netsh fi show state" the current active profile is the standard profile, and the Firewall GPO that I have set displays as the Group Policy Version (so I know the machine has the settings). My only guess is that, for some reason when these machines start, they don't realize they're on the domain, but I can't explain why. Latency for the remote sites is about 60 to 100 ms and there are no DCs at many of the small (2-4 people) remote sites. If it were only remote sites, then I might be convinced that the latency was an issue. But as I mentioned, I've seen it happen to machines on our LAN too. Any insights or other things to check would be much appreciated. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams
RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy
The domain mode is determined by the DNS suffix of your active network connections. This article has information on troubleshooting the XP SP2 firewall: http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx And it links to this article which describes the algorithm for determining if the domain mode is in effect (look in the "How Network Determination Works" section): http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx Hope that helps!

-Original Message-
From: Mark Parris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005 12:03 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

It's probably to do with applying GPO over slow links; the trouble is the speed is measured as the speed of the NIC, not the speed of the link, unless you dial up from the PC directly. I have had great fun with this and VPNs over ADSL and dial up.

-Original Message-
From: Joe Pochedley [EMAIL PROTECTED]
Date: Tue, 6 Sep 2005 14:39:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

I've done some googling and searched the MS site a bit, but cannot find an answer... The question I have is this: How does an XP computer determine whether it's connected to the domain in order to decide which firewall policy (standard or domain) to enforce? The reason I ask is this: I see this most often with machines that come in over the WAN, though I've seen it a few times on machines on our local LAN too. A machine will start up and the firewall will be enabled. Normally that would be expected as that is the default behavior of the XP firewall. However, I do have a GPO that turns off the firewall for the domain profile. If I do a GPRESULT on these machines, the GPO is applied, yet the firewall is still on. If I do a "netsh fi show state" the current active profile is the standard profile, and the Firewall GPO that I have set displays as the Group Policy Version (so I know the machine has the settings). My only guess is that, for some reason when these machines start, they don't realize they're on the domain, but I can't explain why. Latency for the remote sites is about 60 to 100 ms and there are no DCs at many of the small (2-4 people) remote sites. If it were only remote sites, then I might be convinced that the latency was an issue. But as I mentioned, I've seen it happen to machines on our LAN too. Any insights or other things to check would be much appreciated. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

Confidential This e-mail and any files transmitted with it are the property of Belkin Corporation and/or its affiliates, are confidential, and are intended solely for the use of the individual or entity to whom this e-mail is addressed. If you are not one of the named recipients or otherwise have reason to believe that you have received this e-mail in error, please notify the sender and delete this message immediately from your computer. Any other use, retention, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited.
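As an added example, not code from the thread or from Microsoft, here is a small Python model of the network determination rule Jeff's reply points to, as I read the linked article: the Domain profile is chosen only when every connected adapter's connection-specific DNS suffix matches the network name stored at the last Group Policy refresh, and any mismatch (a VPN adapter, an adapter without a suffix, no policy history yet) drops the machine to the Standard profile. Adapter names and suffixes are constructed; the "connected adapters are ignored when media is disconnected" rule is an assumption.

```python
"""Added example (not from the thread or Microsoft): model of XP SP2's choice
between the Domain and Standard firewall profile, following the rule in the
Cable Guy article linked above as I read it. Adapter names, suffixes and the
treatment of disconnected adapters are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Connection:
    name: str
    connected: bool     # assumption: adapters with media disconnected are ignored
    dns_suffix: str     # connection-specific DNS suffix, "" if none is assigned


def choose_profile(connections: List[Connection],
                   gp_network_name: Optional[str]) -> Tuple[str, str]:
    """Return (profile, reason). gp_network_name is the DNS suffix recorded
    when Group Policy was last applied; None means policy has never applied,
    so there is nothing to compare against and the Standard profile wins."""
    if not gp_network_name:
        return "Standard", "no Group Policy history, so no domain network name to match"
    active = [c for c in connections if c.connected]
    if not active:
        return "Standard", "no connected network adapters"
    for c in active:
        # One adapter on a foreign (or empty) suffix is enough to lose the Domain profile,
        # which is the case to look for when GPRESULT says the policy applied.
        if c.dns_suffix.lower() != gp_network_name.lower():
            shown = c.dns_suffix or "(none)"
            return "Standard", (f"adapter '{c.name}' has DNS suffix '{shown}', "
                                f"expected '{gp_network_name}'")
    return "Domain", f"all {len(active)} connected adapter(s) carry suffix '{gp_network_name}'"


# Constructed scenarios mirroring the symptom in Joe's post.
LAN_ONLY = [Connection("Local Area Connection", True, "corp.example.com")]
LAN_PLUS_VPN = LAN_ONLY + [Connection("VPN Connection", True, "")]
LAN_PLUS_IDLE_WIFI = LAN_ONLY + [Connection("Wireless Network Connection", False, "")]

if __name__ == "__main__":
    for label, conns in (("LAN only", LAN_ONLY), ("LAN + VPN", LAN_PLUS_VPN),
                         ("LAN + idle wifi", LAN_PLUS_IDLE_WIFI)):
        profile, why = choose_profile(conns, "corp.example.com")
        print(f"{label:16}: {profile:8} ({why})")
```

The reason string is the part worth keeping when troubleshooting: it names the adapter that broke the match, which is what to compare against the suffixes ipconfig reports on an affected machine.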
RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy
Thanks for both the links. I had seen the first one, but not the second. While they answered the question I had, they didn't explain why the firewall is still enabled when it shouldn't be. The slow link threshold isn't an issue (set down to 200kbps quite some time ago, and confirmed with GPRESULT with the last applied time). The DNS suffix on the client matches the DNS suffix in the last-received Group Policy update DNS name, so it appears the client thinks it's on a trusted network (or at least it should). Still plugging away. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeff Salisbury
Sent: Tuesday, September 06, 2005 3:20 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

The domain mode is determined by the DNS suffix of your active network connections. This article has information on troubleshooting the XP SP2 firewall: http://www.microsoft.com/technet/prodtechnol/winxppro/support/wftshoot.mspx And it links to this article which describes the algorithm for determining if the domain mode is in effect (look in the "How Network Determination Works" section): http://www.microsoft.com/technet/community/columns/cableguy/cg0504.mspx Hope that helps!

-Original Message-
From: Mark Parris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 06, 2005 12:03 PM
To: ActiveDir.org
Subject: Re: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

It's probably to do with applying GPO over slow links; the trouble is the speed is measured as the speed of the NIC, not the speed of the link, unless you dial up from the PC directly. I have had great fun with this and VPNs over ADSL and dial up.

-Original Message-
From: Joe Pochedley [EMAIL PROTECTED]
Date: Tue, 6 Sep 2005 14:39:31
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] XP SP2 Firewall - Domain vs Standard Policy

I've done some googling and searched the MS site a bit, but cannot find an answer... The question I have is this: How does an XP computer determine whether it's connected to the domain in order to decide which firewall policy (standard or domain) to enforce? The reason I ask is this: I see this most often with machines that come in over the WAN, though I've seen it a few times on machines on our local LAN too. A machine will start up and the firewall will be enabled. Normally that would be expected as that is the default behavior of the XP firewall. However, I do have a GPO that turns off the firewall for the domain profile. If I do a GPRESULT on these machines, the GPO is applied, yet the firewall is still on. If I do a "netsh fi show state" the current active profile is the standard profile, and the Firewall GPO that I have set displays as the Group Policy Version (so I know the machine has the settings). My only guess is that, for some reason when these machines start, they don't realize they're on the domain, but I can't explain why. Latency for the remote sites is about 60 to 100 ms and there are no DCs at many of the small (2-4 people) remote sites. If it were only remote sites, then I might be convinced that the latency was an issue. But as I mentioned, I've seen it happen to machines on our LAN too. Any insights or other things to check would be much appreciated. Joe Pochedley A computer terminal is not some clunky old television with a typewriter in front of it. It is an interface where the mind and body can connect with the universe and move bits of it about. -Douglas Adams
Re: [ActiveDir] DC authentication
Thommes, Michael M. wrote: SET LOGONSERVER at the command line should be enough.

And on a similar note, if I'm having trouble with a user logging on to a specific DC, is there a way to force their workstation to log on to a different one? --Brett
RE: [ActiveDir] DC authentication
nltest /sc_reset:domain\DC /server:computername will do the trick nicely. Nltest.exe is part of the Windows Support Tools. -Andrew

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of vex
Sent: Tuesday, September 06, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DC authentication

Thommes, Michael M. wrote: SET LOGONSERVER at the command line should be enough.

And on a similar note, if I'm having trouble with a user logging on to a specific DC, is there a way to force their workstation to log on to a different one? --Brett
Re: [ActiveDir] DC authentication
Cace, Andrew wrote: nltest /sc_reset:domain\DC /server:computername will do the trick nicely. Nltest.exe is part of the Windows Support Tools.

Thanks, I'll give that a bash. Looks more useful than set logonserver=\\servername... --Brett
[ActiveDir] strange issue with(what else) Exchange(ot)
I emailed a while ago about this issue: I'm recreating my domain in a test forest for migration testing. In our real and test forest, we have no connectivity to the root domain and no EA or SA access (never will). We are primary DNS for both the root and child domain however. I recreated our domain in a test lab. Then I tried installing Exchange using the /disasterrecovery switch and it complained about not being able to contact the schema master and refused to go on. I ran adsiedit.msc as local system on a child DC and put this child DC as the value for the fSMORoleHolder attrib and then Exchange installed, until 24hrs later it stopped working. It claimed it couldn't contact a DC or GC. When I tested the secure channel, I got access denied. It was behaving as if it wasn't a member of the domain. Disjoining and rejoining did nothing. So an IBM consultant took over from there and while on the phone with MS, seized the FSMO roles via ntdsutil (but without EA or SA access?!!). Anyway, that Exchange installed fine with the DR switch (however that was just less than 24hrs ago). Installing a new Exchange server is impossible. I still get "can't connect to schema master" error. Sometimes it's a "can't connect to root domain" error. I'm currently talking to MS and so far they can't seem to figure it out. Also they can't give me an answer as to why Exchange setup needs to connect to the root domain (in fact as far as they're concerned, it's the first time they heard of that). I'm wondering why MS can't explain conclusively the behavior of their own products to me? Anyway, I was wondering if anyone knew the answer out here or could explain these symptoms in any way? Especially since I think my company needs to install a new Exchange server for archival and compliance purposes in our production environment before we migrate (as in ASAP, as we have been out of compliance and are about to be audited very soon). Thought I'd ask here while waiting for MS to respond. You guys seem to be a higher quality of support than most companies pay to get from MS. Thanks!!
RE: [ActiveDir] 2003 SP1
Hi Johnny, The only major issue I've run into was around http://support.microsoft.com/?id=892501 HTH, Katherine

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: 07 September 2005 02:15
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks, I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101 but if you have any first-hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers please send it to me. I will probably assist with this task also. Thanks Johnny Figueroa Enterprise Network Consultant/Integrator Network Services Banner Health Voice (602) 495-4195 Fax (602) 495-4406
RE: [ActiveDir] DNS resolution - prioritization
You are correct - the DNS server won't provide any intelligence with regards to what it returns to a request. DNS should be returning ALL records for the appropriate domain, which I believe NetLogon on the local machine then parses against AD Sites by subnet. Gil Kirkpatrick wrote an extensive article for Windows IT Pro Magazine (or whatever they're calling it now) about 12-18 months ago that detailed how the whole process works.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 12:47 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

Thanks Roger for the reply,

The problem is not the site setting, you see... when I ping my domain's DNS name, or access the netlogon folder on a DC as \\example.com\netlogon, this DNS resolution will NOT consider site boundaries and give me the appropriate IP of the local DC. This DNS resolution will ask for the client's subnet mask, and if it finds any matching IP of a DC which falls into this client network, it will provide that DC IP as the first one (making sure traffic remains inside the LAN). But, since the client IP network is a restrictive /21, the server which is in the same physical LAN but in a different subnet will not be returned as first choice. I hope it clears it a bit.

On 9/6/05, Roger Seielstad [EMAIL PROTECTED] wrote:
I'd create smaller subnet records in AD (probably matching the /25 VLANs) and assign those to the sites which house the domain controller which you want them to use. You can keep the /21 subnet entry as a catch-all as well, just in case.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Monday, September 05, 2005 3:30 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] DNS resolution - prioritization

Dear All,

We have around 50 sites with 80 DCs, all in a single domain. Now the issue is that three sites (all having 500+ machines) have a very restrictive network configuration for subnets, i.e. their subnet specification in AD is 10.*/21, but at the network level they have divided this subnet into VLANs with a mask of /25, all inclusive in the /21 mask defined for the subnet at AD level.

Problem: when a machine tries to find the nearest DC using the domain DNS name, the DNS server doesn't give the IP of the nearest DC first, as the server falls into only one of the /25 subnets. ("Subnet mask request" in the DNS server is enabled.) As a result, machines go to other DCs for netlogon-related activities/scripts (generating unnecessary WAN traffic, slow login).

I am working with the Network team to initiate the feasibility of so many VLANs (long process), and if it's possible to merge some VLANs, then I will move the DC into that subnet.

Any solution other than hard-coding the nearest DC in the hosts file of all these machines?

Regards,
Kamlesh
--
~~~"Fortune and Love befriend the bold"~~~
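The two lookups the thread contrasts, as an added example that is not part of the original messages: Windows DNS netmask ordering (the "subnet mask request" option Kamlesh mentions) and the site lookup the DC locator performs against the subnet objects in AD. Hostnames, addresses and site names are constructed; the /24 default mask for netmask ordering and the longest-prefix rule for AD subnet matching are the model's assumptions, and `with_vlan_subnets` is a hypothetical helper that produces the /25 subnet objects Roger suggests creating while keeping the /21 as the catch-all.

```python
"""Added example, not from the ActiveDir thread: a model of the two lookups
the thread contrasts, run on constructed sample addresses.

 1. Windows DNS "netmask ordering": when a name such as example.com has several
    A records, the server puts records whose address shares the querying
    client's local network first.  It compares under a fixed mask, assumed
    here to default to a /24 (255.255.255.0), exposed as the prefixlen
    parameter.  It never looks at AD sites.
 2. AD site lookup, as used by the DC locator: the client's address is matched
    against the subnet objects in AD Sites and Services and the most specific
    (longest-prefix) subnet wins, so a /25 VLAN object overrides a /21
    catch-all.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# --- constructed sample data (site names, hosts and addresses are made up) ---
# One site defined as a /21 in AD, carved into /25 VLANs on the wire; the
# site's DC sits in one VLAN and the client in another, as in the thread.
DC_RECORDS: Dict[str, IPAddr] = {            # A records returned for example.com
    "dc02.example.com": IPAddr("10.20.1.10"),   # remote site, across the WAN
    "dc01.example.com": IPAddr("10.8.3.10"),    # local site, VLAN 10.8.3.0/25
    "dc03.example.com": IPAddr("10.30.1.10"),   # another remote site
}
CLIENT_IP = "10.8.5.77"                          # VLAN 10.8.5.0/25, same /21 as dc01

# Subnet objects as they exist in AD before any change: one prefix per site.
SUBNETS_BEFORE: Dict[IPNet, str] = {
    IPNet("10.8.0.0/21"): "Site-A",
    IPNet("10.20.0.0/16"): "Site-B",
    IPNet("10.30.0.0/16"): "Site-C",
}


def _addr(ip: Union[str, IPAddr]) -> IPAddr:
    return ip if isinstance(ip, IPAddr) else IPAddr(ip)


def netmask_order(client: Union[str, IPAddr], records: Dict[str, IPAddr],
                  prefixlen: int = 24) -> List[str]:
    """Order A records the way netmask ordering does: records inside the
    client's local network (client address under the server's fixed mask)
    first, everything else after in its original round-robin order."""
    local_net = IPNet(f"{_addr(client)}/{prefixlen}", strict=False)
    local = [name for name, addr in records.items() if addr in local_net]
    other = [name for name, addr in records.items() if addr not in local_net]
    return local + other


def site_for(ip: Union[str, IPAddr], subnets: Dict[IPNet, str]) -> Optional[str]:
    """Longest-prefix match of an address against the AD subnet objects."""
    addr = _addr(ip)
    best: Optional[Tuple[IPNet, str]] = None
    for net, site in subnets.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def dcs_in_site(client: Union[str, IPAddr], records: Dict[str, IPAddr],
                subnets: Dict[IPNet, str]) -> List[str]:
    """DCs the locator prefers: those whose own address maps to the client's site."""
    site = site_for(client, subnets)
    if site is None:
        return []
    return [name for name, addr in records.items() if site_for(addr, subnets) == site]


def with_vlan_subnets(subnets: Dict[IPNet, str], site_prefix: str, vlan_prefixlen: int,
                      site: str, overrides: Optional[Dict[str, str]] = None) -> Dict[IPNet, str]:
    """Copy of the subnet map with site_prefix carved into VLAN-sized subnet
    objects assigned to site, the original prefix kept as a catch-all, and any
    VLAN listed in overrides pointed at a different site (hypothetical helper)."""
    out = dict(subnets)
    for vlan in IPNet(site_prefix).subnets(new_prefix=vlan_prefixlen):
        out[vlan] = site
    for net, other_site in (overrides or {}).items():
        out[IPNet(net)] = other_site
    return out


# The thread's suggestion: /25 objects matching the VLANs, /21 left as catch-all.
# The override is constructed, to show longest-prefix precedence.
SUBNETS_AFTER = with_vlan_subnets(SUBNETS_BEFORE, "10.8.0.0/21", 25, "Site-A",
                                  overrides={"10.8.6.0/25": "Site-B"})

if __name__ == "__main__":
    print("DNS order, default /24 mask:", netmask_order(CLIENT_IP, DC_RECORDS))
    print("DNS order, mask widened to /21:", netmask_order(CLIENT_IP, DC_RECORDS, prefixlen=21))
    print("Client site:", site_for(CLIENT_IP, SUBNETS_BEFORE),
          "-> DCs in site:", dcs_in_site(CLIENT_IP, DC_RECORDS, SUBNETS_BEFORE))
    print("10.8.6.5 after VLAN objects:", site_for("10.8.6.5", SUBNETS_AFTER))
```

With the default mask the local DC is not moved to the front of the answer for the bare domain name, while the site lookup already returns it, which is the distinction Phil and Roger draw later in the thread. The keys of `SUBNETS_AFTER` are the subnet objects you would create in AD Sites and Services (outside the thread: `New-ADReplicationSubnet` in the ActiveDirectory PowerShell module does this on current Windows Server), and `nltest /dsgetdc:example.com` on a client shows which DC the locator actually picks.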
RE: [ActiveDir] DNS resolution - prioritization
I think this is the article you are referring to: http://www.netpro.com/forum/files/authentication_topology.pdf

Tony

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, 7 September 2005 2:49 p.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS resolution - prioritization

You are correct - the DNS server won't provide any intelligence with regards to what it returns to a request. DNS should be returning ALL records for the appropriate domain, which I believe NetLogon on the local machine then parses against AD Sites by subnet. Gil Kirkpatrick wrote an extensive article for Windows IT Pro Magazine (or whatever they're calling it now) about 12-18 months ago that detailed how the whole process works.

Roger Seielstad
E-mail Geek
RE: [ActiveDir] 2003 SP1
I haven't done it on DCs yet (since I no longer run any...) but with regards to member servers I'm finding it rock solid. For a higher-traffic DC or member server, I'd expect you'll see a relatively large decrease in CPU utilization for network-related things.

Roger Seielstad
E-mail Geek

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Figueroa, Johnny
Sent: Tuesday, September 06, 2005 11:15 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] 2003 SP1

Good morning folks,

I am entertaining the idea of applying SP1 to our 2003 domain controllers. I figured I would start with http://support.microsoft.com/kb/889101, but if you have any first-hand knowledge of any issues, please let me know. For that matter, if you have a good link about applying 2003 SP1 to member servers, please send it to me. I will probably assist with this task also.

Thanks
Johnny Figueroa
RE: [ActiveDir] DNS resolution - prioritization
Ahh - there's the issue. That's not the same thing as logon traffic. Switching that to a domain DFS will certainly fix the issue - DFS understands AD Sites.

Roger Seielstad
E-mail Geek

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kamlesh Parmar
Sent: Tuesday, September 06, 2005 8:18 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] DNS resolution - prioritization

I agree client logon won't be an issue, as the clients' DC fits in the site boundary. But some of my startup scripts access netlogon as \\example.com\netlogon, and I suppose accessing any network resource by UNC has nothing to do with site boundaries; it is pure DNS resolution.

Also, what about domain DFS traffic? Will it consider site boundaries while finding the nearest replica partner, or will it use plain DNS resolution?

- Kamlesh

On 9/6/05, Phil Renouf [EMAIL PROTECTED] wrote:
Just wondering what the actual issue is here, though: when a client logs in they will get a DC within their local site; that shouldn't be dependent on the client's subnet mask, just whether their IP falls within the scope of a site defined in AD. If there is a DC in that site then they should be referred to that DC during logon processes. The behaviour of ping is not going to be site-aware, but logon traffic will be.

Phil